Draft Network Data Security Management Regulations were released by the Cyberspace Administration of China on Sunday afternoon for a 1-month consultation.
What might sound innocuous though is far from it. While the regulations comprise a dense set of rules repeating and consolidating many principles from the troika of the Cybersecurity Law, Data Security Law and Personal Information Protection Law, there are onerous extensions to existing operational rules principles and enhanced hurdles in the path of China tech companies to listing on international markets.
Tech investors will only too well recall the ambiguous Cybersecurity Review Measures published in draft in July. Those measures proposed an expanded cybersecurity review process to be completed before listing on a “foreign” listing venue of any PRC company holding personal data of more than 1 million people. But “foreign” would not include the Hong Kong SAR if typical PRC legislative interpretation is followed. This therefore left mainland Chinese platforms like ByteDance and others to look to the Hong Kong Stock Exchange as a viable option outside of the traditional destination of the US's New York bourses for their IPOs.
That lacuna now seems set to close. If enacted, the draft rules will add another trigger for cybersecurity review for any data processor that seeks a listing in Hong Kong SAR which affects or may affect national security. The nature of the cybersecurity review for Hong Kong listings would appear likely to be the subject of further rules, as was understood from a previous private briefing that was given to some Hong Kong-based bankers by an official from the PRC's securities regulator. Nevertheless, even in the interim period, the subjective nature of “may affect national security” could well generate enough uncertainty to act as an effective block on any tech companies seeking to list in Hong Kong SAR without tacit approval from mainland China's internet regulator.
While Hong Kong companies should not be dragged into the direct application of this draft set of rules, notwithstanding Hong Kong SAR being part of the PRC or the extraterritoriality provisions under the draft regulation, those less familiar with the distinction between the neighbouring jurisdictions will no doubt question the continuing blurring of lines between their capital markets.
The more cynical observers may also note the timing of the release of these rules one day before Beijing opens its own innovation-driven stock exchange.
The draft is the first time the Chinese government has clarified that some IPOs in Hong Kong will be subject to a data security screening.