Protecting Personal Information in M&A Transactions

Pre-Signing Valuation

Before launching an M&A deal, a buyer will estimate the value of the target company and consider the applicable strategy and structure of the transaction.

1 .   Whether the target company is legally compliant and protects personal information in its daily operation may influence its value.

The target company's leakage or misuse of information may reduce its market value because it may bring the company into disrepute. In 2017, Verizon, a leading telecom company, was scheduled to purchase Yahoo!; however, the deal was delayed because of Yahoo!'s serious user information leak during the period from 2013 to 2016 and the deal was finally closed with a price deduction of US$350 million. Yahoo! was penalized by the US Securities Exchange Commission for the information leak and entered into a settlement agreement with the plaintiffs in court.

If the target company has been subject of scandalous business news or has encountered administrative sanctions or lawsuits relating to personal information protection, it should raise alarm bells for the buyer that there may be potential legal risks associated with the target company…

The case provides a good example to a buyer that it should not ignore the value risk arising from personal information protection. If the target company has been subject of scandalous business news or has encountered administrative sanctions or lawsuits relating to personal information protection, it should raise alarm bells for the buyer that there may be potential legal risks associated with the target company, and to ensure that incidents such as these will not happen again which may affect the value, as well as the operation of the target company.

2 .   A buyer should consider whether there are any restrictions on the use of the data controlled by the target company, especially if the main asset of the target company is personal information.

In the digital age, personal information can make up the bulk of a company's capital assets because of its significant value. A buyer's aim may be to acquire the personal information from the target company and use it to make money. However, Article 9.3 of the 2020 Specification requires the buyer to get explicit consent from the personal information subject before the information can be used in another way. It is possible that the personal information subject will not give consent to the new use, which means that the buyer may not be able to fulfill its original purpose of the M&A. Therefore, a buyer should assess the market value of the target company cautiously and keeping in mind that it may not be able to achieve all its acquisition objectives.

Due Diligence

The purpose of due diligence on the target company is to gain comprehensive knowledge of the target company, as well as to assess the risks of purchasing the target company. With the increasing risk of cybersecurity and strengthening protection of personal information by relevant authorities, the importance placed on due diligence on personal information protection compliance is rising.

To avoid such reputational damage and economic loss, a buyer shall conduct comprehensive due diligence on personal information protection compliance of the target company

The Marriott Case serves as an imperative reminder to the buyer of the importance of due diligence. In 2016, Marriott International acquired Starwood Hotel and Resorts without carrying out sufficient cybersecurity due diligence. In 2018, Starwood's database was hacked, which caused approximately 339 million guest records globally to be exposed including combinations of name, mailing address, phone number, email address, passport number and other sensitive information. On July 9, 2019, the UK Information Commissioner's Office imposed a fine of around GBP 99 million on Marriott for infringements of the GDPR.

To avoid such reputational damage and economic loss, a buyer shall conduct comprehensive due diligence on personal information protection compliance of the target company. The key due diligence issues are the following:

1 .   Identify which industry the target company belongs to.

• Different industries and business require various levels of personal information protection. For example, industries that collect and process a large quantity of personal information such as e-commerce, express delivery, hotels, etc., have higher legal risks of personal information protection and requires closer attention when it comes to due diligence.

• In addition, requirements for data protection in relation to critical information infrastructure (CII, 关键信息基础设施) operators are more stringent. Both the Cybersecurity Law (网络安全法) and Regulations for Protection of the Security of Critical Information Infrastructure (Draft for Comments) (关键信息基础设施安全保护条例 (征求意见稿）) provide that the CII must be primarily protected based on (see Article 31 and Article 6). Therefore, a buyer should identify the industry the target company belongs to and the applicable law before carrying subsequent due diligence.

2 .   Examine how the target company collects, stores and uses the personal information.

• According to Article 41 of the Cybersecurity Law, the consent of the subjects must be obtained, and the purpose, method and scope of such collection must be explicitly expressed before the collection of personal information. Furthermore, collection of personal information that is irrelevant for the services provided by the network operator is prohibited. During the conduct of due diligence, compliance with these rules must be strictly adhered to.

• According to Article 37 of the Cybersecurity Law, personal information and important data collected and produced by CII operators must be stored within China. The subsequent draft measures specify the requirements for cross-border transfer of personal information, which will be further discussed in the following sections.

• Use and process. In addition to the general requirements provided in the Cybersecurity Law, the 2020 Specification provides a more detailed guide for companies to follow. For example, during due diligence, issues such as the scope of use of personal information, the internal limitation of access to personal information and the degree of fusion of different types of personal information are worth examining based on the situation of the target company.

3 .   Assess whether the target company has a well-developed personal information protection mechanism. Article 42 of the Cybersecurity Law provides that in the event that personal information has been or is likely to be divulged, damaged or lost, the operator must immediately take remedial measures and promptly report the matter to the relevant government authorities. An effective protection mechanism is helpful to comply with Chinese laws and regulations, as well as the elimination of legal risks relating to personal information protection. During due diligence, it is recommended that the buyer consider  key issues such as, whether the target company has comprehensive emergency plans and internal training systems with regard to personal information protection, and whether there are professional staff in charge of personal information protection in the target company.

Although due diligence is mainly conducted by the buyer to determine the legal risks existing in the target company, the seller may also be exposed to some potential legal risks. Article 42 of the Cybersecurity Law prohibits the network operators from providing other entities with personal information of which the subjects do not give consents. Therefore, when providing materials that are required by the buyer, the seller must take necessary precautions to protect personal information such as the redaction of personal information or provide template documents instead of originals.

Reps and Warranties Clauses or Pre-conditions

For an M&A transaction that involves a large amount of personal information, conducting comprehensive due diligence on personal information protection compliance cannot guarantee the safety of the transaction. It is highly recommended that the buyer incorporate necessary representation and warranty clauses or a pre-condition clause to reduce legal risks. For example, the buyer may require the seller to ensure the legality of the operation of the target company, its compliance with laws and regulations relating to personal information protection, and an adequate internal mechanism for safeguarding the personal information. Furthermore, remedy and compensation clauses can also be added to better protect the interests of the buyer.

Data use Post-Closing

As mentioned earlier, a buyer does not have the right to use data assets unconstrained. According to the Article 9.3 of 2020 Specification, the new personal information controller must continue to fulfill the responsibilities and obligations of the original personal information controller. If the purpose of using personal information has been altered, express consent from personal information subject must be obtained again.

With the increasing emphasis on data security globally, a cross-border M&A transaction that involves the transfer of personal information between different countries may encounter greater supervisory pressure from government authorities

Cross-Border transfer of Personal Information in M&A transactions

Among all the legal risks existing in an M&A transaction, the cross-border transfer of personal information is no doubt a big concern. With the increasing emphasis on data security globally, a cross-border M&A transaction that involves the transfer of personal information between different countries may encounter greater supervisory pressure from government authorities. In 2018, the US blocked China's Ant Financial's US$1.2 billion bid to buy MoneyGram because of the growing vigilance towards cross-border transfer of personal information. In addition to the U.S., it is also clear that the EU has taken strong measures to regulate cross-border transfer of personal information.

Since the Cybersecurity Law became effective in 2017, China has been gradually developing a regulatory system of cross-border transfer of personal information and important data. Article 37 of the Cybersecurity Law regulates the personal information and important data collected and produced by critical information infrastructure operators and numerous draft measures have been published to specify the requirements of cross-border transfer of personal information. According to Article 2 of the Measures for Security Assessments of the Transfer of Personal Information and Important Data Overseas (Draft for Comments) (个人信息和重要数据出境安全评估办法 (征求意见稿）) (2017 Measures) , personal information collected and generated by operators in the operation within the territory of the People's Republic of China must be stored within the territory in principle. Where cross-border transfer of personal information is necessary, a security assessment must be carried out.

Later in 2019, the Measures for Security Assessments of the Transfer of Personal Information Overseas (Draft for Comments) (个人信息出境安全评估办法 (征求意见稿）) (2019 Measures) were published. According to Article 3 of the 2019 Measures, network operators must apply for the security assessment of personal information cross-border transfer to a local network and information department at provincial level before the transfer of personal information. Also, pursuant to Article 2 of the 2019 Measures, if a personal information cross-border transfer is determined by a security assessment as having potential damage to national security, public interests, or it would be incapable of ensuring security of personal information, then such a transfer is prohibited.

Although the 2017 Measures and 2019 Measures are not officially adopted and binding, the provisions in these Measures reveal the strict attitudes of Chinese regulatory bodies towards cross-border transfer of personal information. Transaction parties must bear in mind the legal risks of personal information cross-border transfer throughout the whole process of an M&A transaction, and seek professional advice regarding the relevant policies and laws in jurisdictions where it may involve cross-border transfer.

Since the protection of personal information is crucial in some M&A transactions and various legal risks relating to it may arise during the transactions, it is recommended that both the buyer and seller focus on personal information protection compliance

Recommendations

Since the protection of personal information is crucial in some M&A transactions and various legal risks relating to it may arise during the transactions, it is recommended that both the buyer and seller focus on personal information protection compliance. The following main points should be taken into account when engaging in an M&A transaction in China:

(1) Take personal information protection into consideration in the early phase of an M&A transaction by choosing a proper strategy and structure. Asset purchases will be more complex compared with share purchase, since the owner of the personal information and the method of use may change. Relevant laws and regulations may place more restrictions in asset purchases.

(2) Necessary cybersecurity due diligence. In the pre-signing phrase, the purchaser should ensure comprehensive cybersecurity due diligence on the target company is conducted by including its computer system and personal information and data flow and assessing the protection level of the target company. When the target company is a TMT company or its main business relies on the personal information, due diligence should be conducted carefully.

(3) Provide company documents with caution. Generally, the target company will provide some company documents for the law firm or other third-party institution engaged by the buyer to review. Such company documents may contain personal information, such as the personal information of management, employees and customers. The target company should avoid directly providing these types of personal information to the buyer. Alternatively, the target company should fully notify the personal information subject or only provide template documents to the buyer (documents without personal information).

(4) Personal information protection agreement or reps and warranty clauses. Target companies may intentionally hide known issues with their personal information protection. To protect the interest of the buyer with a guarantee, the buyer can enter into an agreement with the seller or add a rep or warranty clause.

Communicate with the regulator before the closing of a transaction. Generally, personal information will be transferred from the target company to the buyer. If it is a cross-border transfer or a transfer of a large quantity of personal information, it is necessary to communicate with the local regulator and follow the instructions of the regulator.