Protecting Personal Information in M&A Transactions

Changes were made to protect their citizen's personal data, and the growth of personal information protection has now extended to areas such as M&A transactions

With the increasing digitization of personal information, there have been frequent reported cases all around the world of companies maliciously disclosing or selling personal information in their control in recent years. At the same time, new laws and regulations were enacted in the EU (the General Data Protection Regulation (GDPR)), as well as in China, in which case alignment is made with the GDPR. Changes were made to protect their citizen's personal data, and the growth of personal information protection has now extended to areas such as M&A transactions.

In China, the protection of personal information in M&A deals has been stated by relevant authorities. It was first mentioned in the Information Technology–Personal Information Security Specification (信息安全技术个人信息安全规范) promulgated in 2017, concerning the transfer of personal information in M&A deals and updated in 2020 (see Document No. GB/T 35273—2020) (the 2020 Specification).

However, the transfer of personal information is not the only issue regarding personal data protection that parties in an M&A transaction should pay close attention to and the following discussion will highlight other concerns that will need to be addressed.