China’s foreign listing regulations that mandate cybersecurity reviews apply to Hong Kong, experts say
- The CAC has not officially clarified whether a listing in Hong Kong requires a cybersecurity review, but it posted the expert assessments on its website
- New listings in Hong Kong are subject to the ‘relevant provisions of the security review’, even though the city was not mentioned in the law, one expert said
Chinese companies handling data from more than 1 million users are required to go through a cybersecurity review if they want to list overseas, and that includes Hong Kong, according to an assessment endorsed by China’s cyberspace watchdog.
The conclusion, included in the “expert views” that the Cyberspace Administration of China (CAC) published on its website, shows how the regulator is empowering itself to be a key gatekeeper of overseas listings even though the new law, which came into effect this week, does not specifically mention Hong Kong.
The regulation, however, left open the question of whether it covers Hong Kong, which is not a “foreign” market, but is run as a separate legal system under the “one country, two systems” framework.
The CAC has not officially clarified whether a company seeking to list in Hong Kong must file for a cybersecurity review.
In the first expert interpretation, Qi Yue, an engineer from the China Cybersecurity Review Technology and Certification Centre (CCRC), wrote that Chinese internet operators cannot ignore cyberspace, data and national security risks in the process of listing in Hong Kong, even though the regulation does not specifically mention the city.
Qi added that only those already listed abroad would be exempt from such reviews.
