AG真人国际-(china)官方网站

ag真人国际官网观法
ag真人国际官网观法丨跨境并购交易之数据影响篇/Data Impact Specials on Cross-border M&As
作者:ag真人国际官网律师事务所 2023-05-10

1.png





中文版



数据资产作为要素驱动的跨境并购类交易将日益活跃,数据风险对尽职调查和交易估值亦提出了新的挑战,对买方的数据接受能力的反向尽职调查已成为新特色,数据风险影响投资人的估值,数据转移方案已成为并购交易文件主要新增的工作内容。


随着人工智能技术不断升级和应用,数据作为生产要素的经济性特征越来越明显,并渗透到社会体系各方面,世界上不同国家与地区之间都在对数据作为要素的产品和服务加以规范,并对随之带来的对个人隐私与自由的权利侵蚀予以保护。不同于中国有单独的数据安全和个人信息保护立法体系,欧盟与英国对数据产品和服务的规范除了GDPR,主要是外商投资安全审查制度与反垄断审查。本文将从跨境并购的角度入手,浅析中国的数据法律规范对涉及中国元素的跨境并购交易的影响。


对买方的数据接收能力的尽职调查


在传统的并购交易尽职调查中,我们一般只侧重对卖方做全面的尽职调查,包括法律、财务和业务方面的尽职调查,而甚少对买方做反向尽职调查,通常对买方仅限于基本背景了解和财务购买能力的要求。但在中国的数据法律规范体系下,买方还需配合卖方做数据安全和隐私保护能力水平的评估,以确保在交易后,买方有能力承接和保护数据安全和个人隐私利益。 


根据《工信部工业和信息化领域数据安全管理办法(试行)》(工业和信息化部2022年12月6日颁布),第22条 工业化信息处理者“因兼并、重组、破产等原因需要转移数据的,应当明确数据转移方案”。而制定数据转移方案,不可避免需要对买方的数据承接能力做尽调。因此这是不同于传统尽职调查工作中的数据特色。


跨境数据转移规范的冲突适用


对一个典型的跨境并购,交易各方可能受不同法域的有关数据安全与隐私的保护,不同的数据保护规范可能产生冲突。假设我们的交易卖方是欧盟的一家企业,买方是来自中国的买家,处理英国企业的数据存储在欧盟境内,买方需要遵守欧盟的GDPR要求,将数据转移给不在欧盟境内的中国买家时需要签订欧盟标准合同条款(SCC)。对于中国的买家来说,接受来自境外的信息和数据不属于中国数据法律监管的范围,只需要遵守欧盟标准合同条款,但根据GDPR的要求,仍需要配合欧盟的卖方提供符合欧盟SCC的有关信息和资料,如果涉及到中国买家的个人信息出境,还要依据具体情况签订中国个人信息出境标准合同或做数据出境安全评估。


欧盟的SCC与中国的SCC确有不兼容的地方,比如争议的解决方式和适用法律。对于同时签订了欧盟的SCC与中国的SCC的英国买方或者中国买方来说,是否存在这两种规范冲突呢?从规范内容上的确有冲突,但适用上没有冲突,对于不同法域的数据监管要求,应以数据来源为基准判断适用的规则。对于来自中国的数据,适用中国数据法律监管规定,对于来自欧盟的数据,适用欧盟的数据规则。


交易估值和交易文件的调整


投资人会根据数据风险调整估值,数据安全与隐私保护合规水平高的企业会因此而增值,反之亦然。并购中涉及的数据转移方案将是影响交易文件的主要新增内容。


此外,依据具体交易情况,数据风险将不同程度地影响交易交割条件设置、交割后义务、陈述与保证、赔偿机制等条款。


111.png





English version



Key Words: Cross-border M&A-type transactions driven by data assets are  becoming increasingly active. Data risk poses new challenges to due diligence and deal valuation. Reverse due diligence on the buyer's ability to take control of data has become a new feature, data risk affects investor valuations, and data transfer solution has become a major addition to M&A transaction documents.


With the continuous upgrading and application of artificial intelligence technology, the economic characteristics of data as a production factor are becoming more obvious and penetrating all aspects of the social system. Various countries and regions in the world have started to regulate the products and services of data as a factor and take actions to protect against the consequent erosion of individual privacy. China has separate legislation on data security and personal information protection, unlike the EU, which regulate data products and services mainly through the foreign investment security review system and anti-monopoly review, in addition to the GDPR. This article analyzes the impact of China's data legislation on cross-border M&A transactions involving Chinese elements, starting from the perspective of cross-border M&A.


1

Due Diligence about Buyer's Ability to Take Control of Data


Under traditional M&A transaction due diligence, we generally focus only on seller side for a comprehensive due diligence, which includes legal, financial, and operational due diligence. We seldom do reverse due diligence on buyer side, and usually limited due diligence on buyer to basic background and financial purchasing power. However, under the Chinese data legislation system, the buyer also needs to cooperate with the seller to assess its level of data security and privacy protection to ensure that the buyer is capable of undertaking and protecting data security and personal privacy interests after the transaction.


According to the Measures for Data Security Management in the Industrial and Information Technology Sector (for Trial Implementation) (issued by the Ministry of Industry and Information Technology on December 6, 2022), Article 22 provides that where a data processor in the industrial and information technology sector “needs to transfer data due to merger, reorganization, bankruptcy, or other reasons, it shall formulate the data transfer plan.” The formulation of a data transfer plan inevitably requires due diligence on the buyer's capacity to take over the data. This is therefore a distinctive feature from traditional due diligence work. 


2

Conflict of Laws on Cross-border Data Transfer


For a typical cross-border M&A, the parties to the transaction may be subject to different jurisdictions' protection of data security and privacy, and there is a possible conflict of laws on different data protection laws. Assuming that the Seller of our transaction is a company in the EU and the Buyer is from China, and the data of a UK company, processed by the Seller, is stored in the EU. The buyer needs to comply with the requirements of the EU GDPR. To transfer the data to the Chinese Buyer outside of the EU, the Chinese buyer needs to sign the EU Standard Contractual Clause (SCC). For the Buyer, receiving information and data from outside China does not fall under the jurisdiction of Chinese data law, thus the Buyer generally only needs to comply with the EU SCC. However, even according to GDPR, the Chinese Buyer needs to cooperate with the EU Seller to provide relevant information and data to show its capacity to comply with the EU SCC, and if the personal information controlled by the Chinese Buyer is involved and needs to be transferred outside of China, then based on the specific situation, the Chinese Standard Contract for Cross-border Transfer of Personal Information (China SCC) or the Security Assessment of Outbound Data Transfers should be handled. 


There are indeed incompatibilities between the EU SCC and the Chinese SCC, such as dispute resolution and applicable law. For a UK buyer and a Chinese buyer, both of whom have signed both the EU SCC and the Chinese SCC, will there be a conflict between the two SCCs? Indeed, there will be conflicts regarding the content of the two SCCs; however, no conflicts will be found regarding the applicability of the SCCs. For data regulatory requirements in different jurisdictions, the applicable rules should be determined based on the source of the data. As such, for data from China, the Chinese data law applies; for data from the EU, the EU data law applies.


3

Valuation and Adjustment of Transaction Documents


Investors will adjust valuations based on data risk revealed through a due diligence. As a result, companies with sound  data security and privacy protection compliance systems will be given extra value, and vice versa. 


The data transfer solution involved in a M&A will be a major addition that will affect the transaction documents. In addition, depending on the specific transaction, data risks will affect, to varying degrees, the terms and conditions precedent to completion, post-completion obligations, representations and warranties, indemnification mechanisms, etc.


联系我们

北京 

北京市朝阳区东三环中路5号财富金融中心35-36层  

电话:+86 10 8587 9199 

上海 

上海市长宁区遵义路150号虹桥南丰城C栋2006室

电话:+86 21 6289 8808 


深圳

广东省深圳市福田区金田路荣超经贸中心4801  

电话:+86 0755-82730104

天津 

天津市河西区郁江道14号观塘大厦1号楼17层

电话:022-87560066

南京

江苏省南京市江宁区庄排路159号2号楼601室

电话:+025-83708988


郑州 

河南省郑州市金水区金融岛华仕中心B座2楼

电话:+86 371 8895 8789 


呼和浩特

内蒙古呼和浩特市赛罕区绿地腾飞大厦B座15层

电话:0471-3910106


昆明

云南省昆明市盘龙区恒隆广场11楼1106室

电话:+0871-63306330


西安

陕西省西安市高新区锦业路11号绿地中心B座39层

电话:+029-68273708 


杭州 

浙江省杭州市西湖区学院路77号黄龙国际中心B座11层 

电话:+86 571 8673 8786


重庆

地址:重庆市江北区庆云路江2号国金中心T6写字楼8层8-8 

电话:+86 23 67528936


海口 

海南省海口市龙华区玉沙路5号国贸中心11楼

电话:0898-68508795


东京

日本国东京都港区虎之门一丁目1番18号HULIC TORANOMON BLDG.

电话:+81 3 3591 3796


加拿大

加拿大爱德华王子岛省夏洛特顿市皇后街160号

电话:001-902-918-0888

  • 首页
  • 电话
  • 返回顶部
  • 友情链接: