Data protection issues may creep into any stage of mergers and acquisitions—from the development of an acquisition or approach strategy to the integration and transition strategy post-completion—so companies should prepare carefully at the outset of the M&A process, the authors write.
By Emma Flett and Jennifer Wilson
Emma Flett is an intellectual property partner in Kirkland & Ellis International LLP in London. She can be reached at firstname.lastname@example.org.
Jennifer Wilson is an associate at Kirkland & Ellis in London.. She can be reached at email@example.com.
The revelations of the data security breach affecting at least 500 million Yahoo! Inc. user accounts at an advanced stage of a proposed billion-dollar acquisition of the company by Verizon Communications Inc. is the stuff of every dealmaker's nightmares. The breach, which has been brandished by tabloids across the world as a “ mega-breach” and the “ biggest hack in history,” is reportedly expected to result in substantial delays to deal closing, painstaking investigations and a reduced purchase price. The situation has recently been compounded with Yahoo's Dec. 14 disclosure of another record-breaking breach of more than one billion user accounts that occurred in Aug. 2013.
The Verizon/Yahoo deal is not the first merger and acquisition (M&A) transaction to hit the headlines from a data protection perspective, however. In the lead up to the acquisition of WhatsApp Inc. by Facebook Inc. in 2014, the proposed use and transfer of WhatsApp's user data to Facebook for targeted advertising and other purposes was publicly scrutinised by the U.S. Federal Trade Commission. Two years later, Facebook's processing of user data obtained from its WhatsApp messaging service has found itself back in the spotlight.
While the Verizon/Yahoo and Facebook/WhatsApp acquisitions have perhaps thrust data protection into the public spotlight of M&A activity, privacy concerns are not (and should not be) limited to high profile deals involving the world's digital and telecommunication giants. In a world awash with more personal information than ever before, data has become “ the new oil” and a key business asset for almost all companies, even in respect of those viewed as traditional “brick & mortar” businesses. New technologies and business models have led to data collection and analysis becoming an almost ubiquitous business practice, viewed as essential to the heartbeat of a business in maintaining its competitive edge. Coupled with this brave new information age in which we live, the elevation of data protection compliance as a board level issue (particularly in light of moves by European governments to introduce personal liability for directors in respect of cybersecurity breaches); growing customer awareness and expectations regarding the ways in which businesses treat (and mistreat) their personal data; and the advent of anti-trust type fines for data protection compliance under the new General Data Protection Regulations (GDPR) in the EU from May 25, 2018, are all factors contributing towards data protection becoming an increasingly important item in the long list of items to be considered as part of any business sale or acquisition.
Despite this shift in focus, data protection issues are often neglected by sellers, buyers and their advisors during the M&A process, and key compliance issues may not be identified until well into the transaction (or in some cases, not at all). Consider for example, the announcement by tour-booking and review site Viator Inc. in 2014 that it had been the victim of a data breach affecting an estimated 1.4 million customers, only two weeks after online travel site TripAdvisor Inc. had acquired the company for over $200 million. At best, failure adequately to address these issues at an early stage in the process can result in a last minute dash to find a compliance solution at a critical moment in the transaction. However, where a target's data forms one of its key assets, a critical or systematic failure to comply with applicable data protection laws may mean that the entire business model on which a transaction is premised is not viable. Targeted due diligence may therefore reveal issues that go directly to deal value and in some cases, deal feasibility.
In short, data protection issues can no longer be afterthoughts in the process of selling or acquiring a business and pre-transaction planning is critical. How then can parties to an M&A transaction ward off data protection monsters and uncover compliance skeletons in the closet?
Like a terrifying character in any hair-raising horror film, data protection considerations can creep up on unsuspecting parties at any stage of a transaction. However, parties to a deal should prepare in advance for these issues to be addressed at three key touch points so as not to be caught unawares:
In addition to identifying potential data protection risks and liabilities during due diligence into a target's trading activities and operations, data protection compliance issues exist as a result of the mere performance of due diligence itself. As almost all M&A deals will involve the exchange of personal data between parties (often with a cross-border aspect), these issues should be considered in the early planning stages of any transaction. This article will address both compliance during the M&A process itself, and the key considerations for sellers and buyers in tackling potential data protection nasties in respect of the target's activities prior to and following the transaction.
In light of the lessons learnt from others' M&A data protection horror stories, savvy sellers should invest ahead of any transaction to make sure their house is in order from a compliance perspective. In terms of compliance with the U.K. Data Protection Act 1998 (DPA), this will involve ensuring that the seller is compliant with the eight core data protection principles enshrined in the DPA. In particular, sellers should ensure any personal data held by the company is adequate, relevant to the purposes for which it has been collected and not excessive for those purposes, and that it is not being kept for longer than necessary for those purposes. Prior to completion, a seller should audit the personal data it holds and assess compliance with the principles of the DPA. In particular, at a basic level, consideration should be given to the following:
Before engaging with a target, potential buyers should factor data protection and data security considerations into their overall deal strategy given that these can impact on a target's business objectives, regulatory profile and overall valuation. Some key strategic issues to consider include:
Other basic preparatory considerations that should be made by acquirers early on in an M&A process, even before formal due diligence begins, include:
Given the strategic importance of many of these issues, parties on both the sell and buy side should review the target's privacy policies and applicable laws to determine what personal data can be shared by the target during the due diligence process and any notable restrictions on transfers of personal data that could impact on the transaction (discussed further below) at an early stage in the evaluation of a potential merger or acquisition.
One way of avoiding having to provide fair processing notifications at this stage would be to fully anonymise any personal data included in the information to be disclosed to the prospective buyer and its advisors so that it falls outside the scope of the DPA. In reality, effective anonymisation of all personal data contained in due diligence disclosures may be impracticable. Alternatively, sellers should consider holding back all personal data during due diligence until a later stage in the transaction (for example, once exclusivity with one potential acquirer has been granted, thereby limiting the number of potential recipients of the personal information).
A risk-based approach
If personal data contained in disclosures cannot be anonymised, parties may need to adopt a risk-based approach, which weighs up the need for disclosure against the commercial and legal risks (based on the volume and sensitivity of personal data involved). In any case, where disclosures of personal data (as opposed to sensitive personal data—see further below) are unavoidable, sellers should seek to minimise the volume of personal data provided to prospective acquirers as far as possible and limit disclosures to those that are absolutely necessary to the due diligence exercise or transaction as a whole. In addition, the risk of onward disclosure of personal data should be reduced by requiring prospective buyers to enter into non-disclosure agreements including confidentiality undertakings that ensure the personal data will only be used to evaluate the assets and liabilities of the business and will be returned to the sellers and/or adequately deleted should the merger or acquisition not go ahead.
It may also be necessary to include restrictions in such non-disclosure agreements on the potential buyer and its advisers from transferring personal data outside the EEA, or if such cross-border transfers are necessary (for example, where a buyer based outside the EU is considering an EU target), only allow such transfers if certain conditions are met (such as entry into standard contractual clauses). In most M&A deals, non-disclosure agreements will be entered into prior to the due diligence exercise. However, parties should be alert to any likely disclosures of personal data that may be made prior to the formal due diligence process, and back-date the effective date of non-disclosure agreements as appropriate to protect such information. From a practical standpoint: access to personal data should be in a secure environment; electronic transmissions of data should be encrypted; third-party hosts of data should be carefully vetted; and those given access should accept the confidentiality and purpose-limitation undertakings mentioned above as a strict condition of access.
Categories of data
In terms of particular categories of data which may be relevant to a disclosure exercise:
Tailored due diligence
In terms of the assessment of a target's data protection compliance and information security profile, due diligence should be tailored as far as possible to the company's trading activities and operations. In the digital age and particularly in light of the overreaching principle of “accountability” underpinning many of the provisions of the GDPR, simply reviewing privacy policies and data protection provisions in employee contracts etc. in a vacuum is no longer adequate.
Transactional lawyers advising a target's risk profile from a data protection perspective should adopt a holistic approach which not only assesses how that company gathers, uses, stores, protects and destroys personal data according to the black letter of its general information governance policies and contracts, but also whether these procedures are followed in practice. To do so, as well as requesting the target's privacy policies and internal guidelines for use of personal data, it is also worth asking management of the target (or, even better, the target's data protection officer if it has one) to provide:
The overreaching objective in requesting the above information and documentation should be to paint a detailed picture of the overall data protection health and well-being of the target. Of course, there is no magic wand to this type of due diligence and the questions asked and documentation requested should be tailored to the nature of the target's business and industry sector, as well as the buyer's strategic plans for the business (as discussed above). In addition, the level of diligence carried out may be dictated by a number of factors (including the risk tolerance of the buyer and time constraints around the speed at which the deal is to occur). Arguably, limitations in the depth of due diligence resulting in spooky data protection “unknowns” should translate into more fulsome representations and warranties in the deal documents. On the other hand, unearthing compliance issues though detailed data protection due diligence is also likely to lead to stringent and robust data protection provisions and pre or post-completion undertakings from the seller in the transaction agreements.
Either way, the findings of the seller's data protection due diligence will significantly inform the representations, warranties and indemnities sought from the seller in the deal documentation. By way of example, sellers should be asked to warrant that the target has: (i) provided adequate notice and obtained any necessary consents from data subjects required for the processing of personal data; (ii) abided by any privacy choices (including opt-out preferences) of data subjects relating to personal data; (iii) adopted appropriate technical, physical and organisational measures and security systems and protocols designed to protect personal data against accidental disclosure or unlawful access; (iv) put in place written agreements with all data processors which comply with data protection laws and the target's own privacy policies; and (v) not experienced any breach, security incident, or violation of data protection laws, or of its own privacy policies in relation to personal data.
The buyer may also want to seek indemnities in respect of any breaches of data protection laws, on a general basis or in relation to specific concerns identified through its due diligence. In negotiating the survival period of these provisions, a buyer should consider the length of time required to fully integrate the IT systems of the target and secure the target's network following completion, as well as any limitation periods for data protection related claims and investigations.
Address red flags without delay
Notwithstanding the need for carefully crafted representations and warranties in the deal documentation, at a practical level, significant data protection red-flags uncovered by due diligence should be addressed without delay. If the risks or vulnerabilities in the target's IT security framework are significant, or key personal data is tarnished in a material way or cannot be transferred to the buyer, the value of the target may be affected and a renegotiated purchase price may be appropriate. Alternatively, if data protection or security issues can't feasibly be resolved prior to completion, buyers may need to consider how best to apportion financial risk with the seller, for example, by requiring an escrow account to hold back part of the purchase price to address potential post-closing liabilities. As the sellers are unlikely to be in a position to assess these liabilities post-completion, this is likely to entail detailed provisions being negotiated as to the mechanisms around this holdback. At a more prescriptive level, buyers may ask that the target takes specific remedial steps prior to completion, such as amendments to its privacy policies and fair processing notices, the implementation of certain security measures (such as encryption or more regular back-ups of data), or the tightening-up of data protection provisions in the target's agreements with data processors.
Data protection considerations in M&A deals do not end with the signing of transaction documents. While (or, most likely, before) celebratory champagne corks are popped, data protection practitioners must ensure that any transfers of personal data as a result of the transaction are compliant with data protection law. The position will differ depending on whether the transaction is an asset or share sale. On a share acquisition, as there will be no actual asset transfer other than relating to the shares in the target company, the identity of the data controller will not change on completion. As a result, fair processing information does not need to be given to the relevant data subjects, unless the acquirer proposes to use their personal data for a new purpose. From a reputational and customer service perspective, however, acquirers may wish to notify data subjects that their data has “changed hands.” This is likely to be the case where, for example, the identity of the target as a member of a particular group was an important basis on which the data subjects originally entrusted the target with their personal data.
In an asset sale, the transfer of personal data on completion of a business sale will amount to processing. As both parties are effectively acting as data controller at the point of transfer, both parties will be under a duty to inform the data subjects that their personal data is transferring to a new data controller. In practice, it is seen as adequate for one of the parties to provide this notification. For practical reasons and as the seller will no longer be the data controller of that data post-transfer, it is more common for the buyer to notify the data subjects on behalf of both parties. As a result, contractual assurances to the effect that the buyer will provide appropriate “fair processing information” to the relevant data subjects are often contained in the deal documentation. Data subjects' express consent will need to be obtained by the buyer (in both an asset and share sale) before it is able to use the personal data acquired as result of the transaction for any new purposes not already detailed in the target's privacy policies and customer agreements.
To the extent that the data being transferred in an asset sale is sensitive personal data then, under the black letter of the DPA, the seller or original data controller must obtain the express consent of the relevant data subjects before the sensitive personal data can be transferred to the buyer, unless one of the alternative (and very narrow) bases for processing sensitive personal data set out in Schedule 3 of the DPA is present.
In respect of employee sensitive personal data, this may include the fact that the transfer is necessary for the performance of the outgoing data controller's obligations under employment law (including in compliance with the Transfer of Undertakings regulations (TUPE)). Beyond employee data, however, it is difficult to think of an asset sale satisfying any of the other conditions set out in Schedule 3 of the DPA. Where obtaining express consent to the transfer of any other categories of sensitive personal data is not feasible, sellers and acquirers may therefore find themselves in a compliance conundrum on the point of transferring such data as part of an asset sale. Given the nature of sensitive personal data, a careful assessment of the likely impact on the relevant data subjects should be carried out. Any transfers of sensitive personal data likely to cause the data subject damage or distress should be avoided at all costs. Where consent to the transfer of sensitive personal data cannot be obtained, to the extent that such transfers are highly unlikely to cause damage or distress to the relevant individuals, parties may be forced to adopt a risk based approach (discussed below).
As discussed above, at certain stages during the M&A process, parties may be backed against a wall from a data protection compliance perspective and may need to weigh up the enforcement and reputational risks of non-compliance vis-à-vis the commercial risk of not proceeding with the transaction. Currently, the enforcement risks in the U.K. are as follows:
Beyond the criminal and civil sanctions attached to contraventions of data protection laws, sellers and buyers alike should be aware of the adverse reputational impact a breach of data protection law during the M&A process or transfer of customers or employees' personal data may have on the ongoing business. In addition, recent examples of regulatory bodies more closely scrutinising data protection issues in M&A transactions, coupled with the introduction under the GDPR of fines for non-compliance of up to 4 percent of annual worldwide turnover of the preceding financial year or 20 million euros ($20.8 million) (whichever is the greater), are likely to focus attention on data protection requirements during the M&A process, and raise the stakes in terms of carrying out thorough due diligence. We expect to see interesting developments in this area of M&A process in the next few years.
In an era where personal data has become the lifeblood of many businesses, a company's observance of data protection laws can go to the value of the business to a potential buyer. As recent headline grabbing horror stories have demonstrated, buyers cannot afford to be kept in the dark with regards any data protection nasties. There is no longer an excuse for data protection due diligence to be overlooked or inadequately tailored to a target's risk profile. Data protection issues should be carefully considered, planned for and handled at the outset and throughout the M&A process. Strategic issues with data protection at their core can creep up at various stages of a deal, including during the development of an acquisition or approach strategy at the genesis of a deal, through to the integration and transition strategy post-completion. Data protection issues don't vanish on completion, and wary buyers should continue to assess and review progress in meeting data protection compliance requirements and audits following signing of the deal lest they continue to be haunted by compliance ghosts of the past.
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)