Chinese tech companies must undergo government cyber review to list overseas

China on Tuesday evening confirmed it will increase oversight on how local tech companies operate their platforms both locally and overseas through two new sets of rules.

The first set of rules, set to be enforced on February 15, is focused on cybersecurity reviews and will require local tech companies with personal information on over 1 million users to undergo a security review before being allowed to list onto overseas stock exchanges.

Announced by the Cyberspace Administration of China (CAC), the rules did not specify whether cybersecurity reviews would be required for companies that list in Hong Kong.

As part of a cybersecurity review process, the Chinese government can urge tech companies to make organisational changes to fulfil their commitments to the cybersecurity review.

The CAC said the new listing requirement was established to address the risk of key infrastructure, data, and personal information being used maliciously by foreign actors.

The new listing requirement adds another layer of uncertainty for Chinese companies looking to expand overseas, as Chinese companies like China Telecom have already received the stock exchange boot from the US. The US Securities and Exchange Commission last month also gained powers to ban foreign companies listed in the US from trading if their auditors do not comply with requests for information from American regulators.

Looking at the rest of the cybersecurity review measures, the CAC said any companies that carry out data processing activities that affect or may affect national security will also be required to undergo a cybersecurity review, although the Cyberspace Administration of China did not provide definitions on what activities would meet that threshold.

The second set of rules announced by the CAC, set to come into effect in March, target the use of algorithm recommendations by tech companies and require them to establish algorithm mechanism reviews, user registration reviews, and programs protecting minors.

All online platforms will also be required to provide users with the option to turn off or modify how they access algorithm recommendation services, as well as provide users with information on how their personal data is used in the provision of such services.

Both sets of rules follow a big year of tech crackdowns in China, when new laws came into force around data protection, online gaming for minors, gig economy rights. Along with new legislation, the Chinese government also slapped big penalties against tech giants, such as removing Didi from app stores and fining Alibaba 18.2 billion yuan. 

Just prior to the new year, China’s internet security regulator also suspended all of its contracts with Alibaba Cloud after one of its security engineers discovered the Log4J vulnerability and reported it to Apache. The Ministry of Industry and Information Technology suspended its contracts with Alibaba Cloud as it “did not effectively support the Ministry of Industry and Information Technology to carry out cyber security threats and vulnerability management”, according to local media outlets.

RELATED COVERAGE

• Data assessment, user consent key to compliance with China law
  
  
• China looks to classify online data in draft security laws
• China’s personal data protection law kicks in November 1
• China pushes through data protection law that applies cross-border
• Didi barred from China appstores amidst government cybersecurity review
• China calls out 33 apps for collecting more user data than necessary
• APAC consumers believe onus on businesses, governments to safeguard their data