China is continuing the regulatory storm triggered by Didi’s US initial public offering (IPO). A new draft proposal by the Cyberspace Administration of China (CAC) – China’s primary internet regulator – requires companies that hold personal data of over one million users to go through additional cybersecurity reviews before listing abroad.
The “Cybersecurity Review Measures”, published on the official website of the CAC on Saturday, aims to protect “national security” and to ensure the security of critical information infrastructure supply chains.
“Critical information infrastructure operators, purchasing network products and services, and data processors carrying out data processing activities that affect or may affect national security shall conduct network security reviews in accordance with these measures,” the proposal said.
The country’s internet watchdog shocked investors last week when it suddenly launched a cybersecurity review into Didi Chuxing – China’s main ride-hailing app – two days after it debuted in New York.
Soon after, it conducted similar investigations into Full Truck Alliance and Zhipin.com which both recently listed in the US. The government subsequently announced that it would take tougher regulatory actions against Chinese companies trading overseas – particularly tech companies listed in the US.
The draft proposal also covers data security risks involving foreign powers, as it aims to review the threat of information being transferred abroad illegally, or being stolen, leaked or destroyed.
The new review measures will also take into account the national security risks of critical information infrastructure. It will check whether personal or critical data is being affected, controlled or maliciously used by foreign governments after listing abroad.
The proposal did not mention whether Chinese tech firms already listen in the US will have to go through the same cybersecurity review.
Laws currently applicable came into effect in June 2020, which require that critical information infrastructure operators go through cybersecurity reviews if they acquire network products or services that are deemed a risk to national security.