The regulatory landscape in China around data protection and flows continues to develop. Since the 2017 Cybersecurity Law, China has been refining the legal and regulatory framework for data protection—it has implemented new laws and regulations that set comprehensive rules for data processing activities across all industries in China and cover the rules regarding cross-border data transfers and data localization, which are essential for critical information infrastructure operators^[1] and other data processors.

Multinationals are expected to deal with more stringent data regulation requirements and procedures in  M&A transactions where cross-border corporate structures or cross-border data transfers are involved. In particular, these types of transaction parties, including but not limited to sellers, buyers, and their advisors, should closely review and understand the relevant data protection requirements, and conduct the necessary risk assessments as part of compliance with data privacy laws and regulations in China.

How is M&A Being Impacted?

Businesses are more and more frequently depending on information technologies and data processing. When attempting to meet the challenges of the regulatory requirements involved in acquisitions, companies find that their transaction targets’ products and applications often contain commercial information that is processed and generated from various sources and, to a certain extent, may pertain to China national security concerns.

In the healthcare sector, for instance, healthcare applications often manage highly sensitive financial and health-related data. The same is true of the automotive sector where car sharing can be a source of highly sensitive information, such as traffic violations, payment behavior models, or movement profiles. There are similar instances across many other important industries, such as energy, transportation, water and utility services, public communications, finance, government affairs and defense technologies, etc., where general information is processed through mass data collection and turned into a valuable source of knowledge.

Innovation can create value but, without proper compliance and effective data protection mechanisms and procedures, may become a significant risk factor for different stages of M&A transactions, including due diligence, deal structuring, completion hand-over, and post-completion operation. Investors should plan, deploy, and implement protection measures and establish a security management scheme to retain, disseminate, process, and/or analyze the commercial information that is retrieved in the course of a transaction. For instance, we have seen more arrangements where the investors prefer localizing the due diligence exercise (e.g., local team, server and data storage, etc.) to minimize cross-border data transfer risks at a preliminary stage of the deal. Investors may also consider alternative deal structures instead of equity investment, in order to safeguard buyers’ interests against historical liabilities, and formulate a suitable data compliance strategy for the target business. If any commercial data that originates in China is required to be transferred, processed, or analyzed outside of China, investors need to consider, for instance, adding data protection warranties to their purchase agreement and/or reviewing disclosures to ensure all the information set forth therein aligns with the relevant data protection requirements and will not lead to potential problems in post-completion operation.

Potential Regional Compliance Issues

We have also seen a trend that China will be more involved in participating regional, multilateral, and cross-border data transfer systems, particularly in the APEC region. If China were to participate, investors are encouraged to take into account the enforceable privacy code of conduct developed for businesses by the regional economies when carrying out the proposed business investments/M&A transactions in China.  These include the APEC Cross-Border Privacy Rules (“CBPR”)^[2] and the Privacy Recognition for Processors (“PRP”)^[3], pursuant to which APEC designed the APEC Privacy Framework to provide an accountable approach to managing data privacy protection and the flow of personal information across borders.

Businesses can demonstrate their adherence to the APEC Privacy Framework by certifying their privacy practices to the standards of “data controller” and “data processor” under CBPR and PRP respectively. They will be required to apply to a recognized APEC Accountability Agent, which is a third-party certification body with an APEC economy that has formally joined the CBPR (or PRP) system. The Accountability Agent will evaluate whether the business’s privacy policies and practices comply with CBPR (or PRP) program requirements and will assist the business to come into compliance with them if they do not.

[1] Pursuant to Article 2 of Critical Information Infrastructure Security Protection Regulations, critical information infrastructure refers to important network infrastructure, information systems, etc., in important industries and sectors, such as public telecommunications and information services, energy, transportation, water, finance, public services, e-government, national defense science, technology, and industry, etc. and where their destruction, loss of functionality, or data leakage may gravely harm national security, the national economy and people’s livelihood, or the public interest.

[2] CBPR is a comprehensive privacy certification that provides organizations with a mechanism for cross-border data transfer and can be used for intra-company transfers, for transfers between unaffiliated companies, as well as for transfer to non CBPR-certified companies anywhere in the world.

[3] PRP is a companion certification to the CBPR designed specifically for data processors that process personal data on behalf of data controllers and focus mostly on data security and the ability to implement the relevant CBPR requirements and other data privacy instructions of controller. Its main purposes are to serve as a due diligence tool for data controllers that are looking for qualified and accountable data processors, as well as assisting small or medium-sized processors that are not widely known in gaining visibility and credibility.