China reins in overseas IPOs, instituting stricter protection of users’ data
Published: Jul 10, 2021 12:28 PM


China's top cyberspace regulator on Saturday issued a sweeping set of draft rules for cybersecurity reviews over domestic internet companies that seek overseas listings. The new threshold dictates that businesses holding information of more than a million users in China must undergo a regulatory review before applying for an overseas IPO. 

Analysts speculate the new regulation is to impact all digital firms, internet-based platform businesses in particular 

Following a week of regulatory moves imposed on internet platforms, including ride-hailing giant Didi Chuxing, the draft rules released by the Cyberspace Administration of China (CAC) marks another crucial step in China's broad efforts to ensure data security amid growing risks from the US as it continues to crack down on Chinese firms.

Among the draft rules, the strictest is the requirement for all internet product and services providers that collect data of more than a million users must file for a cyber-security review and approval before seeking an overseas IPO.

"In the Chinese market, there are countless internet platforms that have stored information of over 10 million or even 100 million users. The threshold of a million users, as clarified by the new rules, means almost all platforms operating in China which aspire to sell shares abroad need to go through a cybersecurity review," Liu Dingding, a Beijing-based internet sector analyst, told the Global Times on Saturday. 

"This is in line with the basic principles of safeguarding national information security. There is no room for compromise," Liu said.

The draft rules outlined specific steps and materials for a cybersecurity review, including an analysis on national security by the company and all procurement documents, current or future agreements as well as IPO materials prepared to be submitted.

Regulators will focus on scrutiny of the risks of key information infrastructure being illegally controlled, disrupted or undermined, the risk of core data or mass personal information being stolen, leaked, damaged or illegally used or exported. 

In a very pointed move, the cybersecurity review will also focus on the risk of core information infrastructure, data and massive personal information being "influenced, controlled or maliciously used" by foreign governments.

The draft rules on Saturday as well as the recent policy tightening come as the US government has doubled down on its crackdown on Chinese companies listed in the US. The US requires audit inspections on Chinese firms, which would expose operational data from Chinese businesses.

"It is very timely to set up such a threshold at this moment," Dong Shaopeng, an advisor for the China Securities Regulatory Commission, told the Global Times on Saturday, noting that the rules make protecting users' data and ensuring China's information security a "premise" for Chinese companies seeking overseas IPOs.   

The CAC is seeking public comments on the draft rules through July 25 and it was not immediately clear when the draft rules will come into effect.

Another crucial part of the draft rules is a move to establish a high-level inter-agency mechanism for cybersecurity reviews, which will involve more than 10 government departments, including the CAC, the Ministry of Public Security and the State Administration for Market Regulation.

The draft rules followed a series of regulatory actions taken against internet firms over cybersecurity protection as well as monopolistic practices by China-based internet platform companies.

Headquarters of Didi Chuxing in Beijing File photo: VCG

Headquarters of Didi Chuxing in Beijing  File photo: VCG

Most notable among the actions is a cybersecurity review of Didi just days after it launched an IPO in the US. The regulators ordered app stores to remove Didi over "serious violations of the law and regulation" in its collection and use of personal information. Then on Friday, the CAC ordered the removal of 25 more Did-related apps due to illegal use of personal information. 

The CAC has launched cybersecurity reviews on several other US-listed companies, including job recruiting platform Boss Zhipin and Full Truck Alliance. Meanwhile, regulators have also stepped up crackdown on monopolistic practices by internet firms, issuing fines this week to a few companies affiliated to Didi, Alibaba and Tencent.

Dong said that the awareness of protecting data security was not sufficient when many Chinese firms got listed in the US in the past, but given the rising risks, the move "is in line with the country's national interest to strengthen related laws and regulations."