When Regulators Outnumber Bankers
Cross-border M&A’s new deal-breakers: data transfers, IP exports, and regulators who all think they’re your in-laws.
👋 Welcome to the OnlyLawyer newsletter! Each week I tackle legal topics for the tech industry — cybersecurity, data privacy, AI stuff, and other current legal issues.
The New Jurisdictional Jenga
In the old days (like 2019), cross-border M&A risk meant export controls and maybe some antitrust filings. Now? It’s data.
EU: Thanks to Schrems II fallout, regulators still treat every U.S. data transfer like a crime-in-progress. Meta’s €1.2B fine in 2023 set the tone: even the biggest players can’t move employee or customer data without a 400-page Transfer Impact Assessment. In 2024, a U.S. SaaS buyer tried to scoop up a German adtech firm. Deal was ready to close in Q2. Instead, it limped across the finish line in Q4 because the lawyers were still arguing whether metadata counted as personal data. Spoiler: of course it did. And here’s the kicker…the “metadata” debate wasn’t about names or emails. It was about log files. Imagine trying to explain to your CEO why server logs just delayed their acquisition by six months.
China: Under PIPL, even hypothetical transfers need a security assessment. Bain Capital’s sale of a consulting unit stalled for months under CAC review. Another Hong Kong buyer went after a logistics SaaS with mainland ops and got handed a 300-question homework packet from the regulator. Half the questions looked like they were pulled from a law school exam. Deal clock: +9 months. One question literally asked for “a list of all future data categories you might process.” Predicting future data types? That’s not diligence, that’s fortune-telling.
India: With the DPDP Act now live, Delhi is in the game. A pharma acquisition froze in late 2024 because the target’s clinical trial data couldn’t leave the country without ministry approval. The buyer walked. Déjà vu for anyone who remembers when WhatsApp’s privacy update got regulators in Delhi hotter than a July monsoon. The ministry didn’t reject the deal, they just never approved it. Silence as a regulatory tactic. Try explaining to your board that you lost a deal because the government ghosted you.
So you’re not just structuring a merger. You’re negotiating with three sets of in-laws, all convinced they own jurisdiction. And unlike your actual in-laws, you can’t just nod, refill their wine glass, and sneak out early.
The First Casualty: Speed
Deals used to move fast when the money was right. Now, cross-border data makes everything crawl.
EU buyers pause for TIAs and DPA addenda that make War and Peace look like light beach reading.
Chinese sellers stall for approvals that move slower than a Windows XP boot screen.
Indian regulators sometimes don’t publish guidance until after your scheduled closing date. (Yes, that’s happened.)
One deal lawyer told me their “closing binder” for a $75M deal was literally smaller than the stack of Data Transfer Impact Assessments. That’s not a binder anymore, it’s a doorstop.
Before 2020: deal teams argued about price and earn-outs. After 2025: they argue about whether “server logs” are personal data.
“Sign and close in 90 days” is now “sign and pray we close before the interns quit.”
Why This Matters for GCs
Here’s the blunt reality: cross-border data/IP transfer is now an enterprise risk that can kill deals outright.
Valuation impact: If a target can’t lawfully export its customer or employee data, the buyer is basically purchasing desks, laptops, and a slightly used espresso machine. (Congrats, you’ve acquired a WeWork.)
Integration risk: Without certainty on data flows, synergies vanish. Try running a global CRM when half the customer base is stuck in Shanghai and the other half can’t legally leave Frankfurt.
Litigation risk: Add in CFIUS for inbound U.S. deals, which has already blocked semiconductor and AI-adjacent acquisitions, and suddenly you’ve got three regulators all telling you, “We’ll get back to you in 180 business days.” That’s if they “get back to you” at all. Regulators are increasingly comfortable with radio silence. It’s like waiting on hold with the world’s strictest call center, except the music is your quarterly forecast ticking down.
For investors, this isn’t compliance fluff. It’s deal math. A target with shaky transfer approvals is worth less than one with squeaky-clean paperwork.
The Deal Documents Are Changing
Cross-border headaches aren’t just slowing deals; they’re rewriting deal terms.
1. Representations & Warranties
Buyers now demand reps like: “Target is in full compliance with EU SCCs, China PIPL filings, and India DPDP obligations.”
Sellers who can’t back that up should expect indemnity escrows the size of small nations. And yes, I’ve already seen escrow asks so large they might as well rename the deal “we’re just holding your purchase price indefinitely.”
2. Closing Conditions
Once it was “antitrust clearance.” Now it’s: “Please wait while three data regulators consult their horoscopes.” Longstop dates are stretching like yoga instructors. Some are so long that by the time you actually close, half the leadership team has already left for a competitor.
3. Earn-Outs
Some deals now condition earn-outs on regulators approving transfers. Translation: “Congrats on hitting your revenue targets…unfortunately the CAC ghosted us.” Which means earn-outs are basically being drafted in pencil. And if you’ve ever seen litigation over an earn-out, you know pencil marks turn into full-blown depositions real quick.
4. Covenants
Buyers force sellers to maintain separate data silos until approvals land. Double the infrastructure, double the cost, and IT teams one coffee away from open rebellion. I’ve literally seen IT leads joke about building a “compliance bunker” just to keep regulators happy while the rest of the company tries to integrate.
Practical GC Playbook
Short-Term (next deal):
Ask sellers for proof of outbound data compliance (China filings, India approvals, EU TIAs). If the response is, “We’ll get back to you,” start drafting escrow provisions.
Add a data/IP transfer schedule to your diligence checklist. (Yes, another Excel tab. Sorry. And make sure it’s the tab you actually read. More than one GC has been burned by finding the “non-compliant transfers” buried in Row 187 the night before signing.)
Medium-Term (6–12 months):
Build a data transfer risk matrix: literally map where regulators can veto your integration plan.
Standardize data/IP reps in your templates so you’re not writing them from scratch mid-negotiation.
Train your deal team to stop assuming “metadata isn’t personal data.” Regulators love to say it is. In fact, if you’re betting on metadata being safe, you’re basically betting against the EU. That’s a bad bet.
Long-Term (12+ months):
Expect sector-specific overlays: health, finance, and defense deals will face regulator stacking.
Budget for local data infrastructure silos. The dream of “one global system” died sometime around Schrems II.
Position Legal as a deal enabler, not blocker. Show up with options: phased integrations, JV shells, or local carve-outs that still let the deal close. “We can’t do it” won’t fly anymore. “Here are three legally possible but painful ways to do it” will at least keep the bankers from panicking.
Closing Thought
The bottom line: cross-border data/IP transfer is no longer a footnote. It’s the headline.
If you’re a GC, don’t let your deal implode because someone assumed data could move like it’s 2015. It can’t.
Your new job title? Chief Regulator Wrangler. Because every global deal now has three negotiations: one with your counterparty, one with the bankers, and one with regulators who all think they own your data.
And like real in-laws, they’ll never actually leave the house. They’ll just keep asking if you’ve thought about “alternative structures” while you’re trying to eat dinner.


