Chinese concept stocks · 2025-12-29
Red Lines for Taking Files Offshore Under China's New Confidentiality Rules
On 29 May 2025, China’s State Council promulgated the Regulations on the Security Management of Confidential Data (hereafter, the “Confidentiality Regulations”), effective 1 October 2025. This piece of secondary legislation, enacted under the Data Security Law (DSL) and the Personal Information Protection Law (PIPL), introduces a mandatory, State-led assessment regime for the cross-border transfer of “confidential data” — a newly defined category that sits between “state secrets” under the Secrecy Law and “important data” under the DSL. For any China-domiciled entity pursuing an offshore listing via a VIE structure or a direct Hong Kong IPO, the practical effect is immediate: the due diligence process, the transfer of audit working papers, and the disclosure of operational data in a prospectus (招股書) now face a new, opaque red line. Unlike the existing data exit security assessments (DESA) administered by the Cyberspace Administration of China (CAC), which focus on personal information and important data volumes, the Confidentiality Regulations trigger a separate, parallel review by the State secrecy authorities. The consequence for non-compliance is severe: a fine of up to CNY 10 million (approximately HKD 10.8 million) and potential criminal liability for responsible officers under Article 398 of the Criminal Law. For Hong Kong sponsors (保薦人) and PRC counsel structuring offshore offerings, the 2025 regime demands a fundamental re-evaluation of the data flow map within the offering circular and the sponsor’s verification procedures.
The Definitional Shift: What Constitutes “Confidential Data”
The core innovation — and the primary source of compliance risk — is the expansion of the definition of “confidential data” beyond the traditional scope of “state secrets.” Under the Secrecy Law (2010, amended 2024), state secrets are classified into three tiers (top secret, secret, confidential) and are exhaustively listed in a State Secrets Catalogue. The Confidentiality Regulations introduce a new, broader category: data that, while not formally classified as a state secret, could “cause harm to national security or public interests if disclosed, tampered with, or lost.” This is a purpose-based, not a catalogue-based, definition.
The “Harm to National Security” Test
Article 3 of the Confidentiality Regulations defines confidential data by reference to the potential consequences of its unauthorised disclosure. The test is not whether the data has been formally labelled, but whether its release could “harm national security, public interests, or the legitimate rights and interests of individuals or organisations.” This is a significant departure from the DSL’s “important data” regime, which relies on sector-specific catalogues (e.g., the Guidelines for the Identification of Important Data in the Financial Sector, published by the People’s Bank of China in 2023). For a VIE-structured technology company operating in China, the data held by its domestic operating entity (WFOE) — including user behaviour logs, supply chain data, and internal financial models — may now fall under this new test if a government authority determines that its disclosure could be used to infer broader economic or social vulnerabilities.
Exclusion from the Existing DESA Regime
Critically, the Confidentiality Regulations operate as a lex specialis to the DSL’s general data exit framework. Article 5 of the Regulations states that where a matter is governed by the Secrecy Law or these Regulations, the provisions of those laws shall prevail over the DSL. This means that a data transfer that qualifies as a “confidential data” transfer is not subject to the standard CAC DESA process; instead, it must undergo a separate, classified review by the State secrecy authorities. For a Hong Kong-listed company with a PRC subsidiary, this creates a bifurcated compliance burden: the company must simultaneously satisfy the CAC’s DESA requirements for personal information and important data (if thresholds are met) and the new secrecy authority review for any data that could be deemed confidential. The two processes are not mutually exclusive, and neither provides a safe harbour for the other.
Impact on the Offshore Listing Process
For a company pursuing a Hong Kong Main Board listing under Chapter 8 of the HKEX Listing Rules, the Confidentiality Regulations introduce a new, mandatory step in the pre-IPO due diligence and prospectus drafting phases. The sponsor (保薦人), the PRC legal counsel, and the company’s data compliance officer must now conduct a “confidential data mapping” exercise before any audit working papers or operational data are transferred to the offshore listing vehicle (typically a Cayman Islands or BVI incorporated holding company).
The Due Diligence Freeze
The most immediate operational impact is on the sponsor’s verification process. Under HKEX Listing Rule 3A.02, the sponsor must exercise “reasonable due diligence” to ensure the prospectus is accurate and complete. This typically involves the transfer of a substantial volume of raw data from the PRC operating entity to the sponsor’s Hong Kong office — including customer contracts, supplier agreements, employee records, and internal financial reconciliations. Under the Confidentiality Regulations, any such transfer that involves data which could be deemed “confidential” under the harm-to-national-security test now requires prior approval from the local secrecy authority at the provincial level (the “保密行政管理部门”). Without this approval, the transfer is illegal. A sponsor that proceeds with the verification process without this clearance risks being found in breach of both PRC law and, by extension, the HKEX’s requirement for the listing applicant to be “legally compliant” under Listing Rule 8.04.
Prospectus Disclosure Implications
The Regulations also impose a direct constraint on what can be included in the prospectus (招股書). Under HKEX Listing Rules 11.07 and 11.08, a prospectus must contain “all information necessary to enable an investor to make an informed assessment” of the issuer’s activities. However, the Confidentiality Regulations, via Article 12, prohibit the disclosure of confidential data in any public document, including a prospectus, unless the disclosure has been specifically authorised by the State secrecy authorities. This creates a direct conflict between Hong Kong’s disclosure obligations and the PRC’s data secrecy requirements. The solution adopted by many VIE-structure issuers in the 2023-2024 cycle — using a “risk factor” section to generically warn investors about PRC data laws — is no longer sufficient. A specific, legally binding undertaking from the relevant PRC secrecy authority is now required to confirm that the data disclosed in the prospectus does not fall within the confidential data definition. This undertaking is not a standard document, and its issuance timeline is unpredictable.
Practical Compliance Pathway for Issuers and Sponsors
Given the lack of guidance from the State secrecy authorities as of Q3 2025 — the Regulations are only four months from effectiveness — the compliance pathway is necessarily conservative. The following steps represent the minimum standard that a sponsor should expect from a PRC listing applicant.
Step One: Pre-Transfer Data Classification
Before any data is transferred from the PRC operating entity to the offshore listing vehicle or the sponsor, the issuer must conduct a formal data classification exercise. This should be documented in a written report prepared by the issuer’s internal data compliance team, reviewed by PRC external counsel, and filed with the local secrecy authority. The classification must apply the “harm to national security” test to each data category. For example:
- Customer transaction data: Likely not confidential, unless the aggregate volume or pattern could reveal macroeconomic vulnerabilities.
- Employee personal information: Subject to PIPL, but not automatically confidential under the new Regulations.
- Internal financial projections: Potentially confidential if they relate to a sector designated as “critical” by the State Council (e.g., semiconductors, telecommunications, energy).
- Supply chain data: High risk if it includes information on suppliers to state-owned enterprises (SOEs) or military-linked entities.
Step Two: Filing for a “Confidential Data Transfer Permit”
If the classification identifies any data as potentially confidential, the issuer must file an application with the provincial-level secrecy authority for a “confidential data transfer permit” (涉密数据出境许可). The application must include a detailed description of the data, the purpose of the transfer (e.g., “for inclusion in the listing prospectus”), the recipient entity (e.g., “Cayman Islands incorporated holding company”), and the security measures in place. Article 8 of the Regulations gives the authority 30 working days to respond, with a possible extension of 15 working days. This timeline must be factored into the IPO timetable. A sponsor that does not allow for this 45-day window in the pre-listing timeline is exposing the issuer to a material risk of delay or withdrawal.
Step Three: Contractual Protections and Data Localisation
Where a transfer permit is either denied or not applied for, the issuer must implement a data localisation strategy for the confidential data. This means that the data must remain within the PRC and cannot be accessed from the offshore listing vehicle. For the sponsor’s verification process, this requires the sponsor to conduct its due diligence on-site in the PRC, using a “clean room” arrangement where the sponsor’s team reviews the data on a PRC-hosted server without transferring it offshore. This is a recognised mechanism under the CAC’s 2022 Measures on Data Exit Security Assessment, and the Confidentiality Regulations do not prohibit it. However, the clean room arrangement must be documented in the sponsor’s verification plan and approved by the HKEX as part of the listing application, as it may limit the sponsor’s ability to independently verify the data.
The Hong Kong Regulator’s Position
The Securities and Futures Commission (SFC) and the HKEX have not issued specific guidance on the Confidentiality Regulations as of late 2025. However, existing regulatory instruments provide a framework for dealing with PRC legal constraints on disclosure.
The SFC’s Code of Conduct and the “Legal Impediment” Provision
Paragraph 17.6 of the SFC’s Code of Conduct for Persons Licensed by or Registered with the SFC requires a sponsor to disclose in the prospectus any “legal or regulatory impediment” that prevents it from fulfilling its due diligence obligations. The Confidentiality Regulations constitute such an impediment. A sponsor that cannot access certain data due to the new regime must disclose this fact in the prospectus, specifying the nature of the data withheld and the legal basis for the withholding. This disclosure must be specific — a generic statement about “PRC data laws” is insufficient. The sponsor must name the specific Article of the Confidentiality Regulations that prevents the transfer and state whether a permit application has been filed or denied.
The HKEX’s Approach to PRC Law Risk
The HKEX’s Guidance Letter HKEX-GL95-18 (updated 2024) on “Listing Applications from PRC Issuers” requires the listing applicant to confirm that it has obtained all necessary PRC regulatory approvals for the listing. The Confidentiality Regulations now add a specific item to this checklist. The listing applicant’s PRC legal counsel must issue a legal opinion confirming that either (a) no data being transferred is confidential under the Regulations, or (b) the necessary permits have been obtained. This legal opinion must be included in the listing application pack. A failure to do so will result in the HKEX rejecting the application as incomplete under Listing Rule 9.03.
Actionable Takeaways
- Mandatory data mapping: Any PRC issuer planning an offshore listing must complete a formal confidential data classification exercise, documented by PRC external counsel, before initiating any data transfer to the offshore vehicle or sponsor.
- 45-day permit buffer: The IPO timetable must include a minimum 45-day buffer for the secrecy authority’s review of any confidential data transfer permit application; failure to do so creates a material risk of withdrawal.
- On-site clean room as fallback: Where a transfer permit is unavailable, the sponsor must conduct due diligence on-site in the PRC using a documented clean room arrangement, with the limitation disclosed in the prospectus under SFC Code of Conduct Paragraph 17.6.
- Prospectus-specific legal opinion: The PRC legal counsel’s opinion must now explicitly address the Confidentiality Regulations — a generic “PRC law compliance” statement is no longer sufficient for HKEX Listing Rule 9.03.
- Cross-border data flow renegotiation: Existing VIE agreements and data processing contracts between the PRC WFOE and the offshore holding company must be amended to include a clause requiring secrecy authority approval before any data transfer, effective 1 October 2025.