Navigating Data Compliance in Chinese M&A Transactions
China M&A data compliance has become a critical consideration for foreign acquirers, as obligations under the Cybersecurity Law, Data Security Law, and Personal Information Protection Law directly affect due diligence, deal structuring, and post-acquisition integration. This article outlines the key compliance requirements companies must address at each stage of a Chinese M&A transaction, from assessing a target’s data practices to managing cross-border data transfers.
As the landscape for data protection and cybersecurity in China has matured, these issues are becoming a crucial part of due diligence and compliance considerations for foreign companies seeking to conduct M&As in China. The myriad of obligations and requirements now tied to data collection and processing mean that data compliance can significantly affect deal timelines, transaction structuring, and post-acquisition integration.
For foreign acquirers unfamiliar with China’s data protection framework, navigating these requirements can be particularly challenging, as they span from due diligence into the target company’s data compliance posture to ensuring that data transfers arising from the transaction don’t violate data protection laws.
Understanding the key obligations under China’s three main data protection and cybersecurity laws, and how they interact with the M&A process, is therefore essential for any foreign company exploring M&As in China.
Due diligence on data compliance
Companies in China are required to abide by a range of data protection and cybersecurity regulations, and it is paramount that this aspect is included in due diligence into any potential M&A target. Non-compliance with these laws and regulations can lead to significant penalties and, in serious cases, business closure.
There are three main laws related to data protection:
- The Cybersecurity Law (CSL) (amended in 2025)
- The Data Security Law (DSL)
- The Personal Information Protection Law (PIPL)
In addition to the above laws, there is a range of implementation regulations that also apply.
While the compliance requirements under China’s data protection framework are far-reaching, there are a few core obligations that companies should focus on when conducting due diligence:
- Whether it stores all data collected from subjects in China locally
- Whether it adheres to its Multi-Level Protection Scheme (MLPS) obligations, including data classification and emergency response systems for cybersecurity incidents (for network and service platform providers)
- Whether it has implemented technical and organizational data protection measures
- Whether it has carried out regular data protection audits in line with its current obligations
- Whether it has appointed a data protection officer (DPO)
- Whether it adheres to regulations on cross-border data transfer (CBDT)
In addition to the regular data protection requirements, companies that process the personal information (PI) of individuals in China are also subject to additional PI protection obligations. These rules apply to any company collecting PI from individuals in China, whether that be a consumer-facing company collecting information from customers, or a company’s HR department collecting, processing, and storing information on employees.
To conduct due diligence on compliance with China’s PI protection regulations, the following issues should be focused on:
- Whether the company has a legal basis for the collection of PI, including obtaining informed consent from the PI subject and separate consent where necessary;
- Whether it collects only the minimum PI necessary for the stated purpose;
- Whether it provides PI subjects with clear disclosure of the purpose, scope, and method of PI processing;
- Whether it conducts a PI Protection Impact Assessment (PIPIA) when required, including before processing sensitive PI;
- Whether it has appointed a dedicated PI protection officer (if it processes the PI of more than 1 million people);
- Whether it carries out a PI protection compliance audit at least once every two years (when processing the PI of more than 10 million people);
- Whether it adheres to cross-border PI transfer regulations (when processing volumes in excess of certain thresholds).
Assessing data compliance risk exposure
While all companies must meet their cybersecurity and data protection obligations, risk exposure is higher for companies that operate in sensitive industries, in particular, critical information infrastructure operators (CIIOs), as well as companies that handle large volumes of PI.
For this reason, assessing the risk exposure of a target company is an important aspect of due diligence. The due diligence team should seek to assess the scope of a target company’s data collection and processing activity to determine whether it is handling data that is considered “important” or “core” under China’s data protection regulations, or is handling large volumes of PI. Companies that are handling this type of data have much higher protection obligations, and M&As will potentially come under greater scrutiny.
Both the CSL and the DSL require companies that provide online service platforms to carry out data classification and data grading. Data classification means classifying data first by industry sector and then by business attribute, while data grading means categorizing data by one of three risk levels:
- Important data
- Core data
- General data
A set of standards released in 2024 by the State Administration for Market Regulation (SAMR) on data classification and grading sets out the definitions and mechanisms for determining the different types of data, which companies can refer to when carrying out due diligence into target companies.
Definitions of Data Risk Levels

| Risk level | Definition |
| --- | --- |
| Important data | Data belonging to specific fields, groups, or regions, or data reaching a certain level of precision and scale, which, if leaked, altered, or damaged, could directly endanger national security, economic operations, social stability, and public health and safety. Note: Data that only affects the organization itself or individual citizens is generally not considered important data. |
| Core data | Critical data that has a high degree of coverage, accuracy, scale, or depth across specific sectors, groups, or regions, and whose illegal use or sharing could directly impact political security. Note: Core data primarily includes data related to key areas of national security, data vital to the national economy, important aspects of people’s livelihoods, and significant public interests, as well as other data determined by relevant national departments. |
| General data | Other data, excluding important and core data. |

Source: Data Security Technology – Rules for Data Classification and Grading [GB/T 43697-2024]
Compliance with data protection regulations during M&A transactions
Abiding by CBDT rules
China’s rules on cross-border data transfer (CBDT) can cause a range of compliance headaches for companies seeking to merge with or acquire a Chinese company, both during the due diligence phase and during the acquisition or merger process itself.
Under China’s DSL, CSL, and PIPL, certain compliance procedures must be completed before certain types or volumes of data can be exported. CBDT rules apply even when an employee located outside China remotely accesses data collected and stored in China, not just when the data is physically transferred out of the country. This means many standard due diligence and post-acquisition integration procedures (such as giving overseas deal teams access to the target’s systems) could violate China’s data and PI protection laws if carried out without the proper protocols.
If, after the M&A process, the parent company needs to transfer data from the target company outside of China, the CBDT compliance procedures will also apply.
To export certain types of data or volumes of PI outside of China, companies must undergo one of the following compliance procedures:
- Undergo a security assessment carried out by the CAC;
- Sign a Standard Contract with the overseas recipient of the data; or
- Undergo a third-party data export protection certification.
The first of the three procedures above is the most onerous, as it requires a self-assessment before applying for a review by the CAC. Signing a Standard Contract or undergoing third-party certification is generally more straightforward and requires fewer compliance procedures, although they still require the company to carry out a PIPIA.
Mandatory Compliance Procedures for CBDT

| Data type | CAC security assessment | Standard contract/certification | No procedure required |
| --- | --- | --- | --- |
| PI | If, since January 1 of the current year, the company has exported a cumulative of: | If, since January 1 of the current year, the company has exported a cumulative of: | If, since January 1 of the current year, the company has exported a cumulative of: |
| Important data | Always | Never | Never |
| Data from CIIOs | Always | Never | Never |
Note that China’s free trade zones (FTZs) have implemented simplified CBDT procedures and lowered PI thresholds for certain industries, meaning data due diligence and M&A procedures may be simpler in this regard if the target company is located within an FTZ, although this also depends on the sector.
In addition to the above compliance procedures, before transferring PI overseas, companies must inform the individuals concerned, obtain their separate consent, and carry out a PIPIA.
Rules for transferring PI to a third party
The PIPL outlines provisions for the handling of PI in the case of a transfer to a third party or a merger. This has direct implications for companies both in the due diligence stage of the M&A process and post-M&A procedures.
First, companies must obtain separate and informed consent from the individuals before their PI can be transferred to a third party or be transferred due to a merger.
Specifically, Article 23 of the PIPL stipulates that when transferring PI to a third party, companies must inform users of the third party’s name, contact information, purpose for and method of processing the PI, and the type of PI being transferred, and obtain their consent for the transfer. Any subsequent processing of the PI must be within the scope set out in this information, and if there is any change to the scope, separate consent must be obtained from the individual again.
Meanwhile, Article 22 of the PIPL requires companies that transfer PI due to a merger to inform individuals of the recipient’s name and contact information and obtain their consent for the transfer. The recipient must continue to fulfil the obligations of the original company, but if the new company changes the original purpose or method of processing, it must obtain the individual’s consent again.
Article 23 means that the target company must obtain consent from the individuals whose PI it holds before it can transfer that PI to the acquirer. Article 22, meanwhile, means that overhauls to operational or business scopes following an M&A may trigger additional informing and consent requirements. Companies are required to delete the PI of any individual who withdraws consent to its processing.
Companies must also carry out a PIPIA before they can transfer PI to a third party.
How we can help
Data compliance when acquiring companies in China requires a holistic approach spanning the entire M&A process, from auditing a target’s data practices to regulatory compliance in due diligence to post-acquisition operational restructuring.
Dezan Shira & Associates can support companies at each stage of the process. We conduct data compliance audits to identify gaps under the CSL, DSL, and PIPL before a deal closes, assist with cross-border data transfer procedures and PIPIAs triggered during the transaction, and help align the combined entity’s data infrastructure with applicable regulations post-acquisition. As an ISO27001-certified firm with legal, technical, and operational expertise across China’s regulatory environment, we can fulfil these requirements without disrupting deal timelines.
Navigating M&A transactions in Asia involves regulatory challenges, limited transparency, and complex market entry conditions. Our mergers and acquisitions advisory team delivers strategic, cross-functional support to help clients identify value-driven targets, manage risk, and build strategic partnerships across the region.