China has tightened cybersecurity reviews for internet companies that seek IPOs in the overseas markets with a set of draft rules, including a new threshold that businesses holding data of more than a million users in China must undergo a regulatory review before applying for an overseas IPO, which indicated the country’s resolve to rein in potential national security risks brought by domestic businesses that own oceans of data amid their cross-border operations.
It marked another crucial step in China’s broader efforts to ensure data security amid growing China-US tensions as Washington continues to crack down on Chinese firms.
Regulators’ tightening scrutiny on internet firms, which have been inclined to seek IPOs in the US market over recent years, came at a crucial moment that the potential risks posed by data breaches have been amplified along with the value those companies generated as China pushes ahead with digitization in various industries, analysts told the Global Times, adding that it will be impossible now to bypass local regulations via overseas listings.
It was the first time that the Cyberspace Administration of China (CAC) released a draft amendment and sought public opinion on the cybersecurity review measures since June last year, when the original measures became effective.
Most notably among the draft revision released Saturday is that all internet product and service providers that collect data of more than a million users must file for review and approval before seeking an IPO abroad.
“In the Chinese market, there are countless internet platforms that have stored the information of over 10 million or even 100 million users. The threshold of a million users, as clarified by the new rules, means almost all platforms operating in China which aspire to sell shares abroad need to go through a cybersecurity review,” Liu Dingding, a Beijing-based internet sector analyst, told the Global Times.
“This is in line with the basic principles of safeguarding national information security. There is no room for compromise,” Liu said.
The draft rules outlined specific steps and materials for a cybersecurity review, including an analysis on national security by the company and all procurement documents, current or future agreements as well as IPO materials prepared to be submitted.
“It is very timely to set up such a threshold at this moment,” Dong Shaopeng, an advisor to the China Securities Regulatory Commission (CSRC), told the Global Times, noting that the rules make protecting users’ data and ensuring China’s information security a “premise” for Chinese companies seeking IPOs abroad.
A new member – the CSRC – was added to the national cybersecurity review work mechanism, which previously composed of 12 national agencies, per the draft revision. Any of the 13 agencies that suspects a risk to national security can initiate a cybersecurity review.
“Data handling and overseas IPOs” are newly added to suspected behaviors that are deemed to potentially harm or do harm national security.
The CAC is seeking public comments on the draft revision through to July 25 and it was not immediately clear when the draft rules will come into effect.
Reconsider overseas IPOs
If the draft rules are implemented, domestic firms that have originally planned to conduct a listing abroad are likely to postpone due to the uncertainties ahead and might reconsider the market where they finally go public, an insider of a state-owned investment bank, who asked to remain anonymous, told the Global Times on Sunday.
Chinese medical data group LinkDoc Technology has shelved plans for an IPO in the US amid the clampdown on overseas listings, Reuters reported Thursday, citing sources with direct knowledge of the matter. It is said to be the first Chinese firm known to have pulled back from overseas IPO plans since China’s cybersecurity regulator’s review on the country’s top ride-hailing firm Didi Chuxing just two days after its New York debut.
Separately, China’s largest mobile sports platform Keep and podcasting platform Himalaya have both cancelled plans to go to the US for IPOs in recent weeks, the Financial Times reported Thursday.
Keep could go public as early as July, Sina Finance reported in April.
“What these firms need to do right now is to reflect upon their own business: how they use the data collected, are there any loopholes, and where they need to be rectified,” said the insider.
While assuming the number of Chinese firms seeking US IPOs might nosedive in the second half of the year amid the shaky environment, the insider said it does not mean the regulator will take a “one size fits all” approach to completely close the window for domestic firms which hope to be listed for international investors, which also does not align with the opening-up policy.
The country will ramp up efforts to seal the loopholes around the so-called Variable Interest Entity (VIE) model, an equity structure that Chinese companies have exploited in past years to attract foreign investment and list on US stock exchanges, which also meant they could bypass local regulations including data security review, said the insider.
“It’s just that the moment has come naturally: Our opening-up policy will not change, but openness and security must be coordinated. Protecting the security of national and personal information is definitely justified,” said Dong.
Foreign-funded companies that operate in China could also collect data, however, it is only desensitized data that can be used during actual business operations, and excessive collection, use and development must not be allowed, according to Dong.
So far this year, 37 Chinese companies have been listed in the US, surpassing last year’s count, and raised a combined $12.9 billion, according to data compiled by Bloomberg.
Apart from the effect on the capital market, if the new rules are implemented, it will also spark some changes in the venture capital market, where investors of internet start-ups will attach more importance to their handling of data collected, a part that has been usually neglected during previous investment, an investment manager in the internet sector, surnamed Jia, told the Global Times on Sunday.
According to a top guideline issued on Tuesday, China said it will strengthen rules and regulations for domestic businesses listed on overseas exchanges to enhance the protection of data security and toughen the crackdown on securities violations.
Specifically, China will improve rules and regulations for data security, cross-border data flow and management of classified information.
The latest draft revision of cybersecurity followed within less than a week of a flurry of regulatory moves imposed on internet platforms over cyber information protection as well as monopolistic practices.
China’s market regulator the State Administration for Market Regulation on Saturday announced a block on the Tencent-driven merger of the two streaming sites Huya and Douyu after an anti-monopoly review.
Three more internet platforms including job recruiting platform Boss Zhipin, and Yunmanman and Huochebang – two truck-booking platforms under the Full Truck Alliance were put in the crosshairs on July 5, three days after the CAC announced a review of cybersecurity into Didi.
However, the regulatory moves should not be misinterpreted as targeting certain firms. Regulation also needs to catch up with various industry developments that have become inseparable with data, with an aim to protect national security and ensure the healthy growth of the sprawling platform economy, experts said.
Lu Chuanying, researcher and secretary general of the Research Center for International Cyberspace Governance under the Shanghai Institute for International Studies, told the Global Times on Sunday that the development of the digital economy and regulation should seek a dynamic balance.
“Data protection and security has undoubtedly become a national strategy and top design, especially against the backdrop of data localization that each country wants to keep their data local and safe,” said Lu.
Zuo Xiaodong, vice-president of the China Information Security Research Institute, said that China should have already made a slew of policies around data security but many of them were not ideally implemented in the past, believing that more such policies will “have their teeth grown” regarding having a deterrent force in the future.