China's unprecedented crackdown on its burgeoning (for now) tech industry just won't stop and overnight, China's Cyberspace Administration of China - the same entity responsible for the crackdown on Didi - proposed new rules that would require nearly all companies seeking to list in foreign countries to undergo a cybersecurity review, a move that would significantly tighten oversight over its internet giants.
Confirming our thoughts from last week, namely that "with 34 Pending Filings, China Sends A Message: No More US IPOs", tech platform companies that possess the personal data of at least 1 million users will have to apply for approval from the Cybersecurity Review Office, a group backed by 12 powerful Chinese ministries, if they plan an IPO in a foreign market according to a draft of the updated version of Beijing’s Measures for Cybersecurity Review published on Saturday, which is open for feedback until July 25.
While the draft does not specify if it exempts or covers Hong Kong - the world’s favorite IPO destination in seven of the past 12 years - the city is usually not considered a “foreign” market under Chinese regulations, and especially now following the its quasi-annexation by China.
According to the SCMP, the threshold was set at 1 million - a low bar a country where almost 1 billion people go online actively - apparently to conform with Foreign Investment Risk Review Modernization Act of the United States, which requires approvals by the Committee on Foreign Investment in the United States (CFIUS) for deals that involve the personal data of 1 million or more US individuals.
Coming in the aftermath of a series of aggressive crackdowns by the cyberspace regulator on China’s dominant ride-hailing service Didi-Chuxing, the new rules will transform the regulatory landscape for Chinese tech firms wanting to raise funds from foreign markets.
Didi, which raised US$4.4 billion in a June 30 stock sale in New York, angered Chinese regulators - especially the CAC - because of the way that it forced its way to the listing, with SCMP sources describing the company’s insistence to list as akin to a “deliberate act of deceit”.
As Bloomberg notes, the move is "one of the most concrete steps taken yet to restrain the ability of technology firms to raise capital in the U.S. through a so-called Variable Interest Entity model that the likes of Alibaba Group Holding Ltd. to Baidu Inc.and Didi Global Inc. have adopted. Regulators are also considering requiring VIEs like Alibaba that have already gone public to seek approval for additional share offerings in the offshore market, people with knowledge of the matter have said."
The crackdown is also meant to send a clear signal to the US: according to You Yunting, senior partner at Shanghai Debund Law Firm, the draft is mainly aimed at listings in the US.
“The Chinese government has been hoping to strengthen supervision of Chinese companies listed overseas for some time … but since the start of the China-US trade war, data has become a focus of the power play between the two sides,” You said. “Didi’s US listing was only the fuse that lit the supervision, but even without the Didi incident, the Chinese government would still have taken the initiative.”
So far this year, 37 Chinese companies have listed in the U.S., surpassing last year’s count, and raised a combined $12.9 billion, according to data compiled by Bloomberg.
“These rules will push more Chinese internet firms to list in Hong Kong instead of in another country, to bypass such a review,” said Feng Chucheng, a partner at research firm Plenum in Beijing. “The one million-user threshold is very low and would basically apply to every internet company aspiring for an IPO.”
The draft regulations also cover data security risks involving foreign powers, with reviews assessing the risks of data being transferred abroad illegally, or being stolen, leaked and destroyed. Reviews will also consider the national security risks of critical information infrastructure: whether critical and personal data is being affected, controlled, or maliciously used by foreign governments after a foreign listing, according to the draft.
The proposal did not say whether Chinese tech companies that have already filed to list in New York must go through the cybersecurity review. LinkDoc Technology, a company backed by Alibaba Group Holding’s Alibaba Health unit, and the Beijing-based Daojia are among the China-domiciled technology companies that have filed to raise funds in the US.
The current regulations, issued in April and effective from June 2020, require that critical information infrastructure operators go through a cybersecurity review if they acquire network products or services that may threaten national security. Just days after the Didi IPO, the Cyber Security Review Office announced probes into Didi, truck-hailing apps Yunmanman and Huochebang, as well as a recruiting app operated by Boss Zhipin, all on national security grounds.