U.S. Markets open in 3 hrs 12 mins
  • S&P Futures

    4,110.00
    -37.75 (-0.91%)
     
  • Dow Futures

    33,707.00
    -255.00 (-0.75%)
     
  • Nasdaq Futures

    12,486.00
    -138.00 (-1.09%)
     
  • Russell 2000 Futures

    1,974.30
    -19.20 (-0.96%)
     
  • Crude Oil

    73.82
    +0.43 (+0.59%)
     
  • Gold

    1,884.40
    +7.80 (+0.42%)
     
  • Silver

    22.43
    +0.03 (+0.13%)
     
  • EUR/USD

    1.0767
    -0.0030 (-0.2799%)
     
  • 10-Yr Bond

    3.5320
    0.0000 (0.00%)
     
  • Vix

    19.78
    +1.05 (+5.61%)
     
  • GBP/USD

    1.2031
    -0.0025 (-0.2105%)
     
  • USD/JPY

    132.2770
    +1.1270 (+0.8593%)
     
  • BTC-USD

    22,805.40
    -602.42 (-2.57%)
     
  • CMC Crypto 200

    523.73
    -13.13 (-2.45%)
     
  • FTSE 100

    7,831.59
    -70.21 (-0.89%)
     
  • Nikkei 225

    27,693.65
    +184.19 (+0.67%)
     

China's foreign listing regulations that mandate cybersecurity reviews apply to Hong Kong, experts say

Chinese companies handling data from more than 1 million users are required to go through a cybersecurity review if they want to list overseas, and that includes Hong Kong, according to an assessment endorsed by China's cyberspace watchdog.

The conclusion, included in the "expert views" that the Cyberspace Administration of China (CAC) published on its website, shows how the regulator is empowering itself to be a key gatekeeper of overseas listings even though the new law, which came into effect this week, does not specifically mention Hong Kong.

According to the Cybersecurity Review Measures, a regulation jointly signed off by 13 Chinese ministerial bodies, Chinese internet companies seeking to go public in a "foreign" market must go through a cybersecurity review by the cybersecurity Review Office, a unit inside the CAC.

Do you have questions about the biggest topics and trends from around the world? Get the answers with SCMP Knowledge, our new platform of curated content with explainers, FAQs, analyses and infographics brought to you by our award-winning team.

SMIC, Nongfu, Feihe tipped to join Hang Seng in latest index review

The regulation, however, left open the question of whether it covers Hong Kong, which is not a "foreign" market, but is run as a separate legal system under the "one country, two systems" framework.

The CAC has not officially clarified whether a company seeking to list in Hong Kong must file for a cybersecurity review.

In the first expert interpretation, Qi Yue, an engineer from the China Cybersecurity Review Technology and Certification Centre (CCRC), wrote that Chinese internet operators cannot ignore cyberspace, data and national security risks in the process of listing in Hong Kong, even though the regulation does not specifically mention the city.

Qi added that only those already listed abroad would be exempt from such reviews.

All other cases, including initial public offering (IPO), direct public offering, acquiring a special-purpose acquisition company (SPAC), and reverse takeovers (RTO), need to undergo the review procedures, Qi said.

The CCRC is the agency designated to accept documents from companies for their cybersecurity review. Created in 2006 by China's market regulator, the agency's website says it provides "technical support for cybersecurity reviews".

Another internet company source, who has worked with CCRC on multiple projects, said it has been largely toothless in the past and often tried to sell certification services to tech firms.

A second expert view from Hu Ying, who heads the data security department at the China Electronics Standardisation Institute, said companies seeking a listing in Hong Kong "shall still be assessed in accordance with the relevant provisions of the security review of cross-border data transmission", regardless of the fact that Hong Kong is not mentioned directly.

A woman walks past the headquarters of Didi Chuxing in Beijing, July 16, 2021. Photo: AP alt=A woman walks past the headquarters of Didi Chuxing in Beijing, July 16, 2021. Photo: AP>

China's cybersecurity review system came under the spotlight last summer after Chinese ride-hailing giant Didi Chuxing defied the wishes of Chinese regulators by going ahead with a US$4.4 billion IPO in New York, later described as a "deliberate act of deceit".

The IPO prompted the CAC to tighten regulations and initiate an on-site data security investigation of Didi's offices. It also ordered Didi to remove 25 apps from app stores and barred the company from accepting new customers. The investigation has not yet issued any official conclusions.

In December, Didi said it would delist from the New York Stock Exchange and explore a listing in Hong Kong. Didi's bankers have held preliminary discussions with Hong Kong Exchanges and Clearing Limited for a listing that may take place in the second quarter, the Post reported last month.

This article originally appeared in the South China Morning Post (SCMP), the most authoritative voice reporting on China and Asia for more than a century. For more SCMP stories, please explore the SCMP app or visit the SCMP's Facebook and Twitter pages. Copyright © 2022 South China Morning Post Publishers Ltd. All rights reserved.

Copyright (c) 2022. South China Morning Post Publishers Ltd. All rights reserved.