Chinese govt requests online platforms with more than 1 mln users' info undergo security checks before listing overseas
Published: Jan 04, 2022 01:30 PM
A concept photo of stock market of Hong Kong Illustration: VCG

Online platforms in China with more than one million users' personal information must undergo cybersecurity checks when they go public abroad, according to a new amendment to the cybersecurity review regulation released on the website of the Ministry of Industry and Information Technology (MIIT) on Tuesday.

A combined 13 Chinese departments have released an amendment on cybersecurity review, effective on February 15, that brings the data processing activities of network platform operators that affect or may affect national security within the scope of cybersecurity review. The amendment made it clear that online platforms with personal information of more than one million users must report to the cybersecurity review office before going public outside of China.

The amendment to the regulation is aimed at ensuring network security and data security and safeguarding national security. It is based on the Data Security Law, which specifies that China would establish a data security review system, the MIIT confirmed.

According to the Data Security Law, data processing activities refer to the collection, storage, use, processing, transmission, provision and disclosure of data, the MIIT said.

Network platform operators should apply for a network security review before submitting listing applications to foreign securities regulatory authorities, the MIIT said.

After a company applies for cybersecurity review, there may be three results based on different situations. In the first case, no review is required; in the second case, if the listing does not affect national security after the review, it can continue to go public abroad; in the third case, if the listing is found to impact national security, the firm will not be allowed to be listed abroad, the MIIT said.

The reviews will be carried out by the China Cyberspace Review Technology and Certification Center under the MIIT, and the China Securities Regulation Commission will also be added as a member department to conduct the review.

According to the MIIT, China continues to follow the principle of opening-up and always supports domestic enterprises using overseas capital markets for fundraising in accordance with laws and regulations.

The government's move to amend the cybersecurity review regulation came as China strengthened regulations on overseas listings as well as personal data protection. In July 2021, Chinese ride-hailing giant Didi Chuxing was removed from app stores under order of the Cyberspace Administration of China (CAC) for illegally collecting users' personal data. The decision to remove the service came just days after its mega IPO on the US stock market.

The regulations also reflect the increasingly tense relations between China and the US, with the US launching a number of crackdown measures on Chinese companies, including placing tougher requirements and supervision on domestic companies that are listed in the US, a change that has already resulted in the delisting of multiple Chinese firms from the US market.

A number of Chinese companies have also suspended overseas listings amid a stricter regulatory environment for Chinese firms looking to go public offshore. For example, domestic medical data firm LinkDoc Technology and digital fitness platform Keep have both suspended public listing plans in the US in light of tightened regulations.

Experts called the publication of the Cybersecurity Review Measures a "milestone" in the development of China's cybersecurity sector. 

Zuo Xiaodong, vice president of the China Information Security Research Institute, told the Global Times on Tuesday that cybersecurity reviews are an important and constantly evolving process. Since the investigation in July into Chinese ride-hailing giant Didi after its listing in the US, amendments to the country's cybersecurity regulations have been the subject of widespread public attention.

"Now the boots have finally dropped," said Zuo, meaning the policy uncertainties faced by companies in the process of listing have dissipated, and the new regulations are generally good for the IPO activities of companies, and are pro-economic development.

Furthermore, a large number of companies planning to go to Hong Kong had expressed growing concerns after a draft revision to the country's cybersecurity review regulations issued in November noted that if data processors want to go to Hong Kong for listing and the activity will affect or may affect national security, they should also undergo a cybersecurity review. These concerns have been addressed with the official rollout of the new measures. 

"With the issuance of the regulations, the policy is now very clear - the document only requires companies to list abroad, and no longer mentions Hong Kong, which means that companies that want to list in Hong Kong do not need to conduct cybersecurity reviews," Zuo noted.

But he stressed that companies planning to list in Hong Kong should still take data security issues seriously. "To a certain extent, data security is still an important factor in determining the success of the IPO," he said.

Global Times