2022年初，赴香港上市的中国内地企业招股书中开始出现一类“新角色”：即数据合规中国律师，他们在上市项目中单独为公司出具和网络安全及数据保护相关的意见。这一角色的具体职能是什么？未来又会否成为赴港上市项目中的标配？

 

2022年2月25日，中国最大的在线健身平台Keep向港交所递交招股书，其中首次单独列出了“数据合规中国律师”这一角色。据了解，在近期的多个港交所上市项目中，公司也单独了聘请中国律所就网络安全和数据保护提供专项服务。

环球律师事务所合伙人孟洁律师、李来祥律师近期合作主导了一系列上市项目过程中的数据合规专项服务，他们告诉ALB，上市项目中数据合规律师的独立出现其实是某种历史趋势的“必然”。伴随过去几年中数据合规重要性不断显著，资本市场律师在向潜在客户推广服务时都会把“律所拥有专业的数据合规专家作为一大亮点”。不过此时数据合规仍作为资本市场法律打包服务中的一部分，尚未分化为独立的上市中介角色。

这种情况在去年7月出现了变化。“‘滴滴事件’后，数据合规及网络安全审查成为发行人及投行关注的重中之重，从那时起，数据合规律师的角色更被关注，数据合规也逐渐成为单独报价的服务项目。”李来祥律师说。

世辉律师事务所合伙人王新锐律师和多位同事合作，近年也完成并参与多个港股上市项目中的数据合规专项服务，他对此有着相似观察。王律师告诉ALB，他目前正在处理的上市专项服务普遍“集中于去年下半年启动，尤其‘滴滴事件’后，大家对这个事情的关注度有了明显提升”。

合规必要性

今年2月15日，《网络安全审查办法》正式生效，其中明确规定掌握一百万用户数据的企业赴国外上市需展开网络安全审查，这极大提高了券商和交易所对于拟上市企业数据及网络安全合规情况的重视。但事实上，监管及市场已达成共识，《办法》之下，除非特殊情况，赴港上市企业无需主动申报审查，这似乎将他们排除在了网络及数据安全的上市强制性规定以外，那么赴港上市企业又为何要主动聘请中介机构，特别展开专项调查？

环球的孟洁律师指出，首先，赴港上市其实绕不开《网络安全审查办法》。在掌握超出一百万用户个人信息这一标准外，《办法》还规定“关键信息基础设施运营者采购网络产品和服务、网络平台运营者开展数据处理活动，影响或者可能影响国家安全的，应当按照本法进行网络安全审查”，“这个标准其实更宽泛，上市过程中香港联交所和券商会反复问及，需要借助数据律师过往的项目经验和具体审查做出合理判断”。

此外，无论一家公司是否涉及网络安全审查，伴随中国数据安全和网络安全立法日臻完善，执法愈加严格、细化，尤其在数字经济领域企业的上市过程中，一家企业的数据合规达标程度也会遭遇来自交易所、监管机构和券商的反复询问。

因此，“上市各方已经达成共识：数据合规律师在上市中不能只出具一个背书意见，而要实质性判断公司整体运营中数据处理活动的合规性，并协助公司提升能力”，世辉的王新锐律师说。他指出，对于以数据为核心资产的拟上市企业来说，保障在《网络安全法》《数据安全法》《个人信息保护法》“三大法”下的合规本身就关乎公司的持续稳健运营；此外，上市项目容错率低，如果在数据合规问题上掉链子，可能会影响全局，“例如一家公司的核心资产就是它的App，如果在上市过程中因数据合规问题遭遇下架及整改，会造成极大的负面影响，直接冲击上市项目”。

主要服务内容

那么，服务于上市数据合规专项的律师具体要做些什么？

孟洁律师指出，这根据团队对公司数据合规情况的了解程度而有所不同。“如果拟上市企业的日常数据合规服务本身就是我们提供的，我们对这家公司不同产品线可能用到的数据类型、处理方式、运营逻辑、产品设计、风险机制等都相对清楚，会在此基础上做一次上市前的复盘或尽调，重点检查此前已为公司提出整改方案的完善效果，并对薄弱点、新合规点查缺补漏。”

但如果是此前未合作过的企业，孟律师指出，那么更加需要“在一开始就培育和管理层间的信任，在最短时间内对存在的风险进行“治愈”。她解释道，数据合规工作要求多方配合，外部律师可以从监管要求、同行经验角度为拟上市企业提供“药方”，如果管理层只把数据合规视为对投行要求的应付，必然难以取得好效果。

孟律师因此建议，企业管理层应该借上市契机，对数据合规情况做整体盘点或风险识别。她告诉ALB，有些企业会借此开展运营改良、产品优化，包括优化审查流程、提升人员风险意识并加强培训、进一步搭建数据合规体系、完善和供应商及客户间的合同，建立内控制度等一系列配套方案，为上市后的海内外发展打下坚实基础。

“我最近常和客户说：由于三大法已经在中国构建起比较完整的数据保护体系，一家公司也需要以体系对体系，搭建数据合规体系逐项回应法律要求。上市相当于对合规体系的一次‘大考’。”王新锐律师说。因此，数据合规律师需要考察公司在三大法律及配套规则的“考试大纲”下是否有明显问题，并判断公司是否有足够完备的内控流程，此外，就上市过程中可能颁布的新法律法规下的合规问题，律师也要有能力做出一定预判。

“一个值得关注的现象是，有些知名公司对数据合规很重视，已经在行业中达到了比较高的合规水准，但往往越是有市场影响力的公司，在上市过程中越会获得市场更高的期待（也有可能是更具有针对性的攻击），尤其当你是某个赛道的第一家上市公司，还要考虑能否在数据合规领域做到标杆水平。”王律师接着说，“这也给数据律师带来挑战和难点。”

如何做好上市数据合规

更高的深度和广度之外，上市数据合规专项服务还有其他特点。

“上市阶段的数据合规一定要和公司的业务内容、模式、流程等高度融合，也要和招股书其他内容自洽，因此数据合规专项律师也需要深入了解公司，熟悉上市流程和各方关注点，并和其他团队做好协同。”王新锐律师指出。

此外，上市项目时间表通常十分紧张，“要从最开始就投入足够人力，并在每件事情上给公司留足调整时间。数据合规的一个难点就在于如何最小限度影响业务。有的公司会在上市前一年就聘请律师，考虑的就是不要让合规工作对业务的影响特别集中地爆发出来”，王律师说，“此外数据合规律师也要抓住本质，识别重大问题并提出快速整改意见，有效提升项目效率。”

孟洁律师对此表示认同，尤其在时间点上，她指出，“部分公司在最初有上市计划时就会聘请数据合规律师，对数据全生命周期安全与合规情况、数据整体运营和治理情况、数据被第三方利用或传输给第三方情况等展开尽调”。她因此建议道，如果经数据律师“诊断”后发现风险，不如经过整改后再推动上市申报流程，“一旦开启上市，一系列安排紧锣密鼓到来，再去做数据地图、分类分级，可能涉及到对数据库底层逻辑、产品运营体系的整体翻盘，时间上就不允许了”。

尽早开启项目之外，面对紧张的时间表，受访律师也提到了纳入资本市场律师的重要性：即在数据合规团队中也搭配一位来自自家律所的资本市场律师，他/她熟悉流程和各方需求，能够协助掌握上市时间表、和其他中介律师团队沟通，并将自身知识快速输出给数据律师，实现更好的服务效果。

更多的业务机会

与“互联网企业才需要做好数据合规”的惯常想象不同，受访律师告诉ALB，需要展开上市数据合规专项服务的企业类型如今越来越广泛。“如今没有什么企业是完全不和数据打交道的。”孟洁律师坦言，“我们通常接触的企业分三类，一是互联网企业；二是专门从事数据业务，如大数据、云服务的企业；三是正经历数字化转型的传统企业。三类企业在诉求和评估角度上也有所不同。”

王新锐律师则指出，他和团队所接触的客户包括多个行业，其共同特点是数据驱动，而这样的企业越来越多。“比如我们服务的项目涉及企业服务类公司，他们面对的是B端客户，而这些B端客户本身可能拥有庞大数据”。此外，他所服务客户中也包括了越来越多的医疗企业，“无论医疗器械，还是药物的研发、临床过程，都会涉及大量数据”。

谈到在此类数据专项服务中客户青睐怎样的律师团队，王律师坦言：“客户非常关注数据团队是否处理过一定体量的市场领先项目，甚至是否长期服务过某个细分领域，对具体业务场景是否熟悉。这也就意味着，如果一家律所在数据合规领域刚刚开始做，项目积累肯定不够。”

客户类型更丰富外，王律师观察到数据合规律师的服务场景也更广阔了。不仅局限于上市融资，“我们近期在一些投融资项目中也遇到数据合规需求，包括许多一线的基金投资人，对数据问题非常关注”；此外一些审计机构在准备公司年报时，也会要求展开相应的数据合规调查。

这也是孟洁和李来祥律师的感觉。“以前都是上市律师带着数据合规律师一起进场，现在则出现了部分项目数据律师带上市律师进场的情况，反哺了上市业务，这是个蛮有意思的事情。”李律师说。

“今年我最深的一个体会是，我的团队开始能够以数据为原点，到其他领域去做延伸。除了资本市场，数据律师还会和金融、反垄断、反腐败、经济制裁与出口管制、知识产权、争议解决等领域律师合作。”孟律师感慨道，“反过来，这也要求律所平台足够大，每一方面都足够强。未来综合性大所的优势会越来越明显。”

 

RISE OF THE DATA COMPLIANCE LAWYER

Since early 2022, a new role has found its way into the prospectuses of Mainland Chinese companies that are seeking to list in Hong Kong: Chinese data compliance lawyers who separately issue opinions on cybersecurity and data protection for companies being listed. What do these lawyers do? Will they become a permanent fixture in all future Hong Kong listings?

 

On Feb. 25, Keep, China's largest online fitness platform, submitted its prospectus to the Hong Kong Stock Exchange (HKEX) in which the role of "Chinese data compliance lawyer" was listed separately for the first time. Other companies in recent HKEX listing projects have also hired Chinese firms to advise on cybersecurity and data protection issues.

Maggie Meng and Joseph Li, partners of Global Law Office, have recently co-led data compliance services in a series of listing projects. They tell ALB that the emergence of data compliance lawyers as an independent role in listing projects is actually an "inevitable" trend. With the importance of data compliance increasing in the past few years, capital market lawyers have been highlighting professional data compliance experts in their firms when pitching to potential clients. However, data compliance was then still part of the capital market legal service package, not yet an independent listing intermediary.

That changed last July. "After the 'Didi Incident,’ data compliance and cybersecurity review have become top priorities for issuers and investment banks. Since then, the role of data compliance lawyers has been thrust into the spotlight, and data compliance has gradually become a separately quoted service,” says Li.

Raymond Wang, partner of Shihui Partners, has worked with colleagues in recent years to provide specialized data compliance services in many HKEX listing projects. He shares similar observations. According to Wang, the special listing services he is currently providing are generally "launched in the second half of last year, especially after the 'Didi Incident' which significantly increased everyone's attention on this matter.”

COMPLIANCE NECESSITY

On Feb. 15, the Measures for Cybersecurity Review came into effect, which clearly stipulate that companies with one million user data must conduct cybersecurity review if they wish to go public overseas. On the other hand, however, regulators and the market have reached a consensus that except under special circumstances, companies seeking Hong Kong listing are not required to proactively apply for review under the Measures. Then why do companies looking to list in Hong Kong still voluntarily hire intermediaries and carry out such self-inspections?

Meng of Global Law Office points out that it is actually not possible for a Hong Kong listing to bypass the Measures. In addition to the threshold of possessing the data of one million users, the Measures also stipulate that "critical information infrastructure operators procuring network products and services and network platform operators conducting data processing activities shall conduct cybersecurity review in accordance with this Law if such procurement or activities will or may affect national security.”

"This is a much wider standard and a point that will be repeatedly questioned by the HKEX and underwriters during the listing process. Lawyers need to make reasonable judgments," says Meng.

Moreover, regardless of whether a company’s business involves cybersecurity review, with China's data security and cybersecurity legislation gradually improving and law enforcement becoming more stringent and detailed, the degree of a company's data compliance will also be subject to repeated inquiries from exchanges, regulators and underwriters.

Therefore, "all parties to a listing project have reached a consensus that data compliance lawyers can no longer just issue an endorsement opinion during the listing process. They should give substantive judgement on the compliance of data processing activities in a company's overall operation," says Wang of Shihui Partners. In addition, listing projects have low tolerance for errors. Any mistake in data compliance may affect the entire project. "For example, if a company's core asset is its app, and the app is taken down or subject to rectification due to data compliance issues during the listing process, it will be hugely negative and directly affect the listing project."

KEY SERVICES

What exact does a data compliance lawyer do in a listing?

Meng explains that services vary according to lawyers’ knowledge of a company: "If the routine data compliance services of a company that seeks listing are already provided by us, we will conduct a pre-listing review or due diligence, focusing on checking the improvements made according to the rectification plan we have proposed, and beefing up weak points and new compliance aspects."

On the other hand, for a company that lawyers have not worked with, it is more important to "build trust with the company’s C-suite from the beginning,” explains Meng. According to her, data compliance work requires cooperation from multiple parties. External lawyers can provide "prescriptions” based on regulatory requirements and experience of industry peers for a company that is seeking listing status. However, if the C-suite only regards data compliance as a response to the requirements of the underwriters, it will be difficult to achieve good results.

Meng thus advises companies to take the opportunity of listing to make an overall stocktaking or risk identification of data compliance. She tells ALB that some companies will use this occasion to improve operations and optimize products, and even establish internal control systems to lay a solid foundation for their development at home and abroad in the future.

"I have often told clients recently: since the three main laws have already established a relatively complete data protection system in China, a company also needs to respond by building a data compliance framework in a systematically manner. Listing is a major ‘exam’ of a company’s compliance framework,” says Wang. In addition, lawyers should also be able to make certain predictions regarding compliance issues under new laws and regulations that may be promulgated during the listing process.

"Some well-known companies have already reached a relatively high level of compliance in their respective industries. However, the more influential a company is, the higher the market's expectations for it during listing, especially if the company is the first to be listed in a certain field because it is necessary to consider whether the company can set a benchmark in the field of data compliance," continues Wang, "This also brings challenges and difficulties to data lawyers."

DEEPER UNDERSTANDING

Apart from more depth and breadth, listing data compliance services also have other features.

"Data compliance at the listing stage must be highly integrated with a company's business offerings, models and processes, and must be consistent with the other contents in the prospectus. Therefore, data compliance lawyers also need to have an in-depth understanding of the company, be familiar with the listing process and the concerns of all parties, and coordinate with other teams," explains Wang.

In addition, listing projects usually have very tight timelines. "It is necessary to invest enough manpower from the beginning and give companies enough buffer for adjustment. Some companies will engage lawyers one year before listing so that the impact of compliance work on the business will not burst out during a particularly concentrated period," says Wang.

Meng concurs, especially when it comes to timing. She points out that "some companies will engage data compliance lawyers the moment they draw up the plan to go public.” Therefore, she advises companies to rectify the risks, if any, detected after "diagnosis" by data lawyers first before pushing ahead the listing application process. This is because "once the listing process begins, a series of events will happen in quick succession, and there will not be time to rectify risky business models.”

In addition to starting a listing project as soon as possible, lawyers also highlight that the tight schedule calls for the inclusion of capital market lawyers. In other words, having a capital market lawyer from one’s own firm in the data compliance team. The capital market lawyer usually is familiar with processes and the needs of all parties and can assist in managing the listing timetable and communicating with the legal teams of other intermediaries, so as to achieve better results.

MORE OPPORTUNITIES

Contrary to the conventional assumption that "only Internet companies need to do a good job in data compliance,” lawyers mention that more and more types of enterprises now need special services for listing data compliance. "There is now no company that does not deal with data at all," Meng points out. "The companies we usually work with fall into three categories: Internet companies, companies specializing in data services, such as big data and cloud services, and traditional enterprises undergoing digital transformation. These three types of enterprises differ in their needs and assessment perspectives."

According to Wang, the clients that he and his team work with come from a variety of industries, but they are all data-driven, and there are more and more such companies: "For example, the projects we serve involve business service companies. These companies face business customers, and those business customers themselves may possess huge volumes of data." In addition, Wang is advising more and more medical and healthcare companies. "Whether medical devices or drug research and development and clinical processes, a large volume of data will always be involved," he says.

As to what kind of legal team clients prefer for such data services, Wang shares that "clients pay particular attention to whether a data team has worked on a certain number of market-leading projects, and even whether it has served a certain industry for a long time and whether it is familiar with specific business scenarios. This means that a firm which has just started data practice will not have accumulated enough project experience."

Meng and Li feel the same way. "In the past, listing lawyers took data compliance lawyers under their wings. Now the dynamics have shifted in certain projects where data compliance business supports listing services, which is interesting,” says Li.

"One thing that stands out for me this year is that my team has begun to be able to extend data services to other fields. In addition to capital markets, we also work with lawyers in finance, anti-monopoly, anti-corruption, economic sanctions and export control, intellectual property and dispute resolution," says Meng. "In turn, this requires a firm to have a large enough platform and to be strong enough in every practice area. In the future, large full-service firms will have more and more obvious advantages."