Part 2: Risks Associated with Transfers of Personal Data and Post-Closing Integration
One aspect of mergers and acquisitions that is receiving growing attention is the relevance of privacy issues under U.S. and European Union (“EU”) laws as well as the laws of a growing number of other jurisdictions. This two-part blog post discusses the principal M&A-related privacy risks and highlights certain “traps” that are often overlooked. In Part 1, we discussed risks associated with a target’s pre-closing privacy-related liabilities and considered ways to mitigate these risks through adequate diligence and privacy-related representations in M&A agreements. In this Part 2, we discuss the risks associated with transferring or disclosing personally identifiable information (“personal data”) of an M&A target (or a seller) to a purchaser (or prospective purchaser) and those associated with the purchaser’s post-acquisition use of such personal data.
1. Risks Associated with Transferring or Disclosing Target’s (or Seller’s) Personal Data to Purchaser
M&A transactions often involve the disclosure or transfer of personal data from a seller to a purchaser. This normally includes personal data associated with the acquired target (or acquired assets), such as data relating to employees, customers, users, contractors, suppliers and business partners. While most personal data is transferred at closing, some disclosures may also occur between signing and closing.
A. Risks Associated with Disclosure Between Signing and Closing
M&A lawyers are not always aware of the risks associated with disclosure of personal data between signing and closing (when signing and closing are not simultaneous). In particular, M&A agreements often contain a clause providing for access to books and records between signing and closing, enabling the purchaser to request certain types of data it reasonably needs, including for purposes of integration planning. But it is a mistake to assume that because a deal is signed, personal data relating to the target business may be shared freely between the purchaser and the seller. While some M&A agreements state that the seller need not provide access to information prior to closing if providing such access would be in violation of applicable law, such a carve-out is not necessarily applied in practice and, in any case, understanding whether a particular disclosure is in violation of privacy laws may be difficult.
ii. Under EU law, the disclosure of data relating to identified or identifiable individuals (“data subjects”) must comply with the laws implementing EU Directive 95/46/EC of October 24, 1995 (the “Directive”) in each of the EU member states (“Member States”). Generally, for the “processing” of personal data (a broad concept that includes transfer or disclosure) to be permitted it must be based on one of the grounds enumerated in the Directive, among which the most relevant to a pre-closing M&A-related disclosure are:
- Legitimate interest of the data controller or the data recipient, provided this is not incompatible with the interests or the fundamental rights and liberties of the data subject. The so-called “legitimate interest” ground is frequently relied on in M&A transactions since it is open-ended, making it possible to argue that it is in the legitimate interest of the purchaser to receive the data (i.e., to prepare for the acquisition). However, certain data subjects may claim to have an interest in keeping their data confidential, at least until the transaction is close to completion. In practice, it is therefore often advisable to try to wait until all or most of the conditions to closing of the transaction have been satisfied before transferring personal data based on this ground.
- Consent of the data subject. In an M&A context, it is often impractical to rely on the consent of the data subjects. The “consent” ground is therefore only used in practice when just a few individuals are concerned and such individuals have reason to be aware of the contemplated transaction (e.g., major customers whose approval is required in order to assign the customer contracts to the purchaser). Note that the data subject’s consent to the transfer may be required in certain circumstances, including when “sensitive data” are involved (e.g., where health, religion or union membership appear in, or can be deduced from, employee records).
- Performance of a contract with the data subject. This ground is typically used in the M&A context when the assets sold include contracts and personal data must be transferred for these contracts to continue to be performed.
In addition to the existence of one of the foregoing grounds for pre-closing disclosure, compliance with EU law would generally also require that the personal data transferred to the purchaser prior to closing is not inadequate or excessive. In other words, the only data fields that should be transferred before closing are those necessary for the new employer to prepare for completion of the transaction (such as, in the case of data obtained for HR-related purposes, positions and salaries but potentially not home addresses or bank account details).
Finally, certain additional steps may be required in the EU, particularly notice, inclusion of the European Commission’s standard contractual clauses (the “Model Clauses”) and potential filings with Data Protection Authorities (“DPAs”); since these steps are generally similar whether the disclosure/transfer occurs prior to or at closing, we discuss them below under Section B.
- Trap: It is a mistake to assume that sharing personal data is allowed once an M&A deal is signed and before it is consummated. In the U.S., language in privacy policies may not be broad enough to fully address this situation and purchaser’s use of such data must be strictly circumscribed in light of state law and contractual obligations. In the EU, several steps must be taken before transferring personal data and, as a general rule, because the disclosure of data is considered more legitimate as the deal progresses and closing becomes more certain, access to data should be tailored to what is necessary for each phase of the deal.
B. Risks Associated with Transfers at Closing
At closing, the purchaser will expect to receive all of the personal data related to the acquired business. Depending on the nature of the transaction (e.g., a spin-off of a stand-alone subsidiary) the transferred personal data may in fact remain hosted on the target’s systems that are sold as part of the transaction.
FTC vs. state regulators vs. bankruptcy courts. As described below, the FTC, state regulators and bankruptcy courts have taken slightly different approaches to such asset sales.
- Trap: While “transfers” of personal data in connection with mergers or share purchases have not been criticized by regulators to date, asset sales involving transfer of personal data have been subject to close scrutiny in the U.S. and certain steps may be required when planning such transfers in order to prevent exposure to potential liability.
ii. In the EU, a transfer of personal data at closing as part of an M&A transaction requires showing that at least one of the grounds for transfer discussed in Section A above (“legitimate interest,” consent or necessity for the performance of a contract) applies. This should be easier than in the case of a pre-closing disclosure given that once the transaction has been completed, the purchaser should have a “legitimate interest” in processing the acquired personal data. In addition, the following steps should be considered:
- The data subjects should be informed of the transfer. The seller should give the data subjects certain information about the transfer of their data to a third party no later than at the time of the transfer, unless such disclosure would “involve a disproportionate effort.” Such information does not necessarily need to be given to each data subject individually (a posting on a website may suffice depending on the circumstances). A right to opt out of the transfer may need to be granted.
- Additional steps may have to be taken in the case of transfers of data outside the European Economic Area (“EEA”). EU law imposes stringent regulatory constraints on the transfer of personal data outside the EEA to a country that is not deemed to have an adequate level of data protection, which includes the United States, unless the transfer is to a company having self-certified under the EU-U.S. Privacy Shield. Consent of the data subjects will render the transfer lawful under EU law, but is often difficult or very burdensome to obtain. In the absence of Privacy Shield certification or individual consent from the data subjects, an M&A-related transfer should therefore be made only after a personal data transfer agreement, which incorporates the Model Clauses, has been entered into between the parties. The Model Clauses place recipients of personal data under contractual obligations similar to those required in the EU. Note, however, that as discussed below, in certain EU countries (e.g., France) the data transfer agreement (containing the Model Clauses) would need to be approved by the local DPA, which could take up to a few months and could render the Model Clauses option inappropriate in some cases.
- Trap: The decisive factor for determining whether a transfer of personal data outside the EEA occurs (which may require usage of Model Clauses or self-certification under the EU-U.S. Privacy Shield) is not whether the seller/target is an EU corporation while the purchaser is not; it is whether personal data stored within the EEA is transferred (physically or electronically) to locations outside the EEA by an entity that is subject to EU jurisdiction.
- Verify whether filings with Data Protection Authorities must be made. Depending on the national law applicable to the seller, the target or the purchaser, the transfer of personal data may have to be notified to or authorized by one or several DPAs. Filing requirements vary among Member States and should be reviewed on a case-by-case basis. Planning ahead is important, as a DPA approval, if needed, may take a long time. By preparing for this in advance, a purchaser can ensure minimum disruption to the target’s personal data processing activities.
2. Risks Associated with Post-Acquisition Integration of Personal Data
Immediately after closing, the purchaser must consider how to integrate the target’s personal data and the target’s IT systems into its own data and systems. Problems arise either if the target’s practices do not comply with the purchaser’s privacy policies (or contractual obligations) or if the purchaser’s practices do not comply with the target’s privacy policies (or contractual obligations that survived the sale, including those assumed by the purchaser).
A. Target’s Practices & Policies More Robust than Purchaser’s
Guidance on how the FTC views this issue in the context of M&A is found in the FTC’s “business blog” published in March 2015 (the “FTC Blog”), which was prompted at least in part by Facebook’s acquisition of WhatsApp. The FTC Blog set forth several important principles:
- The target’s pre-acquisition policies continue to govern with respect to personal data collected by the target. As the FTC stated: “One company’s purchase of another doesn’t nullify the privacy promises made when the data was first collected.”
- With respect to data collected by the target prior to the acquisition, the purchaser may either comply with the target’s pre-existing policies or allow opt-in. The purchaser can simply abide by the target’s pre-acquisition promises, i.e., handle the data as promised when the target collected it from consumers. Alternatively, if it wishes to materially change how the data is processed, it must obtain affirmative (opt-in) consent from the individuals to whom the data pertains.
Finally, the target may collect certain personal data that is subject to additional regulation (such as health care data subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the personal data of children younger than 13 subject to the Children’s Online Privacy Protection Rule). If the purchaser wishes to integrate such personal data and use it, the purchaser will need to ensure compliance with all relevant regulations.
We note that the above discussion relates to U.S. law, where most of the focus is on the target’s and purchaser’s privacy policies and promises. In the EU, the focus in review of post-acquisition practices (assuming the transfer of the data itself is lawful as discussed in Section A above) is on the purposes for which the data was initially collected. The use of the data by the purchaser must be in a manner consistent with the specified (and legitimate) purposes for which it was obtained by the target in the first place. As an illustration, in the case of data obtained for HR-related purposes such as payroll and administrative management, the data should continue being used for these same purposes by the purchaser.
- Trap: As a purchaser, it is not enough to establish that the target’s practices are compliant with your privacy policies. You may be violating the law if your use of data collected by the target does not comply with the target’s policy (or, in the EU, if your use of such data is in a manner inconsistent with the specified purposes for which it was collected by the target).
B. Target’s Practices & Policies Less Robust than Purchaser’s
The most reasonable approach will likely be for the purchaser to either (1) maintain the target as a separate entity/division that does not use purchaser’s data or (2) bring the target’s practices into compliance with purchaser’s previous promises (though this could involve significant costs).
- Trap: Even where the “transfer” of personal data to the purchaser resulting from an M&A transaction is lawful, post-closing processing of personal data, either by the purchaser (of target’s data) or the surviving target (of purchaser’s data), that conflicts with privacy policies applicable when such data was collected can lead to liability.
In this two-part blog post, we have outlined some of the complex privacy issues that arise at each stage of an M&A transaction. Prior to signing, a purchaser’s due diligence will involve multiple areas of inquiry to determine all potential risks associated with the target’s existing privacy-related liabilities and, for greatest protection, privacy-specific representations in M&A agreements may be warranted. Between signing and closing, both sellers and purchasers should remain cautious in the disclosure of personal data and seek counsel both with respect to the content of any disclosures and the disclosure process. After closing of the transaction, the purchaser will need to consider carefully what steps must be taken to enable its use of the acquired data and to ensure such use complies with all applicable laws. Given the rapidly evolving nature of privacy laws, it is advisable to consult with privacy counsel at each stage of a transaction to most effectively mitigate these and other associated risks.
 Throughout this blog post, we use the term “privacy” (or “privacy issues” or “privacy laws”) broadly as including cybersecurity, data protection and data security as related to personal data (and related issues and laws).
 This post focuses on U.S. and EU law, but we note that several other jurisdictions have passed or are adopting strict privacy laws. Among those are countries recognized by the European Commission as having an “adequate level” of protection for all or certain types of personal data processing (i.e., as of the date of this post, Andorra, Argentina, Switzerland, the Faeroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, and Uruguay – please visit http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm) as well as other states such as Brazil, Singapore and South Korea. In any cross-border transaction, the laws of all relevant jurisdictions should be examined.
 For example, Massachusetts General Law Chapter 93H and its regulations 201 CMR 17.00 impose requirements on all companies who receive, store, maintain, process or otherwise have access to personal data of the state’s residents to develop, implement and maintain a comprehensive information security program that contains administrative, technical and physical safeguards to protect the data.
 While the Directive provides a harmonized regulatory data protection framework that is applicable throughout the EU, there are a few areas where national law differs in each Member State. Starting on May 25, 2018, the Directive and the national laws implementing it will largely be replaced by the General Data Protection Regulation (the “GDPR”), which will enhance existing legal requirements, create new rules and set out significant fines for organizations failing to comply. For further information on the key changes to be anticipated under the GDPR regime, please refer to our May 13, 2016 Alert Memorandum (https://www.clearygottlieb.com/news-and-insights/publication-listing/general-data-protection-regulation-key-changes-and-implications).
 Sensitive personal data may be transferred only where the data subject has provided his or her explicit and fully informed consent, or where a legal obligation exists in the context of employment which makes the transfer necessary. The advice of local counsel should be sought before relying on the “legal obligation” ground in connection with the transfer of sensitive employee data.
 For the Stipulation and Order Establishing Conditions on Sale of Customer Information, see https://www.ftc.gov/sites/default/files/documents/cases/toysmarttbankruptcy.1.htm.
 See FTC letter to the court-appointed Consumer Privacy Ombudsman in RadioShack, dated May 16, 2015 (https://www.ftc.gov/system/files/documents/public_statements/643291/150518radioshackletter.pdf).
 See In re RadioShack Corporation, et al., No. 15-10197 (BLS) (Bankr. D. Del.).
 See In re Borders Group, Inc., et al., No. 11-10614 MG, 2011 WL 5520261 (Bankr. S.D.N.Y. Sept. 27, 2011).
 In 2001, the French DPA declared (in the context of a merger of three companies) that personal data files may only be assigned or made available to a third party on the condition that data subjects be given advance notice as well as the right to object to such transfer. In Germany, it is necessary to provide notice of the transfer in the context of the transaction with a deadline to object where the transferred data goes beyond so-called “list data” (name and postal address). The Bavaria DPA issued fines to a buyer and target in an asset deal in 2015 where customer data was transferred without the parties providing the customers with a deadline to object to the transfer prior to the transaction.
 See footnote 2 above.
 Commission Implementing Decision of 12.07.2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (the “EU-U.S. Privacy Shield”). For further information on the EU-U.S. Privacy Shield and the invalidation of its predecessor (the EU-U.S. Safe Harbor), please refer to our August 2, 2016 Alert Memorandum: https://www.clearygottlieb.com/~/media/cgsh/files/alert-memos/alert-memo-pdf-version-201679.pdf
 The GDPR provides for a “one-stop-shop” mechanism under which data controllers established in the EU will be able to register with one DPA only (in their country of “main establishment”).