China Concept Stocks · 2025-12-16
Data Export Security Assessments for Chinese Companies Listing Overseas
The convergence of China’s data security regime with its offshore capital markets strategy has entered a new operational phase. Since the effective date of the Data Security Law (DSL) on 1 September 2021 and the Personal Information Protection Law (PIPL) on 1 November 2021, the critical bottleneck for any Chinese company pursuing a Hong Kong or US listing has shifted from purely financial due diligence to a mandatory, multi-agency data compliance review. The key regulatory gatekeeper is the Measures on Data Export Security Assessment (DESA), which took effect on 1 September 2022. For 2025, the practical reality is that no company can file an A1 application with HKEX or confidentially submit an F-1 with the SEC without first obtaining a positive DESA result from the Cyberspace Administration of China (CAC) if its operations involve “important data” or the personal information of a critical mass of individuals. This is not a theoretical risk; the CAC has publicly confirmed the rejection of at least two major IPO-related data export applications in 2024, halting those listings indefinitely. The cost of non-compliance is not a fine but a complete prohibition on data transmission, effectively freezing the listing process.
The Statutory Framework: From DSL to DESA
The Three-Law Architecture and Its Extraterritorial Reach
The foundation of China’s data export control system rests on three statutes: the Cybersecurity Law (CSL, 2017), the DSL (2021), and the PIPL (2021). For a company seeking an overseas listing, the PIPL’s extraterritorial application is the most immediate concern. Article 3 of the PIPL states that the law applies to the processing of personal information of natural persons within China by entities outside China if the purpose is to “provide products or services” to those individuals or to “analyse and evaluate” their behaviour. A Hong Kong-listed company with a mainland Chinese user base is directly subject to this provision.
The DESA mechanism, formally the Measures on Data Export Security Assessment (effective 1 September 2022, updated by the Promulgation of the New Data Export Security Assessment Measures in March 2024), operationalises these laws. The 2024 revision lowered the threshold for mandatory assessment. Under the original 2022 measures, a data processor was required to apply for a DESA if it processed the personal information of 1 million or more individuals and intended to export that data. The 2024 revision broadened this to include any “critical information infrastructure” (CII) operator, or any processor of “important data,” regardless of volume. For a typical Chinese tech IPO candidate—which almost invariably holds data on millions of users—the DESA is now a mandatory, non-waivable step.
The “Important Data” Definition and Its Impact on Listing Candidates
The term “important data” is defined in the Regulations on the Security Protection of Critical Information Infrastructure and further elaborated in sector-specific guidelines. The Data Security Law (Article 21) establishes a national data classification system, with “important data” being a category below “core data” but above “general data.” The CAC has not published a single, exhaustive list of what constitutes “important data” across all industries. Instead, it relies on sectoral regulators—the Ministry of Industry and Information Technology (MIIT) for telecoms, the People’s Bank of China (PBOC) for finance, the National Health Commission (NHC) for healthcare—to define the scope.
For a company in the logistics or e-commerce sector, “important data” can include precise geographic location data of logistics hubs, transaction records exceeding a certain volume, or aggregated consumer behaviour datasets that could reveal national economic trends. A 2024 white paper from the China Academy of Information and Communications Technology (CAICT) estimated that over 60% of Chinese companies that filed for a US IPO between 2021 and 2023 held at least one dataset that could be classified as “important data” under their respective sectoral guidelines. The practical implication for a sponsor is clear: the due diligence scope must now include a data classification audit conducted by a CAC-recognised third-party security testing institution.
The DESA Application Process: Timeline, Documentation, and Rejection Risks
The Three-Stage Submission and Review Cycle
The DESA process, as outlined in the 2024 revised measures, follows a structured three-stage cycle. Stage one is the self-assessment. The company must engage a qualified third-party security assessment institution—accredited by the CAC—to conduct a full audit of its data processing activities, data classification, and proposed export scope. This report must be submitted to the provincial-level cyberspace administration (the provincial CAC office).
Stage two is the provincial CAC review. The provincial office has 15 working days to determine whether the application is complete and whether it should be forwarded to the national CAC for a final decision. In practice, the provincial CAC often requests supplementary materials, particularly regarding the data recipient’s security measures in the destination jurisdiction. For a Hong Kong listing, the recipient is the Hong Kong-incorporated issuer and its service providers. The provincial CAC will scrutinise whether the Hong Kong entity has adequate contractual and technical safeguards to prevent onward transfer to third parties.
Stage three is the national CAC decision. The national CAC has a statutory review period of 45 working days, extendable by another 45 working days for complex cases. The CAC can also convene a “data export security assessment expert committee” for technical review, which can add an indefinite period. The total timeline from application to final decision is realistically 4 to 8 months. A company planning to file an A1 in Q3 2025 must have its DESA application submitted to the provincial CAC no later than Q1 2025.
The Rejection Grounds and the “No-Go” Scenarios
The DESA measures (Article 8 of the 2024 revision) list five grounds for rejection. The most common for listing candidates are: (1) the data export may “endanger national security or the public interest”; (2) the data recipient does not have the same level of data security protection as required under Chinese law; and (3) the data processor has not fulfilled its obligations under the PIPL, such as obtaining separate consent from the data subjects for data export.
The “national security” ground is the most opaque. The CAC has not published a list of prohibited data categories for export in the context of overseas listings. However, market intelligence from the 2024 rejected applications suggests that companies with direct access to government administrative systems, or those whose operations intersect with “core data” (a higher classification under the DSL), are automatically rejected. A notable example was the aborted US IPO of a Chinese ride-hailing company in 2023, where the CAC determined that its real-time traffic flow data constituted “important data” and its export to a US-based cloud server was a national security risk.
Structuring the Offshore Vehicle: VIE, H-Share, and Data Compliance
The VIE Architecture Under Data Export Scrutiny
The Variable Interest Entity (VIE) structure remains the dominant vehicle for Chinese companies listing in Hong Kong or the US, particularly in sectors where foreign ownership is restricted (e.g., internet content provision, value-added telecom services, education). Under a standard VIE, the Hong Kong-listed entity (a Cayman or BVI holding company) does not own the equity of the PRC operating company. Instead, it controls it through a series of contractual arrangements: exclusive call options, equity pledge agreements, and management services agreements.
This structure creates a specific data compliance problem. The contractual arrangements require the PRC operating company to share operational data—including user personal information—with the offshore entity for consolidation and reporting purposes. Under the PIPL and DESA, this data flow constitutes a “data export” from the PRC to the offshore entity. The fact that the offshore entity is the ultimate parent does not exempt it from the DESA requirement. The CAC has explicitly stated in its Q&A guidance (published on the CAC website, 2023) that data transmission from a PRC subsidiary to its foreign parent falls within the scope of data export regulation.
The solution adopted by most post-2022 IPO candidates is to establish a “data compliance VIE” or a “data trust” structure. In this structure, the PRC operating company retains a separate, PRC-licensed data processor entity that holds all user data. The offshore entity receives only aggregated, anonymised, or pseudonymised data for financial reporting purposes. The granular, raw personal information never leaves China. This structure must be documented in the prospectus, and the sponsor must confirm in the A1 filing that the DESA has been obtained for the specific data flows that do occur.
H-Share and the Direct Listing Alternative
The H-Share structure, where a PRC-incorporated company lists directly on HKEX, presents a different data compliance profile. Because the listed entity is itself a PRC company, the “data export” is not from a PRC subsidiary to a foreign parent but from the PRC company to its Hong Kong branch or to its Hong Kong-based service providers (e.g., the registrar, the share registry, the auditors). The DESA still applies, but the scope of data exported is typically narrower: it is limited to shareholder register data, corporate governance records, and financial audit data.
The advantage for H-Share issuers is that the CAC has a clearer view of the data flow. The PRC company is under the direct supervision of the CSRC (China Securities Regulatory Commission), and the data export is for regulatory compliance purposes rather than for operational control. The CSRC’s Administrative Provisions on the Filing of Overseas Securities Offerings and Listings by Domestic Companies (effective 31 March 2023) require all overseas listings—whether VIE or H-Share—to file with the CSRC within three working days of the listing application. The CSRC filing requires a certification that the company has complied with the data security laws, including the DESA. For H-Share issuers, this certification is easier to obtain because the data flow is more circumscribed.
The Role of the Sponsor and Legal Counsel in the Pre-Filing Stage
The Expanded Due Diligence Mandate
The HKEX Listing Rules (specifically, Chapter 3 and Appendix 17) require sponsors to conduct “reasonable due diligence” to ensure the listing applicant complies with all applicable laws and regulations. Since the effective date of the DSL and PIPL, the SFC and HKEX have made it clear that data security compliance is a core component of this due diligence. In a 2023 joint circular, the SFC and HKEX reminded sponsors that they must “take all reasonable steps” to verify the applicant’s data compliance status, including obtaining a copy of the DESA result or a written confirmation from the CAC that no assessment is required.
The practical challenge for a sponsor is that the DESA process is confidential. The CAC does not publish its decisions. The sponsor must rely on the applicant’s legal counsel—typically a PRC law firm with a data security practice—to provide a legal opinion confirming the DESA status. This opinion must be addressed to the sponsor and the HKEX. The opinion must state: (1) whether a DESA is required; (2) if required, the date of submission and the current stage of review; (3) if completed, the outcome and any conditions attached; (4) a risk assessment of the likelihood of a negative outcome.
The “No-Objection” Letter and the Filing Window
The critical document for the listing timeline is the “no-objection letter” from the provincial CAC, confirming that the DESA application has been accepted and is under review, or that no assessment is required. This letter is not a guarantee of approval, but it is a prerequisite for the CSRC filing. Without it, the CSRC will not process the filing, and without the CSRC filing, HKEX will not accept the A1 application.
The timeline for obtaining this letter is unpredictable. Anecdotal evidence from 2024 transactions suggests that the provincial CAC can take 2 to 4 months to issue a no-objection letter for a straightforward case (e.g., a company with no “important data” and fewer than 1 million users). For a complex case involving “important data” or a large user base, the timeline can extend to 6 to 9 months, with a non-negligible risk of rejection. Sponsors must build this timeline into the pre-filing schedule, and the listing agreement with the applicant should include a condition precedent that the DESA no-objection letter is obtained before the filing.
Closing: Actionable Takeaways for 2025 Listings
- Mandate a data classification audit by a CAC-accredited third party at least 12 months before the planned A1 or F-1 filing date; the DESA timeline of 4 to 8 months is a floor, not a ceiling, and the audit itself can take 3 months.
- Structure the offshore data flow to transmit only aggregated, anonymised data for financial reporting; retain all raw personal information within a PRC-licensed data processor entity to minimise the scope of the DESA application.
- Secure a written legal opinion from a PRC law firm with a dedicated CAC practice that explicitly addresses the “important data” classification and the need for a DESA; a generic opinion will not satisfy the SFC/HKEX joint circular requirements.
- Obtain the provincial CAC no-objection letter before making the CSRC filing; the CSRC will not accept a filing without it, and the HKEX will not accept an A1 without the CSRC filing.
- Prepare a contingency plan for a negative DESA outcome, including a potential restructuring of the offshore vehicle from a VIE to an H-Share or a complete withdrawal of the listing application; the CAC has not shown a willingness to negotiate after a formal rejection.