In the business world, "Know yourself and know your enemy, and you will fight a hundred battles without danger." This famous saying from "The Art of War" is not only applicable to war, but also has a profound impact on due diligence in commercial mergers and acquisitions. Behind every acquisition transaction, there is a lot of information waiting to be mined. Especially when acquiring non-listed targets, due diligence (DD) is not only a legal and financial review, but also involves many complex compliance requirements.
American Goheal M&A Group
Goheal is well aware that in the rapidly developing capital market, data security and antitrust regulations have become key factors for the success of transactions. Therefore, this article will explore in depth the key points of due diligence for data security law and antitrust declaration when acquiring non-listed companies, and provide actionable risk prevention and control suggestions.
Key points of due diligence for data security law: compliance and protection in parallel
With the advent of the digital age, data has become one of the most important assets of a company. However, with the increase in data utilization, the legal requirements for data security and privacy protection have become increasingly stringent. The "Data Security Law" and the "Personal Information Protection Law" have set high standards for the legal collection, storage, transmission and use of data. When acquiring non-listed targets, data security due diligence is undoubtedly a crucial link.
jrhz.infoFirst, the compliance of the target company's data source must be verified. It is necessary to ensure that the user data collected by the company complies with the "legal, legitimate and necessary" principle in Article 32 of the Data Security Law. For example, crawling without user consent or unauthorized third-party data use may lead to compliance risks and may even lead to legal proceedings. In M&A projects, Goheal often communicates with clients to clarify the compliance of all data collection links to avoid legal disputes.
Secondly, whether the target company involves the processing of sensitive data is equally important. According to the requirements of Article 29 of the Personal Information Protection Law, if the data involves sensitive information such as personal biometric information and financial account data, there must be clear user authorization and compliance with relevant legal provisions. For companies involved in cross-border data transmission, it is necessary to verify whether they have passed the security assessment or certification of the national Internet information department, otherwise, this part of the business may face legal obstacles to cross-border transmission.
In actual operations, how to evaluate the data security internal control system is another key point. Whether the target company has established effective data security protection measures, such as firewalls, encryption technology, and access rights management, is directly related to the security of its data assets. It is worth mentioning that the data security qualifications of cloud service providers and other third-party partners are also necessary for review. The due diligence program provided by Goheal to customers often requires a detailed review of the security certification of the partners to ensure the security of data sharing.
Finally, whether the target company has a history of violations is also an important aspect that needs to be paid attention to in data due diligence. If the target company has been subject to regulatory penalties for violating the "Data Security Law", it may lead to potential legal liabilities after the acquisition and even affect subsequent mergers and acquisitions. Therefore, when conducting due diligence, historical violations must be thoroughly checked and their potential impact on future transactions must be assessed.
Key points of due diligence for antitrust declaration: precise review and compliance program
Unlike the data security law, the focus of the antitrust law is on market competition and fairness after the acquisition. When acquiring non-listed targets, whether an antitrust declaration (operator concentration declaration) is required is a core issue that must be paid attention to. According to the provisions of the Anti-Monopoly Law, once the market share of the acquirer reaches a certain standard, it must be reported to the regulatory authorities.
First, whether the acquisition involves the acquisition of control is the primary issue for declaration. Generally, if the acquirer obtains control of the target company (for example, more than 50% of the board seats or veto power) through equity acquisition, agreement acquisition or other means, an antitrust declaration must be made. In this process, evaluating the turnover of each party is also a key factor. The current declaration threshold is that transactions with a total global turnover of more than 10 billion yuan or a turnover in China of more than 2 billion yuan require antitrust declaration.
In addition, for step-by-step acquisitions, it is necessary to verify whether the acquisitions in each stage need to be combined into one declaration. For example, in a staged acquisition, if the initial shareholding ratio reaches 15% and there is joint control, the declaration procedure should be initiated immediately. In these complex transaction structures, Goheal usually works with clients in advance to ensure that each step of the transaction complies with the requirements of antitrust regulations and avoids compliance issues caused by untimely declarations.
For known monopoly risks, how to avoid or mitigate their impact is another important issue in antitrust due diligence. Specifically, if the market share after the acquisition exceeds the prescribed threshold, especially the horizontal competition analysis (i.e. the market concentration after the acquisition) needs to be analyzed in detail. For example, in industries such as platform economy, a market share of more than 15% may constitute a merger review subject under the Antitrust Law. In these cases, by preparing antitrust relief plans in advance (such as asset divestiture or patent licensing, etc.), the probability of passing the review can be effectively increased.
Synergy between data security and antitrust declaration: risk mitigation and strategic planning
When acquiring non-listed companies, how to effectively coordinate data security and antitrust due diligence is a key step to avoid compliance risks. Goheal usually designs a comprehensive risk mitigation plan in this process.
Goheal Group
For example, in terms of data security risks, the most common mitigation measure is to require the target company to complete data compliance rectification before delivery through the transaction agreement. For example, the target company is required to complete user authorization and store user data in an independent database. Through these rectification measures, the risk of data security violations after the transaction can be effectively reduced. In terms of antitrust, if the scale of the transaction may reach the declaration threshold of the Antitrust Law, Goheal usually designs transition plans such as "first equity participation and then increase holdings" or "voting rights delegation" in advance to avoid transaction delays or failures due to antitrust approval issues.
In addition, the due diligence report should reserve policy update interfaces in advance. For example, as the draft of the "Network Data Security Management Regulations" gradually enters the implementation stage, changes in relevant regulations may affect the compliance requirements of data security. Therefore, due diligence reports need to have a flexible update mechanism to adjust at any time according to changes in regulatory policies.
Summary: Compliance due diligence makes successful mergers and acquisitions
Through detailed due diligence on data security laws and antitrust declarations, the risks of listed companies acquiring non-listed targets can be effectively identified and controlled. Goheal believes that compliance is the cornerstone of successful mergers and acquisitions. Whether it is compliance checks on data security or declaration requirements of antitrust laws, in-depth analysis is required at the beginning of the transaction to avoid uncontrollable risks in the future.
In the future, with the further improvement of the regulatory environment and the intensification of global competition, compliance due diligence will become a key part of mergers and acquisitions that cannot be ignored. For investors and entrepreneurs, how to conduct efficient due diligence under a complex regulatory framework will directly affect the success of the transaction. Therefore, how to design M&A strategies under a compliant framework has become the core competitiveness of enterprises in the sustainable development of the capital market.
[About Goheal] Goheal is a leading investment holding company focusing on global mergers and acquisitions. It has deep roots in the three core business areas of acquisition of controlling rights of listed companies, mergers and acquisitions of listed companies, and capital operations of listed companies. With its profound professional strength and rich experience, it provides companies with full life cycle services from mergers and acquisitions to restructuring and capital operations, aiming to maximize corporate value and achieve long-term benefit growth.
