China is updating a vital ordinance governing cybersecurity rules that analysts say will effectively ban Chinese tech firms from listing in the United States and other foreign markets.
The move comes on the heels of its controversial probe into suspected data breaches by China’s ubiquitous carpooling and ride-hailing app Didi Chuxing in early July.
The watchdog has inserted several catch-all clauses to give more powers to regulators to scrutinize, encumber, vet and veto overseas IPO plans.
The watchdog has denied the revisions are linked to its actions against Didi, whose business model and trove of data were put under a national security microscope soon after Didi debuted on the New York bourse at the end of June.
State cybersecurity specialists are sifting through the company’s databanks to determine the scope of any data-related offense and penalties to be meted out, amid rumors that the firm had shrugged off Beijing’s warning and handed perceived as sensitive data to US regulators for its IPO to be approved.
Xinhua cited a CAC spokesperson as saying that the ordinance must be updated to prepare for the arrival of China’s Data Security Law that would take effect from September 1.
The state news agency said the Cybersecurity Review Ordinance would serve as the law’s detailed implementation guidelines since the new law only laid out principles and penalties in broad strokes.
Key insertions to the ordinance include legal responsibilities for data processors to report to the CAC before selling shares overseas and the expansion of the terms of reference of a “joint checking body” established under the ordinance to include representatives from the China Securities Regulatory Commission (CSRC).
A summary of the amendment reviewed by Asia Times noted that any Chinese tech companies with more than a million users must file applications and be subject to a CAC-led cybersecurity and data review and approval before going public on any foreign stock exchange, with the CSRC empowered to scrutinize IPO plans and make recommendations.
The outcome of such a review will be based on an assessment of the risks of core data and personal information being stolen, leaked, harvested, exploited or illegally transferred to a foreign entity via a share sale. The potential for crucial information infrastructure and core data falling into the hands of Beijing’s foreign adversaries will also be weighed.
Analysts with the semi-official China Information Security Institute believe that such risk evaluations would be “overtly stringent and cumbersome” and officials would follow rules and guidelines to the letter when weighing applications.
Zuo Xiaodong, the institute’s deputy director, revealed during a webinar last week that other than the state securities regulator, officials from about ten other state organs including the central bank, National Development and Reform Commission as well as ministries and bureaus responsible for information technology, public security, national security, finance, commerce, market regulation, radio and television and state secrets protection would also sit on the CAC-convened panel. Each member would have the right to launch probes and veto applications.
Zuo opined that the chance of Chinese tech firms being allowed to list in the US in the foreseeable future is “slim to almost zero” now that the tech war between Beijing and Washington has continued to intensify under the Biden administration.
“Beijing has given the de facto US IPO ban and with Beijing placing extra regulatory hurdles in the road to NYSE and Nasdaq, most Chinese tech firms may drop their plans and won’t bother applying in the first place, since when it comes to data security and supervision Beijing has got its message across very effectively with the Didi case: don’t send your data overseas and [you’d better] instead sell shares at home,” said Zuo.
Previous reports suggest various Chinese tech outfits had planned to list in the US.
Xiaohongshu, aka Little Red Book, China’s highly popular crowd-sourced review and sharing platform with more than 350 million registered users, has hit the brakes on its planned listing in the US this month.
The Shanghai-based challenger to Yelp cited “changing regulatory climate” as one of the reasons for the suspension. Ximalaya, an audio content platform, and LinkDoc, a Chinese medical tech startup that connects patients to medical experts, have also reportedly withdrawn their plans for US IPOs. Both firms count Tencent and Alibaba as their supporters.
China Business News recently reported that almost all Chinese tech companies whose user base exceeded the one million user threshold have been studying the amendment and new data security law to ensure full compliance once the new legislation kicks in.
For Xiaohongshu and others, listing instead in Shanghai and Shenzhen will be easier yet their valuation and access to foreign capital will inevitably suffer, according to observers. Hong Kong stands to gain as Chinese tech firms are discouraged from US listings, they say.
The city’s financial secretary Paul Chan told an online forum last week attended by Chinese entrepreneurs that Hong Kong had “all the attributes of New York,” in particular, access to international capital, but Chinese firms that listed in the city would hardly be “swept up by sudden regulatory shocks” or run into data security troubles.
He said such issues would be “less of a concern” in the territory, which has been part of China after its 1997 handover from Britain.
But there are no clear indications yet from the CAC or its “joint checking body” about how data and cybersecurity will be handled for Chinese tech firms that make a detour from the US to Hong Kong, a financial hub under Beijing’s suzerainty but which formulates its own financial, economic and data policies independent from those of the mainland.