China moved on Saturday toward requiring domestic tech companies to submit to a cybersecurity checkup before they can go public on overseas stock exchanges, a step that would close the regulatory gap that allowed the ride-hailing giant Didi to list shares on Wall Street last week without getting a clean bill of digital health from Beijing.
On July 2, two days after Didi’s shares began trading on the New York Stock Exchange, China’s internet regulator ordered the company to stop signing up users while officials conducted a security review, sending its share price tumbling.
Chinese regulators have since ordered Didi’s apps off mobile stores and fined it for failing to give advance notice about some of its past merger deals, making clear their displeasure with the company, whose ride-hailing service has 377 million annual active users in China.
Data protection has been a main focus for Beijing as China jousts with the United States for high-tech leadership. Just as U.S. officials have sought to ensure that Americans’ data is protected from the Communist Party’s prying eyes, Chinese officials want to ensure that domestic tech companies do not compromise their information about Chinese users when they go public overseas and submit to the scrutiny of foreign securities regulators.
China’s internet regulator, the Cyberspace Administration of China, enacted its rules on security reviews last year as part of its framework for safeguarding the nation’s digital infrastructure.
Those regulations stopped short of requiring companies like Didi to undergo a formal security check before filing for an overseas initial public offering, but that would change under the revisions proposed by the agency on Saturday.
The revised rules say a security review would be mandatory for any business possessing information on more than one million users that seeks to list its shares abroad. Such companies would need to submit materials related to its I.P.O., as well as procurement documents and contracts.
Under the existing rules, the security review is aimed at addressing the risks to national security and business continuity posed by the servers, software, cloud services and other products that major tech companies use.
The revised rules add two more risks to the list: the possibility that important data could be “stolen, leaked, damaged and illegally exploited or moved overseas,” and that data could be “influenced, controlled or maliciously exploited by foreign governments” after an overseas I.P.O.
The Cyberspace Administration is accepting public comments on the revisions until July 25.
Top Chinese policymakers had indicated this week in a policy document that they would seek to toughen supervision over companies listed overseas, an issue that the document framed as a national security concern.
For fast-growing Chinese tech businesses, a Wall Street share sale has long been highly coveted as a chance to reward early employees and funders while also winning the validation of international investors. But Beijing is making clear that none of that is as important as securing companies’ data and digital infrastructure.
After moving against Didi, the Cyberspace Administration this week ordered three additional internet platforms — two that connected freight customers with truck drivers and one for job recruitment — to suspend user registrations and submit to security reviews. Like Didi, the two companies behind those platforms, Full Truck Alliance and Kanzhun, had also gone public recently in the United States.