Insight,

Designing Transaction Structures in China – Is your project “data” proof?

27 April 2022

Our People
CN | EN
Current site :    CN   |   EN
Australia
EN |
China
JP | ZH | EN |
China Hong Kong SAR
ZH | EN |
Japan
JP | ZH | EN |
Singapore
ZH | EN |
United States
EN |
Global
ZH | EN |

M&A transactions in China generally require bespoke structuring. The structure will need to account for the circumstances of the specific project but also requirements under PRC law and practice.

One of the main purposes of designing of the transaction structure is to reduce uncertainty and minimize risks.

The rise in importance of data has resulted in M&A transaction structures needing to be updated to protect against new risks. This is particularly the case for targets where data assets are mission critical to operations (such as internet related, autonomous driving, artificial intelligence, big data, high-tech etc.) or if data comprises a large part of the target’s value.

1. Impact of data compliance

(1) Asset transaction

In PRC transactions there is a strong preference for share deals due to it being less disruptive, simpler and in most cases tax benefits. Despite this, asset transactions cannot always be avoided – in some cases, the buyer’s insisting upon an assets deal or the transaction is part of a carve-out. In such cases the buyer or an entity which it establishes directly purchases relevant assets, such as land and property, machinery and equipment, intellectual property etc. In addition, the buyer will also take over the existing employees.

There will be complexity if the assets to be purchased or business to be transferred includes personal information or important data or core data[1]. In such cases the transaction structure needs to be designed so as to take into account compliance requirements such as:

1) Personal information

If the target assets or business operations involve personal information, such as that of employees or users/customers/suppliers, then separate consent is required. This is particularly important if the seller is engaged in consumer facing business such as hotels, e-commerce, logistics or retail. Obtaining separate consent from employees/suppliers is usually straightforward but it can be more complicated for individual users/customers.

When considering the transaction structure, if such personal information of users/customers is critical, then the buyer needs to guard against negative impact upon the transaction caused by the seller’s failure to obtain the consent of most individual users/customers. Possible solutions or risk minimization strategies may include considering ways by which to obtain separate consent of individual users/customers. This may include the design of an interface with individual users/customers, wording providing relevant notice and providing channels by which any doubts or concerns can be dealt with. These measures should make it as easy as possible for an individual user/customer to give consent. In addition to safeguarding against the risk that a business without the relevant data being less valuable, the buyer should insist upon appropriate safeguards in the transaction documents (e.g., closing condition that a certain proportion of separate consents have been obtained etc.). In addition, the parties may also consider how to deal with the circumstance if consents are not obtained. In many cases this could be avoided if the parties agree to a share deal rather than an assets deal.

2) Important data or core data

If important data or core data is involved in a target’s assets or businesses, then the parties will need to consider if there are any restrictions or prohibited by law or if examination and approval or filings are required.

The Regulations for the Administration of Network Data Security (Exposure Draft) (the “Draft of Data Security Regulations”) released by the Cyberspace Administration of China (CAC) in November 2021 requires data processors to meet the following requirements when sharing or transferring important data:

(a) obtaining approval of the competent authority[2].

(b) completing a security assessment either self-conducted or conducted by a third-party data security service organization. If the assessment concludes it may harm national security, economic development or public interest, then the data processor shall not share or trade such important data[3].

In addition, the Administrative Measures for Data Security in the Field of Industry and Information Technology (for Trial Implementation) (Exposure Draft) (the “Draft of Data Security Administrative Measures”) promulgated by MIIT in February 2022 provides:

(a) a data processor in information technology sector which needs to transfer data due to merger, reorganization, bankruptcy or other reason is required to specify the data transfer plan and notify affected users by telephone, short message, mail, bulletin or other means.

(b) If important data and core data are involved, then the record-filing must be updated in a timely manner with the local competent department of industry and information technology (for the industrial sector) or the communication administrative bureau (for the telecom sector) or radio administrative authority (for the radio sector)[4].

Although the said draft regulations have not yet come into effect it is clear that the flow of important data or core data is subject to strict supervision and administration.

If the flow of important data or core data is restricted, then this may mean that an asset transaction is not feasible.

Who Owns the Data?

Establishing the ownership of data is far more complicated than for real estate or fixed assets. The ownership and use of data can be complicated by personal privacy, protection of personal rights and interests, national security, public interest. In addition, data may be easily copied and can be controlled by multiple subjects at the same time. For this reason, it can be highly complicated as to how to establish the ownership of the data. At present, there is no fully formed consensus as to how to define data ownership[5].

There have developments in this regard at the local level which set out how data-related property rights and interests[6] can be developed.

In addition, parties need to consider the tradability of data. The Regulations of Shanghai Municipality on Data stipulate the following data shall not be traded:

(i) Endangering the national security and public interest, or infringing upon personal privacy;

(ii) Without authorization and consent from the lawful right holders;

(iii) Other circumstances prohibited by laws and regulations.

(2) Equity transactions

Compared to an asset transaction, an equity transaction is straightforward. This also applies in respect of data assets.

However, in cases where the target company holds personal information, important data or core data, or where the target company falls within a special category (such as being a Critical Information Infrastructure Operator (“CIIO”)), then even an equity transaction may trigger obligations to notify or obtain consent from entities which have possessed the personal information and to report to or obtain approval from governmental authorities.

1) Target company holds personal information

Target companies holding personal information may need to provide notice or obtain consent from the subject of personal information if the target companies’ equity interests are acquired. The table below summaries requirements under current laws, national standards and relevant draft regulations:

The above provisions of the PIPL does not clarify whether these provisions apply to equity transactions. How the relevant provisions of the PIPL apply to different situations of flow of personal information in equity transactions needs to be further clarified and considered:

(i) The target company does not provide personal information to the buyer

In many M&A transactions, the Buyer intends to maintain the original business operation of the target company and does not request personal information of the target company be provided to the Buyer or its affiliates upon closing. In the context of data compliance, the identity of the personal information processor in such cases remains unchanged, and the target company will generally not be required to notify or obtain consent from the personal information subjects.

(ii) The target company shares its personal information to the Buyer

The term used in the foregoing provision of the PIPL is “transfer”. This implies that the original data processor (i.e., target company) no longer holds the relevant personal information. However, in many cases (such as M&As among different types of e-commerce platforms, or the Buyer’s use of the target company’s user data for user portrayal and targeted marketing, or the Buyer’s request for the target company to provide the personal information of their employees to the Buyer or its headquarters due to human resource management needs or meet group overall human resource management practices). In such cases the target company continues to possess the relevant personal information but it also shares the data with the Buyer or its designated entity. Such action or arrangement is closer to the meaning of “provision” (sharing) under PIPL[7], so that separate consent from the subject of the personal information would be required.

(iii) The target company transfers its personal information to the Buyer

This situation (i.e., the target company transfers all the personal information it holds to the buyer and itself no longer keeps any personal information) is not commonly seen in equity transactions. For instance, the Buyer will wind down the business of the Target Company or merge the business of the target into its own. In this case, the target company may need to transfer personal information to the Buyer or its affiliates, and no longer holds the relevant personal information. It is highly possible that Article 22 of the PIPL (i.e., the target company only needs to inform the subject of personal information of the name and contact information of the recipient) may apply in such circumstances.

It is unclear whether the relevant provisions of the Draft of Data Security Regulations apply to M&A transactions. It appears the primary issue is whether there has been a “transfer” of data. In particular, if the personal information of more than one million persons is transferred by the target company, then it is required to report this to the competent municipal authorities. Assuming the circumstances set out in the Draft of Data Security Regulations apply to the M&A and the target company “transfers” or “provides” the personal information of such individuals to the buyer, then this will trigger a reporting obligation to the competent authorities (assuming the Draft of Data Security Regulations comes into effect and does not change this provision).

On a practical level, many “data-driven” equity transactions involve data being combined. In one case, Company F, a well-known US social network platform, acquired Company W, an instant messaging software company in 2014.

When acquiring Company W in 2014, Company F promised that it would not link user data between the two services. Despite this in August 2016, Company W claimed an updated privacy policy included the possibility to associate a user’s phone number with Company F’s user identity. In early 2021, Company W further updated its privacy policy and shared more data with Company F. Users were not able to opt out as they needed to accept the updated terms before continuing to use Company W in the normal manner.

Company F’s behavior involved providing misleading information and infringing upon the rights of personal information subjects and was contrary to the policy of authorities across Europe.

Similarly, a Chinese company (“Company M”) acquired a bicycle company (“Company B”) in April 2018. Both companies held a large amount of personal information of users.

In April 2019 (approximately 1 year after the equity transaction), a Confirmation of Account Integration and User Confirmation appeared on Company B’s client terminal. Such terminal stated that in order to provide a more convenient user experience it connected the accounts on the companies’ respective platforms with the consent of users so data could be shared. If users withheld their consent, then they would continue to use the bicycle App of Company B and data would not be shared. In such case corresponding users would not be able to enjoy relevant services after account integration.

The above cases show that if a Buyer does not need to transfer or share personal information or change its purpose immediately after the closing, it may do so at some time after closing for data fusion based on business plan by obtaining consent from users.

2) Target company holds important data or core data, or is a CIIO or in another sensitive sector

If the target company holds important data or core data, or is a CIIO or in another sensitive sector, then an equity transaction may involve relevant filing or examination and approval.

The Regulations for Critical Infrastructure, requires that a “merger, division, dissolution and other circumstances” of a CIIO must be reported to the protection authority for the critical information infrastructure. It is unclear whether share deals fall within such scope. Accordingly, it may be prudent if the target company is a CIIO, then consultations with the competent authority (i.e., the protection authority) be held prior to acquisition.

The draft regulations above-mentioned require that if the target company holds important data or core data, and/or belongs to the category of Internet platform operator or data processor in the field of industry and information technology, then any merger, division, acquisition or reorganization requires approval or filing with the relevant government authority.

2. Major concerns for the design of transaction structures

According to the above analysis of the impact of data compliance on the design of transaction structures, it is suggested that the following factors should be considered when designing the transaction structures:

(1) Whether the Buyer’s intended use of data is applicable

In some cases, a Buyer will not need to obtain or use data directly, and such data remains within the target company post-closing. In some cases, if the Buyer is a financial investor, it primarily values sustained profitability or the potential performance growth of the target company but does not need to share data.

However, in some cases the Buyer may wish to amalgamate the data of the target company with its own data to explore further value creation and synergies.

In such cases, the transaction is very likely to proceed by way of a share deal. However, if the Buyer wishes to integrate the data of the target company, then it would be best to consider the feasibility of obtaining consent from the personal information subjects. If the relevant data also involves important data, or core data, then the difficulty of obtaining an approval from the relevant government departments or making the relevant filing should be considered.

In addition, as for data involved in M&A transactions, the Buyer shall also ensure that none of the data falls within data categorized as being specifically restricted or prohibited. These include:

  • State Secrets. According to Law of the People’s Republic of China on Guarding State Secrets “no organization or individual may commit any of the following acts: (2) purchase, sell, present or destroy without prior permission carriers of State secrets”; “It is prohibited to illegally copy, record or save State secrets. It is prohibited to transmit State secrets via the Internet or other public information network or the wire or wireless communications which are free of any secrecy measures.”[8]
  • Human Genetic Resources. According to Administrative Regulations on Human Genetic Resources of the People’s Republic of China, “Foreign organizations, individuals and the institutions established or actually controlled thereby shall not collector preserve China’s human genetic resources within the territory of China. Nor shall they provide China’s human genetic resources out of the country”. And “the purchase and sale of human genetic resources shall be prohibited.” [9]The Implementing Rules for the Administrative Regulation on Human Genetic Resources (Exposure Draft) may apply mutatis mutandis to the recognition of foreign organizations, individuals and institutions established or actually controlled thereby.[10]

(2) Types of data involved in the target company/assets

There is much more flexibility as to the structure of transaction and the selection of parties if the data held by the target company or included in the target assets do not fall within the scope of regulated data and there are no restrictions or special requirements on their transfer or sharing by current PRC laws and regulations.

If the target assets or businesses involve personal information, and important data/core data, they will be subject to more restrictions. In comparison, equity transactions appear to be subject to fewer regulatory restrictions than asset transactions with respect to data compliance requirements. For instance, under the circumstances involving personal information, if the target company does not need to transfer or share personal information with the Buyer or its affiliates, the equity transaction may not trigger notification to or consent from personal information subjects. However, in asset transactions, obtaining consent from personal information is usually required, because asset transactions generally involve data flow.

(3) Whether the target company/data has significant data compliance issues

A Buyer’s due diligence on the target company may identify significant data compliance issues.

An example is if the target company collects personal information illegally, then it may face legal risks such as administrative penalties. If the data is of low importance for business operations, then the Buyer could consider excluding data from the scope of acquisition. In such way the data related business with compliance issues would remain with the target company and thereby the Buyer avoids bearing historical risks in such regard.

(4) Whether transactions are cross borders

If the offshore Buyer directly acquires assets involving data, or transfers or shares data with the Buyer or its affiliates abroad, then this would be deemed as a data cross-border transmission.

If personal information or important data is involved, special requirements for data cross-border transmission will need to be complied with[11], including : (i) important data and personal information collected by personal information processors will need to be stored locally if thresholds are met - if triggered such cross-border transmission of personal information would be subject to a security assessment organized by the national cyberspace administration authority; (ii) for other personal information, the cross-border transmission is subject to the personal information protection authentication regulated in the PIPL or a standard contract based on the national cyberspace administration authority’s templates.

If the offshore Buyer acquires the equity of the domestic target company, then the data will still be stored and processed by the target company after closing then no data cross-border transmission issue will be raised.

3. Summary

M&A transactions can be structured in a variety of ways. In most the structure and contracts seek to minimize risk and improve deal certainty.

Generally, the transactions are considered from a commercial, liability, tax and operational perspective. To date data compliance has not usually been a decisive factor to consider when determining the structure of a PRC M&A transaction.

However, the importance of data and the risks of non-compliance means that it will need to be considered going forward. This is especially so in M&A transactions where data assets account for a large part of the value or are mission critical to operations or the business touches on sensitive areas.

The important data or core data herein refers to the data mentioned or defined in the Data Security Law of the People’s Republic of China and other relevant laws and regulations, rather than the classification and definition made by an enterprise according to the importance of its own business data.

Article 33 of the Regulations for the Administration of Network Data Security (Exposure Draft)

Article 32 of the Regulations for the Administration of Network Data Security (Exposure Draft)

Article 22 of the Administrative Measures for Data Security in the Field of Industry and Information Technology (for Trial Implementation) (Exposure Draft)

http://www.21jingji.com/article/20220312/herald/385074a90084ba6c98b55aa7adfc7c19.html

For instance, the relevant provisions of Article 12 of the Regulations of Shanghai Municipality on Data, which will come into effect on January 1, 2022, and the provisions of Article 4 of the Regulation of Shenzhen Special Economic Zone on Data, which will come into effect on the same day.

Please refer to Article 23 of Personal Information Protection Law.

Article 25 & 26 of Law of People’s Republic of China on Guarding State Secrets

Article 7 & 10 of Administrative Regulations on Human Genetic Resources of the People’s Republic of China

Article 12 of the Implementation Rules for the Administration Regulation on Human Genetic Resources (Exposure Draft)

Please refer to Articles 38 to 40 of the Personal Information Protection Law, Article 31 of the Data Security Law, and Articles 35 to 37 of the Regulation of Data Security (Exposure Draft)
Categories

Reference

  • [1]

    The important data or core data herein refers to the data mentioned or defined in the Data Security Law of the People’s Republic of China and other relevant laws and regulations, rather than the classification and definition made by an enterprise according to the importance of its own business data.

  • [2]

    Article 33 of the Regulations for the Administration of Network Data Security (Exposure Draft)

  • [3]

    Article 32 of the Regulations for the Administration of Network Data Security (Exposure Draft)

  • [4]

    Article 22 of the Administrative Measures for Data Security in the Field of Industry and Information Technology (for Trial Implementation) (Exposure Draft)

  • [6]

    For instance, the relevant provisions of Article 12 of the Regulations of Shanghai Municipality on Data, which will come into effect on January 1, 2022, and the provisions of Article 4 of the Regulation of Shenzhen Special Economic Zone on Data, which will come into effect on the same day.

  • [7]

    Please refer to Article 23 of Personal Information Protection Law.

  • [8]

    Article 25 & 26 of Law of People’s Republic of China on Guarding State Secrets

  • [9]

    Article 7 & 10 of Administrative Regulations on Human Genetic Resources of the People’s Republic of China

  • [10]

    Article 12 of the Implementation Rules for the Administration Regulation on Human Genetic Resources (Exposure Draft)

  • [11]

    Please refer to Articles 38 to 40 of the Personal Information Protection Law, Article 31 of the Data Security Law, and Articles 35 to 37 of the Regulation of Data Security (Exposure Draft)

    • SHOW MORE

MEET THE AUTHORS

LATEST THINKING
Insight
Key Points of the Anti-Foreign Sanctions Law Implementation Rule
Amid growing global complexity and instability, China enacted the Anti-Foreign Sanctions Law (AFSL) in 2021, providing a legal framework for countering undue foreign sanctions. Following four years of deliberation, the State Council introduced the Regulations on the Implementation of the Anti-Foreign Sanctions Law (New Regulations) on 23 March 2025, refining operational rules and strengthening enforceability. This article provides a practical analysis of the key aspects of the New Regulations from the perspective of financial institutions’ business operations, which are notable for financial institutions’ reference.Dispute Resolution and Litigation-Financial Disputes, Financial Institutions

25 March 2025

Insight
Navigating Copyright Challenges in AI Model Training: A Cross-Border Perspective
Whether training AI models with copyrighted materials constitutes copyright infringement is a heavily debated and litigated topic in China and around the world. In this article, we examine the matter with a step-by-step breakdown of the technical process for training AI models and reveal that copyrighted works may be stored only briefly in the memory of computing devices. Additionally, we discuss how AI model training temporarily uses stored copyrighted works for “understanding” and “extracting” concepts and ideas, rather than retaining particular expressions for “independent economic value,” and what this means under copyright laws. The article primarily focuses on Chinese law, while also briefly mentioning U.S. and EU laws.intellectual property-trademarks and copyright-intellectual property dispute resolution, artificial intelligence

24 March 2025

Publication
King & Wood Mallesons delighted to contribute to the 2025 China chapter of AI-Generated Content and Copyright published by Thomson Reuters Practical Law
On March 18, 2025, the renowned legal know-how provider Practical Law under Thomson Reuters published the updated version of “AI-Generated Content and Copyright (China)” (2025 Note).

20 March 2025

EXPLORE LATEST THINKING
OUR PEOPLE
LOCATIONS
MEDIA CENTRE
CAREERS
ABOUT US
CROSS-JURISDICTIONAL PRACTICE OFFICE
Explore Our Expertise
Explore insights
Explore Our Insights

Advertising and Targeting Cookies