China plots tougher cyber scrutiny for tech firms in Hong Kong IPOs

China could force companies to carry out a cyber security review should they seek an IPO in Hong Kong as it looks to implement new laws on data security management, regulating network data processing, and protecting individuals in cyber space.

The Cyberspace Administration of China (CAC) released a draft document named “Regulations on Network Data Security Management” which is open for feedback until 12 December. The document stipulates that when data processors go public in Hong Kong, which affects or may affect national security, they will have to apply for a network security review in accordance with national regulations.

A number of Chinese tech firms were planning to launch an IPO in Hong Kong after US regulators have been applying greater scrutiny to new listings and are moving forward with plans to delist stocks whose auditors refuse to comply with US oversight, as reported by Bloomberg.

This could force around $2 trillion worth of Chinese listings to move out of US exchanges from 2024, as tensions between the two countries continue to grow.

This wasn’t the only rule put forward by CAC, it is also looking to ensure internet platforms amassing data relevant to national security and public interest seek security clearance before spin-offs, mergers, and restructuring. Plus, large internet companies will need to report to regulators before setting up overseas headquarters or centres for operations and R&D.

Additionally, companies that process important data or those that process data and list overseas must carry out an annual security review on how they share, store, and trade data. Platforms with over 100 million daily active users also need to obtain approval on major updates to platform operations, data privacy, and user rights.

CAC said it is implementing these regulations in order to implement other laws on data security management, regulating network data processing activities, and protecting individuals and organisations in cyberspace. These laws are the 2017 Cybersecurity law, and this year’s Data Security Law and the Personal Information Protection Law (PIPL).

PIPL was passed at the start of November and stipulates how data can be collected and used in the country while governing the actions of companies hoping to move data out of the country. It regulates personal information processing activities in China, as well as any activities carried out by state agencies. It also applies to foreign organisations that process personal data overseas.