Part 1: Risks Associated with the Target’s Pre-Closing Privacy-Related Liabilities
One aspect of mergers and acquisitions that is receiving growing attention is the relevance of privacy issues under U.S. and European Union (“EU”) laws as well as the laws of a growing number of other jurisdictions. This two-part blog post discusses the principal M&A-related privacy risks and highlights certain “traps” that are often overlooked. In this Part 1 of the post, we discuss risks associated with a target’s pre-closing privacy-related liabilities and consider ways to mitigate these risks through adequate diligence and representations in M&A agreements. In Part 2, we will discuss the risks associated with transferring or disclosing personally-identifiable information (“personal data”) of an M&A target (or a seller) to a purchaser (or prospective purchaser) and those associated with the purchaser’s post-acquisition use of such personal data.
1. Risks Associated with the Target’s Pre-Closing Privacy-Related Liabilities
In M&A transactions, purchasers often assume the liabilities of the target, including for past noncompliance with privacy laws, which may result in fines, damages arising from private actions, significant harm to a company’s goodwill and, in some cases, criminal liability. Yet privacy-related diligence and related representations often just skim the surface.
A. Privacy Due Diligence: Key Areas of Inquiry
As part of the due diligence process, it is important to consider all applicable laws, the target’s privacy policies and contractual commitments, the existing privacy standards in the target’s industry and, most importantly, the target’s actual practices (and its compliance with all of the foregoing).
i. Identifying the Applicable Laws. The first step in privacy diligence is ascertaining which federal, state and non-U.S. laws may apply to the target’s business. This requires an in-depth understanding of the business of the target and knowledge of the relevant laws. While many countries have enacted privacy laws, U.S. state and federal laws and EU laws, including the EU’s restrictions on cross-border transfer of personal data, are most often implicated in cross-border M&A deals.
The U.S. legislative privacy framework is fragmented – no comprehensive federal legislation exists. Section 5 of the Federal Trade Commission (“FTC”) Act, which prohibits unfair or deceptive acts or practices, has been enforced against companies that failed to safeguard personal data or comply with posted privacy policies; various other federal laws apply to select industries or particular categories of information (and empower various federal agencies to promulgate regulations). In addition, states have passed their own privacy laws applicable to entities that operate in their states or collect personal data about individuals residing in the state. Thus, in the U.S., the mere task of ascertaining the law applicable to a particular target may be a complicated endeavor. There are also industry standards and guidelines issued by industry groups, which are not legally enforceable but are considered “best practices.”
EU law may apply where the target is established outside of the EU but its processing makes use of equipment situated within the EU. Additionally, the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), which will come into force on May 25, 2018, will also apply to non-EU targets who process personal data of EU-based individuals (“data subjects”), irrespective of where they are established or where the related equipment is situated.
- Trap: An M&A target will often be subject to privacy laws in jurisdictions beyond those where the target and its subsidiaries are incorporated. A purchaser should check in which jurisdictions the target has branches or sales offices, and in which it collects or stores (in local servers) personal data. Within each jurisdiction, more than one set of privacy-related laws may apply, depending on the target’s business.
However, assessing whether a target’s privacy policies are adequate and whether the target is in compliance with these policies requires identification of those policies that apply to the personal data in question, and that may not be a simple task:
- Different policies applicable to different data sources. First, the target may publish several different privacy policies that govern the use of personal data collected through various mechanisms (for example, through its online platform, its mobile application or in materials sent via mail).
- Different policies applicable to different subsidiaries, business lines or divisions. Second, the target may consist of several subsidiaries or business lines, and their privacy policies may vary (including as a result of the fact that some subsidiaries or business lines were acquired from third parties and their pre-acquisition policies were maintained).
Once the relevant policies are identified, they should be carefully reviewed. Such diligence is focused on two main areas. First, the policies should be reviewed to determine whether they contain all the information required to be published under applicable law. Examples of the types of information that privacy laws in various jurisdictions may require include the precise categories of personal data collected; the purposes for which customers’ personal data is intended to be used; the categories of third parties with whom the personal data is shared; and information about, and a mechanism to obtain consent to the use of, cookies. Second, the policies should be reviewed to determine whether there are statements or promises in the policies with which the target does not comply. This inquiry obviously requires diligence of the target’s actual practices.
iii. Contractual Obligations. A final area of inquiry is the target’s contracts with third parties (other than its published online or offline policies). When the target is a service provider that has entered into agreements containing privacy-related requirements, assessment of compliance with such contractual obligations may be important. A particular area of concern in this context is the target’s indemnification obligations and the extent to which its liabilities under each contract may be capped or otherwise limited. The nature of privacy-related exposure is such that a significant portion of the potential liability is associated with third-party claims, namely where users and customers bring actions (including class actions) for privacy breaches.
One area that is often overlooked in privacy diligence is the existence of contractual obligations to comply with the published policies of third-party platforms through which the target’s goods or services are provided. In particular, more and more products and services are offered via third-party online platforms (including Facebook, Android and iOS apps, and Amazon Web Services), and usage of these platforms may require compliance with their privacy standards. Similarly, many third-party services used in connection with apps, such as Google Analytics and Google AdSense, require such compliance as part of their terms of service.
Finally, under EU law, when a data “controller” (namely, an entity that determines the purposes and means of the processing of personal data) enters into a contractual arrangement with a data “processor” (namely, a third party that processes personal data on behalf of the controller, such as a service provider), such a contract must (i) be enshrined in a written agreement, (ii) require that the data processor act only on the instructions of the controller and (iii) require the processor to comply with security obligations equivalent to those imposed on the controller under applicable national legislation. Under U.S. federal law, the Gramm-Leach-Bliley Act as implemented by various federal agencies generally requires companies that offer financial products or services to individuals to (a) take reasonable steps to select and retain third-party service providers capable of maintaining appropriate safeguards for the protection of non-public records and information and (b) contractually require such service providers to implement and maintain such safeguards. Similar requirements exist in some cases under U.S. state law (e.g., Massachusetts and Maryland, where companies must require by contract that service providers implement and maintain appropriate data security measures). New York’s proposed cybersecurity regulations, which would apply to certain entities operating under a license, registration, charter, certificate, permit, accreditation or similar authorization under New York banking, insurance or financial services laws, require such entities to have a policy of including preferred data security provisions in their agreements with third-party service providers. It is therefore important to confirm that the target’s agreements with third-party service providers contain provisions that comply with such laws.
- Trap: When the target’s business provides products/services through third-party platforms or relies on third-party service providers, the target may be required to comply not only with its own privacy policies but also with privacy policies and online terms of service published by these third parties.
iv. Internal Practices, Policies and Security Measures. Review of the target’s published privacy policies and contractual commitments, and the applicable privacy laws to which it is subject, is certainly necessary in order to identify the privacy-related requirements that the target must comply with. However, only an examination of the target’s practices and internal policies (including those provided to employees) regarding collection, processing, storage, protection, use, disclosure, transmission, transfer, retention and disposal of personal data can provide meaningful insight into the target’s privacy-related exposure. Additionally, a technical overview (even if high level) of the security measures actually employed by the target (such as encryption and breach detection), as well as any procedures and preparedness for breach notification, may be advisable in certain personal data-focused industries.
- Trap: A purchaser should be sure to confirm that the target’s actions match its words. A target that has sophisticated internal privacy policies and breach procedures may still have significant privacy exposure if it does not make sure that such policies and procedures are communicated to all relevant employees and enforced across all of the target’s businesses, subsidiaries or locations.
B. Privacy-related Representations in M&A Agreements
Practitioners often rely on a general “compliance with laws” representation to address privacy-related risks; however, such a representation does not always provide sufficient protection for a purchaser against privacy and data security risks. The “compliance with laws” representation is often heavily qualified and covers a limited period of time (e.g., the target’s operation during the year prior to the transaction), which may not be appropriate for privacy matters. The representation also fails to cover certain issues of concern in the privacy context.
Privacy-specific representations, tailored to include the foregoing matters as appropriate, should be considered whenever the risks discussed in this blog post are present.
- Trap: A purchaser should not assume the “compliance with laws” rep will necessarily cover privacy matters adequately. A privacy representation that is tailored to the risks associated with the target’s handling of personal data can be used, when appropriate, to cover important areas beyond mere compliance with applicable law.
A word of caution: privacy-related representations in M&A agreements can offer a certain level of comfort to a purchaser, and they should therefore be negotiated carefully, but they are often qualified by knowledge and/or materiality, and any indemnity for breach of the representations is subject to significant limitations. And even if damages are awarded as a result of an indemnity claim relating to breach of privacy-related representations, they may not be sufficient to compensate for the type of public relations and customer relationship damage often associated with privacy failures.
This concludes the first part of our blog post, dealing with an M&A target’s pre-closing privacy-related liabilities. In Part 2, to be posted on October 25, 2016, we will discuss the risks associated with transferring or sharing personal data in connection with an M&A transaction, as well as post-acquisition data integration issues.
Throughout this blog post, we use the term “privacy” (or “privacy issues” or “privacy laws”) broadly as including cybersecurity, data protection and data security as related to personal data (and related issues and laws).
This post focuses on U.S. and EU law, but we note that several other jurisdictions have passed or are adopting strict privacy laws. Among those are countries recognized by the European Commission as having an “adequate level” of protection for all or certain types of personal data processing (i.e., as of the date of this post, Andorra, Argentina, Switzerland, the Faeroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, and Uruguay – please visit http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm) as well as other states such as Brazil, Singapore and South Korea. In any cross-border transaction, the laws of all relevant jurisdictions should be examined.
The FTC has also been successful in obtaining monetary awards against companies in actions enforcing its orders. Notably, in 2015, LifeLock agreed to a $100 million settlement with the FTC, after the FTC charged that LifeLock violated the terms of a 2010 federal court order requiring the company to secure consumers’ personal information and prohibiting the company from deceptive advertising.
For further information on the new GDPR framework, please refer to our May 13, 2016 Alert Memorandum:
In 2014, the FTC filed a complaint against Fandango and Credit Karma charging that the companies had deceived consumers. Both had made representations that they could secure their customers’ personal data, but according to the FTC, both had failed to properly implement SSL encryption.
The ICO’s “Privacy notices – code of practice” can be found here.
Additionally, Member State consumer protection laws should also be considered as these may provide for additional information requirements (see, for example, the German Act Against Unfair Competition, which prohibits unfair commercial practices).
See https://www.ftc.gov/sites/default/files/documents/cases/2004/09/040917comp0423047.pdf.
See https://www.ftc.gov/news-events/press-releases/2011/09/ftc-seeks-protection-personal-customer-information-borders.
For further information on New York’s proposed cybersecurity regulations, please refer to our September 20, 2016 Alert Memorandum: https://clearymacorpwatch.lexblogplatform.com/wp-content/uploads/sites/106/2016/10/Alert-Memo-Word-Version-2016-85.pdf