Jul 10, 2021 07:48 PM

Chinese Companies With Over 1 Million Users’ Data Could Face Probe Before Listing Abroad

The cybersecurity review is a relatively new feature of China’s regulatory landscape, having only been introduced last year and used for the first time early this month.Photo:VCG
The cybersecurity review is a relatively new feature of China’s regulatory landscape, having only been introduced last year and used for the first time early this month.Photo:VCG

A draft revision to regulations could mean any Chinese company that holds the personal information of 1 million or more users would have to seek a government cybersecurity review before listing abroad.

Beijing continues to tighten its grip over the country’s once-freewheeling tech sector, including measures to prevent risks arising from cross-border data transfers by foreign-listed companies.

The draft changes to the Measures for Cybersecurity Review (link in Chinese) were revealed on Saturday by the Cyberspace Administration of China (CAC) and are open for public comment until July 25.

Under the draft revisions, any Chinese internet company of significant size would have to get a cybersecurity review if they seek to raise money abroad, market participants said. The changes could push Chinese companies to list in Hong Kong to avoid potential reviews, some analysts said.

Companies should provide “IPO materials to be filed” to the Cybersecurity Review Office, the interdepartmental office that conducts cybersecurity reviews, the draft shows. This would mean that companies’ prospectuses and other filings will be checked by the government before they file for a listing outside China.

The draft measures said the cybersecurity review would focus on assessing national security risks that may arise from procurement, data processing and “overseas listings,” including the risk of core data or a large amount of personal information “being stolen, leaked, destroyed, or illegally used or exported.” Also under the microscope would be the risk of critical information infrastructure, core data or a large amount of personal information “being influenced, controlled or maliciously used by foreign governments” in the wake of a Chinese company’s overseas listing.

If the review enters a “special review process,” it would take additional three months to complete, up from 45 business days at present, according to the draft.

The cybersecurity review is a relatively new feature of China’s regulatory landscape, having only been introduced last year and used for the first time early this month. The first target was ride-hailing giant Didi Global Inc., swiftly followed by truck-booking app operator Full Truck Alliance Co. Ltd. and recruitment platform operator Kanzhun Ltd.

In April 2020, 12 government departments including the CAC jointly issued rules effective from June 1 that year that require “critical information infrastructure” operators to assess national security risks prior to procurement of network products or services, and apply for a cybersecurity review if necessary.

Under the new draft rules, the China Securities Regulatory Commission, the country’s top securities watchdog, would join the aforementioned dozen departments to form a new national cybersecurity review mechanism.

The revised draft measures cite as their legal basis the Data Security Law, effective from Sept. 1 this year, in addition to the State Security Law and the Cybersecurity Law (link in Chinese) mentioned in the previous version.

In addition to critical information infrastructure operators, “data processors” would also be subject to cybersecurity review, according to the draft. “Important communications products” would be newly defined as network products or services, it wrote.

 Read more  
Cover Story: How Didi’s Rush to Raise Funds in U.S. Backfired

China has pledged to step up scrutiny of domestic companies’ overseas listings and cross-border data transfers, vowing to hold publicly traded companies accountable for their data security.

The new draft rules add to the regulatory headwinds faced in the last two weeks by overseas-traded Chinese stocks including Didi. The CAC on Friday ordered the removal of 25 mobile applications operated by Didi offering services from carpooling to finance, following the removal of its ride-hailing application from app stores that came days after its debut on the New York Stock Exchange.

The U.S. remains a popular IPO destination for Chinese companies, especially those in the technology sector, despite mounting tensions between the world’s two largest economies and the growing risk of being delisted.

Chinese bike-sharing company Hello Inc. and audio app operator Ximalaya Inc. have recently suspended U.S. IPO plans, sources close to the matter told Caixin. Ximalaya, which filed its application in April, has dropped the plan and may switch to Hong Kong for a share sale, a source close to the company said.

Ximalaya had an average of 250 million monthly active users in the first quarter, according to its prospectus. Hello had 183 million annual transacting users last year. Both mentioned risks of user data and privacy leaks and the possibility that the IPO will require the approval from China’s securities regulator.

Contact reporter Luo Meihan ( and editor Joshua Dummer (

Download our app to receive breaking news alerts and read the news on the go.

Get our weekly free Must-Read newsletter.

You've accessed an article available only to subscribers
Share this article
Open WeChat and scan the QR code
Get our CX Daily, weekly Must-Read and China Green Bulletin newsletters delivered free to your inbox, bringing you China's top headlines.

We ‘ve added you to our subscriber list.

Manage subscription
Caixin-Sinica Business Brief: TikTok CEO Pushes Back on Security Concerns