How does China's new data security law affect Hong Kong IPOs?

How does China’s new data security law affect Hong Kong IPOs? (Photo by ISAAC LAWRENCE / AFP)

How will China’s new data security law affect Hong Kong IPOs?

  • China requires technology companies seeking a listing in Hong Kong to undergo a cybersecurity review as part of the sweeping new rules.
  • The regulations have yet to be enacted but have definitely created ambiguities for companies looking to float in Hong Kong.

Hong Kong Stock Exchange, the world’s third-largest financial bourse, has always positioned itself as the prime listing hub for Chinese companies that aim to raise capital abroad. The country has specifically gained from the lingering US-China geopolitical tension, recording its best nine months on record since 1980 as a flurry of Chinese companies redirected their IPOs to the city.

To make matters worse, Chinese companies that have plans to raise capital on Wall Street will now be entitled to greater scrutiny as the US regulators have even imposed a law that allows authorities to delist stocks whose auditors refuse to comply with US oversight. So the only respite for those Chinese companies is in Hong Kong but that might not be the case in the near future,

But now, IPOs in Hong Kong will not be that simple

Beijing has been intensifying probes into tech companies and their data security practices, especially when it comes to the transfer of data outside mainland China, which the government deems a matter of national security. It started when, in July, Chinese ride-hailing giant Didi Chuxing went public in New York — despite being told not to. 

Soon after that, the Cyberspace Administration of China (CAC) launched a cybersecurity review into the company and proposed a mandate for all Chinese firms with more than a million users to get approval before listing in foreign markets.

Here is where it gets trickier — while many had assumed that IPOs in Hong Kong would be exempt from various red tapes, the Cyberspace Administration of China (CAC) last month released the Network Data Security Management Regulation (Exposure Draft), clarifying that listings in the special administrative region would also need to go through a cybersecurity review if they “affect or may affect national security.”

The sprawling draft Regulation, consisting of 75 articles, unifies data security rules introduced by the Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL). The CAC is seeking public opinions on it until December 13, 2021

A partner at international law firm Pinsent Masons in Hong Kong Paul Haswell told South China Morning Post, “The mood at the moment, given how new the laws are and the fact that we are still waiting for an explanation on the ambit and meaning of some of their provisions, is one of concerned uncertainty.”

In short, the listing review would cause anxiety to Chinese tech firms which were counting on pivoting toward going public in Hong Kong without needing approval. As Bloomberg puts it, “there may not be a wave of Hong Kong share sales by Chinese tech companies as some predicted months ago.”

So far, there are three Chinese tech firms including Microblogging platform Weibo, NetEase’s music streaming service Cloud Village and artificial intelligence company SenseTime, that have upcoming Hong Kong listings. Those IPOs can be taken as test cases for the new regulations once enacted