Personal Data Protection in the Context of Mergers and Acquisitions

Introduction

In today’s fast-evolving digital landscape, corporate transactions are increasingly affected by privacy and data protection issues. For this reason, it is essential that purchasers and investors, sellers and corporate lawyers are prepared to deal with the subject and to fully understand their effects on mergers and acquisitions (M&A).

Personal data can be of great value to companies in the context of M&A transactions. Technology companies – including legaltechs, fintechs, healthtechs and many others – whose core business is data itself, are more and more involved in business operations. The value of data goes even further: companies are increasingly facing situations in which data is a central part of the operation: often an M&A transaction only happens because of the data involved. In other words, data can be a major asset within M&A transactions.

Considering the rapid pace of implementation of many data protection regulations around the world, this topic has come to occupy a more prominent place in the context of M&A in recent years, from pre-closing to post-closing phases. After all, these regulations usually provide for relevant sanctions to entities that breach data protection rules (e.g., fines and suspension of data processing operations) and give regulators broad supervisory and sanctioning powers. This is the case, for instance, with Brazil’s General Data Protection Law (LGPD) and the General Data Protection Regulation (Regulation (EU) 2016/679 (GDPR)) in the European Union.^[2]

In view of the potential prominence of data in an M&A transaction, the aim of this article is to provide specific recommendations for identifying some of the aspects of personal data protection that will benefit from special attention in the context of such transactions. The article focuses first on the due diligence phase (both in the preparation and during the due diligence process), which helps the potential buyer to identify opportunities, risks and obstacles concerning personal data and privacy in the context of the target’s business. The second part of the article examines how the main findings of the due diligence process in respect of data protection can affect and even dictate M&A negotiations and, in the event of a successful transaction, the post-closing phase.^[3]

Due diligence of personal data: relevant aspects to be considered

Roles and responsibilities of main actors

There are usually four parties involved in the due diligence process of an M&A:

• the target company or companies;
• the potential purchaser or investor;
• external auditors; and
• legal counsel.

Each of these parties has a specific role in the due diligence process and their actions may have different implications for the overall transaction. When it comes to privacy and data protection, the parties have a convergence point: as a general rule, each of them is considered controller of personal data. Under the LGPD and the GDPR, controllers are the entities that, alone or jointly with others, determine the purposes and means of the processing of personal data.

It is not difficult to see why the target company and the purchaser or investor are considered controllers of personal data, since they have powers to make decisions about the main elements of the data processing operations involved in the transaction. For instance, the target company will decide which personal data it will make available in the virtual data room (VDR), while the purchaser can request specific personal data (e.g., employees’ data) to assess potential risks relating to the target business.

A more difficult task is to understand why external auditors and legal counsel are considered controllers of personal data in this context. In short, it is because, even if they were hired by one of the parties (the purchaser or the target company), they still will decide in the end, according to their expertise and know-how, which data is to be processed and how that data will be used in the context of their responsibilities.^[4]

Therefore, all the parties involved in the transaction will have the responsibilities attributed to controllers of personal data, which may include:

• implementing appropriate technical and organisational measures to protect the security of data;
• ensuring data is processed in a lawful and transparent manner to the data subject;
• ensuring collected data is accurate and up to date;
• conducting privacy impact assessments on any processing activities that are likely to pose relevant risks to the data subject; and
• retaining records of processing activities, among other common obligations that are attributed to controllers of personal data according to each jurisdiction’s data protection legislation.

In addition, it is important to note that all parties have to contribute independently and collaboratively to the lawful processing of personal data and that, depending on the applicable privacy laws, none of the parties will be exempted from liability in the event of a data breach or security incident involving personal data in the context of the due diligence process.

To ensure that all the parties will fulfil their data protection obligations and to regulate a possible right to redress in the case of joint liability provided for in law, the parties may put in place data protection clauses or a data processing agreement to establish the roles and responsibilities of each of them in the course of the transaction.

Target’s business model and relevant privacy laws

The business model of the target company will be crucial in determining how the due diligence will be conducted. The purchaser and its legal counsel will need to examine the kind of data that is relevant for the target business and the role of this information in the course of the business. Likewise, they will need to analyse whether the business model of the target company brings forth additional challenges or creates unforeseen privacy risks when compared with the existing business model of the purchaser.

For instance, if sectoral rules regarding privacy apply to a certain business (e.g., when the target is a financial institution or insurance company), this will likely change the way the due diligence will be conducted, to ensure that those sectoral rules and obligations are considered by the interested parties in assessing risks and impacts of the transaction.

In addition, in a transaction in which one of the parties is a business that has data processing as its core activity (e.g., an advertising agency or a big data and artificial intelligence company), the importance of the data involved in the operation is even more pronounced. In addition, these types of businesses could be more critical from a data protection perspective and should be looked into more closely to ensure that the purchaser is not assuming a risk that could pose a threat to its own activities in the future. In this situation, besides examining whether the target has a data privacy governance programme in place, it is key to ascertain whether the data processing activities being carried out are lawful.

Companies that develop activities involving relevant processing of sensitive personal data (e.g., health, biometric, racial and religious data) should also be examined carefully in the course of the due diligence, since their activities represent a greater risk from a data protection point of view. Health-related businesses are particularly susceptible since they usually process a huge amount of sensitive data that will probably have to be transferred to the purchaser after the deal is finalised.

Finally, besides the business model, it is also important to analyse (1) the current applicable privacy laws, to determine whether the target company is complying with them, and (2) whether there are new laws that would be applicable when the deal is finalised. As an example, the LGPD and the GDPR could be applicable to the targets even if they are not located in Brazil or in the European Union, respectively. This could be a relevant point of attention during the due diligence process if the target activities have an international connotation.

These are only some of the possible issues that could influence the course of the due diligence process and should therefore be taken into consideration by the parties involved in it. The issues we have discussed are the most common, but many others could arise depending on the particularities of the trans­action.

Transparency obligations

Data controllers must be clear with data subjects regarding their activities, according to many of the data protection legislations around the world, such as the LGPD and the GDPR. The obligation to provide transparency prevails even if consent is not the legal basis for the data processing.

Therefore, the data controller must find a way to make data subjects aware of the data processing activities that it carries out in the scope of its business and this should include information about the potential sharing of personal data during the M&A transactions in which it may be involved in the future.

To ensure data subjects are aware of this particular data processing activity, it is common to add a section to a privacy policy or notice informing data subjects that their data may be disclosed in M&A transactions or in the proceedings that lead to a transaction. This information should be available to data subjects before the proceeding is initiated so that it is considered lawful from the outset.

Most common points for review from a privacy perspective

During the due diligence process itself, there are relevant documents and practices of the target to look at from a privacy perspective. To check the level of compliance of the target with the main data protection rules, the first step is to look at the company’s documents regarding privacy and cybersecurity. Internal and external privacy policies (data subjects’ privacy policies, retention policies, data breach plans, etc.) are a crucial part of any compliance programme and should be looked at as part of due diligence. To the same extent, it is advisable to understand whether the company has internal training programmes in place and whether it reflects a data protection culture.

It is also necessary to detect any possible liability to which the company may be exposed; this means looking at existing or potential legal proceedings relating to data breaches, security incidents, violations of data subject rights or any other type of legal proceeding that involves personal data.

After covering these two basic points, it is time to examine the company’s practices regarding data sharing. This necessitates the analysis of the standard contractual clauses or data protection agreements that exist between the target and its main partners and services providers, to verify whether they adhere to the legislation of the relevant jurisdictions. In this sense, it is important to verify whether the main data sharing operations are lawful and, if not, if it is possible to terminate the relevant contractual relationship between the target and the third party, assessing the potential consequences of the termination for the business operation.

Security of the virtual data room

Considering that most elements of the exchange of personal data happens through VDRs, one of the most important steps to ensure that due diligence is lawful from a privacy perspective is to take care of the VDR’s security. The company that provides the VDR must comply with the applicable data protection laws, be trustworthy and adopt high-level security mechanisms.

Furthermore, to ensure that the data shared is minimal and strictly necessary for completion of the due diligence process, whenever possible, personal information should be anonymised or redacted from documents. In addition, sensitive or special categories of personal data should not be made available unless they are a vital part of the process.

Whenever contracts need to be provided, it is recommended that only standard templates are made available in the VDR. Ideally, different levels of access should be given to the individuals involved. Furthermore, only the individuals that need to have access to the data should have it, although they should not be able to edit the documents.

Some other precautions include not making available the names and salaries of employees of the target company, or records of work-related accidents that could be traced to a specific person. Finally, in lawsuit reports, the names of the parties in lawsuits that are under secrecy should be scored out (i.e., rendered illegible).

After the due diligence: M&A negotiations and post-competition phase

Impact on the valuation and other business impacts

As has been mentioned, data has gained a more pronounced role in M&A transactions over time. As a consequence, privacy and data protection are being given an increasing amount of attention within the scope of such transactions. As there are many subjects that can affect a business’s valuation (for example, the circumstances of the sale, the economic situation of the relevant jurisdiction, the age of the business age and stability of its management stability, among other things), privacy and data protection risks can also have major significance in estimations of the target’s price.

It is crucial for purchasers to take into account the effect of the personal data processing operations on the proposed transaction and on the negotiated valuation. Privacy issues, such as the lawfulness of the processing activities being carried out, the particularities of the data flows, the internal and external privacy policies in place, the level of compliance with applicable laws, the occurrence of data incidents, among other things, can significantly change the target’s values. This may depend on the legality of the company’s business model, the transaction valuation model (e.g., cash flow valuation, asset valuation, historical earnings valuation or relative valuation method), among other aspects.

This analysis is important to thoroughly identify and formulate a risk mitigation strategy (this can include, for instance, a comprehensive data protection compliance programme, the renegotiation of contracts that involve relevant personal data flows, etc.). It is also important to highlight that the valuation of the target business may be affected even if mitigation measures are taken in the pre-closing and post-closing phases.

An example of the impact that a data protection issue can have on the target’s valuation is a situation in which the target has experienced several data breach incidents and has not taken any preventive or remedial actions. In addition to the exposure to administrative sanctions (including high financial penalties), such a company will tends to be less attractive to the market.

In this sense, current and prospective clients are likely to refrain from using the company’s services because of the lack of commitment to protecting their personal data. Furthermore, third parties (e.g., commercial partners) are less likely to seek the company to propose marketing deals. Relations with the company’s supply chain can potentially be strained, in addition to the reputational damage that this company could suffer. All these aspects have the power to significantly decrease the company’s value and have a direct impact on the valuation negotiated by the parties.

Both purchasers and legal counsel must thoroughly investigate privacy gaps within the target business and also consider the costs of implementing measures to comply with the applicable data protection laws, which are usually high. Once these are identified, it is essential to appropriately address the risks and their potential impact on the target’s value.

M&A definitive agreements

Regulation of privacy and data protection representations, warranties and indemnities

One of the last and most important phases of an M&A deal is the preparation of the M&A definitive agreement that will set the deal. This can be, for instance, a share purchase agreement (SPA),^[5] in the case of a share transfer transaction, or an investment agreement (IA),^[6] in the case of an asset transfer agreement (hereinafter referred to as ‘definitive agreement’).

A relevant section of the vast majority of definitive agreements regulates the representations and warranties (R&Ws). These are given by both the seller and the purchaser or investor and aim to disclose material information. R&Ws are used as an assurance that particular facts are true, especially for topics that are not very easily verifiable. They are also used to allocate the risks between the seller and the purchaser or investor. This is very important, because these are the basis of any future indemnification claim in the event of a breach or inaccuracy post-closing.

R&Ws usually contain standard privacy and data security provisions and it is common to see R&Ws that include general terms (e.g., ‘compliance with privacy laws’). However, the best strategy is to refine these provisions to reflect the specific situation and to adjust the relevant topics. This will ensure better protection for the purchaser against specific privacy risks and for the seller in relation to data protection legal provisions that are not yet regulated by the relevant authorities.

More than compliance with the applicable laws, tailored privacy and data protection-related R&Ws can cover compliance with contractual obligations, disclosure requirements, internal data breach recovery procedures or any other measures that are not necessarily required by law or contracts (e.g., industry-standard security measures).

Although R&Ws can vary depending on the scale of the transaction and the target’s core business, among other aspects, it is important that they contain, at a minimum, specific privacy and data protection provisions that, for example, objectively list the target’s data protection main practices and level of compliance with applicable laws. The relevant subjects that R&Ws may address include:

• a history of the target’s past data security incidents, legal proceedings and relevant claims (or the lack of breaches), including enforcement actions;
• details of the data flows carried out by the target;
• an indication of the level of compliance with the applicable legislation; and
• an indication of the data sharing practices and retention policies adopted, among other things.

To mitigate risks of M&A, R&Ws insurance is becoming more common. It covers eventual indemnification obligations of the parties in relation to the violation of R&Ws included in the SPA. The main focus is hidden liabilities, although materialised contingencies are not usually covered by this type of insurance. Insurance companies usually analyse the due diligence reports in such cases to assess the main findings and negotiate what will be covered.

This type of risk mitigation may be considered especially relevant since the verification of the level of compliance with the relevant data protection laws usually requires in-depth and detailed analysis, both legal and technical, of the practices adopted by the target, which is not always compatible with the nature of due diligence. Thus, the insurance does not exempt an effective data protection due diligence but can mitigate risks relating to deeper aspects of data protection legal compliance.

Finally, the indemnities section of the definitive agreement is used to regulate the seller or invested company’s obligation to indemnify the purchaser or investor for damage and loss caused by facts and circumstances of which the parties are aware. For instance, if a relevant personal data breach occurred before the closing phase and individual lawsuits and an administrative proceeding have been initiated and are still in progress, the parties can agree that the seller or invested company will reimburse the purchaser or investor in respect of any losses that derive from the data breach. In this sense, a common practice when drafting indemnity clauses is to exclude any limitations to indemnify liability (such as caps, de minimis and basket amounts) in the case of relevant facts that were disclosed during the due diligence process, such as a critical personal data breach.

Integration of databases and data processing activities

After the deal is completed, depending on the nature of the transaction (e.g., a transfer of control of the target or a merger between two companies), it is time to integrate the companies’ databases and processing activities. This means combining and standardising data protection practices and information about clients, commercial prospects, marketing material, payments and supply chain, among many other elements.

The integration phase should start before the deal is finished. Planning is the most important step to assure the success of integration. Therefore, the key is organising the main characteristics of the planned integration in advance, such as the level of integration, the standard of privacy to be reached, priorities, the resources available and the need for IT support.

When the integration itself commences, it is also important to map out the various aspects of organisation, the tools needed to achieve a successful integration and how to coordinate the project to ensure it runs smoothly. Asking questions that can seem obvious at first, but are very commonly overlooked, is a relevant task:

• What is the size of the integration size?
• Is it sufficient to have one individual coordinating the project or is it necessary to put together a privacy team?
• How will the communication between the companies, the internal team and legal counsel work?
• How can other areas (e.g., human resources and marketing) follow the project and provide contributions?
• Do the companies have the necessary IT tools and systems in place?

Privacy components have an important place on the integration agenda. Depending on the issues and risks identified during the due diligence process, the purchaser’s priorities and the jurisdiction’s legal requirements, the order in which the company addresses these items may differ.

Below are a few examples of data protection matters that may be addressed during the integration phase, depending on the findings of the due diligence and the practices adopted by the target and by the purchaser or investor.

Data protection officer

Some jurisdictions have legal determinations that require companies to formally appoint a data protection officer (DPO). It may therefore be necessary to appoint, or replace, a DPO at the acquired company. This is certainly the case in Brazil and the European Union, as determined by the LGPD and the GDPR.

Structuring or reviewing data breach response plan

Some companies, especially in jurisdictions that do not have detailed data protection regulations, tend not to include privacy issues in their procedures for incident control and restrict them to business sensitive information. At a minimum, a company should include a DPO or a privacy lead on its disaster management team, not least to ensure that the respective country’s legal notification deadlines are met. For example, the LGPD determines that notification of the security incident should be made within a ‘reasonable period of time’.^[7] While further regulation is pending, it is recommended that the Brazilian Data Protection Authority is notified as soon as possible (i.e., the indicative period is two working days from the date of knowledge of the incident).

Preparing or reviewing data privacy governance policy

Data privacy governance policies are documents that establish the main rules, principles and obligations relating to data processing that must be followed by the company (including employees, service providers, etc.). If this document does not yet exist, the best strategy is that the company prepares and puts this policy into practice as soon as possible.

Privacy awareness workshops

One of the most essential parts of integration is internal transparency. All areas should be able to easily follow the integration procedure and provide their input in an organised matter. This practice improves the integration and ensures that all issues are being considered. One of the ways to achieve this goal is to provide privacy and security awareness workshops for employees, sharing the important elements of the integration, the status of the procedure, next steps and explaining the changes in processing personal data within day-to-day activities.

Reviewing privacy statements

Depending on the size, age and activities of the business and the level of integration, it is advisable to review the privacy statements (including data subjects’ privacy policies). This can be done according to the template used by the acquiring company, making adjustments to the existing document, or aligning new statements according to the post-closing situation.

Sharing human resources data

One of the most sensitive aspects of an integration is the sharing of data held by human resources (HR) departments. Usually, it is necessary for the target employees’ data to be shared for the purpose of people management. The transfer of HR data typically requires the drawing up of a contract in advance, in addition to a detailed analysis of the relevant legal obligations of the jurisdiction. In Brazil, the LGPD determines the designation of a legal basis for the processing of personal data and sensitive personal data by the controller. In some situations, a notice to employees is sufficient. In others, specific consent may be required for data processing. It is important to emphasise that, in any event, this data must not be shared beyond what is necessary to fulfil the sharing purpose.

Storing and transferring data

It is advisable to analyse the relevant jurisdiction’s transfer restrictions and localisation requirements so as to evaluate the need to prepare customer disclosures or to adopt the required mechanisms for the transfer of data, such as consent or data transfer clauses ensuring the same level of data protection, in case there is a change of location of the target’s data.

Sharing personal data

Processing the personal data of clients of the acquired or invested company for different purposes (such as marketing) may trigger the need for separate consent from each of the clients or of notice to data subjects. More often than not, business stakeholders intend to use this personal data for business purposes. As such, it is important that legal and contractual limitations are clear to stakeholders and other parties involved in the transaction and that the measures needed to guarantee the lawfulness of any new sharing of data are put in place.

* The authors acknowledge contributions to this article by Jaqueline Simas de Oliveira, Nuria Bauxali and Beatriz Spalding (associates at Mattos Filho Advogados) and Larissa Teles Nonato (trainee at Mattos Filho Advogados).

Notes