On May 16, 2017, a privacy seminar took place at our firm. The purpose was to highlight some crucial issues introduced by the new General Data Protection Regulation (hereinafter, the “GDPR”). Our partner, Matteo Ludovico Vitali, head of corporate and M&A department, focused in particular on the main new issues introduced by the GDPR which may have an impact on the M&A industry.
A first point concerned which companies may be subject to the GDPR. A very notable change is that the GDPR will apply not only to companies established in the EU, but also to companies outside the EU that offer goods or services to individuals in the EU or monitor their behaviour, i.e. in practice to all companies operating in EU markets or targeting EU consumers. Once the GDPR becomes effective (on 25 May 2018), a target company located outside the EU may therefore be required to comply with its provisions. Companies in non-EU countries may soon find themselves with a significant investment backlog in privacy and compliance and may be exposed to previously unknown compliance risks and costs, including fines of up to 4% of annual worldwide turnover or 20 million Euros, whichever is higher.
The range of industries caught by the GDPR is in principle open-ended: retail, banking and finance, fintech, healthcare, biomedical and several other industries will potentially be subject to the new regulatory framework.
The only exclusions are those set out in Article 2(2) of the GDPR, which exempts the processing of personal data performed (i) in the course of activities which fall outside the scope of EU law (for instance, activities concerning national security); (ii) in relation to the EU's common foreign and security policy; (iii) by competent authorities for the prevention, investigation or prosecution of criminal offences; and (iv) by a natural person in the course of a purely personal or household activity.
A second issue concerns the additional diligence that will be paramount at all stages of an M&A process. In particular, under the GDPR a purchaser will need to closely evaluate the type of processing activities in which the target company is engaged and record its current state of compliance. First of all, the GDPR requires data controllers and processors to maintain extensive records of their processing activities, which must be made available to the Data Protection Authorities (hereinafter, the “DPA”) on request. These records must include the name and contact details of the controller or processor, the purposes of the processing, the categories of data subjects and of personal data concerned, and a description of the company’s technical and organizational security measures.
Furthermore, the potential purchaser should verify that any personal data held by the company is adequate, relevant to the purposes for which it was collected and not excessive for those purposes, and that it is not kept for longer than is necessary for those purposes.
Moreover, a potential purchaser should check whether the target company has appointed a “Data Protection Officer” (hereinafter, the “DPO”), i.e. a person who is accountable for data protection within the organization. In particular, the appointment of a DPO is mandatory where the “core activities” of an entity involve the large-scale processing of sensitive data or the “regular and systematic monitoring of data subjects on a large scale” (for instance, online behaviour tracking, profiling or the monitoring of employees by an employer). This requirement may in particular affect multinationals engaged in such activities, and consequently understanding how a target company collects, stores, uses and transfers personal data will be vital in evaluating the risks associated with an M&A transaction.
The presentation also addressed the new obligation, for processing that is likely to result in a high risk to individuals (typically large-scale or “Big Data” processing), to carry out a “Data Protection Impact Assessment” (hereinafter, the “DPIA”), i.e. a systematic description of the company’s processing operations and an assessment of the necessity and proportionality of the processing, of the risks it poses and of the safeguards adopted to address them. In an M&A process, it is advisable for potential purchasers to screen target companies for high-risk processing activities that require a DPIA. Compliance with this obligation will be checked by the DPA, which will maintain lists of the kinds of processing activities for which a DPIA is required.
In light of the above, all potential purchasers should be very thorough in the due diligence process, verifying that the target company has adopted all of the above-mentioned measures. Preparing a precise and clear checklist, together with a thorough analysis of the privacy risks involved in an M&A transaction, will be vital in mitigating the risk of future liability. In particular, the due diligence process will allow potential purchasers to discover any breaches that have already occurred but are unknown to the company being bought.
For these reasons the due diligence process should be tailored as far as possible to the target company’s trading activities and operations: in the digital age, and particularly in light of the overarching principle of “accountability” underpinning many provisions of the GDPR, simply reviewing privacy policies and data protection provisions is no longer adequate. Transactional lawyers should consequently adopt a holistic approach which assesses not only how a company gathers, uses, stores, protects and destroys personal data according to its general information governance policies, but also whether these procedures are followed in practice. This approach will allow the potential buyer to paint a detailed picture of the overall data protection health of the target.
However, it should be borne in mind that the level of diligence carried out may be determined by a number of factors (including the risk tolerance of the potential purchaser and time constraints on the speed at which the deal is to occur). Where the depth of due diligence is limited, this should translate into fuller representations and warranties in the deal documents.
On the other hand, unearthing compliance issues through detailed data protection due diligence is also likely to lead to stringent and robust data protection provisions and pre- or post-completion undertakings from the target company in the transaction agreement.
Either way, the findings of the target company’s data protection due diligence will inform the representations, warranties and indemnities in the deal documentation (for instance, the target company should be asked to warrant that it has not experienced any breach, security incident or violation of data protection laws, has provided adequate notice to and obtained any necessary consents from data subjects, has adopted appropriate technical and organizational measures and security systems, and has put in place written agreements with all data processors which comply with the GDPR and with the target’s own privacy policies).
In addition, the potential purchaser may also seek indemnities in respect of any breaches of the GDPR, either on a general basis or in relation to specific concerns identified through its due diligence. In negotiating the survival period of these provisions, the potential buyer should consider the length of time required to fully integrate the information technology systems of the target, as well as any limitation periods for data protection related claims and investigations.
The foregoing leads to the conclusion that, before engaging with a target, potential purchasers should factor data protection and data security considerations into their overall deal strategy, given that these can affect the overall valuation of the target company.
In fact, if the risks or vulnerabilities in the target’s information technology security framework are significant, the value of the target may be affected and a renegotiated purchase price may be appropriate. Alternatively, potential buyers may consider how best to apportion financial risks with the target company, for instance by requiring an escrow account to hold back part of the purchase price to address potential post-closing liabilities.
In conclusion, in the digital age and under the stringent provisions of the GDPR, a company’s observance of data protection laws can significantly affect its value. Data protection issues should therefore be carefully considered and planned for from the outset and throughout the M&A process: strategic issues with data protection at their core can arise at various stages of a deal, from the development of an acquisition or approach strategy at the genesis of a deal through to the integration and transition strategy post-completion.
Matteo L. Vitali – Martino Berselli