Analysis of due diligence on data assets in M&A

By Ye Peng and Dong Chenhui, East & Concord Partners

As the digital economy penetrates various sectors and leads new economic development, the importance of data is increasingly prominent, and its massive commercial value, and its value as a form of asset, are now appreciated by the market. But frequent data breaches inflict staggering losses on companies in M&A transactions. Marriott, which acquired Starwood for US$12.2 billion in November 2015, was fined £99 million (US$128.7 million) by the UK data regulator in 2018 for a Starwood data breach that happened before the takeover. Later, in March 2020, Marriott further announced that the information of approximately 5.2 million guests may have been compromised.

In this light, in M&A transactions, particularly data-driven ones, rigorous due diligence on data assets is indispensable for the acquirer both to assess the associated legal risks and to determine the value of the data assets. Since due diligence in this area is highly specialized and technical, this article highlights key issues that arise during the process and provides recommendations for M&A decisions and investigations.

Applicable laws

The Cybersecurity Law is the overriding law for determining and evaluating the safety and compliance of data assets. The Civil Code also devotes a separate chapter to the basic principles of personal information protection. The Data Security Law (draft) has been published for consultation, and the Personal Information Protection Law is on the annual legislative agenda.

These laws, together with numerous administrative rules, regulations and national standards that are in force or under formulation, make up a legal system of data security protection. There are also other special laws and regulations targeting specific sectors or groups, such as the E-commerce Law and the Law on the Protection of Minors.

Given the mobility of data and the business scope of target companies, foreign laws such as the EU’s General Data Protection Regulation and the California Consumer Privacy Act in the US may apply alongside Chinese laws and regulations in defining and assessing data assets.

Key due diligence points

The procedure of due diligence on data assets is more or less the same as that of general due diligence. Its contents should include, among others: detecting any defects in the title to the target company’s data assets; evaluating the economic benefits that the data assets would bring to the company; and identifying any compliance risks that might affect the value of the data assets. Given the particular nature of data assets, acquirers are recommended to frame their due diligence around the following key points:

(1) The compliance status of different types of data throughout the whole lifecycle merits attention. An investigation into the compliance of the data at different milestones throughout its lifecycle, based on the type of data involved, is necessary to determine whether there are defects in the target’s ownership of, or right to control, the data, and to assess the corresponding risks. For example, if personal information is involved, the acquirer needs to understand how the personal information is collected, used and provided, how informed consent is obtained during the whole process, and whether these methods are in line with other statutory conditions.

(2) Analysis and assessment of compliance in different application scenarios and business models. Data processing needs differ between scenarios and business models. Credit research companies use user profiles, while multinational companies may need cross-border data flows for business and internal communication. Therefore, due diligence should first identify how data is processed in the specific scenarios and business models, and then analyze and assess the economic value of the data assets to the target company and the associated risks.

(3) Consideration of special rules in the sector. Regulators may issue special rules for data processing based on the characteristics of different sectors, so sector-specific rules should be part of the due diligence. For example, financial institutions should process personal financial information in accordance with the Technical Specifications for Personal Financial Information Protection. Companies providing key information infrastructure may trigger the review requirements for online products and services in the Cybersecurity Review Measures.

(4) Attention to the safe operation of the network. Network operation safety is a compliance requirement that the Cybersecurity Law imposes on network operators, and also an important guarantee of a company’s data security. Most corporate data breaches are caused by network operation problems. Therefore, due diligence needs to confirm that the target company has put in place a network safety protection mechanism and that it protects the safe operation of the network in accordance with basic requirements.

Data are a new production factor, as important as land, labour, capital, technology and other traditional factors. More and more cases show that data assets can boost corporate development, but they can also become a roadblock if not compliant.

Ye Peng is a counsel, and Dong Chenhui is a trainee associate at East & Concord Partners

East & Concord Partners
20/F, Landmark Building Tower 1
8 East 3rd Ring Road North
Chaoyang District, Beijing 100004, China
Tel: +86 10 6590 6639
Fax: +86 10 6510 7030
E-mail: yepeng@east-concord.com, dongchenhui@east-concord.com

www.east-concord.com
