Our previous article outlined the increasing need to cover data compliance in due diligence in M&A transactions in China.
However, buyers and sellers also need to consider data compliance when conducting the due diligence process itself.
A good due diligence process is by its nature intrusive. Buyers need to collect detailed information about the target company's equity/assets, business, employees, intellectual property, and financials. Hence, the due diligence process normally involves transferring a large amount of information and data to the buyer and the buyer's external consultants. If such data involves personal information, important data or core data, then the parties need to consider how such disclosure can be properly dealt with.
I. Personal Information
1. Disclosure and transfer of employee personal information
Employment related data is one of the common issues in a PRC M&A transaction. Buyers will generally request sellers to provide full labor-related documentation so as to understand the overall situation of the target company's employees. This includes the salary structure, labor compliance (such as salary, social security fund, personal income tax payment, labor contracts etc.), labor disputes, etc. These disclosures inevitably mean personal information of the employees will be shared.
Can the personal information of these employees be provided to the buyer during the due diligence process?
According to the PRC Personal Information Protection Law (PIPL), a personal information processor needs to inform the individuals of the name and contact information of the recipient, purpose and method of processing and type of personal information and shall obtain the individual's separate consent[1].
The PIPL also provides solutions for the transfer of personal information under specific circumstances, such as transferring personal information due to a merger, division, dissolution or declaration of bankruptcy, etc. In such cases, the individual concerned will need to be informed (consent not necessarily needed) of the name and contact information of the recipient, and the recipient is required to continue to fulfill obligations as a personal information processor[2].
In addition, the recommended national standard Information Security Technology Personal Information Security Specification (GB/T35273-2020)[3], which has been widely applied in recent years (especially before the introduction of the PIPL), has similar requirements. That is, if the personal information controller[4] changes due to an acquisition, merger, reorganization, or bankruptcy, etc., then the employees must be informed and the new controller of the personal information is required to continue to perform the responsibilities and obligations of the original controller.
However, this is post-transaction. Accordingly, this provision does not apply to due diligence (or any other pre-transaction) stage.
Commercially, it is very difficult to seek individual employee’s consent in the case of a potential M&A transaction. Normally, sellers will not be willing to disclose a potential sale to employees until the deal is signed and sealed.
Accordingly, the following solutions are normally used:
a) Providing relevant personal information anonymously
According to the PIPL, personal information does not include information that has been anonymized. Anonymization refers to the process of processing personal information so that it can no longer identify a specific natural person and cannot be restored, such as blacking out/deleting information that can identify a specific natural person in documents like employment contracts, confidentiality contracts and non-compete agreements, and employee rosters, or only providing statistical data on employees, such as the total number of employees, the number of core employees, the number of employees about to retire, the number of interns and part-timers, the number of foreign employees, the number of employees in each department, the average salary of each type of employee, the age structure, the percentage of different education levels, the gender ratio, etc.
In the early stage of due diligence, this anonymization approach will usually satisfy a buyer's need to understand the employment situation of the target company. There may be more complexity in the later stages of due diligence, as the buyer may have legitimate business needs to verify detailed aspects of the target company. This may be in relation to the employment arrangements for key employees (such as the signed employment-related agreements, and whether they are bound by confidentiality and non-compete obligations). In such cases, anonymized data may not meet the buyer's requirements.
Anonymization processing is often confused with de-identification processing. According to the PIPL, de-identification refers to the process in which personal information is processed so that a specific natural person cannot be identified without the aid of additional information. In principle, de-identified personal information may still be personal information, as it is still possible to identify a specific natural person with the help of additional information. If the due diligence process does not allow the buyer to access such additional information, then it might be arguable (subject to further analysis on a case-by-case basis) that the de-identified information is not personal information and therefore does not require the individual consent of the employees.
b) Setting up a graded approach to providing employee data
i. Due diligence stage gradient
Sellers are recommended to plan the manner and scope of how employee personal information is disclosed. During the early stage of due diligence, the seller should adopt anonymization of data. In the middle and later stages of due diligence, the personal information of key employees can be moderately disclosed. As the number of key employees is limited, such persons may be taken into confidence in the late stage of a transaction and individual consent obtained.
ii. Employee attribute gradient
It needs to be noted that the individual consent requirement also applies to key employees. While anonymized information may be sufficient for the potential buyer in respect of other employees, this is unlikely to be the case for key employees.
The seller may wish to limit the information to be provided to the buyer. Requests for information for employees may be restricted to employment conditions and non-compete restrictions. Information such as home address, ID/passport number, marital status, etc. could easily be excluded as they would not be of business value.
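As an added illustration (not code from the original article), the following Python sketch contrasts the two disclosure modes described in this section on a constructed roster: aggregate anonymization for the early stage, and pseudonymized, field-minimized rows for key employees in the later stage, with the re-identification key held back by the seller. All field names, the sample records and the choice of retained fields are assumptions.

```python
import secrets
from collections import Counter, defaultdict
from statistics import mean

# Constructed sample roster (not real data) with the fields a labor
# compliance request would expose; name, id_number and home_address are
# direct identifiers and marital_status has no business value.
ROSTER = [
    {"name": "Zhang A", "id_number": "ID-0001", "home_address": "Beijing",
     "department": "R&D", "type": "core", "salary": 30000, "age": 34, "gender": "M",
     "education": "Master", "marital_status": "married", "non_compete": True},
    {"name": "Li B", "id_number": "ID-0002", "home_address": "Shanghai",
     "department": "R&D", "type": "regular", "salary": 18000, "age": 41, "gender": "F",
     "education": "Bachelor", "marital_status": "single", "non_compete": False},
    {"name": "Wang C", "id_number": "ID-0003", "home_address": "Guangzhou",
     "department": "Sales", "type": "intern", "salary": 5000, "age": 25, "gender": "F",
     "education": "Bachelor", "marital_status": "single", "non_compete": False},
]

# Only employment conditions and non-compete status survive a key-employee
# review; identifiers and private attributes are dropped (assumed field set).
MINIMAL_FIELDS = ("department", "type", "salary", "non_compete")


def anonymize_roster(roster):
    """Early-stage disclosure: aggregate statistics only, no per-person rows,
    so nothing returned can be traced back to an individual."""
    salaries = defaultdict(list)
    for r in roster:
        salaries[r["type"]].append(r["salary"])
    n = len(roster)
    return {
        "total_employees": n,
        "core_employees": sum(r["type"] == "core" for r in roster),
        "interns": sum(r["type"] == "intern" for r in roster),
        "per_department": dict(Counter(r["department"] for r in roster)),
        "avg_salary_by_type": {t: mean(s) for t, s in salaries.items()},
        "age_structure": dict(Counter(f"{r['age'] // 10 * 10}s" for r in roster)),
        "education_pct": {e: round(c * 100 / n, 1)
                          for e, c in Counter(r["education"] for r in roster).items()},
        "gender_ratio": dict(Counter(r["gender"] for r in roster)),
    }


def deidentify_roster(roster, fields=MINIMAL_FIELDS):
    """Later-stage disclosure: per-person rows under random pseudonyms.
    Returns (rows_for_buyer, key_table); the key table is the 'additional
    information' that re-identifies a row and must stay with the seller."""
    rows, key_table = [], {}
    for r in roster:
        pseudonym = "EMP-" + secrets.token_hex(4)
        key_table[pseudonym] = r["name"]
        rows.append({"pseudonym": pseudonym, **{f: r[f] for f in fields}})
    return rows, key_table
```

The rows returned by deidentify_roster can be placed in the data room, while the key table is never uploaded; whether those rows still count as personal information depends on the buyer having no route to that key.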
2. Disclosure and transfer of customer/supplier personal information
The personal information of natural person customers and of the employees or representatives (contacts) of corporate clients or suppliers is protected in the same way as that of employees (i.e. individual consent is needed).
However, such data would rarely be required to be provided in full and it would be sufficient if the data is anonymized.
II. Providing Important Data and Core Data
Important data and core data face far stricter regulatory requirements if their disclosure could jeopardize national security or public interest.
Sellers need to consider the following issues prior to providing the buyer with core/important data about the target company:
1. Determine whether the data to be provided is important or core data. If yes, then determine whether such data is permitted to be provided to the buyer;
2. If the data is to be provided then it is important to ensure compliance with all relevant laws and regulations. This may include the use of encryption to protect important and core data; prior security assessments and complying with reporting procedures to government agencies[5];
3. In addition, the buyer should sign a data sharing agreement with the seller, requiring the seller to ensure the security and confidentiality of the relevant important data or core data and clarifying the purpose, scope and handling of such data. It should also include a duty to delete and destroy relevant important data or core data in a timely manner upon the seller's request.
III. Cross-border data transfer
A further complexity in a PRC M&A transaction may arise if an international buyer is involved. Typically, a potential overseas buyer may result in relevant personal information, important data or core data being transferred overseas. This may include transmission to a foreign organization, foreign natural persons or uploading to servers overseas. Such transmission may constitute a cross-border data transfer and would be subject to relevant laws and regulations.
These issues will normally arise in the following cases:
1. Critical information infrastructure operator
If the target company is a critical information infrastructure operator or connected thereto then the personal information and important data collected and generated during its operation within the territory of the PRC must be stored locally. This data can only be transmitted overseas for business purposes if there has been a security assessment organized by the CAC[6]. This CAC security assessment may be sufficient to jeopardize the entire M&A transaction process.
2. Personal information
Similarly, if the target company provides personal information to a buyer outside the PRC, this will trigger the relevant provisions for cross-border data transfer under the PIPL. These include:
i. The target company informing the individual of the nature and extent of the transfer overseas;
ii. Obtaining the individual's consent;
iii. Passing a security assessment organized by the CAC, or being certified by a specialized agency for protection of personal information, or entering into a contract with the overseas recipient under the standard contract formulated by the CAC;
iv. The target company is required to conduct an impact assessment of personal information protection beforehand and to record the processing activities[7].
Considering the above requirements, we recommend sellers avoid passing on personal information held by the target company to offshore buyers.
3. Important data or core data
As mentioned earlier, the transfer of important or core data is treated very stringently under PRC law, and this is especially so in respect of cross-border transfers of such data.
According to existing regulations and related draft regulations[8], cross-border transfer of important data will trigger a security assessment organized by the CAC. For core data, the requirements will be even more stringent as such core data may not even be allowed to leave China. If due diligence triggers a security assessment by the CAC then this will result in due diligence being stalled until such process can be completed. This will inevitably affect the transaction timeline and add costs. In addition, a security assessment by the CAC will increase the uncertainty of the transaction as it may not ultimately be able to be completed successfully.
Complexity could be avoided in a cross-border transaction if the international buyer could arrange for its Chinese based employees or external advisors to verify the data stored in the target company and prepare the due diligence report in China. If the due diligence report is to be transmitted to the buyer's offshore team for review, the buyer should ensure that the due diligence report does not contain personal information or important data/core data.
IV. Compliance Issues with Virtual Data Rooms ("VDRs")
A VDR is a web-based tool commonly used in M&A transactions to give the buyer access to the target company's information and documents for review. Usually provided by a VDR service provider (e.g. Intralinks, Venue, Merrill Datasite, iDeals, etc.), the VDR allows the seller to upload information and documents about the target company to an external web platform, granting access to the buyer and/or the buyer's external consultants (such as lawyers, accountants, financial consultants, etc.).
The use of VDRs in M&A transactions is common, especially in times of COVID-19 as it is more efficient than traditional on-site due diligence. Professional VDR service providers can generally provide a secure web space and ensure the security and traceability of the data provided by the seller by setting rules for the use of VDRs by the buyer and the buyer's external consultants (e.g., setting document viewing, printing, downloading permissions and access after downloading as well as adding watermarks to protect documents from being copied, etc.).
Parties should consider the following issues when using a VDR:
1. Clarifying the rights and obligations of VDR service providers
In most cases the VDR service provider will not be a data processor (a codified concept under PRC law, similar to “controller” under the GDPR). In most cases the VDR service provider is only entrusted by the seller to act as an agent to store the relevant data uploaded by the seller during the due diligence period and provides access to the relevant data to the buyer and/or the buyer's external consultants according to the seller's instructions.
VDR service providers generally have standard privacy policies and data processing standard form contracts, which tend to protect the interests of VDR service providers.
We recommend sellers enter into a tailored data entrustment agreement with the VDR service provider stipulating the purpose, time limit and method of entrusted processing, type of personal information and protection measures, as well as the rights and obligations of both parties (including the right of the seller to hold the VDR service provider responsible for breach of contract in case of a breach by the VDR service provider, and the obligation of the VDR service provider to return or delete the relevant data upon the seller's request after completion of due diligence process).
If the VDR service provider has other rights over the data (such as autonomous modification, disclosure, utilization, transfer, etc.), the identity of the VDR service provider will not be limited to that of a data processing agent but could actually constitute an independent data processor. In such cases, it is recommended to analyze the arrangement on a case-by-case basis.
2. Avoid cross-border data transfer
At present, most of the more established VDRs are based abroad. If the seller directly enters into a data processing agreement with a foreign VDR service provider, or if the seller enters into a data processing agreement with a domestic affiliate of a foreign VDR service provider but the relevant data is transferred to a server outside the PRC, this will constitute a cross-border data transfer. Even if the server is located in the PRC, if the buyer is an offshore entity and allows its offshore employees to log in to or access the VDR, then this too is likely to constitute a cross-border data transfer.
As analyzed above, cross-border transfer of data (especially personal information or important data/core data) usually triggers more stringent compliance requirements. In order to avoid cross-border data transfers during the use of a VDR as much as possible, it is recommended that the seller enter into a data processing agreement with a domestic VDR service provider in the PRC or a domestic affiliate of an overseas VDR service provider, and that the relevant data (especially where personal information and important data/core data are involved) be uploaded to a server in the PRC (this requirement can be specified in the data processing agreement). If the buyer is an overseas entity, it should be further obliged to restrict its employees outside of the PRC from viewing, downloading or processing the relevant data on the VDR.
V. Summary
A PRC M&A transaction’s due diligence process will usually involve the seller providing a large amount of information and data to the buyer, which may contain personal information and important data/core data. As data compliance requirements become increasingly stringent, the M&A transaction due diligence process should ensure that the data provision activities themselves meet the relevant data compliance requirements.
In the case of employee or customer/supplier derived personal information, the most compliant approach would be for the seller/target company to obtain the individual consent of the subjects of such personal information, but this is in almost all cases unrealistic. The more likely approach is to anonymize the data and/or set up a graded approach to data provision, given the confidentiality and time requirements of the transaction.
In addition, it is important to consider whether important or core data is involved and the stricter regulatory requirements which apply to it. Accordingly, in such cases sellers will need to be cautious as to how such important and/or core data is provided to buyers during the due diligence phase.
The final main challenge for parties dealing with data during a PRC M&A transaction is in respect of cross-border transfers of personal information and important data/core data. In general, the due diligence phase should be carried out within China so as to avoid triggering regulatory requirements such as security assessments.
[1] Personal Information Protection Law, Article 23.
[2] Personal Information Protection Law, Article 22.
[3] Information Security Technology Personal Information Security Specification (GB/T35273-2020), Article 9.3.
[4] Personal information controller refers to the organization or person that is in a position to determine the purpose, means, etc. of personal information processing, which corresponds to the definition of "personal information processor" under the Personal Information Protection Law.
[5] Please refer to the Regulations for Network Data Security Management (Exposure Draft) issued by the CAC on Nov. 14th, 2021 as well as the Measures for the Administration of Data Security in Industry and Information Areas (for Trial Implementation) (Exposure Draft) issued by the MIIT on Feb. 10th, 2022 for further details.
[6] Cybersecurity Law, Article 37; Data Security Law, Article 31; Personal Information Protection Law, Article 40.
[7] Personal Information Protection Law, Article 55.
[8] e.g., Cybersecurity Law, Article 37; Data Security Law, Article 31; Measures for Data Cross-Border Transfer Security Assessment (Exposure Draft) issued on Oct 29th, 2021; and Regulations for Network Data Security Management (Exposure Draft) issued on Nov. 14th, 2021 by the CAC.