
Chinese IPO regulators tasked to ensure data compliance of candidates

  • Operational compliance crucial for domestic listings, while security risks key for overseas IPOs
  • Failure to meet regulators’ data requirements could derail deals
  • Consumer-facing brands, companies in AI, healthcare, energy, self-driving vehicles and internet sectors face closer scrutiny

Since the country overhauled its listing regimes earlier this year, China’s top stock-market regulator and various securities exchanges have begun to systematically assess the operational impact of an initial public offering (IPO) issuer’s data compliance practices, legal practitioners told this news service.

This underscores the fact that data operations have become an increasingly important component of corporate operations in the eyes of regulators, lawyers said. In practice though, authorities inspect different aspects of data compliance depending on the listing geographies, they added.

The China Securities Regulatory Commission (CSRC) and the country’s three main exchanges “are looking at data compliance from the standpoint of its impact on an IPO candidate’s qualifications, e.g., legitimacy of business model, long-term profitability and sustainability, etc.,” said Raymond Wang, partner at Shihui Partners.

The promulgation of China’s data laws and ministry-level regulations in recent years – the Data Security Law (DSL) and Personal Information Protection Law (PIPL) passed in 2021, for example – has provided authorities the legal grounds to systematically examine data compliance practices of listing candidates, Wang said.

Domestic listings: devil is in the details

For domestic listings, China’s registration-based scheme, which was already adopted by Shanghai’s STAR Market, Shenzhen’s ChiNext, and the youngest Beijing Stock Exchange, was rolled out to all exchanges including the Shanghai Stock Exchange and Shenzhen Stock Exchange from 17 February 2023.

The scheme mandates the exchanges to determine if an issuer meets all the requirements.

The registration-based scheme was initially hailed as a fast-track program.

For companies with business models relying heavily on data, the bourses preemptively seek to make sure an issuer’s collection, processing, and trading of data are fully legitimate and compliant with domestic data laws, e.g. the PIPL and DSL mentioned above, to minimize the possibility of disruptions to company operations after they go public, Peng Cai, equity partner at Zhong Lun Law Firm, said.

The IPO of Intsig Information, a Shanghai-based software producer offering intelligent text recognition, business big data analysis, and internet advertising promotion, may help shed some light on the granularities of regulatory reviews on data compliance.

Intsig filed a listing application to the Shanghai Exchange’s STAR market in September 2021. On 31 December 2021, the application was suspended because the financial information stated in the filing expired. The application was suspended again on 23 March the following year because of its failure to complete due diligence and respond to queries from regulators in a timely manner.

Intsig went through three rounds of regulatory questioning before it finally received approval on 4 August 2023. In the first round of inquiry in October 2021, the Shanghai Stock Exchange asked about Intsig’s potential flaws in data management. In the second round of inquiry in March 2022, the exchange further asked if Intsig’s collection of data is legitimate and enquired about the accuracy of its data. In the third round in September 2022, Intsig was again questioned about data security and personal information protection.

In its responses to the inquiries, Intsig recognized the existence of flaws and imperfections in its data compliance practices, and submitted materials showing that they had been rectified. Intsig registered on the STAR market on 17 October 2023 – more than two years after the initial filing.

Offshore IPOs: one checkpoint after another 

For listings outside mainland China, IPO candidates must obtain CSRC’s blessing to go public, under a filing-based system that took effect on 31 March 2023.

CSRC reached out to fifty-one of 142 IPO candidates – i.e. 35.91% – that filed between 31 March and 15 September for data compliance queries, according to data compiled by Grandall Law Firm based on CSRC official releases.

For offshore listings, CSRC tends to assess national security risks related to data in addition to operational compliance, said Jing Hu, partner at King & Wood Mallesons.

CSRC pays particular attention to potential data security risks caused by communications between domestic entities (the issuer, as well as legal and financial advisors) and their overseas counterparts (stock exchanges, market regulators, legal and financial advisors of the listing jurisdiction) throughout the IPO process, Hu said.

Local advisors are advised not to directly transfer written materials to or engage in verbal communications (interviews, conferences) with overseas entities.

In practice, they often liaise with mainland China-based branches and subsidiaries of overseas entities to address regulatory concerns, according to a fourth Shanghai-based data lawyer.

In the event that such communications involve the transfer of sensitive or important data, or large amounts of personal information, to an overseas recipient, the issuer and advisors should pass the cross-border data transfer security assessment by the Cyberspace Administration of China (CAC) prior to any communications, Hu said.

Failure to meet data compliance requirements could kill deals, Cai at Zhong Lun noted.

Multiple layers of scrutiny are in place to ensure security rules are religiously followed.

Platform companies sitting on personal data of over 1m users and seeking foreign listings must go through a cybersecurity review under the Office of Cybersecurity Review located in the CAC before they file applications with securities regulators, Cai said.

Listing in Hong Kong does not trigger a proactive filing for cybersecurity review, Hu said.

Exceptions are Hong Kong listings that may impact national security, for example when the candidate’s business operations involve highly sensitive data, such as human genetic data, Hu added.

It is notable that CAC’s cybersecurity review is an independent process from the review by the CSRC. An approval from CAC must be obtained before filing with the CSRC.

And, once they apply to CSRC, the market regulator will again invite CAC to review the applicants’ data compliance practices and ask the data regulator for follow-up questions and rectification suggestions where need be. CAC’s nod is a precondition to a CSRC approval, Cai said.

Stock exchanges outside mainland China, including the Hong Kong Stock Exchange, also require issuers to meet compulsory and substantial data compliance requirements as prescribed by Chinese laws prior to listings, Hu at King & Wood Mallesons said.

Still, in the event of minor issues, foreign exchanges may ask issuers to come up with solutions and make rectifications within a certain period of time after IPOs, Hu added.

Compliance checks a never-too-early task

IPO hopefuls – regardless of listing destinations – sitting on large volumes of personal data, such as To-Consumer (2C) brands and internet companies, should expect tighter regulatory scrutiny on data compliance, said Wang at Shihui.

IPO candidates with access to sensitive data, such as companies in the healthcare, energy, artificial intelligence (AI), and autonomous driving vehicles fields, will also be subject to stricter IPO reviews, Wang said.

If a company has operations in jurisdictions with tighter data-protection regulations, e.g., the General Data Protection Regulation (GDPR) in the European Union, CSRC will also make sure the company complies with such local laws, Cai at Zhong Lun noted.

Companies are advised to fully inspect data compliance regulations when choosing listing destinations, Wang at Shihui and Hu at King & Wood Mallesons said. Those whose operations involve sensitive data, important data, or a large volume of personal data should expect more risks (or data concerns from regulators) with overseas listings, Hu said.

For US IPOs in particular, companies should kick off data compliance checks as early as possible, to mitigate timeline uncertainties, Cai at Zhong Lun said.

Hu at King & Wood Mallesons suggested engaging lawyers specialized in data laws at “IPO kick-off meetings” if advisors see data compliance as a concern. It is also very important for companies to prepare materials on data compliance, and these need to be consistent with what is stated in the IPO prospectus, Wang at Shihui said.

For investors looking at private rounds, pre-deal due diligence on data-related issues always helps them project potential risks as they seek to exit in IPOs eventually, according to Wang at Shihui and Cai at Zhong Lun.

It also helps to keep in mind that China’s data regulations are constantly evolving, the lawyers said.

China is considering publishing ministry-level regulations governing annual audits of personal data this year. The Artificial Intelligence Law and Network Data Security Management Regulation have been put in the latest legislation pipeline of China’s State Council.

At the end of the day, keeping a sharp eye on China’s IPO regime changes, against the backdrop of the country’s ever-changing regulatory environment, should always top any company’s agenda, lawyers said.