Exhibit 23.8
Legal Opinion Upon
The Application & Enforceability of PRC Regulations
on Overseas Listing in Hong Kong
For the Kind Att.:
Voltage X Limited
September 15, 2025
Highly Confidential
Content
1. Divergent Regulatory Regimes: Chinese Mainland and Hong Kong
2. Analysis of CSRC’s Regulatory Role in Overseas Listing Requirements
3. Analysis of the Applicability of Article 177 of the PRC Securities Law
4. Analysis of CAC’s Regulatory Role in Overseas Listing Requirements
5. Analysis of Data Outbound Transfer Requirements Under CAC
6. Conclusion
DISCLAIMER
This opinion is limited to matters addressed herein and is not to be read as an opinion with respect to any other matter. Further, our opinion is subject to the following qualifications:
a. The relevant PRC laws and regulations and the provisions before the issue of this opinion.
b. There are no false records, misleading statements and major omissions in the communication, emails, documents and other correspondence provided to us.
This opinion is delivered solely for your benefit and may not be used or relied upon by any other person other than advisors and consultants you have retained for the captioned matter for any purpose whatsoever, other than in connection with regulatory requirements or in response to a court order, without in each instance, our prior written consent.
© 2025 Shanghai Highper Law Firm
All rights reserved.
Re: Legal Opinion upon the Application & Enforceability of PRC Regulations on Overseas Listing in Hong Kong
We, Shanghai Highper Law Firm (hereinafter referred to as “Our Firm” or “We”) have been instructed by Voltage X Limited (the “Company”) to prepare the legal opinion on the legislation, regulations and/or regulatory authorities of the People’s Republic of China (hereinafter referred to as the “PRC”, which for the purpose of this opinion refers to Chinese mainland jurisdiction only, excluding Hong Kong, Macau and Taiwan) with respect to the issues addressed in the Company’s Registration Statement on Form F-1 under the heading “Risks Associated with Conducting Business in Hong Kong” and on the issues addressed in the SEC’s comments.
Based on the information & files disclosed to us, we hereby provide the consolidated legal opinion as follows for your initial consideration.
1. Divergent Regulatory Regimes: Chinese Mainland and Hong Kong
Pursuant to the “One Country, Two Systems” principle enacted on July 1, 1997, the Hong Kong Special Administrative Region maintains a legal and regulatory system distinct from that of the Chinese Mainland. With the exception of laws concerning national sovereignty—which are applied to Hong Kong under specific constitutional procedures—the national legislation of the PRC does not extend to Hong Kong. This clear jurisdictional separation ensures the continuity of Hong Kong’s common law tradition and its high degree of autonomy.
1.1 Hong Kong’s Legal Framework: A Distinct Entity from the Chinese Mainland
Pursuant to the Constitution of the PRC and the principle of “One Country, Two Systems,” Hong Kong maintains an independent legal and regulatory system separate from that of the Chinese mainland.
The legal foundation for this separation is enshrined in The Basic Law of the Hong Kong Special Administrative Region of the People’s Republic of China (the “Basic Law”), adopted at the 3rd Session of the 7th PRC National People’s Congress on April 4, 1990, and effective as of July 1, 1997, which serves as the constitutional document for Hong Kong.
Article 8 of the Basic Law stipulates that the laws previously in force in Hong Kong—including the common law, rules of equity, and ordinances—shall be maintained, thereby preserving its common law system.
Crucially, Article 18 of the Basic Law explicitly states that national laws of the PRC shall not be applied in Hong Kong. The only exception is for a limited number of laws relating to national sovereignty, defense, and foreign affairs, which are enumerated in Annex III of the Basic Law. These Annex III laws must be implemented locally by way of legislation or promulgation by Hong Kong.
1.2 Non-Applicability of PRC Regulatory Authorities and Regulations in Hong Kong
This constitutional framework means that the regulatory regimes governing areas such as finance, commerce, data security, and securities regulation on the Chinese mainland are not directly applicable or enforceable within Hong Kong. Chinese mainland regulatory authorities, including but not limited to the Cyberspace Administration of China (CAC) and the China Securities Regulatory Commission (CSRC), derive their jurisdiction from PRC domestic legislation that falls outside the scope of Annex III of the Basic Law.
Consequently, unless and until a specific national law is added to Annex III and transposed into Hong Kong law through its own legislative process, the rules, practices, and enforcement actions of such PRC regulatory bodies hold no direct legal force in Hong Kong.
2. Analysis of CSRC’s Regulatory Role in Overseas Listing Requirements
Regarding the CSRC’s role in overseas listing, as well as the overseas listing filing requirements, the details are set forth as follows:
2.1 Overview of the CSRC’s Regulatory Role and Functions
The China Securities Regulatory Commission (CSRC) is the Chinese mainland’s paramount securities and futures market regulator, operating under the State Council. Its core functions encompass regulating the issuance, listing, and trading of all securities; supervising market intermediaries like brokerages and fund managers; enforcing laws against misconduct such as insider trading; ensuring transparent information disclosure by listed companies; and engaging in international regulatory cooperation to uphold global financial stability.
2.2 Requirements of Overseas Listing Activities by CSRC
The Trial Administrative Measures of Overseas Securities Offering and Listing by Domestic Companies (the “Trial Measures”), issued by the CSRC and implemented on March 31, 2023, establish a filing-based system for domestic companies seeking overseas listings, requiring domestic enterprises issuing and listing securities in the United States to follow the filing system of the CSRC.
1) Targeted Company & Overseas Listing Activity
According to Article 34 of the Trial Measures, “Domestic enterprises referred to in these Measures refer to enterprises registered and established within the territory of the People’s Republic of China, including domestic companies limited by shares directly issued and listed abroad and domestic operating entities that are the subject of indirectly issued and listed abroad.”
Article 2 of the Trial Measures mainly regulates two modes for domestic enterprises’ overseas listing: direct overseas listing and indirect overseas listing.
a) Direct overseas listing: refers to the overseas issuance and listing of a limited liability company registered and established in the PRC.
b) Indirect overseas listing: refers to the overseas issuance and listing of domestic enterprises with their main business activities in the name of overseas registered enterprises, based on the equity, assets, income or other similar rights of domestic enterprises.
Further, according to Article 15 of the Trial Measures, indirect overseas listing includes the following overseas listing activities:
a) more than 50% of its audited financial indicators (operating revenue, profits, total assets or net assets) for the most recent accounting year is accounted for by the Domestic Companies; and
b) major business activities or operations are conducted in the Chinese mainland, or main places of business are located in the Chinese mainland, or the majority of senior management are domiciled in the Chinese mainland or are Chinese citizens.
2) Filing Requirements
Under this regulatory requirement, a Domestic Company seeking an Overseas Listing must fulfil the filing procedures and submit relevant materials to the CSRC; the filing shall be made by the listing applicant in the case of a Direct Overseas Listing, or by a designated major domestic operating entity in the case of an Indirect Overseas Listing.
Following the submission of an overseas listing application, trigger subjects must file with the CSRC within three working days. Required materials include a filing report and legal opinions from domestic counsel. The CSRC will then either issue a result within 20 working days or, within five working days, request supplemental information. Applicants have 30 working days to respond to any such request.
Thus, under the provisions of the Trial Measures, only companies registered in the Chinese mainland or that meet specified materiality thresholds (e.g., more than 50% of revenue, assets, or profits in the Chinese mainland, or primary business/management located in the Chinese mainland) that are identified as “direct overseas listing and indirect overseas listing” are required to complete filings with the CSRC.
2.3 The Company’s Listing is not subject to the CSRC Requirements of Overseas Listing
The Company is incorporated in the Cayman Islands; the majority of its directors, executive officers, and employees, as well as its Hong Kong subsidiary Xact Digital Limited, are located in Hong Kong; and a significant portion of the revenues and major customers of Xact Digital Limited are also geographically concentrated in Hong Kong. Its financial/operational centre of gravity is not in the Chinese mainland; it does not satisfy the quantitative and substantive criteria of a “direct or indirect overseas listing”; therefore, the Company is not subject to the filing requirements with the CSRC.
Accordingly, as of the date of this opinion, the Company is not obligated to seek approval from or complete any filing procedures with the CSRC for the issuance of shares in the United States.
3. Analysis of the Applicability of Article 177 of the PRC Securities Law
As regards the application of Article 177 of the PRC Securities Law, we are of the view that the Company is not prohibited from submitting documents and/or materials for listing. Details are as follows:
3.1 Regulatory Requirements under Article 177 of the PRC Securities Law
Article 177 of the PRC Securities Law provides that “The securities regulatory authority under the State Council may establish cooperative arrangements for supervision and administration and implement arrangements for cross-border supervision and administration in conjunction with the securities regulatory bodies of any other country or region. Overseas securities regulatory bodies shall not directly conduct investigation and evidence collection activities within the territory of the People’s Republic of China. Without the consent of the securities regulatory authority under the State Council and the relevant competent department under the State Council, no entity or individual may provide documents and materials relating to securities business activities overseas without authorization.”
This Article is only a provision of principle and authorization, and the specific operational requirements can be further referred to in other provisions. In view of the fact that no relevant implementing rules and judicial interpretations have yet been issued, reference can be made to other similar provisions that are currently in force under PRC laws and regulations.
Pursuant to Item 2 of Article 177 of the PRC Securities Law, there are similar requirements in other provisions, such as Articles 3, 4 and 6 of the Provisions on Strengthening Confidentiality and File Management in relation to Offshore Issuance and Listing of Securities and Article 12 of the Interim Provisions for Accounting Firms Engaged in the Auditing of Overseas Listings of Mainland Chinese Enterprises. Pursuant to the foregoing laws and regulations, any overseas listed company that provides or publicly discloses to relevant securities companies, securities service organizations, and overseas regulatory bodies archives relating to national security or significant interests shall report to the State Archives Bureau for approval in accordance with the law.
In addition, Article 177 of the PRC Securities Law stipulates that foreign securities regulators shall not conduct investigation and evidence collection activities directly within the territory of China. If a foreign securities regulator wishes to conduct investigation and evidence collection activities in China, it may do so through the cross-border regulatory and law enforcement collaboration mechanism established with the CSRC.
According to Article 3 of the CSRC’s Reply to the reporter’s question on ‘Provisions on Strengthening the Confidentiality and File Management of Domestic Enterprises Issuing and Listing Securities Overseas (Exposure Draft)’, which was given by the person in charge of the relevant departments of the CSRC on 2 April 2022, Article 177 is mainly intended to “make it clear that investigations, collection of evidence and inspections carried out by the overseas regulatory bodies in China should be conducted through the cross-border regulatory cooperation mechanism, and the CSRC and the relevant competent authorities should provide necessary assistance based on the bilateral and multilateral cooperation mechanism. The inspection should be carried out through the cross-border regulatory cooperation mechanism, and the CSRC and the relevant competent authorities will provide the necessary assistance based on the bilateral and multilateral co-operation mechanism reflects the consistent openness of the Chinese regulatory authorities to cross-border audit and regulatory cooperation, and is also in line with the relevant international practices, which will provide institutional safeguards for the safe and efficient development of cross-border regulatory cooperation, including joint inspections, regulatory co-operation, will provide institutional safeguards.”
As can be seen, Article 177 is specific to the requirements of national securities regulatory authorities, mainly providing for cross-border cooperation in cross-border regulatory supervision, especially when cross-border investigations and evidence collection are required.
3.2 The Company shall not be bound under this Article 177
Article 177 of the PRC Securities Law further stipulates that without the consent of the securities regulatory authority, no entity or individual may provide documents and materials relating to securities business activities overseas without authorization.
Pursuant to Article 2 of the Provisions on Strengthening Confidentiality and Archives Administration of Overseas Securities Offering and Listing by Domestic Companies (Announcement of the China Securities Regulatory Commission, the Ministry of Finance, the National Administration of State Secrets Protection and the National Archives Administration of China [2023] No. 44, Effective date: 03-31-2023), “domestic companies” that seek overseas offering and listing, and the securities companies and securities service providers that undertake relevant businesses shall strictly abide by applicable laws and regulations of the PRC and these Provisions, enhance legal awareness of keeping state secrets and strengthening archives administration, institute a sound confidentiality and archives administration system, and take necessary measures to fulfill confidentiality and archives administration obligations. They shall not leak any state secrets and working secrets of government agencies, or harm national security and public interest.
Further, the “domestic companies” in the preceding paragraph refer to either one of the following entities: a joint-stock company incorporated domestically that conducts direct overseas offering and listing, or a domestic operating entity of a company that conducts indirect overseas offering and listing; the securities companies and securities service providers in the preceding paragraph include such that, either incorporated domestically or overseas, undertake businesses related to overseas offering and listing by domestic companies. Kindly note that this definition is in line with the requirements as defined in the Trial Administrative Measures of Overseas Securities Offering and Listing by Domestic Companies (the “Trial Measures”) issued by CSRC, implemented on March 31, 2023.
The Company is incorporated in the Cayman Islands; the majority of its directors, executive officers, and employees, as well as its Hong Kong subsidiary Xact Digital Limited, are located in Hong Kong; and a significant portion of the revenues and major customers of Xact Digital Limited are also geographically concentrated in Hong Kong. Its financial/operational centre of gravity is not in the Chinese mainland, and it does not satisfy the quantitative and substantive criteria of a “direct or indirect overseas listing”.
Accordingly, as of the date of this opinion, we are of the view that Article 177 will not restrict the Company’s submission of documents and/or materials to Nasdaq in connection with the Company’s listing application.
4. Analysis of CAC’s Regulatory Role in Overseas Listing Requirements
Regarding the CAC’s regulatory role in overseas listing, the details are set forth as follows:
4.1 Responsibilities and Competencies of CAC
The Cyberspace Administration of China (CAC) serves as China’s primary internet regulatory body, responsible for formulating cybersecurity review policies, organizing cybersecurity reviews, and coordinating with other regulatory agencies on cyber governance matters. The CAC operates under the leadership of the Central Cybersecurity and Informatization Commission and works alongside twelve other ministry-level agencies as part of the cybersecurity review working mechanism. This institutional structure highlights the CAC’s central role in national security assessments for data-related activities, particularly those with potential cross-border implications.
Despite these broad requirements, this analysis demonstrates that the Company operating primarily in Hong Kong seeking listing on US exchanges may not necessarily require permissions or approvals from the CAC under the current interpretation and application of PRC law. This conclusion is based on several key factors, including the territorial scope of the CRM, the definition of key terms, the specific operations and user base of the company, and the intended application of the national security provisions.
4.2 The Cybersecurity Review Requirements for Overseas Listing under CAC
Under the legislative framework encompassing civil, administrative, and criminal law, the PRC has developed a fundamental legal system for data security, anchored by three distinct laws: the Cybersecurity Law of the People’s Republic of China (CSL), the Data Security Law (DSL), and the Personal Information Protection Law (PIPL). The CSL governs all domestic network operators managing personal information and data, the DSL applies to all entities dealing with both network and non-network data, and the PIPL focuses on the protection of personal information.
Leveraging these three foundational laws, the PRC has, in recent years, enacted a series of related regulations, departmental rules, and standards. These measures offer precise operational guidance for data compliance across various industries and specific scenarios, aiding enterprises and institutions in maintaining lawful and compliant data management practices, including cross-border data transfers.
In line with the above basic legislative framework for data security, the Cybersecurity Review Measures (CRM) enacted by the CAC represent a significant evolution in China’s regulatory framework for cybersecurity and data governance for overseas listing. Promulgated on December 28, 2021, and effective from February 15, 2022, the CRM replaced the previous draft issued on July 10, 2021, and established comprehensive requirements for cybersecurity reviews in specific circumstances. Specifically, the CRM requires network platform operators handling personal information of over one million users who intend to list abroad to undergo a cybersecurity review.
According to Article 9 of the Trial Measures, Domestic enterprises engaged in overseas issuance and listing activities shall strictly comply with national security laws, administrative regulations, and relevant provisions on foreign investment, network security, data security, etc., and effectively fulfil their obligations to safeguard national security. If it involves a security review, relevant security review procedures shall be carried out in accordance with the law before submitting issuance and listing applications to overseas securities regulatory agencies, trading venues, etc.
Article 7 of the CRM further clarifies that network platform operators with access to personal information of more than one million users must apply for a cybersecurity review from the cybersecurity review office before listing overseas. This provision has three key elements:
1) Subject: Network platform operators, namely enterprises controlling large-scale user information;
2) Condition: Possession of personal information of more than one million users;
3) Conduct: Listing abroad, generally interpreted to mean foreign capital markets such as the U.S.
Thus, Article 7 signifies an application and enhancement of the broader national security review framework, introducing a mandatory threshold specifically tailored for overseas listings.
4.3 Analysis of Key Definitions and Thresholds
1) Definition of “Network Platform Operators”
Although the CRM and related laws and regulations do not provide a clear definition of “network platform operators”, enterprises need to make substantive judgments based on their business content and data processing activities. Normally, the CRM applies specifically to “network platform operators,” which implies entities operating platforms that involve network services or data processing activities, especially large ones, that possess and process a large amount of important data, core data, and massive personal information. To this end, the CRM have strengthened safeguards against the national security risks that may arise from network platform operators going public abroad, and imposed mandatory cybersecurity reviews on network platform operators that have access to personal information of more than one million users and are going public abroad.
While this term is broad, its application to a Hong Kong company would depend on whether the company’s activities are considered to “affect or may affect national security” of the Chinese mainland. A Hong Kong company with exclusively Hong Kong operations and without substantial connections and data collection from the Chinese mainland would be unlikely to fall under this condition and would generally not be considered within the scope of this definition.
2) Interpretation of “Foreign Listing”
The CRM specifically references “foreign listing” in Article 7 as triggering the cybersecurity review requirement for qualified network platform operators. While the United States listing would clearly constitute a “foreign listing,” the application of this requirement to a Hong Kong company is less clear. Hong Kong maintains its own separate financial regulatory system, and companies incorporated in Hong Kong typically fall under Hong Kong’s regulatory jurisdiction for securities offerings, even when listing abroad.
It is noteworthy that the Network Data Security Management Regulation (Draft for Comments) released in November 2021 specifically mentioned that data processors affecting or potentially affecting national security should declare a cybersecurity review when listing abroad, while also noting that listing in Hong Kong would be subject to different considerations. This suggests that regulators draw distinctions between different types of “foreign” listings, though the final version of this regulation has not been adopted.
3) The “One Million Users” Threshold
Even if the CRM were considered applicable to Hong Kong companies, the threshold of “over one million users” requires careful analysis. According to interpretations of the CRM, the term “users” generally refers to registered users rather than casual visitors or intermittent users. Furthermore, for a Hong Kong company operating primarily in Hong Kong, the user count would primarily consist of Hong Kong residents rather than mainland Chinese users.
Based on the comprehensive analysis of the CRM and related regulations under PRC law, as the Company is registered in the Cayman Islands and its main business, executives and employees are concentrated in Hong Kong, according to our current information, if the Company does not meet the scale and use of data transmission mentioned in the above regulations, and the record does not show important/core data implicated by a Chinese mainland business, the Company shall not be identified as a “network platform operator” and is not required to apply for cybersecurity review with the CAC for its proposed U.S. listing.
Nevertheless, given the evolving nature of the PRC’s regulatory landscape in cybersecurity and data protection, Hong Kong companies contemplating a US listing should maintain vigilance regarding regulatory developments, conduct thorough legal assessments of their specific circumstances, and consider appropriate disclosures regarding potential regulatory risks.
5. Analysis of Data Outbound Transfer Requirements Under CAC
Considering the Company’s HK subsidiary may collect and store certain data from our clients from mainland China, the Company’s compliance requirements are further analyzed as follows in terms of data outbound transfer from the Chinese mainland under the CAC.
5.1 The Applicability of Article 41 of PIPL and Article 36 of DSL
The PIPL and the DSL together form the core pillars of China’s data governance framework, establishing a series of important concepts and rules that have far-reaching implications for all organizations (including foreign businesses) that process data in the PRC. Among them, Article 41 of PIPL and Article 36 of DSL seem to impose strict restrictions on foreign law enforcement and judicial authorities accessing domestic data. However, the applicability of the regulatory requirements under PIPL 41 and DSL 36 to the Company is as follows:
1) Legal restrictions on the providing of data to foreign judicial or law enforcement authorities
Article 41 of the PIPL and Article 36 of the DSL both provide that the competent authority of the PRC shall process a request for data from a foreign judicial or law enforcement authority in accordance with relevant laws and international treaties and agreements entered into or acceded to by China, or under the principle of equality and reciprocity. Without the approval of the competent authority, a domestic entity shall not provide data stored in the territory of China to any foreign judicial or law enforcement authority. As indicated, PRC laws impose strict restrictions on foreign law enforcement and judicial authorities accessing domestic data. By restricting the transfer of data to foreign judicial or law enforcement agencies without approval, China aims to maintain its sovereignty over data within its territory.
The PRC Ministry of Justice made an additional clarification regarding international civil and commercial judicial assistance on 30 March 2023, stating that a foreign judicial or law enforcement authority is not allowed to obtain domestically generated or stored data unless requested through channels stipulated in the Convention on the Taking of Evidence Abroad in Civil or Commercial Matters. The transfer of the evidence shall be executed by the competent court upon permission granted. Given these points above, we can also deduce that domestic entities are not allowed to transfer documents directly to foreign law enforcement or judicial authorities unless they follow the designated channels upon permission.
2) Applicability analysis for filing with Nasdaq under this provision
As we understand, the Nasdaq Stock Market is a securities self-regulatory organization, not a United States government agency or enforcement authority. Therefore, it seems that the mere act of submitting listing information to Nasdaq may not be directly equivalent to providing data to a “foreign judicial or law enforcement agency”.
Therefore, based on the initial analysis, Article 41 of the PIPL and Article 36 of the DSL regarding the providing of data to foreign judicial or law enforcement authorities do not appear applicable to the Nasdaq listing under this provision, although this remains subject to clarification through further enforcement practice.
Besides the above compliance requirements under Article 41 of the PIPL and Article 36 of the DSL, the other provisions of the PIPL and the DSL also contain compliance requirements for providing data or personal information out of the PRC that constitutes outbound data transfer, which are discussed below according to the Company’s data processing activities related to the PRC.
5.2 Regulatory Requirements of Data Outbound Transfer
According to Article 3 of the DSL and Article 4 of the PIPL, data processing includes the collection, storage, use, processing, transmission, provision, disclosure, and deletion, etc., which means any kind of data collection and transfer activity shall be regulated accordingly; Personal Information refers to all kinds of information related to identified or identifiable natural persons recorded by electronic or other means, excluding information that has been anonymized.
The DSL establishes a data classification and protection system, requiring data to be classified into three levels, namely, general data, important data and core data. For “important data”, which is related to national security, the lifelines of the national economy, important livelihoods, and significant public interests, and for “national core data”, which includes data related to national security, the lifelines of the national economy, important livelihoods, and significant public interests.
A company that conducts business operations outside of China while collecting data in the Chinese mainland will almost certainly be involved in data processing activities as defined by the DSL & the PIPL and will be considered a “data processor”. Therefore, the legal requirements for data outbound transfer under the DSL and the PIPL are discussed as follows.
1) Requirements for the CIIO
As PIPL and DSL impose stricter obligations on Critical Information Infrastructure Operators (CIIOs), in particular data localization storage requirements, they are the most heavily regulated data processors, and we need to determine whether the Company is a CIIO in the first place.
According to the ‘Regulations on the Security Protection of Critical Information Infrastructure’, “critical information infrastructure” refers to the key network facilities and information systems in important industries and areas such as public telecommunication and information service, energy, transport, water conservancy, finance, public service, e-government and science and technology industry for national defense, which may seriously endanger the national security, national economy, people’s livelihood or public welfare once they are subject to any damage, loss of function or data leakage.
The security protection departments shall be responsible for organizing the identification of critical information infrastructure in their respective industries and areas in accordance with the identification rules, timely notify the identification results to the operators and report such results to the public security department under the State Council.
2) Requirements on Important Data
The DSL defines “important data” as data related to national security, the lifeblood of the national economy, important livelihoods, and significant public interests. The specific catalogue is formulated by the national data department in conjunction with relevant departments.
Usually, the company itself needs to clarify whether it handles information classified as “important data” according to its industry and business type. For example, important data may be involved in areas such as finance, transport, health and geographic information. If the data it handles contains “important data”, a security assessment has to be declared.
If the current field of business does not involve the processing of “important data”, the company is only a general data processor, and further analysis based on the information content of the data it processes is needed to determine whether the Company is required to file a security assessment.
3) Requirements on Sensitive Personal Information
According to Article 28 of the PIPL, sensitive personal information refers to personal information that, once leaked or illegally used, will easily lead to infringement of the human dignity or harm to the personal or property safety of a natural person, including biometric recognition, religious belief, specific identity, medical and health, financial account, personal location tracking and other information of a natural person, as well as any personal information of a minor under the age of 14.
Further, pursuant to the PRC national standards Information security technology - Personal information security specification (GB/T 35273-2020) and Data security technology - Security requirements for processing of sensitive personal information (GB/T 45574-2025), sensitive personal information includes biometric information, religious beliefs, specific identities, medical and health information, financial accounts, and tracking information, as well as personal information of minors under the age of fourteen. The Company confirmed that its HK subsidiary may collect certain data (including certain personal information) from individuals from the Chinese mainland; however, the Company clarifies that it does not qualify as a CIIO under PRC law and has not processed any “important data” or “sensitive personal information” from the Chinese mainland. Consequently, further clarification and discussion are necessary regarding the type and volume of normal data collected, in line with the CAC compliance requirements for outbound data transfer.
5.3 Compliance Review Steps for the Outbound Data Transfer
Under the DSL and the PIPL, as well as the Provisions on Facilitating and Regulating Cross-border Data Flow, which regulate how data (especially important data and personal information) is sent outside of China, the compliance requirements and pathways basically depend on the type and volume of data processed. Key compliance mechanisms include passing a security assessment, signing standard contracts, obtaining protection certification, or falling under the exemptions. The compliance requirements for outbound data transfer in China can be determined through a step-by-step approach.
1) First, the approach checks whether an entity is a CIIO. This is a crucial starting point because such operators have stricter compliance obligations when transferring data across borders. If they transfer personal or important data, they must go through a national-level safety assessment, while non-relevant data transfers are not subject to these specific compliance measures.
2) Next, for a non-CIIO, the nature of the data being transferred is evaluated. Non-personal and non-important data has the least compliance burden, as it is exempt from most measures. Important data, due to its significance, always requires a safety assessment before cross-border transfer within the CAC.
3) Finally, when dealing with personal data, a further breakdown into sensitive and non-sensitive types is made, along with considering the quantity of data transferred annually. Sensitive personal data is more strictly regulated, with a lower threshold for triggering a security assessment. Non-sensitive personal data has a tiered system based on transfer quantity, with different compliance measures at each level, ranging from a full security assessment to complete exemption.
This structured approach helps entities clearly understand their cross-border data compliance obligations based on their specific circumstances.
a) If the personal information type is sensitive personal data:
   - If it is estimated that, starting from January 1st of that year, the cumulative amount of data provided to overseas countries will be 10,000 or more, the transfer must pass the security assessment organized by the CAC.
   - If it is estimated that, from January 1st of that year, the cumulative amount of data provided to overseas recipients will be less than 10,000 people, the processor must enter into personal information outbound transfer standard contracts with overseas recipients or obtain personal information protection certification.
b) If the personal information type is non-sensitive personal data:
   - If it is estimated that, starting from January 1st of that year, the cumulative amount of data provided to overseas countries will be 1 million or more, the transfer must pass the security assessment organized by the CAC.
   - If it is estimated that, from January 1st of that year, the cumulative amount of data provided to overseas recipients will be 100,000 or more, but less than 1 million, the processor must enter into personal information export standard contracts with overseas recipients or obtain personal information protection certification.
   - If it is estimated that, from January 1st of that year, the cumulative amount of data provided overseas will be less than 100,000 people, the transfer is exempt from security assessment, standard contract filing, and personal information protection certification.
Based on the information disclosed by the Company, it has neither been designated nor notified as a CIIO by regulatory authorities, nor do its business operations engage with China’s critical infrastructure sector; hence, the Company does not meet the criteria for being classified as a CIIO.
Regarding the personal data gathered by the Company, the primary types include names, email addresses, and phone numbers, excluding biometric data, financial account details, personal location tracking, and other sensitive personal information as previously mentioned. Notably, sensitive personal information is not included in the Company’s collection, and the annual volume is approximately 300-400 individuals, significantly below the exemption threshold of 100,000 individuals per year.
Consequently, the Company does not qualify as a CIIO. The data it collects in the Chinese mainland does not encompass important data or sensitive personal information, and the collection volume remains well below the regulatory thresholds that would necessitate a security assessment by the CAC.
As such, it appears that the Company is currently exempt from the relevant personal information or data requirements stipulated by the PIPL, the DSL, and the CAC. However, should the Company’s presence in the Chinese mainland, data categories, or processing volumes expand significantly in the future, this assessment and the corresponding obligations may require revision.
6. Conclusion
Taking into account the case facts, background materials and our prior discussions, and subject to the assumptions and qualifications of this Opinion, we conclude that the PRC regimes referenced in “Risks Related to Doing Business in Hong Kong” (specifically the CSRC and CAC) are not listed in Annex III to the Basic Law and are therefore not directly applicable or enforceable in Hong Kong; accordingly, based on the current facts, the Company is not obligated to seek CSRC approval or make a CSRC filing for its U.S. issuance.
Based on our analysis of the Cybersecurity Review Measures and related rules, together with the Company’s Cayman incorporation and Hong Kong-centred operations and personnel, a CAC cybersecurity review is not required for the proposed U.S. listing, provided statutory trigger conditions are not otherwise met, and any cross-border data transmissions remain within the contemplated scale and purposes.
Furthermore, Article 177 of the PRC Securities Law, PIPL Article 41 and DSL Article 36 do not restrict the Company from listing on Nasdaq, which we understand to be a securities self-regulatory organization rather than a U.S. governmental or law-enforcement authority, subject to further clarification in enforcement practice.
With respect to outbound data transfer compliance, the Company has confirmed it is not a CIIO. The Company does not collect “important data” and collects only a small amount of non-sensitive personal information, which appears to be below the quantitative thresholds that would trigger a security assessment or standard contract mechanism required by the CAC. The Company shall be exempt from the compliance requirements of the CAC in terms of outbound data transfer.
Given the dynamic nature of China’s cybersecurity and data rules, the Company should maintain enhanced monitoring efforts. Should there be significant changes in the Company’s own operating environment or scope of operations that affect the above conditions for regulatory exemption, such as substantial expansion of its mainland presence, data categories or processing volume resulting in a significant change in the existing analytical scenarios, it will need to be more cautious in responding to the corresponding changes in regulation. We therefore recommend that the Company maintain control over its risks and conduct a pre-transaction legal review before making any strategic or operational changes.
We trust that the above analysis and thoughts are of assistance. Should you have any further inquiries, please feel free to contact us. Thank you for your attention.
****** THE END ******