Communicating Around China’s New Data Security Rules For Chinese Entities Listing in the US

By ICR Asia PR Team

With the global rise of smartphones and the mobile internet, governments around the world are increasingly concerned about data, privacy, and the expanding surveillance abilities possessed by powerful technology companies. These are reasonable concerns, and a dialogue that every country needs to have within its own national context.

China’s New Data Security Rules — and What They Mean for U.S. IPOs

In the past week, China has begun to formulate new policies of its own in these areas, and this should come as no surprise. The Cyberspace Administration of China (CAC) on July 10 published a draft for revision, which proposes a new requirement that firms with access to the personal information of more than 1 million users must undergo a compulsory security review before conducting an Initial Public Offering (IPO) overseas. This cybersecurity review would look into national security risks that may be posed by data that could be affected, controlled, or maliciously exploited by foreign governments. The CAC also proposed companies must submit IPO materials to the agency for review ahead of listing. The changes have not yet been implemented, and the CAC will seek public opinion on the proposed revisions until July 25.

China is not unique in such concerns, or in taking actions to address them. China’s proposed regulations are is in many ways similar to regulations of the Committee on Foreign Investment in the United States (CFIUS) that require deals involving the personal data of 1 million or more U.S. individuals to be reviewed.

The CAC is still a relatively new agency that was set up in China in 2014 to protect the nation’s internet and data security. The agency’s expanding vigilance on these issues can pose challenges for companies recently listed in the U.S., or those planning to do so, as became clear in the recent case of Didi Global Inc. Just days after Didi’s $4.4 billion listing on the New York Stock Exchange, CAC launched a probe into the company and asked it to stop registering new users. CAC indicated it was investigating “serious violations of laws and regulations regarding the collection and use of personal information” to prevent national data security risks. Under Chinese law, transportation companies such as Didi are classified as critical infrastructure providers and geographic information and data on traffic flows could be considered sensitive information.

The rules posed by CAC on July 10, and the recent Didi incident, both point to highly sensitive issues and unique communication challenges for Chinese companies listed in the U.S.

What’s the Best Communications Response?

The question then is, what can be done? 

As when addressing any other issue or crisis that may impact an organization, the first step is to monitor the situation, and develop scenarios to manage risk. An effective media monitoring program is essential to stay abreast of both the latest official announcements on changing rules and regulations, as well as the media coverage of these changes. Media reporting on the subject will analyze and interpret these changes, and what they mean for companies. That reporting and analysis may or may not be accurate. Media will often look for the “winners” and “losers” of emerging regulatory change. Companies will need heightened vigilance on how they are being presented in this media narrative. Companies will want to develop their own analysis of how changes will impact them, and develop messaging to communicate that to the market.   

Secondly, there will need to be an appropriate level of proactive communication. Investors, media, partners, customers, and employees are all important stakeholders who need to be kept informed. Preparing to communicate before needing to do so is best practice. Assuaging concerns through communicating an organization’s position can be effective if done well.  

Finally, it is important to acknowledge that, at the end of the day, the regulator is always right. Companies will need to convey that they are responsible corporate citizens who will work closely with the respective authorities to comply with new rules and cybersecurity reviews. This is true in all countries and regions globally and is not unique to China. 

In a highly fluid environment of regulatory change, we may not always know immediately what the exact impact of a proposed rule change will be. For a communications program in such circumstances, the focus then will be on monitoring the situation, communicating what we know, when we know it, and conveying a strong message of regulatory compliance.    

Learn more about how to be ready to communicate during a crisis. Download our Guide to Crisis Communications Planning.