Everything Dealmakers Need to Know About Cyberspace Administration of China

The Real Deal Podcast

In this week’s episode, we look at the Cyberspace Administration of China (CAC) and how the data regulator is impacting Chinese companies looking to list in the U.S.

Joining host Julie-Anna Needham is Lisha Zhou, China managing editor for Mergermarket, Dealreporter and PaRR, and Kimberly Jin, a regulatory reporter for PaRR based in Shanghai. Dealcast is presented by Mergermarket and SS&C Intralinks.

In this episode, you’ll learn:

  • History and role of the Cyberspace Administration of China
  • Auditing process for Chinese companies looking to list in the U.S.
  • The framework of CAC’s review and state of current filings
  • Evolution of CAC as M&A regulator
  • + more

Dealmakers, sign up for our monthly INsights newsletter here.


[MUSIC PLAYING] Welcome to Dealcast, the weekly M&A podcast presented to you by Mergermarket and SS&C Intralinks. I'm Julie-Anna Needham, a journalist who's been covering M&A for a decade. In this episode, we're going to find out more about the Cyberspace Administration of China and how it's impacting Chinese companies looking to list in the US. I'm joined by Lisha Zhou, China Managing Editor for PaRR, and by Kimberly Jin, who is a Regulatory Reporter based in Shanghai.

Hi, Lisha. Hi, Kimberly. Thanks for joining me today.


LISHA ZHOU: Hi, Julie-Anna.

JULIE-ANNA NEEDHAM: So let's start off with a brief introduction to CAC. What does it do? And how long has it been around for?

KIMBERLY JIN: Sure. So the full name of CAC is Cyberspace Administration of China. It's been around since 2011. At first, it's mostly focusing on the management and supervision of online content. But since 2020, it has been also emerging as a powerful data regulator in China.

LISHA ZHOU: Yes. And recently, CAC has become a powerful agency, which stands in the way of Chinese companies overseas listing and the Chinese platform companies merger filing.

JULIE-ANNA NEEDHAM: Great. So we're going to have a look into both of those things in a bit more detail. But we're going to focus on CAC's role in this long-running dispute relating to auditing compliance for Chinese companies that want to list in the US. Could I just have a very brief introduction to this dispute and what it involves?

LISHA ZHOU: Yes. We learned from media reports that a group from the US has arrived in Beijing and has passed the quarantine period. And this week, the group will start to talk with the Chinese government over the long-running dispute regarding the auditing compliance of the Chinese U.S.-listed companies. And this dispute has been a long time.

And basically, it insists the Chinese — the Ministry of Finance has insisted that China has the sovereignty rights of the Chinese companies data, which the U.S. regulators require the Chinese companies to disclose their basic data, auditing data, to the U.S. agency in terms of better regulation of the Chinese U.S.-listed companies. If this auditing compliance dispute can be solved, this will be definitely good to encourage more Chinese companies listed in the U.S.

However, there's another big [AUDIO OUT] standing in the way of Chinese companies listing in the U.S. Because since July last year when CAC probed into DiDi Chuxing, a Chinese taxi-hailing company, which just listed in the U.S. And two days later, the CAC approved it to DiDi Chuxing. And then immediately expand the probe into other Chinese US-listed companies, including both, [INAUDIBLE] and [INAUDIBLE] and [INAUDIBLE].

Then in late July last year, CAC proposed revising the cybersecurity review measures, which expands the review scope to cover Chinese companies overseas listing activities. The revised version passed in November, and took effect on February 15. And according to these amendments, Chinese companies that hold more than one million individuals personal information should obtain CAC's clearance before listing abroad. So for the Chinese companies, if they want to list in the US, they need to obtain clearance from CAC first.

JULIE-ANNA NEEDHAM: Great. Thanks for that, Lisha. And Kimberly, has CAC established a review regime? Can you explain what that review involves, and tell us whether the agency started to take up any filings for review?

KIMBERLY JIN: Sure. So the CAC has already established the framework of the cybersecurity review regime since the amended measures took effect 15th of February this year. The general idea is that when the companies submit an application for review, the CAC will reply in 10 working days if a review is triggered. And if it does, the CAC will conduct a full review within 30 working days.

If the case is complicated, the review time can be extended to 45 days. So that's the basic timeline of a review. And in recent months, we know that the CAC has specified exactly what materials the company need to submit in order to apply for a review. According to documents we've seen, the CAC is basically asking the companies to conduct a very meticulous data screening and mapping exercise, as well as to do a self-evaluation on the potential risks related to cybersecurity and data security due to their overseas listing activity.

And yes, the agency has already started to take up filings. As far as we know, there are several Chinese companies that have approached the agency and received a package of forms and guidance on filing procedures from the agency. And at least one of them has received a note from the agency, basically stating that their application has been accepted for next step.

JULIE-ANNA NEEDHAM: So this is like a really early stage in this process. Is it expected that lots more companies will be submitting filings for review?

KIMBERLY JIN: Yes. I think it depends on how many Chinese companies still want to go overseas listings. If they does, and if they have the personal data of more than one million Chinese users, they have to get a CAC review first before they actually can go overseas for listing.

LISHA ZHOU: Yeah, since the new revised measures took effect-- just on February 15 — so far, we heard only companies that has made filing. But no company has completely gone through the whole review procedure, as the review procedure at least require the 40 working days as introduced back [INAUDIBLE] before. And so far, many companies we heard that they are just in early stage of make a filing and get back and forth communication with the agency.

So far, we didn't hear and didn't see any company has got any outcome of the review. So we don't know whether the review would be clearance or would be any kind of remedies. So far, we haven't seen any successful review example.

JULIE-ANNA NEEDHAM: Kimberly, staying with you, from July last year, have any Chinese companies successfully listed in the U.S.? And have they gone through the CAC review?

KIMBERLY JIN: Sure. Actually, from July last year, there are four Chinese companies that successfully listed in the US. And they are Sentage Holdings, which is a consumer loan repayment services firm, LianBio, which is a drug startup, and Meihua, which sells disposable medical products, and Lakeshore Acquisition II, which is a spec company. Actually, according to their filings, none of them have gone through the CAC review. But LianBio and Meihua mentioned about it in their filings.

So in LianBio's filing, it says, the company is not subject for review because it holds no personal identifiable health data of the Chinese patients. As for Meihua, because it sells products while distributors largely, so it has very few customer data. And therefore, it is also not subject to the review.

We also looked into 19 Chinese companies that submitted or updated their SEC filings since mid-February. And surprisingly, none of them states in their filing that they are subject to the review by the agency. The reason they are citing is that they do not obtain personal data, or the amount of data they obtain is less than the one million user threshold stipulated by the majors.

Another interesting case I want to point out is the [INAUDIBLE] industrial supply, which is an e-commerce platform for industrial products. So actually, this company [INAUDIBLE], it attends a no objection letter for its oversea listing-- US listing from the China Security Regulatory Commission, CSRC, in late March. Although we do not know whether CAC has launched a full review into [INAUDIBLE]. But we do know that it's likely that at least the agency has taken a look at the deal and determined its U.S. listing does not have an impact on China's national security.

So I guess the key takeaway here is that the amount of personal data a company obtains is one of the most important factor the CAC will consider when deciding whether an overseas listing will trigger a review or not. And for B2B companies like Meihua and [INAUDIBLE], they are less likely to trigger such review compared to their B2C peers. Hope this makes sense.

JULIE-ANNA NEEDHAM: Yes, thank you. And can you explain where the CAC's data clearance is applied to all overseas listings? Obviously, we've been talking about the US. What about other listings including Hong Kong?

KIMBERLY JIN: Yes. So the CAC clearance will be applied for all overseas listing, as long as the company obtains personal data of more than one million users in China. And as for Hong Kong listing, as far as we know, currently the CAC clearing is not mandatory. But we cannot rule out the possibility that if the CAC considers a Hong Kong listing will have an impact on China's national security, it may actually proactively launch a review into the case.

JULIE-ANNA NEEDHAM: Great. Thank you. And Lisha, coming back to you. With CAC's involvement, how do you think that the number of Chinese companies looking to list in the US will change in the future? Will it recover again?

LISHA ZHOU: Currently, there is still something pending to be clarified or waiting-- we need to observe the final outcome because CAC is still probing DiDi Chuxing, both [INAUDIBLE] and [INAUDIBLE]. So we don't know what the outcome of the probe of these companies. If CAC has concluded this deal, we will see how these companies or similar companies will face-- what kind of cybersecurity review of their overseas listing.

And CAC's cyber security review procedure so far is quite confidential and has not to disclose or has not made make it public. So we still need to — waiting to see the first successful approval case so that people would know what the CAC review means to those companies that prepare for the overseas listing. And before these kind of issues has been clarified, we don't know how the Chinese companies overseas listing can really recover.

JULIE-ANNA NEEDHAM: Thank you. And one last question for you, Lisha. Has CAC become involved in any merger reviews?

LISHA ZHOU: Yes. Recently, PaRR has observed that CAC has emerged to act as an extent of merger review regulator before China's merger review regulator, SAMR, formally accepted a filing for review. We heard that some Chinese platform companies, which means data-heavy companies, made a merger filing with SAMR. But SAMR would ask them to provide the CAC's opinion on the deal.

And then the companies has to go to CAC and ask for CAC's opinion. And CAC may likely ask the company to withdraw some funding first and conduct a cybersecurity review of the deal first. So it appears that CAC has emerged as a more and more powerful agency and stand before platform companies to complete a merger filing.

JULIE-ANNA NEEDHAM: Great. Lisha and Kimberly, thank you very much. That was Lisha Zhou and Kimberly Jin. Thank you for listening to this week's episode of Dealcast, presented by Mergermarket and SS&C Intralinks.

Please rate, review, and follow the podcast. You can find us on Apple Podcasts, Spotify, or look out for your Mergermarket news alert. For more information, check out our show notes. Join us next week for another episode.