Chinese firms, especially those dealing with data, may have to submit every overseas IPO to regulators for a data security review, experts told TechNode.
China’s top leaders called for increased supervision of data during international IPOs on Tuesday, days after ride-hailing giant Didi Chuxing and two other recently US-listed firms were banned from registering new users during a “cybersecurity review.”
Senior party and government officials issued a directive (in Chinese) on Tuesday night, calling for an increased crackdown on “illegal securities activities.” The directive was jointly issued by the General Office of the Central Committee, the administrative branch for the party’s top leading groups, and the General Office of the State Council, the Chinese cabinet.
The document appears to confirm that Beijing is worried about data security during the overseas IPOs process. Taken together with the Data Security Law passed on June 10, these new documents provide clues that data may be a key factor in the decision to launch an investigation on Didi.
Three newly US-listed firms have been blocked from registering new users since Friday by China’s data watchdog, the Cyberspace Administration of China. The CAC has cited concerns about data and national security and the collection and handling of personal private information, but has not published specific reasons.
READ MORE: How did Didi get in trouble with data regulators?
One of the document’s sections focus on overseas listings. Article 19 directs regulators to “improve relevant laws and regulations on data security, cross-border data flow, and confidential information management.” Article 20 asks regulators to increase scrutiny on Chinese companies listing overseas, which refers to China concepts stocks, and “clarify regulatory responsibilities in China and strengthen cross-department cooperation.”
‘Data practices that used to be legal might become illegal’
Zhu Bao, a Beijing-based attorney specializing in corporate compliance, said the directive’s focus on tightening data management is new and signals a shift in priorities.
“I don’t think this prohibits all Chinese companies from going public overseas. It signals that internet companies, especially those dealing with data and seeking an overseas listing, will face much stricter regulation and approval processes,” Zhu said.
“Certain data practices that used to be legal might become illegal now,” Zhu added. He said companies that collect users’ information should consider seeking legal advice and review their data servers to make sure they are compliant with the directive.
Yang Zhaoquan, director of Beijing Vlaw Law Firm, told TechNode that “data could be leaked during the review and auditing procedures in a IPO process.”
“In the age of big data, internet companies can collect massive amounts of sensitive data, including citizen’s personal information, state agency data, and operation data of other companies,” Yang added.
More than Didi
Chen Long, a partner at Plenum, an independent research firm on Chinese politics and economy, told TechNode that the documents clearly relate to Didi’s investigation, but reflect concerns broader than this case.
Apart from data security issues, the directive also asks to increase punishment for accounting fraud cases like Luckin Coffee’s 2020 fraud scandal, Chen said. “The directive is a culmination of the past year’s events and providing clarity on regulatory responsibility,” he added.
The directive didn’t specify a government body to take charge of the data review. Chen said China needs to clarify which government body should be responsible for reviewing Chinese companies filing for overseas IPO. Currently, it’s a gray area, he added.
Chen expects the Chinese government will task the China Securities Regulatory Commission (CSRC) and the Cyberspace Administration of China (CAC) to review the data of companies seeking overseas IPOs.
Bloomberg reported in May that China is considering rules that would require firms to seek formal approval before listing in overseas markets.
Zhu said he expects the CSRC will work with the Ministry of Public Security in the future to review these cases. He added it will probably take about six months for the government to finalize all the details and responsibilities. Still, tech and data companies seeking to list overseas should brace for a stricter review process from now on.
Translation of directive excerpts
Article 19: Strengthen cross-border supervision cooperation. Improve relevant laws and regulations on data security, cross-border data flow, and confidential information management. Regulation needs to be revised to strengthen the confidentiality and file management related to the issuance and listing of securities overseas, and consolidate the main responsibility of information security of overseas listed companies. Strengthen the standardized management of cross-border information provision mechanisms and procedures. Adhere to the principle of law and reciprocity, and further deepen cross-border audit supervision cooperation. Explore effective ways and methods to strengthen international securities law enforcement cooperation, actively participate in global financial governance, and promote the establishment of law enforcement alliances to combat cross-border securities violations and crimes.
Article 20: Strengthen the supervision of China’s concept stocks. Effective measures will be taken to deal with risks and emergencies of Chinese concept stock companies, and push to set up relevant regulatory systems. Amend State Council’s special regulation on companies raising funds and listing overseasing. Clarify which domestic industry supervisors will be responsible and strengthen cross-departmental supervisory coordination.