In the first week of 2022, China’s main internet regulator, the Cyberspace Administration of China (CAC), announced a revised version of its cybersecurity review regulations. These little-known regulations played a key role in crippling Didi’s listing on the New York Stock Exchange last summer and, starting next month, the revised rules will officially place more restrictions on Chinese companies seeking overseas listings.
Called the Measures of Cybersecurity Review, the then-obscure set of rules was cited by the CAC regulators last July as the basis for launching a security investigation into ride-hailing giant Didi, just three days after its IPO. Specifically, the CAC cited the need to protect national data security and public interest. It also ordered app stores in China to immediately remove Didi’s apps. The regulator pointed to a previous version of the Measures, the National Security Law, and the Cybersecurity Law as the legal basis for the review.
China Voices
In TechNode’s subscriber-only translation column, we bring you discussions about tech on the Chinese internet. TechNode has not independently verified the claims made below.
Didi has since announced plans to delist from the US and is considering a Hong Kong listing. At the time of the publication, Didi is still undergoing the cybersecurity review and its apps remain unavailable on domestic app stores. The Didi investigation initiated an intense period of regulatory moves in China, upending business plans and the stock prices of many Chinese tech giants.
The revised Measures is due to take effect on Feb. 15. When first released in 2017, the regulations focused on improving the security of hardware and services used in networks, ensuring that regulators had the power to do a “security review” when a matter concerned national security. That version of the law was never put into use, but a revision in April 2020 introduced the concept of “cybersecurity review” and refined the scope of the review.
This 2020 version was the CAC’s legal basis for the initial Didi review. Less than two weeks after launching the Didi review, the CAC released a draft revision of the Measures requiring deeper scrutiny of companies planning to go public overseas. This version was refined and published on Jan. 4, 2022, becoming the latest iteration of the Measures.
TechNode examined interpretations of the Measures from Chinese regulators and top Chinese law firms to understand the focus of the Measures and how it might affect Chinese companies seeking overseas listings. All quotes have been translated from Chinese and edited for clarity.
Hong Kong listings should be easier to pursue
Several leading Chinese law firms said in public analyses that companies should face an easier cybersecurity review process should they choose to go public in Hong Kong. The Measures will require online platforms which plan to go public overseas and hold information on more than 1 million users to apply for a cybersecurity review. Hong Kong, China’s special administrative region and a hot spot for fundraising, doesn’t count as overseas, so this new rule shouldn’t apply, several attorneys wrote in their interpretations. But companies should look closely at their own businesses and assess whether their activity will affect national security: If so, even a Hong Kong listing could trigger a cybersecurity review.
The dust around the Measures of Cybersecurity Review has settled, its impact on overseas listing
Zhong Lun Law Firm, Jan. 10
Following the expression used in the draft version, the Measures didn’t give a clear definition for what counts as an “overseas listing.” However, listing in Hong Kong is unlikely to be regarded as an overseas listing, considering the standard definition of overseas and the definition given in the Exit-Entry Administration Law. In addition, Regulations on Network Data Security Management (draft for comments and released by the CAC on Nov. 14, 2021) separated the issues of “overseas listing” and “Hong Kong listing” into two different sections under Article 13. Therefore, Article 7 of the Measures shouldn’t include listing in Hong Kong. And companies going public in Hong Kong won’t need to apply for cybersecurity reviews.
But will all Hong Kong listings be exempt from the review? Not necessarily. But the review process will be different from foreign listings…
According to the Data Security Law, as long as data processing activities affect or may affect national security, a security review will be triggered, which will, of course, apply to Hong Kong listings as well…According to Regulations on Network Data Security Management, the cybersecurity review for Hong Kong listings will be more flexible than the mandatory requirement for foreign listings. For Hong Kong listings, a cybersecurity review will only be triggered when there is a real risk that affects or may affect national security.
China’s cybersecurity review system has entered a new stage: Interpretation of the new changes in the Measures of Cybersecurity Review
Fangda Partners, Jan. 5
Whether a company goes public in Hong Kong, the US, or other countries, as long as the action has or may impact national security, there is a possibility that the company will be subject to cybersecurity review. Therefore, to judge whether a company faces security reviews when seeking a listing abroad, one should look beyond the requirements in the Measures (online platform operators holding more than 1 million users’ information and planning to go public overseas must apply to the Cybersecurity Review Office for a cybersecurity review), and consider whether the listing would result in “core data, key data or large amounts of personal information being stolen, leaked, damaged, illegally used or illegally spread out of the country.”…
We believe that, with the official release of the Measures, the regulatory attitude on Hong Kong listings is evident. There is no need for companies to actively apply for a cybersecurity review when listing in Hong Kong…However, this exemption does not mean that the company will not be subject to a cybersecurity review. The Measures still give power to members of the cybersecurity review office to initiate a review if the company’s listing abroad affects or may affect national security.
The focus of China’s cybersecurity reviews
The CAC said in an interpretation of the Measures that the review focuses on protecting the safety of key data while preventing foreign governments from exerting control and influence over Chinese companies and their data should they choose to go public in a foreign country. This interpretation mentioned that several US laws had given the US government more power to exert control over data in its jurisdiction. It cited laws such as the Holding Foreign Companies Accountable Act, the executive order on Securing the Information and Communications Technology and Services Supply Chain, and the CLOUD Act. Therefore, the CAC hopes the Measures can serve as a defense to limit risks.
Expert Insights | Keeping up with the times and building a defense line for national security reviews
The CAC, Jan. 5
The cybersecurity review system mainly focuses on two types of risks. Firstly, “the risk of core data, key data, or large amounts of personal information being stolen, leaked, damaged, illegally used, or illegally spread out of the country (Article 10.5).” Secondly, during the process of companies going public, there is a risk of foreign governments influencing, controlling, or maliciously exploiting critical information infrastructure, core data, large amounts of personal information, and other cyber information security risks. (Article 10.6)”
The first risk mainly focuses on critical information infrastructure providers using its job of buying network products and providing services to illegally collect, store, utilize, and provide to an overseas entity “core data, key data or large amounts of personal information.” In other words, network products and service providers shouldn’t undertake secret action with collected data, nor should they damage users’ power to access and use their own information.
The latter focus refers to companies being placed under the jurisdiction of foreign laws after they list abroad. It could allow foreign governments to use legal and judicial power to “exert influence, advocate control, and maliciously use core data, key data, and large amounts of personal information” controlled by network operators, endangering our country’s sovereignty, security, and interests.
Length of cybersecurity review
“Security and development first”: The Measures of Cybersecurity Review officially released
King and Wood Mallesons, Jan. 4
The Measures didn’t drastically change the review process and the timeline compared to its draft proposal, apart from updating the special review process from three months to 90 working days. The update aims to unify time calculation in the regulation, but more importantly, extend the timeframe of the special review process.
According to our calculation, the regular cybersecurity review takes up to 70 working days (10 + 30 + 15 + 15). For the special review process, the longest required time can be more than eight months (70 working days + 90 working days + unknown number of extended days).