22.09.24 M&A Transactions

Data Protection and Due-Diligence in China

Identifying and addressing the key challenges of processing personal data in the context of a due-diligence investigation in China.

Written under the supervision of Charlotte Mantoux and Jean-Philippe Engel, Partners at Leaf.

Following in the footsteps of the EU and the adoption of its renowned GDPR in 2018, the People’s Republic of China has opted to modernize and update its regulations on the use, provision, and protection of “personal information”. This modernization has created several new challenges, obstacles, and obligations for any market actor who may handle personal data, even remotely or incidentally.

What is considered handling personal information? The Personal Information Protection Law (PIPL) defines personal information in a fairly standard and general manner as “all kinds of information related to identified or identifiable natural persons recorded by electronic or other means”.[1]

The Chinese regulations set out a non-exhaustive list of activities considered to be handling of personal information. The list includes, without being limited to, the collection, storage, use, processing, transmission, provision, disclosure and deletion of personal information.[2]

Any person who sees or accesses any personal information during a due-diligence process, regardless of their position in the prospective deal, is likely to be considered a personal information handler under the PIPL.

What does it mean for the actors of the due-diligence process?  Any actor in a due-diligence process acts as a personal information handler and shall consequently comply with the rules set in the PIPL.

These obligations require that personal information be handled according to the general and usual principles of lawfulness, legitimacy, necessity, good faith, transparency and openness. The PIPL also provides that personal information shall not be handled through misleading, coercion or fraud[3]. Handling of personal information shall serve a definite and reasonable purpose, be directly related to that purpose, be conducted in a way that minimizes the impact on personal rights and interests and, last but not least, be based on consent.[4]

However, beyond the mere existence of obligations lie considerable risks of joint and several liability for any actor of the due-diligence process – including the individuals responsible for the handling – that fails to handle personal information up to the standards of the PIPL[5].

FOR LEGAL ENTITIES
  • Confiscation of illegal gains
  • Fines up to 50 million yuan or up to 5% of the entity’s turnover of the previous year, depending on the seriousness of the circumstances
  • Business suspension
  • Revocation of the business permit or license
  • Tort liability towards the individual whose rights were infringed

FOR INDIVIDUALS
  • Fines up to 1 million yuan on the individual directly in charge of such handling, as well as on any other person deemed liable, depending on the seriousness of the circumstances
  • Prohibition of the said persons from acting as directors, supervisors, senior executives or persons-in-charge of personal information protection of relevant enterprises for a certain duration
  • Tort liability towards the individual whose rights were infringed

It should be noted that such penalties may be increased further if the breach concerns a large number of individuals, or if it constitutes a public security violation. In the latter case, the breach could lead to criminal investigation and prosecution.[6]

It is important to differentiate how each actor may tackle the challenges of this regulation to reduce exposure to penalties and litigation. For the purposes of this article, we have identified three main actors in the due-diligence process, each with their own key challenges: the Seller (1), and the Buyer and the Advisor (2). Furthermore, any due-diligence actor should keep in mind that the PIPL and the GDPR lay down very different rules, and that in the event of a cross-border due-diligence the handling of personal information may get even trickier (3).

  1. Areas of attention and practical considerations as a Seller

As a Seller, you will most likely be the main provider of personal information throughout the due-diligence process and, consequently, face the greatest risk of non-compliance with the Chinese regulation. Several methods and principles for minimizing that risk are reviewed below.

Proper anonymization of the information. Anonymizing the information you intend to transfer is, on paper, a clever and tempting way to avoid handling personal information and therefore to escape the grasp of the PIPL altogether. Unfortunately, it is not a reliable solution in the long run or on larger-scale operations. The method has two significant drawbacks that can heavily backfire should you rely on anonymization alone: it is both very time-consuming and prone to mistakes and oversights.

Both above-mentioned drawbacks may not only result in a massive slowdown of your deal but could also leave you unprepared and exposed should any personal information have somehow slipped through the net.  Anonymization may only be realistic at an early stage before a letter of intent is signed and if used meticulously.
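The oversight risk described above is easy to reproduce: stripping the identifier columns from an employee export does nothing about identifiers that an HR officer typed into a free-text field. The following example, added here as an illustration and not code from the article or from Leaf, pseudonymizes constructed sample records with a keyed hash (so only the Seller, who keeps the key, can re-link them later) and then runs a residual scan over what is left before it goes into the data room. The sample records, the link key, the identifier patterns and the sensitive-category keyword list are all constructed assumptions for the demonstration.

```python
import hmac
import hashlib
import re

# Constructed sample records: fictitious people and values, not data from the article.
EMPLOYEES = [
    {"employee_id": "E1001", "name": "Li Hua", "id_number": "310101199001011234",
     "phone": "13800138000", "salary_cny": 25000, "department": "Sales",
     "notes": "Relocated from Shanghai office in 2022"},
    {"employee_id": "E1002", "name": "Wang Fang", "id_number": "440301198505055678",
     "phone": "13900139000", "salary_cny": 32000, "department": "R&D",
     # The phone number and a health reference were typed into free text.
     "notes": "Contact on 13900139000 for handover; medical leave March"},
]

# Columns that are removed outright before anything leaves the Seller.
DIRECT_IDENTIFIERS = {"name", "id_number", "phone"}

# Hypothetical secret that stays with the Seller and never enters the data room;
# it lets the Seller re-link pseudonyms after signing, while the Buyer cannot.
LINK_KEY = b"seller-only-secret-for-demo"


def pseudonymize(record, key=LINK_KEY):
    """Drop direct identifiers and replace the employee id with a keyed pseudonym."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    digest = hmac.new(key, record["employee_id"].encode(), hashlib.sha256).hexdigest()
    out["employee_ref"] = digest[:16]
    del out["employee_id"]
    return out


# Patterns for identifiers that tend to survive column-level stripping.
# Constructed for the demo; a real review would use the organisation's own list.
RESIDUAL_PATTERNS = {
    "cn_id_number": re.compile(r"\b\d{17}[\dXx]\b"),          # 18-character PRC ID number
    "cn_mobile": re.compile(r"\b1[3-9]\d{9}\b"),               # 11-digit PRC mobile number
    "sensitive_keyword": re.compile(r"\b(medical|health|religio\w*|biometric)\b", re.I),
}


def scan_residuals(record):
    """Return (field, pattern_label) pairs for every residual hit in string fields."""
    hits = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for label, pattern in RESIDUAL_PATTERNS.items():
            if pattern.search(value):
                hits.append((field, label))
    return hits


def prepare_for_data_room(records):
    """Pseudonymize every record; release only those with no residual hits."""
    cleared, flagged = [], []
    for rec in records:
        pseudo = pseudonymize(rec)
        hits = scan_residuals(pseudo)
        (flagged if hits else cleared).append((pseudo, hits))
    return cleared, flagged


if __name__ == "__main__":
    ok, held = prepare_for_data_room(EMPLOYEES)
    print(f"cleared for data room: {len(ok)}, held back for review: {len(held)}")
    for pseudo, hits in held:
        print(pseudo["employee_ref"], "->", hits)
```

The second record is held back even though its name, ID number and phone columns were removed, because the free-text notes still carry a mobile number and a health reference. That is exactly the kind of slip the article warns about, and a scan of this kind is the minimum check to run before relying on anonymization at all.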

Proper contractualization of the data transfer. Rather than relying on anonymization, you should ensure that the transfer of any potential personal information is properly dealt with by contractual provisions.

Proper Non-Disclosure Agreements shall be signed. They should provide that the transferred personal information shall be deleted after a reasonable amount of time. Any LOI or other relevant further agreement must clearly set out the principles of lawfulness, legitimacy, good faith, etc. Finally, transfers shall also be properly recorded together with their conditions, and justified internally.

Employee’s information and consent.  Where a personal information handler needs to transfer personal information due to merger, division, dissolution or declaration of bankruptcy, etc., it shall inform the individual concerned of the name and contact information of the recipient[7].

However, the above only applies post-transaction. During the due-diligence phase itself, merely informing the employee is not sufficient: the explicit and separate consent of the employee concerned must also be collected[8].

This can prove quite challenging since sellers and buyers may not be willing to disclose the existence of M&A discussions to the employees in the earlier stage of negotiations.  To avoid such disclosure, the seller should aim to minimize the amount of personal information transferred until it becomes strictly necessary.

Minimization of the amount of personal information. For these reasons, a Seller should aim to transfer only the personal information that is strictly necessary to the success of the due-diligence, as the interests of both the company and the individual must be weighed. The Seller should, in any case, refrain from transferring “sensitive personal information”, which includes biometric identification, religious belief, specific identity, medical health, financial account, whereabouts and tracks, as well as the personal information of minors under the age of 14.[9]

  2. Areas of attention and practical considerations as a Buyer and/or an Advisor

As a Buyer or an Advisor, although you may not be required to provide a large amount of personal information, you shall still abide by the rules set out in the PIPL for any personal information that you receive and store, as a personal information handler.  Therefore, it is also necessary to act in order to reduce your risks and exposure.

Minimization of the amount of personal information. Just as for the Seller, as a Buyer or an Advisor you should not request any personal information that is not strictly necessary to the due-diligence. You will be considered a personal information handler and therefore liable for every item of personal data transferred your way, so you are at risk of non-compliance with the PIPL as soon as such personal information is received.

Investing in a proper cyber-security infrastructure. Since, as a Buyer or an Advisor, you are considered a personal information handler, you are personally liable for any breach and/or leak of personal information that may happen on your end.[10] Therefore, you should ensure the proper security of the personal information entrusted to you during the due-diligence process by investing in a proper cyber-security infrastructure or, at least, by auditing such infrastructure.

Proof of a state-of-the-art cyber-security infrastructure should serve as a reliable means of establishing the absence of fault in case of a malicious leak of personal information from your systems, thus significantly reducing your potential exposure to liability.

Restraining the internal flow of personal information. Just as the amount of personal information received shall be minimized, the internal flow of such data within the Buyer’s or the Advisor’s structure and team shall be strictly limited. The personal information transferred by the Seller shall be accessed only by those key members of the deal team who have a clear and unavoidable need to access it.

Having a clear due-diligence personal information policy. Advisors or Buyers involved in several due-diligence processes are advised to have a fixed and clear process covering not only the security and the flow of the data within their organization but also the deletion of such data.

The absence of a clear process may lead to a situation in which the Buyer or Advisor finds itself overwhelmed by the amount of personal information flowing through its system and is therefore not able to keep up.  Consequently, having a systemic approach to the handling of personal information transferred during due-diligence processes should significantly lower the risks of infringement of the PIPL.
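The recording, need-to-know and deletion points raised above (transfers recorded with their conditions, access limited to key deal-team members, a fixed deletion process) can be enforced by a single register rather than by memory. The following example is added here as an illustration and is not code from the article or from Leaf; the register class, its field names, the 90-day retention period and the sample transfer are all constructed assumptions, and a real deployment would back the register with an immutable store rather than an in-memory list.

```python
from datetime import date, timedelta


class TransferRegister:
    """Hypothetical register of personal information received during due diligence.

    Every transfer is logged with its recipient list (need-to-know), purpose and
    deletion deadline; every access attempt is logged whether allowed or not.
    """

    def __init__(self, retention_days=90):
        # Retention period is an assumption; contractually agreed in practice.
        self.retention = timedelta(days=retention_days)
        self.entries = {}      # dataset name -> transfer record
        self.access_log = []   # append-only list of access attempts

    def record_transfer(self, dataset, received_on, purpose, need_to_know):
        """Log a dataset received from the Seller together with its conditions."""
        entry = {
            "dataset": dataset,
            "received_on": received_on,
            "purpose": purpose,
            "need_to_know": frozenset(need_to_know),
            "delete_by": received_on + self.retention,
            "deleted_on": None,
        }
        self.entries[dataset] = entry
        return entry

    def access(self, dataset, person, on):
        """Allow access only to listed persons, before deletion and within retention."""
        entry = self.entries.get(dataset)
        allowed = (
            entry is not None
            and entry["deleted_on"] is None
            and on <= entry["delete_by"]
            and person in entry["need_to_know"]
        )
        self.access_log.append(
            {"dataset": dataset, "person": person, "on": on, "allowed": allowed}
        )
        return allowed

    def overdue(self, today):
        """Datasets whose deletion deadline has passed but that are still held."""
        return sorted(
            name for name, e in self.entries.items()
            if e["deleted_on"] is None and today > e["delete_by"]
        )

    def delete(self, dataset, on):
        """Mark a dataset as deleted; later access attempts are refused and logged."""
        self.entries[dataset]["deleted_on"] = on

    def denied_attempts(self):
        """Refused access attempts, the first thing an internal audit should look at."""
        return [a for a in self.access_log if not a["allowed"]]


def demo():
    # Constructed sample transfer for the demonstration.
    reg = TransferRegister(retention_days=90)
    reg.record_transfer(
        "employee_roster", date(2024, 1, 10),
        purpose="HR due diligence", need_to_know={"deal_lead", "hr_counsel"},
    )
    results = {
        "lead_in_time": reg.access("employee_roster", "deal_lead", date(2024, 2, 1)),
        "intern": reg.access("employee_roster", "intern", date(2024, 2, 1)),
        "lead_after_deadline": reg.access("employee_roster", "deal_lead", date(2024, 5, 1)),
        "overdue_on_may_1": reg.overdue(date(2024, 5, 1)),
    }
    reg.delete("employee_roster", date(2024, 5, 2))
    results["after_delete"] = reg.access("employee_roster", "deal_lead", date(2024, 5, 3))
    results["overdue_after_delete"] = reg.overdue(date(2024, 6, 1))
    results["denied_count"] = len(reg.denied_attempts())
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that access after the deadline is refused even for a listed person: the retention deadline is enforced on the read path, not only reported by the overdue listing, so a missed deletion cannot silently extend the period during which the data is in use.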

  3. Specific difficulties of cross-border due-diligence and key differences between the GDPR and the PIPL

Due-diligence, and M&A deals are not always domestic: many transactions are multi-jurisdictional as soon as a holding company in Europe and one strategic partnership in China are involved.  Involving foreign parties in due-diligence means that personal information will, almost inevitably, start crossing borders.

The Chinese regulators have specifically addressed cross-border data provision in both the PIPL and the Security Assessment Measures for Data Provision Abroad, which impose even stricter requirements on the handling and transfer of personal information once such information leaves the territory of the PRC.

As such, it is strongly recommended to try and keep any personal information that may be exchanged during due-diligence, within the territory of the PRC by keeping in mind the elements outlined below.

Confirming the compliance of the IT tools and IT structure. Microsoft 365 is often used by company groups with a single tenant. However, for an international structure with entities both inside and outside the PRC, the use of a single tenant entails risks, especially if the foreign and PRC entities are conducting due-diligence processes.

Indeed, should the main company, based abroad, have the possibility to access the personal information stored by its Chinese entity, this access could be considered as a cross-border data transfer.

The Chinese entities should use a distinct Chinese Microsoft 365 tenant that cannot be freely accessed by the group’s foreign offices when conducting due diligence involving personal information.

Prefer the use of a local entity for your due diligence purposes.  To avoid the restrictions pertaining to the cross-border data transfer set out by the Chinese regulation, it may be wiser to have an autonomous onshore entity to handle your due diligence process.

Key common items and differences between the GDPR and the PIPL

Scope
  • GDPR: extraterritorial; targeting criterion; establishment criterion
  • PIPL: extraterritorial; targeting criterion; processing activity criterion

Cross-border protection
  • GDPR: the receiving party shall provide adequate protection of the personal information and prove that an equivalent level of protection of the PI is in place. Assessed through adequacy decisions, Standard Contractual Clauses (SCC) and Binding Corporate Rules (BCR)
  • PIPL: the receiving party shall provide adequate protection of the personal information and prove that an equivalent level of protection of the PI is in place. Assessed through security assessments, certification and the Standard Contract

Supervisory authorities
  • GDPR: single supervisory body
  • PIPL: multiple supervisory bodies with interrelated responsibilities

Penalties
  • GDPR: companies only, except in some quite specific cases where it may be extended to directors, general managers or self-employed individuals as per ECJ interpretations
  • PIPL: both the company and the responsible person. Additional sanctions too: shutdown of website, suspension of business license

For more detailed information, contact Charlotte Mantoux (Paris) and Jean-Philippe Engel (Shanghai).

About Leaf

Leaf is a multi-award-winning corporate law firm specialized in cross-border M&A transactions in Asia.

Leaf advises international corporations and mid-cap enterprises on safely completing their cross-border operations and their joint ventures with state-owned and private partners. We also assist our clients in their strategic operations across Asia and in structuring investments in Asian-based start-ups.

The team is composed of international corporate lawyers based in China and in France.


[1] Article 4 of the PIPL

[2] Ibid.

[3] Articles 5 and 7 of the PIPL

[4] Articles 6 and 13 of the PIPL

[5] Articles 9, 20 and 69 of the PIPL

[6] Articles 70 and 71 of the PIPL

[7] Article 22 of the PIPL

[8] Article 23 of the PIPL

[9] Articles 6 and 28 of the PIPL

[10] Article 9 of the PIPL