On July 6, the General Office of the Central Committee of China’s Communist Party and the General Office of the State Council jointly issued the Opinions on Strictly Cracking Down on Illegal Securities-related Activity in Accordance with Law (the Opinions) to further strengthen regulatory supervision of securities-related activity, including enforcement with respect to overseas listings of China Concepts Stock (CCS) by enhancing data security protection. 1 CCS generally refers to companies which conduct overseas listings with assets and/or earnings primarily based or originating in China
The Opinions were issued amidst probes into several Chinese internet platform companies by several government departments, including in this instance the increasingly powerful Cyberspace Administration of China (CAC) regarding data security with its implications for national security as well as privacy concerns. Such concerns are in part responses to more insistent demands by overseas regulators, particularly in the US, for transparency by CCS companies, including access to audit working papers.
On July 10, CAC released the draft revision of the Cybersecurity Review Measures (Draft Revision) with comments due by July 25, half the typical 30 days reflecting the urgency of the matter.2 The Cybersecurity Review Measures which were invoked by CAC as the basis for the probes into the platform companies are themselves relatively new and only came into effect on June 1, 2020. The Draft Revision would require Chinese companies which process personal information3 of more than 1 Million users to apply for a mandatory cybersecurity review before conducting an overseas IPO to examine the risks of critical information infrastructure (CII)4 and important data5 being maliciously exploited by overseas governments, among other concerns. The 1 Million users threshold is likely to be meaningless as the prospects for a Chinese company to conduct an overseas IPO when the number of its domestic users is less than 0.1% of the population are very limited.
This alert focuses on (i) the current status of cybersecurity investigations into CCS companies recently listed in the US; (ii) the requirements under the Opinions and Draft Revision to tighten data security on offshore securities listings; and (iii) compliance issues confronting CCS companies with respect to data security, cross-border data transfer and privacy protection.
i. Heightened Cybersecurity Review over CCS Companies
On July 2, CAC’s Cybersecurity Review Office launched a cybersecurity investigation into Didi Chuxing, the country’s largest ride-hailing service, which conducted an ADR listing (NYSE: DIDI) on June 30.6 On July 4, CAC announced that Didi Chuxing had seriously violated regulations regarding the collection and use of personal information, and ordered removal of its app from all app stores.7
The next day, July 5, CAC announced similar cybersecurity investigations into Yunmanman, Huochebang, and Boss Zhipin.8 Yunmanman and Huochebang are China’s two leading truckhailing apps who label themselves as “Uber for trucks” and which merged into a new company called Full Truck Alliance Co. which conducted an ADR listing (NYSE: YMM) on June 22. Boss Zhipin Inc., one of China’s largest online job recruiting platforms, listed in the US (NYSE: BZ) on June 11. CAC, not the China Securities Regulatory Commission (CSRC) or any of China’s other financial or foreign exchange regulators, ordered all three platforms to stop registering new users and remove their apps from online stores, stalling their growth and resulting in falling market valuations. All three of these listing vehicles were established as Variable Interest Entities (VIEs)