China IPO Watch

China Concept Stocks · 2026-02-05

How to Use Standard Contractual Clauses for Cross-Border Data Transfers in an IPO

The 2024 finalisation of the Personal Information Protection Law (PIPL) implementing regulations by the Cyberspace Administration of China (CAC), coupled with the Hong Kong Monetary Authority’s (HKMA) December 2024 circular on cross-border data risk management, has created a binding legal framework for Chinese companies pursuing dual listings in Hong Kong and the United States. For any issuer with a PRC operating entity, the Standard Contractual Clauses (SCCs) under the Measures for Standard Contractual Clauses for Cross-border Transfer of Personal Information (the “SCC Measures,” effective 1 June 2023, as amended) are no longer optional—they are a mandatory condition for satisfying the Hong Kong Stock Exchange (HKEX) Listing Rule 19A.05(2) on regulatory compliance. This article provides a technical, step-by-step guide to structuring SCCs within a VIE or direct offshore holding structure specifically for an IPO context, covering the precise filing timeline, the interaction with the CAC’s security assessment threshold, and the documentation required by both the HKEX and the U.S. Securities and Exchange Commission (SEC) in a Form F-1 or 20-F filing.

The Regulatory Trigger: When SCCs Become Mandatory in an IPO

The trigger for SCC adoption is not the IPO filing itself but the issuer’s operational structure and the nature of data transferred. Under the SCC Measures, any PRC-based personal information processor that transfers personal information abroad must either (a) pass a CAC security assessment (triggered when processing data of more than 1 million individuals or transferring data of more than 100,000 individuals cumulatively), or (b) execute SCCs with the offshore recipient and file them with the provincial CAC office. For a typical China-incorporated operating company in a VIE structure—where the PRC entity (the “WFOE”) holds the data—the offshore parent (Cayman or BVI) is the data recipient. This triggers the SCC requirement unless the issuer qualifies for the security assessment exemption.

The HKEX’s 2024 Guidance Letter GL117-24 explicitly requires all listing applicants to disclose their data compliance measures, including whether SCCs have been executed. The HKEX will not accept a prospectus that omits this disclosure, as it falls under Listing Rule 19A.05(2)’s requirement that the issuer “complies with all applicable laws and regulations in the PRC.” The SEC, through its 2023 amendments to Form F-1, now requires a specific risk factor on “cross-border data transfer restrictions under PRC law,” which must reference the SCC Measures and any executed SCCs.

Distinguishing SCCs from the CAC Security Assessment

A common error in IPO legal due diligence is conflating the SCC filing with the CAC security assessment. The two are mutually exclusive thresholds. The CAC security assessment applies when the data processor handles “important data” (as defined under the Data Security Law, Article 21) or when the volume thresholds are met. For a SaaS company with 200,000 active users, the volume threshold of 100,000 individuals is crossed, making the security assessment mandatory—not SCCs. Conversely, a biotech company with 2,000 clinical trial subjects who are all patients (thus “sensitive personal information” under PIPL Article 28) may fall below the volume threshold but still require SCCs for transfers involving their health data.

The practical consequence for an IPO: if the issuer triggers the security assessment, the entire IPO timeline must account for a 60-90 business day review period by the CAC, which cannot be shortened. If the issuer uses SCCs, the timeline is controlled by the provincial CAC filing, which takes 15-30 business days. No issuer should assume SCCs are the default; a volume analysis must be conducted at least 12 months before the expected listing date.

The SCC Measures require a tripartite structure: the data exporter (the PRC operating entity), the data importer (the offshore listed entity or its Cayman holding company), and the data subjects (the individuals whose data is transferred). For a VIE structure, the exporter is the WFOE, not the VIE entity, because the WFOE controls data processing through contractual arrangements. The importer is the Cayman parent, which receives the data for purposes of consolidated financial reporting, investor relations, and regulatory filings.

Defining the Data Categories in the Schedule

The SCC template (Appendix A of the SCC Measures) requires a detailed schedule listing each category of personal information transferred, the purpose of transfer, the retention period, and the number of data subjects affected. For an IPO, the standard categories are:

  • Employee data: payroll, benefits, and HR records for PRC-based staff (purpose: consolidated financial reporting under HKEX Listing Rule 14.03A; retention: 7 years per PRC Accounting Law Article 23).
  • Customer data: transaction records, user IDs, and usage logs for PRC customers (purpose: investor reporting and regulatory filings; retention: 5 years per PIPL Article 47).
  • Clinical data: for biotech or healthcare issuers, de-identified patient data used for trial reporting to the SEC or HKEX (purpose: clinical trial disclosure under SEC Regulation S-K Item 503; retention: 15 years per NMPA regulations).

Each category must specify the number of data subjects. Overstating this number can push the issuer into the security assessment threshold. Understating it risks a CAC penalty of up to RMB 50 million or 5% of annual revenue (PIPL Article 66). The IPO sponsor’s legal counsel must verify these numbers through a data mapping exercise conducted by a qualified PRC law firm.

PIPL Article 38 requires that cross-border transfers be based on one of three legal grounds: (a) the CAC security assessment, (b) the SCCs, or (c) certification by a CAC-recognised body. For an IPO, the SCC route is the most common because certification is not yet operational for most sectors. The SCC must state that the transfer is based on the data subject’s “consent” (PIPL Article 13(1)) or on “performance of a contract” (PIPL Article 13(2)). For employee data, contract performance is the stronger basis because consent can be withdrawn. For customer data, consent is required unless the transfer is necessary for the contract.

The SCC template also requires a “data protection impact assessment” (DPIA) under PIPL Article 55. The DPIA must be conducted by the data exporter and filed with the CAC alongside the SCC. The DPIA must cover the necessity of the transfer, the risks to data subjects, and the mitigation measures. For an IPO, the DPIA must specifically address the risk that the offshore listed entity may be subject to foreign government data requests (a risk highlighted in the HKEX’s 2024 risk factor guidance).

Filing Process: Timeline, Documentation, and Provincial CAC Variations

The SCC filing is not a one-time event; it is a continuous compliance obligation that must be updated whenever the data categories or purposes change. For an IPO, the filing must be completed before the prospectus is filed with the HKEX. The HKEX requires a legal opinion from a PRC law firm confirming that the SCC has been filed and that no notice of non-compliance has been received from the CAC.

Step-by-Step Filing Timeline

  1. T-12 months: Data mapping exercise begins. The issuer’s PRC counsel identifies all personal information transferred abroad and counts data subjects.
  2. T-9 months: SCC draft is prepared. The schedule is populated with data categories. The DPIA is conducted.
  3. T-6 months: SCC is executed between the WFOE and the Cayman parent. The Cayman parent must appoint a PRC-based representative for service of process (SCC Measures Article 8).
  4. T-5 months: SCC and DPIA are filed with the provincial CAC office where the WFOE is registered. For issuers in Beijing, Shanghai, or Shenzhen, the processing time is typically 20 business days. For smaller provinces, allow 30 business days.
  5. T-4 months: CAC issues a filing receipt. If no objection is raised within 15 business days, the SCC is deemed effective. The receipt is included in the prospectus exhibits.
  6. T-3 months: The legal opinion confirming compliance is delivered to the sponsor and included in the A1 filing or F-1 draft.

Provincial Variations and Common Pitfalls

The CAC’s provincial offices have discretion over the review process. The Shanghai CAC, for example, requires a separate “data security self-assessment” report in addition to the DPIA, while the Beijing CAC accepts the DPIA as sufficient. The Shenzhen CAC has been known to request additional documentation for issuers in the financial services sector, citing the HKMA’s 2024 circular on data localisation for banks. For a fintech issuer, this means the filing timeline may extend by 15-20 business days.

A common pitfall is failing to update the SCC when the issuer acquires a new PRC subsidiary post-IPO. The SCC Measures require a new filing for each data exporter. If the issuer’s post-IPO acquisition adds a new WFOE, a separate SCC must be executed and filed for that entity. The HKEX’s continuing obligations under Listing Rule 14.34 require disclosure of any material change in data compliance, including a new SCC filing.

Disclosure in the Prospectus: What the HKEX and SEC Require

The prospectus must include a dedicated section on cross-border data compliance, typically under “Regulatory Compliance – PRC Data Protection Laws.” The HKEX’s 2024 guidance requires specific disclosure of: (a) whether SCCs have been executed, (b) the date of filing, (c) the CAC’s response (if any), and (d) the risk that the SCC may be invalidated by a future regulatory change.

Risk Factor Drafting

The SEC’s 2023 amendments to Form F-1 require a risk factor that states: “We rely on Standard Contractual Clauses under PRC law to transfer personal information from China to our offshore entities. If the CAC determines that our SCCs are invalid or that we have exceeded the volume thresholds, we may be required to cease data transfers, which could materially affect our ability to report consolidated financial results.” This risk factor must be cross-referenced to the SCC filing receipt in the exhibits.

For the HKEX prospectus, the risk factor must also reference the HKEX’s own data governance framework, specifically the 2024 “Guidance on Cybersecurity and Data Protection for Listed Issuers,” which requires issuers to maintain a data breach response plan that covers cross-border transfers.

The PRC legal opinion must be addressed to the sponsor and the issuer, and it must opine on three points: (a) the SCC has been validly executed and filed under the SCC Measures, (b) the data categories and volume do not trigger the CAC security assessment, and (c) the DPIA is adequate. The opinion must be dated within 30 days of the prospectus filing date. If the opinion is older, the CAC may require a new filing.

Actionable Takeaways for the IPO Team

  1. Initiate the data mapping exercise at least 12 months before the expected listing date to determine whether SCCs or the CAC security assessment applies, as the latter adds 60-90 business days to the timeline.
  2. Appoint a PRC-based representative for the offshore data importer before executing the SCC, as this is a mandatory condition under Article 8 of the SCC Measures.
  3. File the SCC with the provincial CAC office where the WFOE is registered, not the offshore parent’s jurisdiction, and confirm the provincial office’s specific documentation requirements at least 6 months before filing.
  4. Include the SCC filing receipt as an exhibit to both the HKEX prospectus and the SEC Form F-1, and ensure the risk factor explicitly cross-references this exhibit.
  5. Update the SCC within 30 business days of any post-IPO acquisition of a PRC subsidiary that processes personal information, and disclose the update in the next HKEX annual report under Listing Rule 14.34.