數(shù)據(jù)資產(chǎn)作為要素驅(qū)動的跨境并購類交易將日益活躍�����,數(shù)據(jù)風(fēng)險(xiǎn)對盡職調(diào)查和交易估值亦提出了新的挑戰(zhàn)�,對買方的數(shù)據(jù)接受能力的反向盡職調(diào)查已成為新特色,數(shù)據(jù)風(fēng)險(xiǎn)影響投資人的估值���,數(shù)據(jù)轉(zhuǎn)移方案已成為并購交易文件主要新增的工作內(nèi)容����。
隨著人工智能技術(shù)不斷升級和應(yīng)用�,數(shù)據(jù)作為生產(chǎn)要素的經(jīng)濟(jì)性特征越來越明顯,并滲透到社會體系各方面�����,世界上不同國家與地區(qū)之間都在對數(shù)據(jù)作為要素的產(chǎn)品和服務(wù)加以規(guī)范�����,并對隨之帶來的對個人隱私與自由的權(quán)利侵蝕予以保護(hù)�����。不同于中國有單獨(dú)的數(shù)據(jù)安全和個人信息保護(hù)立法體系�����,歐盟與英國對數(shù)據(jù)產(chǎn)品和服務(wù)的規(guī)范除了GDPR,主要是外商投資安全審查制度與反壟斷審查��。本文將從跨境并購的角度入手���,淺析中國的數(shù)據(jù)法律規(guī)范對涉及中國元素的跨境并購交易的影響����。
對買方的數(shù)據(jù)接收能力的盡職調(diào)查
在傳統(tǒng)的并購交易盡職調(diào)查中��,我們一般只側(cè)重對賣方做全面的盡職調(diào)查�����,包括法律����、財(cái)務(wù)和業(yè)務(wù)方面的盡職調(diào)查,而甚少對買方做反向盡職調(diào)查�����,通常對買方僅限于基本背景了解和財(cái)務(wù)購買能力的要求�����。但在中國的數(shù)據(jù)法律規(guī)范體系下����,買方還需配合賣方做數(shù)據(jù)安全和隱私保護(hù)能力水平的評估,以確保在交易后�����,買方有能力承接和保護(hù)數(shù)據(jù)安全和個人隱私利益���。
根據(jù)《工信部工業(yè)和信息化領(lǐng)域數(shù)據(jù)安全管理辦法(試行)》(工業(yè)和信息化部2022年12月6日頒布)����,第22條 工業(yè)化信息處理者“因兼并����、重組、破產(chǎn)等原因需要轉(zhuǎn)移數(shù)據(jù)的�����,應(yīng)當(dāng)明確數(shù)據(jù)轉(zhuǎn)移方案”��。而制定數(shù)據(jù)轉(zhuǎn)移方案,不可避免需要對買方的數(shù)據(jù)承接能力做盡調(diào)����。因此這是不同于傳統(tǒng)盡職調(diào)查工作中的數(shù)據(jù)特色。
跨境數(shù)據(jù)轉(zhuǎn)移規(guī)范的沖突適用
對一個典型的跨境并購�,交易各方可能受不同法域的有關(guān)數(shù)據(jù)安全與隱私的保護(hù),不同的數(shù)據(jù)保護(hù)規(guī)范可能產(chǎn)生沖突�。假設(shè)我們的交易賣方是歐盟的一家企業(yè),買方是來自中國的買家���,處理英國企業(yè)的數(shù)據(jù)存儲在歐盟境內(nèi)�����,買方需要遵守歐盟的GDPR要求���,將數(shù)據(jù)轉(zhuǎn)移給不在歐盟境內(nèi)的中國買家時(shí)需要簽訂歐盟標(biāo)準(zhǔn)合同條款(SCC)。對于中國的買家來說�����,接受來自境外的信息和數(shù)據(jù)不屬于中國數(shù)據(jù)法律監(jiān)管的范圍�,只需要遵守歐盟標(biāo)準(zhǔn)合同條款,但根據(jù)GDPR的要求,仍需要配合歐盟的賣方提供符合歐盟SCC的有關(guān)信息和資料�,如果涉及到中國買家的個人信息出境,還要依據(jù)具體情況簽訂中國個人信息出境標(biāo)準(zhǔn)合同或做數(shù)據(jù)出境安全評估�����。
歐盟的SCC與中國的SCC確有不兼容的地方����,比如爭議的解決方式和適用法律��。對于同時(shí)簽訂了歐盟的SCC與中國的SCC的英國買方或者中國買方來說����,是否存在這兩種規(guī)范沖突呢?從規(guī)范內(nèi)容上的確有沖突��,但適用上沒有沖突����,對于不同法域的數(shù)據(jù)監(jiān)管要求,應(yīng)以數(shù)據(jù)來源為基準(zhǔn)判斷適用的規(guī)則�。對于來自中國的數(shù)據(jù),適用中國數(shù)據(jù)法律監(jiān)管規(guī)定��,對于來自歐盟的數(shù)據(jù)����,適用歐盟的數(shù)據(jù)規(guī)則���。
投資人會根據(jù)數(shù)據(jù)風(fēng)險(xiǎn)調(diào)整估值,數(shù)據(jù)安全與隱私保護(hù)合規(guī)水平高的企業(yè)會因此而增值���,反之亦然���。并購中涉及的數(shù)據(jù)轉(zhuǎn)移方案將是影響交易文件的主要新增內(nèi)容。
此外�����,依據(jù)具體交易情況�,數(shù)據(jù)風(fēng)險(xiǎn)將不同程度地影響交易交割條件設(shè)置、交割后義務(wù)����、陳述與保證、賠償機(jī)制等條款����。
Key Words: Cross-border M&A-type transactions driven by data assets are becoming increasingly active. Data risk poses new challenges to due diligence and deal valuation. Reverse due diligence on the buyer's ability to take control of data has become a new feature, data risk affects investor valuations, and data transfer solution has become a major addition to M&A transaction documents.
With the continuous upgrading and application of artificial intelligence technology, the economic characteristics of data as a production factor are becoming more obvious and penetrating all aspects of the social system. Various countries and regions in the world have started to regulate the products and services of data as a factor and take actions to protect against the consequent erosion of individual privacy. China has separate legislation on data security and personal information protection, unlike the EU, which regulate data products and services mainly through the foreign investment security review system and anti-monopoly review, in addition to the GDPR. This article analyzes the impact of China's data legislation on cross-border M&A transactions involving Chinese elements, starting from the perspective of cross-border M&A.
Due Diligence about Buyer's Ability to Take Control of Data
Under traditional M&A transaction due diligence, we generally focus only on seller side for a comprehensive due diligence, which includes legal, financial, and operational due diligence. We seldom do reverse due diligence on buyer side, and usually limited due diligence on buyer to basic background and financial purchasing power. However, under the Chinese data legislation system, the buyer also needs to cooperate with the seller to assess its level of data security and privacy protection to ensure that the buyer is capable of undertaking and protecting data security and personal privacy interests after the transaction.
According to the Measures for Data Security Management in the Industrial and Information Technology Sector (for Trial Implementation) (issued by the Ministry of Industry and Information Technology on December 6, 2022), Article 22 provides that where a data processor in the industrial and information technology sector “needs to transfer data due to merger, reorganization, bankruptcy, or other reasons, it shall formulate the data transfer plan.” The formulation of a data transfer plan inevitably requires due diligence on the buyer's capacity to take over the data. This is therefore a distinctive feature from traditional due diligence work.
Conflict of Laws on Cross-border Data Transfer
For a typical cross-border M&A, the parties to the transaction may be subject to different jurisdictions' protection of data security and privacy, and there is a possible conflict of laws on different data protection laws. Assuming that the Seller of our transaction is a company in the EU and the Buyer is from China, and the data of a UK company, processed by the Seller, is stored in the EU. The buyer needs to comply with the requirements of the EU GDPR. To transfer the data to the Chinese Buyer outside of the EU, the Chinese buyer needs to sign the EU Standard Contractual Clause (SCC). For the Buyer, receiving information and data from outside China does not fall under the jurisdiction of Chinese data law, thus the Buyer generally only needs to comply with the EU SCC. However, even according to GDPR, the Chinese Buyer needs to cooperate with the EU Seller to provide relevant information and data to show its capacity to comply with the EU SCC, and if the personal information controlled by the Chinese Buyer is involved and needs to be transferred outside of China, then based on the specific situation, the Chinese Standard Contract for Cross-border Transfer of Personal Information (China SCC) or the Security Assessment of Outbound Data Transfers should be handled.
There are indeed incompatibilities between the EU SCC and the Chinese SCC, such as dispute resolution and applicable law. For a UK buyer and a Chinese buyer, both of whom have signed both the EU SCC and the Chinese SCC, will there be a conflict between the two SCCs? Indeed, there will be conflicts regarding the content of the two SCCs; however, no conflicts will be found regarding the applicability of the SCCs. For data regulatory requirements in different jurisdictions, the applicable rules should be determined based on the source of the data. As such, for data from China, the Chinese data law applies; for data from the EU, the EU data law applies.
Valuation and Adjustment of Transaction Documents
Investors will adjust valuations based on data risk revealed through a due diligence. As a result, companies with sound data security and privacy protection compliance systems will be given extra value, and vice versa.
The data transfer solution involved in a M&A will be a major addition that will affect the transaction documents. In addition, depending on the specific transaction, data risks will affect, to varying degrees, the terms and conditions precedent to completion, post-completion obligations, representations and warranties, indemnification mechanisms, etc.
