A PYMNTS Company

Data Compliance Due Diligence in M&A Transactions

By  |  May 22, 2026
A Review Of Recent Merger Control Enforcement In China

By: Samuel YangChris Fung & Xinyu Xia (China Law Vision)

    Get the Full Story

    Complete the form to unlock this article and enjoy unlimited free access to all PYMNTS content — no additional logins required.

    yesSubscribe to our daily newsletter, PYMNTS Today.

    By completing this form, you agree to receive marketing communications from PYMNTS and to the sharing of your information with our sponsor, if applicable, in accordance with our Privacy Policy and Terms and Conditions.

    In this analysis for the China Law Vision blog, authors Samuel Yang, Chris Fung & Xinyu Xia (AnJie Broad) explore how cybersecurity and data-compliance due diligence has become a critical factor in mergers and acquisitions involving Chinese companies. The authors explain that China’s rapidly evolving data governance framework — strengthened by new laws, regulations, and enforcement actions between 2016 and 2026 — now has the power to materially affect company valuations and even block transactions altogether. Recent developments, including amendments to China’s Cybersecurity Law and the government’s decision to block Meta’s attempted acquisition of Manus on national security grounds, underscore the growing importance of data compliance in dealmaking.

    The article outlines China’s “three-pillar” data governance system, consisting of the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law (PIPL). Together, these laws impose extensive obligations relating to cybersecurity protections, data classification, cross-border transfers, and personal information processing. The authors note that the revised Cybersecurity Law now includes stronger penalties, extraterritorial reach, and provisions linked to artificial intelligence, while the PIPL creates especially strict consent requirements for sharing personal information during pre-merger due diligence processes.

    Yang, Fung, and Xia identify five core areas that buyers must examine during cybersecurity due diligence. These include data classification and grading, the lawful origin and handling of data assets, compliance with cross-border data transfer requirements, national security and cybersecurity review exposure, and implementation of technical safeguards such as encryption and Multi-Level Protection Scheme (MLPS) compliance. The authors emphasize that failures in these areas can expose acquirers to substantial regulatory, financial, and operational risks, particularly where companies process “important” or “core” data tied to national security or critical infrastructure.

    The analysis also reviews recent enforcement actions and case studies illustrating the practical consequences of non-compliance. The blocked Meta-Manus transaction demonstrated that offshore corporate structures may not shield acquisitions from Chinese national security scrutiny if core technology, engineering teams, or sensitive data remain connected to China. Meanwhile, Shanghai regulators recently penalized companies for conduct ranging from exposing databases to the public internet to manipulating user consent through misleading interface design. The authors further highlight growing concerns around successor liability, warning that acquiring companies may inherit responsibility for historical cybersecurity and data-protection violations committed by target businesses…

    CONTINUE READING…