What’s new: Mainland firms seeking to list in Hong Kong would be subject to review by China’s cyberspace watchdog under new draft rules on data collection and management released by the regulator for public comment Sunday.
If enacted, the rules could create new headwinds for data-rich firms that had pivoted their capital-raising plans to Hong Kong after Beijing made clear that listings outside China were now subject to heightened scrutiny to see if they were exporting data that could affect national security.
Under the proposal (link in Chinese), internet platforms would also be required to inform CAC and other related authorities if they establish headquarters, operation centers, or research centers abroad.
The draft law would codify China’s planned three-tier classification system for troves of data — as general, important, and core data — based on how its misuse or disclosure could harm national security, the public interest and individual users. It does not elaborate on how protection measures would differ for data in the different categories.
Background: China has issued three major pieces of legislation to address issues related to data security so far — the Cybersecurity Law implemented in June 2017, the Data Security Law effective Sept. 1, and the Personal Information Protection Law that was passed in August.
In the wake of ride-hailing giant Didi Global Inc.’s listing in the U.S., CAC proposed a draft revision to the Measures for Cybersecurity Review (link in Chinese) in July, which would require any Chinese company holding the personal information of 1 million or more users to seek a government cybersecurity review before listing abroad.
Contact reporter Manyun Zou (manyunzou@caixin.com) and editor Flynn Murphy (flynnmurphy@caixin.com)