On February 19, 2020 the European Data Protection Board (“EDPB”) published its second statement on privacy in the context of corporate transactions.
The statement, the full text of which can be read here, highlights the existence of concerns related to the combination and accumulation of sensitive personal data and the possibility that such combinations could result in a high level of risk to the fundamental rights to privacy and the protection of personal data.
The EDPB’s statement does not propose any particular steps to mitigate such concerns, but explains that:
- the privacy implications of a merger must be taken into account by the parties to the transaction;
- in compliance with the principle of accountability under the EU General Data Protection Regulation 2016/679 (the “GDPR”), the parties must conduct in a transparent way a full assessment of the data protection requirements and privacy implications of the merger; and
- the parties should mitigate the possible risks of the merger to the rights to privacy and data protection, before notifying the merger to the European Commission.
The EDPB also made reference to its previous statement, accessible here, on the importance of assessing longer-term implications for the protection of economic, data protection and consumer rights whenever a significant merger is proposed.
In light of the increased scrutiny on the part of regulators, it has become crucial to consider personal data protection throughout the transaction process. We explore the relevant data sharing and due diligence considerations below.
Substantive Privacy Due Diligence
State-of-the-art data privacy diligence has become indispensable for purchasers seeking to avoid onboarding GDPR liability through their acquisitions. Purchasers may be exposed to significant financial and reputational risks from privacy and cybersecurity issues inherited through an acquisition. Marriott’s 2016 acquisition of Starwood Hotels gave rise to this very issue. Marriott is currently facing lawsuits in the United States, as well as a potential £99 million fine from UK regulators, in connection with the massive personal data breach that affected the Starwood customer database (see our previous blog post here). The UK Information Commissioner’s Office stated that Marriott “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems”.
Due to the complex, fast-evolving regulatory environment and the ever-increasing risk of cyberattacks, substantive diligence is crucial in connection with target businesses which operate in personal data-intensive industries. Potential purchasers must tailor their due diligence exercise to the risk profile of the target company (see our article here on diligence strategies and how to scope diligence based on the target’s risk profile).
Privacy due diligence requires purchasers in particular to:
- Identify applicable data protection laws, which requires an in-depth understanding of the target’s business;
- Review the target’s privacy policies (past and current) and assess its compliance with legal requirements;
- Review the target’s contractual obligations vis-à-vis third parties;
- Assess the target’s actual practices (including compliance with its own policies); and
- Review the target’s security measures in light of the industry standards.
The outcome of thorough data privacy diligence may – in the worst case scenario – encourage a potential purchaser to walk away from a transaction that gives rise to an unacceptable data privacy-related risk. More commonly, diligence will enable purchasers to request appropriate pre-closing adjustments to the target’s data privacy practices or to seek appropriate representations and indemnities in transaction documentation.
For further guidance on privacy diligence and management of pre-closing data privacy liabilities, please see our article here.
Data Sharing in Transactions
Information sharing in the course of the negotiation of a transaction (including in connection with due diligence, as described above) is not unusual. However, parties should be very cautious when sharing personal data. During the early stages of a transaction, it may not be possible to establish a legal basis for such data sharing (and it may be impossible or undesirable to notify the relevant data subjects, in any event). Parties must keep in mind the “necessary” threshold associated with the majority of legal grounds for processing, which may not be met in the early stages of diligence.
As of signing, the disclosure of personal data to a potential acquirer becomes easier to justify as such information sharing may be necessary and legitimate for integration planning purposes. However, both the disclosing and recipient parties must (i) establish a legal basis for the processing, (ii) ensure the data processed is limited to what is necessary to fulfill the purpose of the processing and that the transfer is compatible with that purpose and (iii) ensure that data subjects have been provided with information about the processing of their personal data (unless one of the limited number of exemptions applies). Assuming these requirements are met, the core principles of the GDPR (including the principle of accountability) suggest that parties should still consider entering into a data transfer agreement which sets out the obligations of each of the parties in connection with the disclosure of the information. Additionally, any transfers of personal data outside the European Economic Area must comply with the GDPR’s restrictions on international data transfers and it may be necessary to execute the European Commission’s standard contractual clauses.
Post-closing integration of personal data must also be subject to careful analysis. The purchaser must ensure that its contemplated use of personal data processed by the target is not inconsistent with the processing (and purposes of processing) described to the relevant data subjects when their personal data was initially collected. The parties must also consider cybersecurity risks associated with integration of systems. Finally, where the parties intend to provide services to each other on a transitional basis post-closing, the parties will need to ensure that any controller-to-processor relationships are identified and contractual provisions are in place for the purposes of complying with the GDPR’s requirements.
For further guidance on data sharing in the context of a transaction, please see our article here.