New regulations target firms with data on over one million users
China’s internet watchdog has announced that starting February 15, companies managing data for more than one million users must undergo a cybersecurity assessment before pursuing public listings overseas.
According to the Cyberspace Administration of China (CAC), companies in this category must submit to a security review before filing IPO applications with foreign regulators. The notice was released via the CAC’s official WeChat account.
Firms that fail the review, particularly if they are found to pose a threat to national security, will be barred from listing abroad, the CAC stated.
This move adds to a growing list of regulatory reforms initiated by the Chinese government aimed at increasing control over offshore listings by domestic firms.
Following the announcement, stock markets in Hong Kong reacted negatively. The Hang Seng Index slipped 0.36 percent in early trading Tuesday, while the technology index dropped 1.32 percent.
Shares in Hong Kong Exchanges and Clearing Ltd, which operates the city’s stock exchange, were down 1.8 percent after an earlier dip of up to 2.4 percent in response to the news.
Stricter Oversight Measures
The CAC originally floated these new requirements back in July, highlighting concerns that overseas listings might expose Chinese data to foreign control or interference.
In addition, the CAC announced new rules for algorithm-based recommendation systems, which will be enforced starting March 1. These regulations, initially proposed in August of the previous year, will give users the option to disable algorithmic suggestions and place tighter controls on how news content is curated using such technologies.
These efforts are part of a broader clampdown on how companies handle data. Chinese regulators are aiming to exert greater authority over data collection, storage, and distribution practices, while also promoting domestic listings over foreign ones.
Further tightening data governance, China implemented two key legislative measures last year—the Data Security Law and the Personal Information Protection Law. These laws regulate how companies store data and safeguard user privacy.
