January 31, 2019
EU and California privacy laws have become major factors for corporate executives weighing mergers and acquisitions, amid increased fears of regulatory scrutiny and potentially enormous fines.
The EU’s General Data Protection Regulation has heightened the importance of the potential privacy and regulatory implications of any transaction. Companies looking to make deals also have to look at California’s new law, which takes effect next Jan. 1, attorneys told Bloomberg Law.
“This change we’re seeing in the M&A landscape is the most drastic change I’ve seen,” Daniel Ilan, a partner with Cleary Gottlieb Steen & Hamilton with experience in cybersecurity and privacy questions in mergers and acquisitions, said.
The GDPR requires companies to get consent before collecting or using individuals’ data, be transparent in personal data use, and notify regulators 72 hours after learning of a data breach, among other provisions. The California privacy law includes some similar obligations, including transparency obligations. Businesses will have to tell individuals what data it holds on them and delete personal information upon request under California’s law.
Tackling both laws is crucial for all sides in a merger. Buyers should pay close attention to the seller’s data trove to avoid problems after the deal closes, attorneys said. Sellers should be clear about what data they possess, and how they use it, to avoid possible EU or California enforcement actions, the attorneys said.
The GDPR changed the calculus on how privacy issues can affect a deal, leading to more scrutiny “through the entire process,” Scott Loughlin, a privacy and cybersecurity attorney in Hogan Lovells LLP’s regulatory practice group, told Bloomberg Law.
Multinational companies could face fines of up to four percent of annual revenue for violating provisions of the GDPR. EU regulators have been ramping up enforcement of the law and are expected to go after companies for broad violations that go to the heart of their business models, in addition to individual scenarios such as a data breach.
Under the California law, companies could face up to $7,500 for in civil penalties for each intentional violation. Consumers can also bring actions in some cases.
The GDPR can serve as a roadmap for companies that are bracing for the California privacy law, merger and privacy attorneys said. Attorneys familiar with the GDPR can spot red flags in deals involving other privacy laws, they said.
Buyers will often assume the liabilities, including pending lawsuits and enforcement actions stemming from privacy laws, attorneys said. Data-driven companies could be a risky purchase because EU and U.S. regulatory authorities are focusing on businesses being transparent in their data collection practices, they said.
How well an acquisition target follows the GDPR and other privacy laws plays an increasingly important role in deal negotiations, attorneys said. Buyers are incorporating privacy issues in contract language, including representations and warranties, and changing deal prices to account for possible enforcement actions or lawsuits.
“At the end of a day, it’s a combination of remedies that could limit future privacy headaches,” Christine Lyon, a data protection partner at Morrison & Foerster LLP, told Bloomberg Law.
Buyers have far less time to prepare for California’s privacy law than they did for the GDPR, which took effect last May and echoes earlier EU privacy laws, and are forcing executives to discuss privacy in the board room when domestic deals are on the table, Lyon said. Many companies, even in the U.S., have dealt with EU privacy laws for years, she said.
Companies, especially buyers, have started preparing for compliance issues that could arise before or after striking a deal, attorneys said.
Buyers want to know “if the companies are flexible to upcoming privacy laws, or are there conflicts that are inherently problematic,” Lyon said. To determine this, “companies buying data-driven technologies are taking a deep-dive before signing deals and thinking ahead to remediate any issues if they find them,” she said.
Compliance with the GDPR and other privacy laws is even more important when the acquisition target is a data-driven company, attorneys said. An acquirer may spend more time in the due diligence process looking at the personal data a company holds than before the laws were in place, they said.
Privacy risks also can alter a deal price of a data-driven company because how much and what kind of data the target holds will help decide its future value, attorneys said. If a buyer can’t use certain data-sets because of health, financial, or other regulations, it could impact the value of a business, they said.
Buyers should assess if and how they can use the target’s data after a deal closes, especially in data-driven deals, attorneys said.
“Data has become a risk because of these laws, with non-compliance, fines, and investigations, but also it has become a very valuable asset for M&A buyers,” Ilan said. “In those data-driven transactions where it’s an asset the buyer wants to specifically acquire and exploit, privacy law has a very important role in determining how the data could be used after closing by the buyer.”
A buyer should determine what permissions and rights the seller has to the data, as well as how it will fit into the buyer’s business model, Loughlin said. If a seller has data but the buyer can’t use it, that could “go to the heart of the transaction,” he said.