China to Impose Security Check on HK IPOs Under Big Data Rules

(Bloomberg) -- China will require technology companies seeking a listing in Hong Kong to undergo a cybersecurity review as part of sweeping new rules aimed at tightening control of information amassed by private firms.

Most Read from Bloomberg

• Startup Fever Is Gripping the World’s Last Big Untapped Nation

• Hong Kong's New Museum Tries to Please Art World — and Beijing

• Elizabeth Holmes Faces Last-Ditch Chance to Testify at Trial

• Chronically Underfunded HBCUs Eye Scholarships in Biden Bill

• A Denser City, But at What Cost?

Prospective listings will need approval before selling shares in Hong Kong if authorities decide there is a potential impact to national security, according to a draft rule published by the Cybersecurity Administration of China, the country’s cyberspace regulator. The regulation was just one of many unveiled Sunday covering everything from takeovers to setting up overseas headquarters and transferring data across China’s border.

The listing review may cast a chill over offerings in the city by Chinese tech firms, which were counting on pivoting toward going public in Hong Kong without needing approval. American regulators have applied greater scrutiny to new listings and are moving forward with a plan to delist stocks whose auditors refuse to open their books to U.S. oversight. The crackdown could force almost $2 trillion worth of Chinese ADRs out of U.S. exchanges from 2024.

There may not be a wave of Hong Kong share sales by Chinese tech companies as some predicted months ago, said Winston Ma, adjunct professor of NYU Law School and author of “The Digital War - How China’s Tech Power Shapes the Future of AI, Blockchain and Cyberspace.”

AI chip firm Horizon Robotics, social media firm Little Red Book and e-commerce platform Huitongda Network Co. are among Chinese companies weighing billion-dollar Hong Kong listings after having explored going public in the U.S..

The cyberspace authority’s new rules are intended to enforce broader legislation passed in recent months that set out data security and internet privacy requirements. Beijing has made clear that the government will play a central role in the control of data and that private companies need to comply with its priorities, especially since Didi Global Inc.’s controversial U.S. listing triggered concern over sensitive information falling into foreign hands.

Large first-time offerings have almost entirely vanished in Hong Kong since early July, when Beijing announced that almost all businesses trying to go public overseas would require approval from the newly empowered cybersecurity regulator. Bloomberg previously reported China planned to exempt companies going public in Hong Kong from first seeking the approval of the cybersecurity regulator.

The Hang Seng Tech Index was up 0.5% as of 11:46 a.m. in Hong Kong, while Hong Kong Exchanges & Clearing Ltd., the operator of the city’s bourse, was down 0.2%.

The regulator is soliciting public feedback on the new rules until Dec. 13.

Other highlights in Sunday’s rules include:

• Internet platforms amassing data relevant to national security and public interest will need to seek security clearance before mergers, spin-offs and restructuring. (Article 13)

• Large internet companies need to report to regulators before they can set up overseas headquarters or centers for operations and R&D. (Article 13)

• Companies that process important data or those who process data and list overseas need to conduct an annual security appraisal on how they store, share and trade data. (Article 32)

• Companies that transfer data overseas will need to pass government security appraisals, and sign a government-stipulated contract with the foreign data recipient, which needs to be greenlit by regulators. (Article 35)

• Regulators will establish a security gateway for cross-border data transactions, preventing the spread of “illegal” information from overseas. No entities or individuals will be allowed to provide tools or services to circumvent such infrastructure. (Article 41)

• Internet platforms with 100 million daily active users need to obtain government approval on major updates to platform operations, data privacy and user rights. (Article 43)

• Users should be able to opt out with ease on personalized recommendations, and they have the right to ask companies to delete any data collected through such recommendations. (Article 49)

• Internet companies that use artificial intelligence, virtual reality and other new technologies to process data will need to seek security approval. (Article 54)

Most Read from Bloomberg Businessweek

• Boeing Built an Unsafe Plane, and Blamed the Pilots When It Crashed

• First Task for the Teamsters’ Next Boss: Take On UPS

• Google Wants to Save the Planet With Satellite Images

• Generation Lockdown: Where Youth Unemployment Has Surged

• India’s Race to Vaccinate Its Villages Meets With Rural Resistance

©2021 Bloomberg L.P.