數據資產作為要素驅動的跨境并購類交易將日益活躍,數據風險對盡職調查和交易估值亦提出了新的挑戰,對買方的數據接受能力的反向盡職調查已成為新特色,數據風險影響投資人的估值,數據轉移方案已成為并購交易文件主要新增的工作內容。
隨著人工智能技術不斷升級和應用,數據作為生產要素的經濟性特征越來越明顯,并滲透到社會體系各方面,世界上不同國家與地區之間都在對數據作為要素的產品和服務加以規范,并對隨之帶來的對個人隱私與自由的權利侵蝕予以保護。不同于中國有單獨的數據安全和個人信息保護立法體系,歐盟與英國對數據產品和服務的規范除了GDPR,主要是外商投資安全審查制度與反壟斷審查。本文將從跨境并購的角度入手,淺析中國的數據法律規范對涉及中國元素的跨境并購交易的影響。
一
對買方的數據接收能力的盡職調查
在傳統的并購交易盡職調查中,我們一般只側重對賣方做全面的盡職調查,包括法律、財務和業務方面的盡職調查,而甚少對買方做反向盡職調查,通常對買方僅限于基本背景了解和財務購買能力的要求。但在中國的數據法律規范體系下,買方還需配合賣方做數據安全和隱私保護能力水平的評估,以確保在交易后,買方有能力承接和保護數據安全和個人隱私利益。
根據《工信部工業和信息化領域數據安全管理辦法(試行)》(工業和信息化部2022年12月6日頒布),第22條 工業化信息處理者“因兼并、重組、破產等原因需要轉移數據的,應當明確數據轉移方案”。而制定數據轉移方案,不可避免需要對買方的數據承接能力做盡調。因此這是不同于傳統盡職調查工作中的數據特色。
二
跨境數據轉移規范的沖突適用
對一個典型的跨境并購,交易各方可能受不同法域的有關數據安全與隱私的保護,不同的數據保護規范可能產生沖突。假設我們的交易賣方是歐盟的一家企業,買方是來自中國的買家,處理英國企業的數據存儲在歐盟境內,買方需要遵守歐盟的GDPR要求,將數據轉移給不在歐盟境內的中國買家時需要簽訂歐盟標準合同條款(SCC)。對于中國的買家來說,接受來自境外的信息和數據不屬于中國數據法律監管的范圍,只需要遵守歐盟標準合同條款,但根據GDPR的要求,仍需要配合歐盟的賣方提供符合歐盟SCC的有關信息和資料,如果涉及到中國買家的個人信息出境,還要依據具體情況簽訂中國個人信息出境標準合同或做數據出境安全評估。
歐盟的SCC與中國的SCC確有不兼容的地方,比如爭議的解決方式和適用法律。對于同時簽訂了歐盟的SCC與中國的SCC的英國買方或者中國買方來說,是否存在這兩種規范沖突呢?從規范內容上的確有沖突,但適用上沒有沖突,對于不同法域的數據監管要求,應以數據來源為基準判斷適用的規則。對于來自中國的數據,適用中國數據法律監管規定,對于來自歐盟的數據,適用歐盟的數據規則。
三
交易估值和交易文件的調整
投資人會根據數據風險調整估值,數據安全與隱私保護合規水平高的企業會因此而增值,反之亦然。并購中涉及的數據轉移方案將是影響交易文件的主要新增內容。
此外,依據具體交易情況,數據風險將不同程度地影響交易交割條件設置、交割后義務、陳述與保證、賠償機制等條款。
Key Words: Cross-border M&A-type transactions driven by data assets are becoming increasingly active. Data risk poses new challenges to due diligence and deal valuation. Reverse due diligence on the buyer's ability to take control of data has become a new feature, data risk affects investor valuations, and data transfer solution has become a major addition to M&A transaction documents.
With the continuous upgrading and application of artificial intelligence technology, the economic characteristics of data as a production factor are becoming more obvious and penetrating all aspects of the social system. Various countries and regions in the world have started to regulate the products and services of data as a factor and take actions to protect against the consequent erosion of individual privacy. China has separate legislation on data security and personal information protection, unlike the EU, which regulate data products and services mainly through the foreign investment security review system and anti-monopoly review, in addition to the GDPR. This article analyzes the impact of China's data legislation on cross-border M&A transactions involving Chinese elements, starting from the perspective of cross-border M&A.
1
Due Diligence about Buyer's Ability to Take Control of Data
Under traditional M&A transaction due diligence, we generally focus only on seller side for a comprehensive due diligence, which includes legal, financial, and operational due diligence. We seldom do reverse due diligence on buyer side, and usually limited due diligence on buyer to basic background and financial purchasing power. However, under the Chinese data legislation system, the buyer also needs to cooperate with the seller to assess its level of data security and privacy protection to ensure that the buyer is capable of undertaking and protecting data security and personal privacy interests after the transaction.
According to the Measures for Data Security Management in the Industrial and Information Technology Sector (for Trial Implementation) (issued by the Ministry of Industry and Information Technology on December 6, 2022), Article 22 provides that where a data processor in the industrial and information technology sector “needs to transfer data due to merger, reorganization, bankruptcy, or other reasons, it shall formulate the data transfer plan.” The formulation of a data transfer plan inevitably requires due diligence on the buyer's capacity to take over the data. This is therefore a distinctive feature from traditional due diligence work.
2
Conflict of Laws on Cross-border Data Transfer
For a typical cross-border M&A, the parties to the transaction may be subject to different jurisdictions' protection of data security and privacy, and there is a possible conflict of laws on different data protection laws. Assuming that the Seller of our transaction is a company in the EU and the Buyer is from China, and the data of a UK company, processed by the Seller, is stored in the EU. The buyer needs to comply with the requirements of the EU GDPR. To transfer the data to the Chinese Buyer outside of the EU, the Chinese buyer needs to sign the EU Standard Contractual Clause (SCC). For the Buyer, receiving information and data from outside China does not fall under the jurisdiction of Chinese data law, thus the Buyer generally only needs to comply with the EU SCC. However, even according to GDPR, the Chinese Buyer needs to cooperate with the EU Seller to provide relevant information and data to show its capacity to comply with the EU SCC, and if the personal information controlled by the Chinese Buyer is involved and needs to be transferred outside of China, then based on the specific situation, the Chinese Standard Contract for Cross-border Transfer of Personal Information (China SCC) or the Security Assessment of Outbound Data Transfers should be handled.
There are indeed incompatibilities between the EU SCC and the Chinese SCC, such as dispute resolution and applicable law. For a UK buyer and a Chinese buyer, both of whom have signed both the EU SCC and the Chinese SCC, will there be a conflict between the two SCCs? Indeed, there will be conflicts regarding the content of the two SCCs; however, no conflicts will be found regarding the applicability of the SCCs. For data regulatory requirements in different jurisdictions, the applicable rules should be determined based on the source of the data. As such, for data from China, the Chinese data law applies; for data from the EU, the EU data law applies.
3
Valuation and Adjustment of Transaction Documents
Investors will adjust valuations based on data risk revealed through a due diligence. As a result, companies with sound data security and privacy protection compliance systems will be given extra value, and vice versa.
The data transfer solution involved in a M&A will be a major addition that will affect the transaction documents. In addition, depending on the specific transaction, data risks will affect, to varying degrees, the terms and conditions precedent to completion, post-completion obligations, representations and warranties, indemnification mechanisms, etc.
北京
北京市朝陽區東三環中路5號財富金融中心35-36層
電話:+86 10 8587 9199
上海
上海市長寧區長寧路1133號長寧來福士廣場T1辦公樓37層
電話:+86 21 6289 8808
深圳
廣東省深圳市福田區金田路榮超經貿中心4801
電話:+86 755 8273 0104
天津
天津市河西區郁江道14號觀塘大廈1號樓17層
電話:+86 22 8756 0066
南京
南京市江寧區秣周東路12號7號樓知識產權大廈10層1006-1008室
電話:+86 25 8370 8988
鄭州
河南省鄭州市金水區金融島華仕中心B座2樓
電話:+86 371 8895 8789
呼和浩特
內蒙古呼和浩特市賽罕區綠地騰飛大廈B座15層
電話:+86 471 3910 106
昆明
云南省昆明市盤龍區恒隆廣場11樓1106室
電話:+86 871 6330 6330
西安
陜西省西安市雁塔區翠華路500號佳和商務大廈A座26層07室
電話:+86 29 8931 3353
杭州
浙江省杭州市西湖區學院路77號黃龍國際中心B座11層
電話:+86 571 8673 8786
重慶
重慶市兩江新區慶云路2號國金中心T6寫字樓8層8-8
電話:+86 23 6752 8936
海口
海南省海口市龍華區玉沙路5號國貿中心11樓
電話:+86 898 6850 8795
日本東京
日本國東京都港區虎之門一丁目1番18號HULIC TORANOMON BLDG.
電話:0081 3 3591 3796
加拿大愛德華王子島省
加拿大愛德華王子島省夏洛特頓市皇后街160號B座
電話:001 902 518 2988
阿聯酋迪拜
迪拜伊瑪爾商業園1號樓505號
電話:971 52 8372673
Copyright 2001-2026 Anli Partners. All Rights Reserved 京ICP備05023788號-2 京公網安備11010502032603號
聲明:本官網文章僅供交流,不構成安理律師對特定事項的法律意見或建議。如您面臨法律問題,建議您聯系安理律師或其他具有相關資格的專業人士尋求法律幫助。安理法律咨詢電話:400-800-5639。
