China seeks to tighten cyber scrutiny on Hong Kong tech IPOs

China’s internet regulator released draft rules on Sunday that would require companies listing in Hong Kong to undergo a cyber security review if the share sale could implicate national security, threatening a recent shift by tech groups to the territory.

The Cyberspace Administration of China, the country’s powerful data watchdog, announced in July that it would tighten rules for companies seeking to list overseas, with those that hold data on more than 1m users required to pass a security review. The guidelines did not specify at the time whether the provision would apply to Hong Kong.

The CAC launched a probe into Didi Chuxing for suspected data violations two days after its blockbuster $4.4bn initial public offering on the New York Stock Exchange in June. The ride-hailing company was forced to stop registering new users during the investigation.

Global investment banks raced over the summer to redirect Chinese companies to float in Hong Kong, which was seen as a more politically palatable destination for tech groups to access global financial markets after the cyber security reviews halted a lucrative listings pipeline in the US.

Ximalaya, a popular Chinese podcast and audio platform, filed for an IPO in Hong Kong in September after abandoning plans to list in New York. The Financial Times reported in August that ByteDance, owner of viral short-video app TikTok, had revived plans to go public in Hong Kong by early next year.

The draft rules published on Sunday marked the first time that Beijing has said some share sales in Hong Kong would be subject to cyber security checks. It also followed the introduction of a sweeping data protection regime that gave the CAC greater power to survey how Chinese companies handle consumer data.

But the notice stopped short of specifying the preconditions for this layer of scrutiny.

The draft rules would also require companies with large amounts of data related to China’s national security, economy or public interests to submit to a cyber security review when pursuing a merger or restructuring.

Internet companies seeking to establish overseas headquarters, operational centres or research and development facilities must also report to the Chinese regulators in advance, the CAC wrote.

The draft rules were published a day before the opening of the Beijing Stock Exchange, a newly minted market that will raise funds for innovation-driven small start-ups as China tries to encourage companies to use local exchanges.

The Beijing exchange forms part of the government’s broader push to create homegrown tech leaders and foster less dependence on foreign operators.