Cross-Border Due Diligence on Chinese Targets: A Working Brief for Non-PRC Counsel

Most cross-border deals where the target sits in mainland China get to the bid with a Western-built data room and a North-Atlantic-style diligence checklist. By the time the buyer's PRC counsel arrives, half of the workstreams need to be re-scoped. Five recurring issues are worth surfacing at the term-sheet stage.

1. Data export is not a diligence convenience — it is a regulated activity

The Data Security Law, the Personal Information Protection Law and the Cybersecurity Law together impose substantive restrictions on transferring data out of mainland China for diligence purposes. "Important data" and certain volumes of personal information can require either a security assessment by the Cyberspace Administration of China, standard contract filing, or certification, depending on the category and volume.

The practical implication: a typical due-diligence data room hosted on a US or Singapore platform, accessed from outside China, may itself constitute a cross-border data transfer. Workarounds include onshore secure rooms, redaction at source, and aggregation of sensitive datasets into anonymised summaries. Build the data-room architecture into the timeline; do not assume Q&A volume can run as it would in an EU or US deal.

2. Whether the target is "state-owned" is a layered question

A simple cap-table check is not enough. PRC state ownership operates through tiered holding structures, government guidance funds, and group-level state investment vehicles. A target that looks privately owned at the operating-company level may have an indirect state-affiliated parent two or three levels up — triggering SASAC consent processes, public-listing requirements for asset transfers, and special pricing rules.

Counsel should map the target's direct and indirect ownership to the level of the ultimate beneficial controller, identify any state-investment percentages crossing the threshold for SASAC oversight, and confirm whether the asset is on the published state-asset transfer register.

3. Operating licences in regulated industries can be non-transferrable

Education, healthcare, value-added telecommunications, media, financial services and an expanding list of data-handling industries each carry sector-specific licensing regimes. The licence frequently sits with a specific legal entity and a specific individual responsible person — it does not always travel with the equity.

The buyer needs to know, before signing, whether closing requires (a) a fresh licence application in the post-closing structure, (b) regulator notification, (c) consent to a change of control, or (d) all three. The lead time for any of these can be longer than the gap between signing and closing in a typical Western SPA.

4. The social-credit record is now a substantive line item

The corporate social-credit system aggregates regulatory penalties, court enforcement records, tax-default flags, and a growing list of sector-specific compliance ratings into publicly searchable profiles. A target with a serious-illegality record can be barred from bidding for government contracts, from receiving subsidies, and from cross-border investment approvals.

A diligence summary that says "no material litigation" is no longer sufficient. The standard check is the public credit-information system, the enforcement-default debtor list, the abnormal-operations directory, and, for listed targets, the CSRC and exchange disciplinary registers.

5. Privilege does not travel the way you may assume

Communications between a PRC company and its in-house counsel, and between a PRC company and its outside Chinese counsel, do not enjoy a generalised attorney–client privilege of the kind found in the US. Documents created in the diligence process may be discoverable in subsequent disputes or regulatory investigations. Foreign counsel running parallel privileged streams should structure communications, retention of advisers, and document flows with this in mind from day one.

Term-sheet checklist

Before signing, confirm with PRC counsel:

Question	If unresolved
Is the data-room architecture compliant with PIPL / DSL cross-border transfer rules?	Re-architect — likely an onshore room
What is the target's ultimate ownership and any state-investment percentage?	Map to UBO; flag SASAC implications
Which operating licences require change-of-control consent?	Time consents into the SPA timeline
What is the target's social-credit and enforcement record?	Pull the four public registers, summarise
Are diligence communications structured for privilege protection?	Adjust counsel retention and document flows

Closing

Chinese-target diligence is doable on a Western timeline only if the architectural decisions are made early. The work itself is not exotic; the sequencing is. The cheapest source of delay is to wait until the data-room is being set up to discover that it needs to be set up onshore.

---

This article is general commentary as of the date above. It is not legal advice and does not address the specifics of any particular transaction. For matters governed by PRC law, please engage qualified PRC counsel.