Data Protection and Security in M&A
After almost two years of the GDPR, the fines from the regulators are starting to pile up. Buying or merging with a company that lacks proper cybersecurity, or one that is not in compliance with the GDPR, has become a considerable risk. For instance, the Information Commissioner's Office (ICO), the UK regulator, issued a notice of intent to fine Marriott £99 million after hackers stole the guest records of Starwood Hotels & Resorts Worldwide, which Marriott had acquired; the intrusion predated the acquisition and was only discovered afterwards. A study by Merrill Corporation has shown that over half (55%) of practitioners surveyed across EMEA had worked on M&A transactions that did not progress because of concerns around a target company's data protection and GDPR compliance. Non-compliance with the GDPR can therefore become a serious issue for the seller as well.
For the buyer, an undiscovered breach can add substantial costs to an M&A transaction. Security and data protection should therefore be addressed properly during the due diligence phase, to avoid unpleasant post-transaction surprises.
However, even without a current breach, an M&A transaction raises a number of data protection compliance issues and hurdles that need to be considered.
What happens in the situation of non-compliance?
In an M&A transaction, there is the risk that the target's non-compliance is transferred to the acquiring company and 'infects' it, leaving the group as a whole non-compliant. The same goes for vulnerabilities in the target's network and systems. Once the target company is integrated into the buyer's IT infrastructure post-transaction, a hole in the target's security becomes a risk for the whole company: attackers can use the acquired company's infrastructure as an entry point from which to attack the entire group.
Administrative Fines
By now, everybody should know the GDPR fine rule: up to 4% of worldwide annual turnover or €20 million, whichever is higher. However, no regulator has yet gone for the full 4%. The FTC has also started to treat privacy more severely, as we have seen with the five-billion-dollar fine against Facebook.
Since it is still not clear what the right way of calculating the relevant turnover is, most European supervisory authorities use the turnover of the group as a base, and not the turnover of the subsidiary. As a result, if a small company is acquired and non-compliance is discovered and fined afterwards, the bigger acquiring company could end up paying a disproportionately high fine. In the worst-case scenario, some time passes before a breach at the target company is detected, by which point the target is fully integrated and the entire group is affected. The regulator will then calculate the fine based on the turnover of the whole group.
Reputation risk
Besides the fine for non-compliance or, in the worst-case scenario, for a breach, such an incident can damage the reputation of the acquiring company. If data protection or security problems arise post-transaction, neither the press nor the customers tend to distinguish between the target company and the buyer. It can therefore damage the whole brand, and even the stock price of a publicly traded company can be affected. A survey by PwC (US) found that 85% of consumers will not do business with a company if they have concerns about its security practices.
Liability risk
Privacy and security violations are still difficult to litigate as, in most cases, there is no direct financial damage. Nevertheless, a breach can lead to multiple costly lawsuits. Under the GDPR, non-profit or consumer advocacy groups can sue on behalf of the victims, so the risk of a lawsuit increases significantly. For instance, a consumer protection organization sued Apple in Germany over its German Privacy Policy, and another organization sued in the UK. Additionally, in Austria, various companies were sued over non-compliant tracking of their website visitors. In the aftermath of the Marriott breach, a class action was also filed in Canada. In the worst case, a class action following a data breach can even force a company into bankruptcy, as the case of the American Medical Collection Agency (AMCA) has shown.
In the worst-case scenario, fines and reputational damage alone will outweigh the positive effects of the transaction, so that the buyer would have been better off not entering into it.
A buyer may be willing to take the risk of buying a company that is not fully compliant and secure because of other factors, e.g., its purchase price, market advantage, or IP. However, if a buyer does not sufficiently assess the data protection compliance and security issues and resolve them post-transaction, it creates a ticking time-bomb that, if it explodes, will affect the whole company and not just the purchased one.
The Due Diligence stage
It is essential for the buyer to get a good sense of the target company's data protection compliance and its level of cybersecurity. Even though cybersecurity plays a critical role, data protection is also a governance issue. The depth of the assessment will always depend on the sensitivity of the personal data, as well as on whether the personal data are an essential part of the target's business model. The same is true for the security assessment. If personal data, confidential IP, and other intangible assets make up the majority of the purchase price, a more in-depth review is necessary.
Data Protection Assessment
Personal data are processed in many departments of a company. The departments that process the most personal data are Human Resources, Marketing and Sales, Finance and, of course, IT. Hence, it is crucial not to focus only on the IT department.
In most cases, it will be impossible to conduct an in-depth data protection assessment. It would require an audit, which cannot be performed from a data room alone, and there will not be enough time for an exhaustive analysis. Instead, a buyer should try to get a sense of how data protection compliance is handled within the target company and check for the high risks. A good starting point is to look at the structure, policies, guidelines, and data map/governance. Of course, it also helps if the company holds a certification, e.g., ISO 27001 or a data protection certificate. In that case, the previous audit reports can provide useful information on the quality of the compliance, and they will also show existing gaps.
In addition, it may be necessary to talk directly to key personnel to verify that the existing policies are actually followed and enforced. Shadow processes are one of the biggest risks for data breaches, and it should be checked whether personnel are trained regularly and sufficiently. If the target company operates in a global environment, a buyer should also take a look at the cross-border transfers and check whether an adequate level of data protection is guaranteed.
As the ability to use the collected personal data can be a significant price factor, it is crucial to check that the data were collected on an adequate legal basis. Losing the right to use customer information because it was not obtained properly, or at least not in a fully compliant way, could have a significant impact on the overall value of the target company.
Security assessment
A security assessment during the due diligence phase should establish whether sufficient safeguards are in place, and it should also look for previous or ongoing breaches. As with the data protection assessment, a buyer will not be able to perform an in-depth evaluation of all security measures and the whole IT infrastructure. However, it is possible to assess the general security set-up in order to get an impression of how security is treated within the company (e.g., access management, patching, or data encryption). In addition, it is possible to scan the IT environment for externally exposed services and undocumented data flows, and then to do spot checks on the potential vulnerabilities found. Of course, a buyer should establish where the most valuable data (e.g., the IP) and the riskiest data (e.g., the special categories of personal data) reside, and focus its resources there.
Fixable/non-fixable issues during the transaction
After the data protection and security assessment, the buyer should conduct a risk classification and triage the issues into easily fixable, complex, and non-fixable (e.g., previous breaches). The easily fixable issues can usually be corrected during the closing phase, which should be made a condition of the contract. Complex matters cannot be fixed right away and will have to be remediated over a longer period, which adds to the cost of the transaction.
As with all due diligence matters, if potential issues and risks are uncovered, they should be reflected in the price and in the contract, so that the buyer is protected if one of the risks materializes. We saw this happen in the Yahoo transaction, where Verizon reduced the purchase price by USD 350 million after Yahoo's data breaches were disclosed.
Right to access personal data during the Due Diligence phase
During the due diligence phase, potential buyers may need access to personal data, for instance from the customer relationship management (CRM) system or from employee files, which necessarily contain already-processed personal data. To access and process such data, the buyer needs a sufficient legal ground under Article 6 of the GDPR, or Articles 4 and 12 FADP under Swiss law. However, such transactions are always handled confidentially, and the buyer is not known in advance. These two factors conflict with the fairness and transparency principles, as a data subject is not aware that his/her data will be disclosed to another party, and they can also conflict with the purpose limitation requirement. Companies often inform the data subject that personal data may be disclosed in the course of an M&A transaction, but such clauses remain vague, and their effectiveness is questioned. Even though the legality of such a clause is debatable, it can certainly help to justify the transfer of personal data to the buyer and increases transparency.
Consent
Obtaining the data subject's consent at the time of the transaction is not a viable option, since an M&A transaction has to remain confidential. In the case of employees it could be workable, but one does not want to unsettle one's employees, and it would increase the risk of the planned transaction being leaked to the public. In practice, therefore, consent at the time of the transaction is not an option. Consent given in advance might be an option, but it must be freely given, informed, and specific enough. Whether such consent is valid for data processing during due diligence is still debated, as it will not be very specific. Additionally, if the clause is buried in the Terms & Conditions of the target company, consent was not given by a clear affirmative action. However, some experts regard such a clause as at least specific enough under Article 13(1)(e) GDPR, as that Article only requires disclosing the categories of recipients, not the specific buyer.
Legitimate interest
The target company may, however, be able to rely on legitimate interest during the due diligence phase, as it has a legitimate purpose for disclosing information to the buyer during a transaction. According to the ICO, a target company (as the controller) may lawfully disclose data based on legitimate interests. These may be its own interests, the interests of the third party receiving the data, or a combination of the two. A target company can only rely on a legitimate interest where that interest is not overridden by the interests or fundamental rights and freedoms of the data subject. The target company should therefore always complete the following three-part test:
the purpose test – is there a legitimate interest behind the processing?
the necessity test – is the processing necessary for that purpose?
the balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?
By disclosing only the necessary data and combining this with additional measures, for instance anonymization or pseudonymization, a target company can further reduce the risks and better justify a legitimate interest. As a result, legitimate interest will in most cases be a sufficient legal ground for giving a potential buyer access to the necessary data, including personal data.
Another justification might be that a potential buyer has to ensure that no sanctions are violated, or a financial service provider may want to conduct a compliance check on certain customers. However, in most cases an anonymous and more general assessment of the customer base will suffice, and it may only be necessary to assess some customers in more detail in a second step.
If, during the due diligence phase, potential buyers have access to personal data that fall under the special categories of Article 9 GDPR or Article 3(c) FADP, in practice only explicit consent from the data subject will allow such data to be processed. Therefore, such data should be excluded from the data room, or else they must be anonymized.
The risks can be reduced by:
not disclosing personal data that fall within special categories, as they are more restricted and require consent from the data subject;
aggregating or anonymizing the data, where possible. For instance, the statistical tables of customers will often suffice, and complete access will not be necessary for assessing the customer base;
only sharing template contracts instead of signed contracts, where possible; and
restricting and monitoring the access to the data room; however, this should already be the best practice in an M&A deal.
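The second measure above (aggregating or pseudonymizing the data) is usually done on an export prepared by the seller before anything is uploaded to the data room. The following Python script is an added example, not part of the original post: it takes a constructed CRM export, drops the special-category column, replaces direct identifiers with keyed pseudonyms, and produces the kind of statistical table that will usually satisfy a buyer's assessment of the customer base. The sample rows, column names and the secret key are all assumptions for illustration.

```python
import csv
import hashlib
import hmac
import io
import os
from collections import Counter
from typing import Dict, List

# Constructed sample export (not real customer data). It mirrors what a CRM
# dump might contain, including a special-category (health) column that
# must not reach the data room at all.
SAMPLE_CSV = """customer_id,email,country,plan,annual_value_eur,health_condition
1001,anna@example.com,CH,enterprise,12000,asthma
1002,ben@example.com,DE,basic,300,
1003,chiara@example.com,IT,basic,450,diabetes
1004,dan@example.com,DE,pro,2400,
1005,eva@example.com,CH,pro,2600,
"""

# Columns that identify a person directly: replaced by a keyed pseudonym.
DIRECT_IDENTIFIERS = ("customer_id", "email")
# Columns holding Article 9 GDPR special-category data: dropped entirely.
SPECIAL_CATEGORY = ("health_condition",)


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 over the identifier, truncated for readability.

    The key stays with the seller and never enters the data room, so a
    buyer cannot recompute the pseudonym from a guessed e-mail address
    (a plain SHA-256 of the e-mail would allow exactly that). The same
    key gives the same pseudonym across exports, so tables can still be
    joined on it."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def prepare_data_room_extract(csv_text: str, key: bytes) -> List[Dict[str, str]]:
    """Row-level extract: special categories removed, identifiers pseudonymized."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        out = {}
        for col, val in row.items():
            if col in SPECIAL_CATEGORY:
                continue                      # never disclosed, not even pseudonymized
            out[col] = pseudonymize(val, key) if col in DIRECT_IDENTIFIERS else val
        rows.append(out)
    return rows


def aggregate(rows: List[Dict[str, str]], by: str, k_min: int = 2) -> Dict[str, Dict[str, int]]:
    """Statistical table per group (customer count and annual value).

    Groups with fewer than k_min customers are merged into 'other' so that
    a single customer cannot be singled out from the aggregate."""
    counts = Counter(r[by] for r in rows)
    value: Counter = Counter()
    for r in rows:
        value[r[by]] += int(r["annual_value_eur"])
    table: Dict[str, Dict[str, int]] = {}
    for group, n in counts.items():
        target = group if n >= k_min else "other"
        cell = table.setdefault(target, {"customers": 0, "annual_value_eur": 0})
        cell["customers"] += n
        cell["annual_value_eur"] += value[group]
    return table


def leaks_identifiers(rows: List[Dict[str, str]]) -> bool:
    """Sanity check before upload: no column may still contain an e-mail address."""
    return any("@" in v for r in rows for v in r.values())


if __name__ == "__main__":
    deal_key = os.urandom(32)           # generated per deal, stored by the seller only
    extract = prepare_data_room_extract(SAMPLE_CSV, deal_key)
    assert not leaks_identifiers(extract)
    for r in extract:
        print(r)
    print(aggregate(extract, "country"))
    print(aggregate(extract, "plan"))
```

In a real deal the aggregated tables would normally go into the data room first; the pseudonymized row-level extract is only released if the buyer can show a specific need (for instance a sanctions check on particular customers, as discussed below), and the key remains with the seller.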
As a side note, if the data room is provided by a third-party provider, even if only for a short time, that third party is a processor and has to be treated as such, including a data processing agreement pursuant to Article 28 GDPR.
Transferability
We must differentiate between an Asset Deal and a Share Deal. In a Share Deal, the controller stays the same: only the ownership changes, not the entity that controls the personal data. However, if the buyer also wants to make use of the data, this raises new questions post-transaction. In an Asset Deal, by contrast, the controller changes, as it is the assets themselves that are transferred to the buyer. Of course, the buyer usually has a great interest in receiving all the existing customer data in order to continue offering the product or service. From a legal point of view, this involves passing on, or disclosing, personal data, and for this a legal basis is needed; the buyer cannot simply rely on the seller's existing legal grounds. The lawful transfer of personal data, and the buyer's ability to continue using it, must therefore be addressed much more carefully in an Asset Deal, where the buyer faces problems similar to those discussed in the previous section.
Getting consent for the transfer and the continued use of personal data would be a time-consuming and expensive approach and, as a result, not very practicable. In addition, the conversion rate is usually low, so the overall value of such an exercise is low. Some experts nevertheless hold the opinion that an Asset Deal always requires specific consent in order to continue the data processing. This view contradicts Article 6 of the GDPR, which specifically lists several legal grounds for processing data. Likewise, Art. 12 FADP allows the buyer to argue the justification freely. Consent is not the only way of justifying data processing and is not always the appropriate legal ground. The Greek Data Protection Authority clearly decided that a controller cannot use consent as a legal basis if the processing is actually based on a contract. Therefore, if a contract can be legally transferred in an Asset Deal, this can justify carrying on with the data processing. This will often be the case for employment contracts, which have to be transferred by law if a business unit is transferred. Otherwise, a buyer may be able to rely on a legitimate interest in order to process the data. As described above, this requires the competing interests to be weighed against each other. Within the current literature, it is still debated whether a buyer can rely on legitimate interest as a legal ground at all. If the buyer resides in a third country, it will most likely not be a sufficient legal ground.
Two mechanisms can be used to further reduce the risk of non-compliance. First, instead of asking for consent, the target company gives the data subjects the right to opt out. In terms of conversion rate, this is a much better approach, and it also fits the structure of the GDPR, which pairs the legal grounds of Article 6 with the data subjects' rights, in particular the right to object under Article 21. This mechanism would probably also work under the new California Consumer Privacy Act (CCPA).
To support the first mechanism, a company should, as a second mechanism, proactively include a data transfer clause in its T&Cs, its other contracts, or its Privacy Policy.
An example clause could be formulated in the following manner:
In the event that the Company merges, acquires, restructures, sells assets, becomes bankrupt, or becomes involved in any such transaction, we may sell, or transfer our assets, including your personal data, in connection with such a transaction. In consideration of such a transaction, we might give a third-party access to our data (e.g., due diligence). We will notify you before your personal data is transferred to a new controller and becomes the subject of another data protection policy. If required by the applicable law, we will offer you the right to refuse such a transfer. However, if you refuse a transfer, you may not be able to continue to use the connected services.
The clause above is only an example and should not be taken as legal advice. However, it shows how the two-step approach could work: the possibility of such a disclosure is explained in advance (transparency), and a right to opt out is given. Such a mechanism helps in the balancing test, as the interests and the fundamental rights and freedoms of the data subjects will most likely be sufficiently protected.
Post-Transaction
One of the main reasons for doing an M&A transaction is to create value through synergies. Such synergies are often achieved, on the one hand, by cross-selling services and products to the customers and, on the other hand, by reducing administrative costs, for instance by centralizing some IT infrastructure or processes. In both cases, personal data will potentially be exchanged and shared.
Integrating or merging databases carries inherent compliance risks. How databases with personal data are integrated into the buyer's infrastructure needs to be carefully assessed. As explained above, this also depends on whether it is a share or an asset deal. In either case, if the buyer wants to integrate the databases and use them for its own purposes, it needs sufficient legal grounds to process them. According to Recital 50 of the GDPR, processing personal data for purposes other than those for which they were initially collected is only allowed where the further processing is compatible with the original purposes. Where it is compatible, no new legal basis is necessary.
In order to ascertain whether the purpose of the further processing is compatible with the purpose for which the personal data were initially collected, the buyer should, after having met all the requirements for the lawfulness of the original processing, take the following into account: (a) Is there a link between the original purposes and the purposes of the intended further processing? (b) What is the context in which the personal data were collected, in particular the reasonable expectations of the data subjects, based on their relationship with the controller, as to their further use? (c) What is the nature of the personal data? (d) What are the consequences of the intended further processing for the data subjects? (e) Do appropriate safeguards exist in both the original and the intended further processing operations? The buyer therefore needs to conduct an assessment and document its reasoning, similar to a DPIA. If the new purpose is not compatible with the existing one, the buyer has to reassess the legal grounds. If the buyer plans to use the personal data for other purposes as well, this should already be addressed in the transaction.
Where the goal is solely administrative optimization, a buyer may also want to assess the possibility of acting merely as a processor. Bigger organizations often have centralized corporate services that can be used in a controller/processor set-up, in which case an extensive assessment of the legal justification may not be necessary, as the controller remains the same.
How can a seller be proactive?
By implementing a data protection compliance framework and data governance in the first place (it usually takes more time than expected);
By already implementing protective measures in one’s contracts;
By implementing sufficient security;
By doing one’s own compliance and security risk assessment before starting an M&A process; and
By preparing for due diligence, in general.
How can a buyer protect himself?
By assessing the data protection and security compliance during the due diligence phase;
By conducting one’s own risk assessment;
By addressing it in the purchase agreement, especially by seeking protection against undisclosed, or ongoing, data breaches, or other major data protection violations, which could lead to investigations and fines by a supervisory authority; and
By taking care of the data protection and the security, post-transaction.
This post was written by Attorney at Law Yves Gogniat.
Please contact Sebastian Wälti for any further information.