Old bronze knocker with red door in Chinese temple showing national security risks of Chinese tech companies

Citing “National Security Risks,” China Government Puts New Cybersecurity Approval Requirements on Chinese Tech Companies

The Chinese Communist Party has been conducting an ongoing regulatory campaign that has seemed to particularly focus on domestic companies conducting foreign IPOs. The picture becomes even more clear with a proposed new set of rules that would force Chinese tech companies that hold data on over one million users to apply for special cybersecurity approval before listing, citing the national security risks associated with that data falling into the hands of foreign governments.

The new rules may be calculated to push Chinese tech companies to list their IPOs in Hong Kong instead of the West, as they would not be subject to the same requirements there. In a country of about 1.4 billion, nearly every platform that handles user data is very likely to have at least one million records and therefore be subject to the new rules.

Chinese tech companies steered away from foreign fundraising

A statement released by the Cyberspace Administration of China last week expressed concern that the personal data of citizens could be “affected, controlled, and maliciously exploited by foreign governments” and create national security risks.

The move comes in response to a trend of Chinese tech companies listing in foreign countries that originates with Alibaba’s first public listing in 2014. The online retail giant used a structure called a “variable interest entity” (VIE) that allowed it to get around existing Chinese government restrictions on foreign investment. Rather than being a traditional share of ownership as expressed by a stock, a VIE is a contract that grants the holder the rights to a certain percentage of the company’s profits. The profits are routed through a foreign shell company, in Alibaba’s case a holding company registered in the Cayman Islands. This entirely circumvents government restrictions on foreign entities investing in the physical assets of Chinese tech companies.

There has been something of a rush of foreign listings making use of VIEs in the past year, dating back to the planned listing of Alibaba-owned Ant Group in October. After making a speech challenging Chinese financial regulations, owner Jack Ma famously disappeared from the public eye for about three months and the IPO was blocked by the government. But other Chinese tech companies, 37 in 2021 alone including Baidu and rideshare app Didi, have found success in listing on foreign exchanges by making use of the VIE structure and have raised a collective $12.9 billion.

The latest controversy in this world of overseas listings is Didi’s IPO, which recently went ahead even though the Chinese government reportedly asked the company to delay it for several months due to concerns about national security risks. This caused anger at both ends, as the government’s intervention caused a large drop in value and foreign investors believed that they should have been notified. Didi is currently blocked from Chinese app stores while it makes “necessary security adjustments.”

National security requirements spook some tech companies

The new national security requirements do not forbid VIE structures such as these, but would make these companies entirely responsible for their data security and accountable for any lapses. Chinese tech companies would have to apply to the government for permission to list in this way, subject to a presumably stringent cybersecurity review beforehand that focuses on potential national security risks. This includes a review of supply chains conducted by the China Cybersecurity Review Technology and Certification Center, a division of the newly-formed Cybersecurity Review Office.

This has already caused several planned IPOs to be suddenly shelved, regardless of whether or not any national security risks were involved: LinkDoc, fitness app Keep and restaurant supplier Meicai all backed out of plans to list in the United States after the announcement was made. TikTok owner ByteDance has also reportedly been considering one of these foreign IPOs; it remains to be seen if the new requirements will dissuade it.

Hong Kong remains a viable (though less lucrative) option for Chinese tech companies looking to do an IPO. While this would allow them to avoid all the regulatory complications that come with the specter of national security risks, the VIE model may not be possible there for long. China’s securities regulators are reportedly preparing revisions to rules that would not only take VIEs off the table, but would force companies that have already listed in this way (like Alibaba and Baidu) to seek government approval to issue any new shares.

The process of reviewing potential national security risks seems designed to dissuade Chinese tech companies given that the government expects it to take at minimum 45 days to complete, but could potentially stretch out for months in “complex cases” and generate substantial added compliance costs. The measures are also reportedly not particularly specific about what standards these companies need to meet, beyond calling for IPO materials and procurement documents as well as a report on the potential impact of the company’s plans on national security.