China passed its new Data Security Law ("DSL") in June 2021 and its new Personal Information Protection Law ("PIPL") in August 2021. Both new laws impact every business operating in or doing business with China, coupling extensive obligations with respect to the processing of all types of data, with potentially significant penalties for noncompliance. For buy-side transactions, the buyer should review and assess the target's data processing activities carefully to ensure compliance with applicable requirements under the DSL and PIPL. For sell-side transactions involving foreign-invested entities, the local subsidiary should be prepared for a buyer to request an indemnity for matters relating to data processing (including prior compliance with DSL and PIPL, if subject to the DSL and/or PIPL before the closing).

Both buyers and sellers should also be sensitive to compliance with the cross-border transfer requirements under the DSL and PIPL if there is any information to be transferred out of China through due diligence or otherwise as a condition for the acquisition. Assessment of DSL and PIPL compliance risk in the early stages of a transaction can help ensure deal certainty.

Read the full 2021 Transactional Year in Review and 2022 Forecast.

Originally published January 2022

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.