Data is now a crucial part of not only our lives but also critical to the operation of business. The digital economy has transformed the role of data into being a core business asset.
These data assets are attracting more attention for M&A transactions in China. This is especially in cases where the data assets account for a high proportion of the target’s overall value or if the data assets are mission critical to the target’s operations.
As data has become more valuable it has also become much more stringently regulated. Targets with serious data non-compliance issues, such as deriving data from illegal or non-compliant sources or carrying out non-compliant data processing, can seriously affect or derail an M&A transaction. Such issues may require remedial actions or greater hold backs to cover potential liabilities. In serious cases this may lead to a prior divestiture of non-compliant data assets or the derailing of the entire transaction.
1. Why data compliance due diligence is needed in M&A transactions
a) Hidden Hazards
The importance of data compliance in M&A is illustrated by some recent cases:
The Hacked Hotel – in this case a well-known hotel’s ("Hotel Hacked") room reservation system was vulnerable and had been hacked in 2014. In 2016, a large international group ("Group Naïve") acquired Hotel Hacked but did not uncover the system vulnerabilities during the due diligence process. Subsequently in 2018 the hack was discovered and publicly disclosed. An assessment showed that more than 300 million personal information data points of Hotel Hacked's customers had been stolen.
In 2020, a personal data protection regulator imposed fines amounting to approximately USD 25 million on Group Naïve for data compliance issues (including the Hotel Hacked data breach). In addition to the fine, Group Naïve also faced class action lawsuits.
Group Naïve's due diligence failed to identify the system's vulnerabilities. Had Group Naïve paid more attention to data compliance due diligence, it would likely have identified these vulnerabilities and structured the acquisition accordingly (e.g. limiting risk exposure by reducing the acquisition price or having a larger hold back).
Rainy Clouds - A similar case involves the acquisition of a cloud-based multi-channel payment platform ("Rainy Cloud Company"). The buyer ("Company Drenched") completed the acquisition in 2017 for a price exceeding USD 200 million. Post-acquisition Company Drenched discovered that hackers had stolen personal information (including personal financial information) of approximately one million users from Rainy Cloud Company’s servers. Security concerns led to Company Drenched suspending all of Rainy Cloud Company’s operations a few months after the transaction. Ultimately Company Drenched shut down the company entirely and the acquisition was a total write off.
Failing to carry out proper data compliance due diligence can lead to major risks in M&A transactions in the PRC. These risks include civil lawsuits, administrative penalties (fines of up to RMB 50 million or 5% of the previous year's turnover), suspending the business or even revocation of the business license.
b) How Data Compliance Due Diligence Impacts the Buyer
Data compliance due diligence can help buyers assess and protect against potential legal risks.
Mayday – In May 2018 a large U.S.-based manufacturer of aircraft structural components ("Manufacturer Flying High") announced that it intended to acquire a Belgian manufacturer of aircraft components ("Manufacturer Too Low") for USD 650 million. However, in June 2019 the parties agreed to reduce the proposed price to USD 420 million due to a ransomware attack on Manufacturer Too Low's systems, which led to several plants halting operations. The transaction was ultimately cancelled in September 2020 because Manufacturer Too Low failed to meet closing conditions (including obtaining the consent of the European Commission – in this case data security issues, even between the EU and the USA, were a key concern).
Similarly, a major telecoms group ("Group V") experienced major issues when it sought to acquire a multinational internet group ("Group Y"). A massive data breach was discovered during the due diligence and resulted in the final acquisition amount being adjusted downwards by USD 350 million. In addition, the parties agreed to share the costs arising from the data breach, including expenses for government investigation and compensations for third party claims.
These cases illustrate that cybersecurity or other data compliance issues (including personal information breaches) can materially affect the value of a deal and in some cases may derail a deal.
In many M&A transactions the buyer has an eye on an eventual listing of a target company. In such cases, data non-compliance can derail a target company's listing process. Data compliance is increasingly a key concern when considering a listing in the PRC, especially for high-tech companies which are particularly dependent on data.
c) How Data Compliance Due Diligence Impacts the Seller
In our experience, it is important for sellers to get ahead of data compliance issues before they are detected by the buyer. Sellers that are proactive and provide solutions have better outcomes than those caught flat-footed (except in those cases above where the buyer did not conduct appropriate due diligence).
2. Red Flags
Risks are heightened when the M&A transaction involves a target company which deals in sensitive data, is connected to critical information infrastructure, or handles mass volumes of personal information.
Sensitive areas to consider include:
a) Critical Information Infrastructure
Critical information infrastructure refers to important network facilities and information systems related to public telecommunications, information services, energy, transportation, waterworks, the finance sector, public services, e-government, national defense, science, technology and other important industries. In addition, it covers any businesses closely linked to important network facilities and information systems whose compromise could affect national security, the national economy, society or the public interest.[1]
If the target company is a critical information infrastructure operator, then it will be subject to more stringent cybersecurity and data compliance requirements including localized storage of personal information and important data collected and generated during its PRC operations. In addition, security assessments will likely be required in case of the provision of important data or personal information outside the PRC and procurement of network products and services that may affect national security[2]. If the target company's business is related to critical information infrastructure (e.g. provides products or services to critical information infrastructure operators), then it will be subject to a review mechanism[3].
b) Important Data/Core Data
The concept of important data first appeared in the Cybersecurity Law of the PRC back in 2017[4]. Important data refers to data that if misused may endanger national security, public interest, or rights of individuals and organizations. In 2021, the Data Security Law of the PRC further introduced the concept of core data as data concerning national security, lifelines of the national economy, important livelihood of the public, major public interests, etc.[5]
Important and core data often attracts special attention from regulators and is subject to stricter compliance requirements. These restrictions may include restraint on cross-border transfers, localized storage requirements, periodic risk assessments, regular filings, etc.[6] Failure to meet such requirements may result in severe penalties.
In our opinion, the industry/field which the target company operates in is one of the important factors when identifying important data and core data. According to the Data Security Law, the State establishes a data classification and graded protection system. Core data requires a stricter management system than that for important data[7].
- Automotive Sector in the Driver Seat
In China at present, the automotive industry is taking the lead in clarifying the scope of important data. The definition encompasses geographic information of sensitive areas, traffic flow information, charging network operation data, video and images collected outside vehicles containing facial or license plate information, personal information involving more than 100,000 people, etc.[8] Other industries have not yet issued effective departmental regulations or provisions to clarify the scope of core data and important data in their respective fields.
- Other Sectors Following
However, there are draft regulations and national standards[9] for important data and core data for a variety of industries, including manufacturing, science and technology, telecommunications, energy, transportation, waterworks, finance, national defense science and technology industry, customs, taxation, etc.
Data compliance is also very sensitive and important in businesses involving artificial intelligence, Internet platforms, autonomous driving, etc.,[10] as these all have data as a key part of their operations.
Other sensitive business activities include health care, human genetic resources and mapping, as the data handled is sensitive (e.g. health big data information, geographic information, etc.).
c) Volume of Personal Information Subjects
Another sensitive area is companies operating with mass volumes of personal information. These are typically consumer facing businesses such as hotels, education providers, e-commerce companies, logistics, airlines, retailers, and FMCG (Fast-moving Consumer Goods) companies. These consumer facing companies handle personal information as a matter of course during their operations and this means there are higher risks of non-compliance occurring. If the target company is involved in handling mass amounts of personal information during its operations, then it may need to comply with more stringent data compliance requirements such as localized storage of personal information collected and generated in its operations in the PRC, being subject to security assessment in provision of personal information outside the PRC as well as designating a person in charge of personal information protection.[11]
In addition, consumer facing companies generally have large numbers of employees and suppliers. Care must be taken in respect of handling such personal information. Common compliance issues include transferring of employee personal information to overseas headquarters, sharing or entrusting employee personal information to domestic third parties (such as external HR management service providers).
3. Frequently Asked Questions in Data Compliance Due Diligence
a) What Should We be "Checking for" in a Data Compliance Due Diligence?
Data compliance due diligence mainly focuses on three aspects:
- Compliance for the full life cycle of data (i.e. data collection, storage, use, processing, transmission, provision, disclosure, deletion, etc.).
- Whether systems and measures are in place to ensure cybersecurity and data compliance. Are measures in place to prevent data being illegally stolen, leaked, transferred, abused, tampered with or destroyed?
- Have there been any cybersecurity incidents or personal information leaks (such as data security vulnerabilities)? Has any litigation arisen, or are there any regulatory inquiries or administrative penalties?
b) What Issues Need to be Considered When Reviewing the Target Company?
The following factors should be considered when analyzing the risk level of the target company:
- Is data especially important to the business or sector?
- Are any products and/or services impacted by data? Are any of the customers particularly sensitive?
- Is data transferred to overseas subsidiaries/branches?
- Is the target company part of the critical information infrastructure or does it provide relevant products or services?
- Does the target company use systems which are vulnerable (i.e. operation and maintenance, location of servers, main features, types of users, etc.)?
- Are the target company's operating platforms (including APPs, mini programs, Official Accounts, websites, H5, etc.) secure?
c) How is Data Collected and Stored?
Issues to be considered include:
- Types and circumstances of data collection and storage.
- Is personal information collected within reasonable limits?
- Is personal information, sensitive personal information or personal information of minors involved?
- Is important data collected and stored?
- Is data obtained from third parties? If so, have the required consents obtained by the third party been verified?
- Has any data been obtained by web crawlers?
- How is the data stored? For what duration? Where is the data located? Are important data and personal information stored separately? Are access restrictions to the data in place? How is data handled after the expiration of the storage period?
- What use is made of third-party SDKs?
- Has the privacy policy been updated?
- Is the data classified? Is data backed up, desensitized/encrypted?
d) How is Data Used, Processed, Transmitted, Provided or Disclosed?
Issues to be considered include:
- Do the operations involve the processing of data beyond the scope of authorization?
- Has there been any non-compliant cross-border transfer of personal information or important data? If this is the case, had a security assessment taken place?
- Is data processing conducted by a third party? If so, has the target company obtained the relevant authorization/consent?
- Does the target company use a third-party platform to store data, etc.?
e) Cybersecurity Considerations?
Issues to be considered include:
- Are data security and cybersecurity policies in place?
- Has a personal information security impact assessment system been established?
- Has cybersecurity and data compliance training been provided to employees?
- Are data compliance and cybersecurity clauses included in employment contracts with employees?
- Have the departments and relevant persons in charge of cybersecurity and personal information protection been identified?
- Have systems related to security protection been deployed?
- Do information systems meet the determined security protection grades, and have the graded protection filings been completed?
- Are cybersecurity emergency plans in place, and are cybersecurity emergency drills regularly carried out?
- Have cybersecurity monitoring, early warning and information notification systems been established?
- Does the target company conduct regular cybersecurity audits?
- Are there any mechanisms in place to receive and handle user complaints and reports?
f) Cybersecurity Incidents?
Issues to be considered include:
- Have the target company's products or services been found to have malicious programs, security flaws, vulnerabilities or other risks?
- Has there been a history of cyberattacks or network intrusions?
- Have there been any personal information leakages, destruction or losses?
- Has the target company been subject to civil lawsuits, administrative investigation or penalties, or criminal investigation or prosecution for violation of cybersecurity laws or infringement of personal information?
4. How Does Data Compliance Due Diligence Differ from Regular Due Diligence
Like regular due diligence, a data compliance due diligence will normally be based upon independent public investigations, document review, and personnel interviews.
However, additionally, a data compliance due diligence will normally involve a technical investigation. This will investigate the data security and cybersecurity systems of the target company from a technical perspective. In most cases, the technical investigation will be completed by a joint legal and technical team.
Regular due diligence often overlooks data compliance and focuses only on high-level issues, typically limited to the following questions: Is a privacy policy in place? Has the target company been involved in the sale or purchase of personal data? Have there been cybersecurity incidents? Have the most obvious laws and regulations on data compliance been complied with? This is not sufficient if the target company falls within a sensitive area or is subject to special scrutiny.
Although not all transactions will require a dedicated data compliance due diligence, it is no longer wise to merely have a brief look at the target company's data compliance. Enhanced data due diligence is warranted if the target company: 1) has operations that are dependent on data; 2) deals in mass data; 3) collects or processes sensitive data; 4) is a part of critical information infrastructure or sells products or services to it; 5) transfers data outside the PRC; or 6) processes data that comprises a large portion of the company's asset value.
5. Summary
Deal teams need to be aware of how digital assets and compliance can impact transactions. Businesses are increasingly reliant on digital assets to operate and on cyber-solutions to protect them. In addition, the importance of data has not gone unnoticed by regulators, who are very aware of the potential harm that misuse or data hacks may do to society, the economy or national security.
For these reasons, data compliance and asset due diligence is becoming extremely important as it may affect valuations or structure of the deal or indeed whether the transaction is feasible.
[1] Security Protection Regulations for Critical Information Infrastructure, Article 2.
[2] Cybersecurity Law, Articles 31-39; Data Security Law, Article 31; Personal Information Protection Law, Article 40.
[3] Cybersecurity Review Measures, Article 2.
[4] Cybersecurity Law, Articles 21 & 37.
[5] Data Security Law, Article 21.
[6] Regarding localized storage: Cybersecurity Law, Article 37; Regulations on Security Management of Automotive Data (for Trial Implementation), Article 11; Measures for the Administration of Data Security in Industry and Information Areas (for Trial Implementation) (Exposure Draft), Article 21, etc. Regarding cross-border data transfer security assessment: Data Security Law, Article 11; Regulations on Security Management of Automotive Data (for Trial Implementation), Article 11; Measures for the Administration of Data Security in Industry and Information Areas (for Trial Implementation) (Exposure Draft), Article 21; Measures for Data Cross-Border Transfer Security Assessment (Exposure Draft), Article 4; Regulations for Network Data Security Management (Exposure Draft), Article 37, etc. Regarding periodic risk assessments: Cybersecurity Law, Article 30, etc. Regarding filings of important data: Regulations for Network Data Security Management (Exposure Draft), Article 29, etc.
[7] Data Security Law, Article 21.
[8] Regulations on Security Management of Automotive Data (for Trial Implementation), Article 3.
[9] Including but not limited to Measures for the Administration of Data Security in Industry and Information Areas (for Trial Implementation) (Exposure Draft); Information security technology - Guidelines for data cross-border transfer security assessment (Exposure Draft); Regulations on Network Data Security Management (Draft for Comments), etc.
[10] According to the Statistical Classification of Digital Economy and its Core Industries, digital economy industries with data resources as key production factors include: (1) digital product manufacturing: including industrial robot manufacturing, wearable smart devices, smart vehicle equipment manufacturing, smart unmanned aerial vehicle system manufacturing, etc.; (2) digital product service industry: digital product sales, leasing, maintenance, etc.; (3) digital technology application industry: including software development, Internet services (such as Internet search, online gaming, online consulting, online data services), etc.; (4) digital factor-driven industry: Internet platforms (such as Internet production service platforms, living service platforms, technology innovation platforms, public service platforms), online sales, online finance, etc.; and (5) digital efficiency enhancement industry: intelligent manufacturing, intelligent transportation, intelligent logistics, intelligent medical care, etc.
[11] Regarding localized storage: Article 40 of the Personal Information Protection Law stipulates that personal information processors whose quantity of processing of personal information reaches that prescribed by the Cyberspace Administration of China shall store personal information collected and generated within the territory of the PRC. Article 27 of the Interim Administrative Measures for the Business of Online Taxi Booking Services provides that personal information collected and business data generated by the booking platform shall be stored and used in China. The Opinions of the Ministry of Industry and Information Technology on Strengthening the Management of Access to Intelligent Networked Vehicle Manufacturers and Products provide that personal information and important data collected and generated by intelligent networked vehicle manufacturers in their operations in the PRC shall be stored in the territory of the PRC in accordance with relevant laws and regulations. Article 7 of the Cybersecurity Review Measures stipulates that network platform operators holding personal information of more than one million users and going public abroad must declare a cybersecurity review to the Cybersecurity Review Office. Regarding cross-border data transfer security assessment: Article 40 of the Personal Information Protection Law, Article 7 of the Cybersecurity Review Measures, Article 37 of the Regulations on Network Data Security Management (Exposure Draft) and Article 4 of the Measures for Data Cross-Border Transfer Security Assessment (Exposure Draft) stipulate that personal information processors handling personal information of up to one million people who provide personal information abroad, or processors providing personal information of more than 100,000 people or sensitive personal information of more than 10,000 people abroad in aggregate, are required to conduct a security assessment. Regarding the designation of the person in charge of personal information protection: Personal Information Protection Law, Article 52.