Proposed revisions to China’s cybersecurity review process would require companies that control data of more than 1 million users to seek permission from regulators before filing for IPOs overseas. China’s cyberspace authority proposed a series of revisions to the cybersecurity review rules Saturday.

Why it matters: The proposal came a week after regulators launched a cybersecurity review on ride-hailing giant Didi. The changes proposed align with a recent decision from senior Party and government bodies to increase scrutiny on companies seeking overseas listing. 

  • The revision “would make it very difficult or even impossible for Chinese internet firms to get listed in foreign exchanges,” Henry Gao, a law professor at Singapore Management University, told TechNode. “Many of them would probably choose Hong Kong or domestic listing due to the tedious regulatory approval process,” he added.

Details: The CAC proposed to revise the Measures for Cybersecurity Review, a regulation that came into effect in June 2020, adding a new article on overseas IPOs. One key purpose for overseas IPO reviews is to control the risk of companies exporting “core” and “important” data, or being “influenced, controlled, or abused” by foreign governments during the listing process, according to the draft provision (in Chinese). 

  • The revision added China Securities Regulatory Commission, the securities industry regulator, to a list of 14 government agencies tasked to set up the cybersecurity review mechanism.
  • The revision also extended the period for special security review from 45 working days to three months or longer. 
  • The proposed mandatory overseas IPO reviews do not apply to IPOs in Hong Kong. Hong Kong is a popular destination for Chinese tech companies to raise funds, alongside the US. 
  • Henry Gao said under these new regulatory changes, tech companies should prioritize “potential cyber security risks, especially those relating to the cross-border transfer of data, and make sure that there are regulatory approvals well in advance of major decisions.”
  • The CAC is seeking public comments on the draft revision until July 25.

Context: The proposal came four days after the Chinese Communist Party and government officials issued a guiding opinion (in Chinese) asking regulators to heighten scrutiny on Chinese companies listing overseas.

  • Most, if not all, Chinese tech companies seeking overseas IPOs reach the 1 million user threshold. Recently listed Didi has about 156 million monthly active users, while Daojia, a lesser-known home service platform that filed for a US IPO in July, has more than 16 million (in Chinese) registered users. At the end of 2020, China had 989 million internet users, according to the government body China Internet Network Information Center (in Chinese).
  • Former US President Donald Trump in December signed into law the Holding Foreign Companies Accountable Act, banning companies from trading on US exchanges if they don’t allow US accounting regulators to review and audit documents for three consecutive years.

Qin is the managing editor at TechNode. Previously, she was a reporter at the South China Morning Post's Inkstone. Before that, she worked in the United States for five years. She was a senior video producer...