Trends in data-driven deals
Businesses can entirely transform their offering by gaining access to valuable data sets. This has generated a rush for data assets, which in turn has led to a relatively new phenomenon: non-tech businesses having to think like tech companies. All businesses are now having to become familiar with how to answer complex legal questions like how to acquire rights in data and manage restrictions on data analytics. And this learning curve has coincided with new and stricter data laws – most notably the EU General Data Protection Regulation (GDPR). Data-related fines are getting higher and high-profile data crises are damaging business reputations. All of this means that data issues are becoming front and centre in mergers and acquisitions (M&A) and other deals.
In this chapter, we will look at issues that businesses should consider when doing due diligence on a data-rich target; the level of warranty protection to seek on a deal; data integration issues; legal issues raised by the process of deals themselves; and specific issues relating to data collaborations.
Although we will focus on the issues arising on M&A, much of this chapter applies equally to data licensing, joint ventures and other data deals.
Data due diligence – assessing value and risks
A buyer of a data-heavy target needs to consider two broad themes.
First, what is the potential upside of acquiring the data? Its value will, of course, depend on its intrinsic content, but other factors will also be relevant, including the target’s legal rights to use the data and its rights to stop others using it.
Second, what are the potential risks of buying the data? With data regulation increasing all the time, it is possible that compliance costs might impair the value of the data. And if the data includes valuable know-how or personal information, then a data breach – whether past or future – could be disastrous.
We explore these issues further below.
What rights does the target have to the data?
A common misconception by businesses is that they legally ‘own’ data that they have collected or created. A buyer of a data-heavy target should always investigate what legal rights the target has over its data. There are two main ways that businesses can structure their operations to protect their rights in data: by getting intellectual property protection and by using contracts.
IP protection of data
One way of protecting data is the legal protection given to databases by the EU database right and copyright. These IP rights aim to harmonise the legal protection of databases across the European Union and protect the interests of businesses that invest in creating and maintaining databases.
The database right protects ‘substantial investment’ in collecting existing materials, and verifying and presenting them as a database. It prevents others from extracting or using large parts of a database. The difficult part in proving that database right exists is usually showing that there was investment in collecting the data, rather than creating it. Copyright protects databases whose contents have been selected or arranged in an original way. It protects only the structure of the database – not the contents – and it is relatively rare that a database structure has been found to be original in a protectable sense. So database right potentially offers better protection for data-driven businesses, provided the ‘investment in collecting’ test is met, but only in the European Union. By contrast, in other jurisdictions (for example, in the United States) protection of databases tends to be more ad hoc, turning on the particular facts of a case (often under copyright law).
It is also sometimes possible to show that a data set amounts to a trade secret. Internationally, trade secrets are typically protected where the data is secret, has commercial value from being secret and reasonable steps have been taken to keep it secret. Meeting these tests requires particular care in open, cloud-based data systems.
Data and contracts
As well as IP rights, the buyer will want to look at any contracts that affect the target’s data. If the target licenses out its data, the buyer should check the key terms – for example, can the licensee merge the target’s data with other data and, if so, who owns that derived data? Where a business is both licensing in and distributing data, it is important to diligence the flow of those rights, to ensure that there are no material gaps. Some licensors also require licensees to acknowledge in the licence that the licensor has made a ‘substantial investment’ in obtaining the data – to help assert database right. Certain industries – like the media, news and financial services – already have well-developed data-licensing practices, and this is likely to spread as other industries start to connect and share more data.
The target might also have outsourced the analytics of its data set. The buyer should check those contracts to see what they say about protecting IP rights, and complying with data privacy laws (assuming the data set contains personal data).
Has the target complied with data protection law?
If the target’s data sets contain personal data, then data protection compliance is likely to be a key part of due diligence. A key issue will be whether individuals (including employees and customers) have been informed about, and (where required) consented to, how the target uses their data.
The first place to look for consent would be contracts, application forms and marketing literature used by the target. The GDPR, which is probably the high watermark for data privacy law internationally, states that consent must be freely given, specific, informed and unambiguous for most processing; consent must be ‘explicit’ for processing sensitive data and for data exports from the European Economic Area (EEA). Whether consent is valid will depend on the circumstances, but broadly: an opt-in, for example by ticking a box on an application form, is required. Silence – or an opt-out – will not be valid consent. It is particularly hard to prove that employees have ‘freely given’ their consent, given the power imbalance between employers and employees.
If there is no consent, the buyer should assess whether the target’s data use is permitted under any other conditions. The most commonly used conditions under the GDPR tend to be more specific (for example, data use necessary to perform a contract), or they require a judgement as to whether they are satisfied (for example, whether the target’s ‘legitimate interests’ in using the data outweigh the data subject’s interests).
The target must also have given data subjects certain information about how it intended to process their personal data. The buyer should check whether these notices have been given, and ask to see copies.
Due diligence should also reveal whether the target has complied with other elements of data protection law. For example:
- paying the necessary fees to relevant regulators;
- appointing a data protection officer (where relevant);
- keeping data secure;
- complying with the restrictions on exporting personal data;
- conducting direct marketing lawfully;
- complying with data subject individual rights requests;
- complying with notices received from regulators;
- appointing data processors in accordance with relevant laws, including the GDPR;
- conducting data protection impact assessments; and
- conducting profiling and automated decision-making lawfully, including having analytics systems that can respond in a modular way to individuals who might object to processing.
The buyer might also ask for details of the target’s internal training programme and employee policies on data protection issues.
The buyer should also review the data protection provisions in major third-party service-provider contracts. For example, in contracts with cloud providers, the buyer will want to check that they contain suitable data processing clauses and also review any liability caps; if those caps are very low, that might indicate that the target has failed to appoint its processors in a compliant way.
During due diligence, the buyer will also want to analyse whether existing consents are sufficient to cover the buyer’s intended use of the target’s personal data, for example, for cross-marketing its own products, or for developing new products. And if the target’s products incorporate ‘privacy by design’ – a GDPR requirement – then the data assets are more likely to be attractive to a possible future buyer.
If due diligence raises any major problems, the buyer might consider seeking a pre-closing covenant that those problems are fixed in the ordinary course before closing, such as requiring the seller or target to seek new consents or amend privacy notices. If breaches cannot be cured before closing, they might be relevant to the risk assessment or valuation of the deal, and the time it would take to integrate a target business.
Has the target addressed cybersecurity risks?
Cybersecurity due diligence is vital on any deal – but particularly where data is a key driver. Cyber issues can be deal-breakers, or at least affect deal value: during Verizon’s 2017 acquisition of Yahoo!, US$350m was knocked off the price after data breaches were revealed.
And a buyer that fails to do full due diligence can store up problems for itself. The high-profile TalkTalk hack in 2015 was the result of a legacy IT system it had acquired from Tiscali in 2009. The ICO issued a record fine against TalkTalk, even though the vulnerability was part of an ‘inherited infrastructure’, because the ICO found that TalkTalk had failed to properly assess the infrastructure for possible threats.
So how should a buyer approach cyber due diligence? The answer is likely to depend on various factors, including:
- the buyer’s negotiating stance: it might decide to carry out a detailed review of the target business’s cybersecurity risk profile in exchange for receiving more limited or no warranties. Alternatively, the buyer might want to carry out a more limited review and attempt to get full warranties;
- the nature of the target’s IT systems, including the age and complexity of the target’s IT systems, whether they are generic or bespoke, their ‘fitness for purpose’, and whether they are stand-alone or integrated with the seller’s group; and
- the target’s sector: more detailed due diligence will be needed for highly regulated, complex industry sectors (eg, financial services, energy, infrastructure or telecoms).
Having said that, most buyers should consider seeking information on:
- any cyber breach – or attempted breach – suffered by the target during the last three to six years;
- any breach suffered by a third party engaged by the target that might have compromised the target’s systems or data;
- any notifications to regulators or individuals about cyber breaches;
- any internal or third-party reports relating to cyber preparedness, vulnerabilities or particular breaches (the buyer should ask for copies, including details of any remediation steps);
- cybersecurity policies and procedures, and any steps the target takes to test them;
- those responsible for dealing with cyber risks and incidents;
- how the target minimises its exposure to cyber risks when entering third-party contracts;
- employee training programmes and IT policies;
- any cyber insurance policies;
- anything the target has included in its annual reports and accounts on cyber risk management; and
- any recognised information security standards or best practices with which the target complies (including ISO 27001, NIST and PCI DSS).
Other data issues to assess on due diligence
The buyer will also need to look at other legal issues that might affect data. In particular:
- Does the acquisition raise antitrust issues? This might be an issue where the parties’ data pools – when combined – could create a monopoly.
- Could the buyer’s access to the data raise foreign investment concerns where the data is regarded as sensitive? This might lead to the deal being reviewed by relevant government authorities (eg, the Committee on Foreign Investment in the United States).
- Are there product liability issues? This might be a risk if the buyer is looking at creating interconnected products or services in circumstances where the control of the data is relevant to the allocation of risk.
- What are the tax consequences of how the data set is structured (or will be structured after closing)? Historically, taxation has been linked to where a business is established, and answering that question has included looking at where a business’s data is stored. To reflect the digital economy, regulators are now moving towards looking instead at where a business’s customers are based. This leaves less room for businesses to structure their digital assets – including their data – so as to minimise tax exposure.
- Do sector-specific rules apply? Areas likely to attract sector-specific data laws include telecoms, financial services and healthcare. There might also be special rules if the target provides products or services to children.
Data and cybersecurity warranty protection
A buyer’s approach to warranties and indemnities will depend on various issues, including its negotiating power and the extent of its due diligence. But most buyers will want to obtain warranties that the target:
- complies with data protection laws, regulator guidance and industry standards – and has done so for three to six years;
- has received no notices or allegations of non-compliance;
- has obtained all required consents from data subjects to the processing of their personal data;
- has rights to use all data collected and generated in its business;
- complies with best industry practice, or at least relevant standards, on cybersecurity;
- has experienced no cyber incidents, including in relation to its data processors or other key contract counterparties; and
- has procedures in place for responding to data crises.
On a data-heavy deal, a buyer will also want to get full warranties about the allocation of rights in data; and contractual issues (eg, breaches) that might affect data licences or data-sharing agreements.
A buyer will sometimes ask for a ‘forward-looking’ warranty that its processing of personal data post-closing will be lawful if the data is used in the same way as it was used before closing. A seller will rarely give this.
If due diligence has revealed that the target is not processing data fairly and lawfully, it might be necessary to approach data subjects for fresh consent to data processing. Subject to antitrust ‘gun-jumping’ rules, this sometimes takes place between signing the deal and closing it, and, in serious cases, is framed as a closing condition, usually based around a percentage of consents received. The number of consents received might also affect the final price.
And, if due diligence reveals a data breach, the buyer might require the seller or target to remedy inadequate security measures, and notify regulators and individuals affected.
Breaches of data laws could of course lead to fines or compensation claims: if there’s a high risk of breach, a buyer might not want to accept financial caps on the data warranties. In deals where data is key, the buyer will sometimes seek indemnities – most often where breaches of data laws or data licences are disclosed and loss is foreseeable.
Integration and post-closing issues
There will usually be data integration and post-closing issues for a buyer to consider. These will vary, depending on the structure of the sale and what the buyer intends to do with any data acquired. But most buyers will need to think about reviewing the data sets and deleting excess data; conducting IT and cybersecurity checks; analysing whether intended new data uses will require new data consent; notifying data protection regulators; and updating data processing arrangements.
Reviewing the data sets and deleting excess data
If the seller is transferring only part of a data set – for example, if the seller is retaining a product that is sold to certain customers only – there will be a logistical exercise in separating the relevant data. If excess data is transferred, there is a risk of breaching data protection law; for example, the GDPR permits data to be processed only if it is ‘relevant and limited to what is necessary’. Provisions governing a data separation exercise are usually included in a transitional services agreement or migration plan.
The buyer will need to review the personal data it receives, to ensure compliance. In particular, it will need to delete irrelevant, excessive or out-of-date personal data, and if the seller is retaining data, it will need to ensure that it continues to process the data lawfully and delete any excess data.
All parties should also delete data relating to the transaction itself, unless required to keep it by law or regulatory obligation. Both parties might also need to think about securely disposing of IT equipment that contains personal data; it is important that no personal data is compromised during that process.
IT and cybersecurity checks
The buyer will need to check that the IT systems it has acquired are secure. There is no ‘one size fits all’ for determining the appropriate level of security, but certification against a recognised security standard, for example the ISO 27001 series or NIST, and passing certain industry-standard tests might be a good indicator that security is adequate. If a cyber breach occurs, any regulator will look at whether the business complied with industry standards – although that will not necessarily determine the level of any penalties, particularly if the standards in a particular sector are low or if there are indicators to suggest that compliance with a standard was not the whole IT security story.
The buyer might decide to appoint a cybersecurity consultant to review the new system. If so, it is worth remembering that any consultant reports might not attract privilege – so they might be disclosable to a court or regulator if a cyber breach occurs later on. This could be a problem if the report reveals multiple failings that are not fixed and are relevant to a later breach. Before commissioning a report, the buyer should clearly define the scope of work and consider how prepared it would be to implement any findings. Consultants will often give ‘belt-and-braces’ recommendations, but the cost–benefit analysis for the buyer might not justify fixing all problems disclosed. All the more reason for lawyers and IT experts to work hand-in-hand to scope cybersecurity solutions.
New data uses: obtaining new consents and informing data subjects
Data protection law might require the buyer to notify data subjects and obtain new consents, including where:
- the deal is structured as an asset sale, and there is, therefore, a change of data controller. Under the GDPR, the buyer must give the data subjects notice of the change of data controller within a reasonable period, and no later than one month;
- the buyer wishes to use the target’s personal data for new uses, for example to cross-market its own products, or to conduct data analysis. Any new purpose that is incompatible with the original purposes for which the personal data was collected might require new notices or consents; and
- the target intends to make new disclosures of personal data – either intra-group or to third parties – or new data exports.
Often, fair processing notices and requests for consents can be included in other employee or customer communications relating to the deal.
For new uses under the GDPR, the buyer might be able to rely on an exception to the rule requiring notices to be given; the exception applies where giving notice would involve ‘disproportionate effort’.
On an asset sale, the buyer will also need to consider rules on electronic marketing. For example, the ICO has issued guidance on buying a marketing database where customers have consented to receiving marketing. The guidance says that the buyer can use it for e-marketing without a fresh consent from each individual only if the buyer was named in the original consent request. This is highly unlikely to be the case in an M&A situation, so fresh consent might be required.
Any change in the data controller might need to be notified to relevant national data protection regulators. There might also be increased fees to pay.
Data processing arrangements
The transaction might have involved transferring data processing agreements to the buyer (eg, agreements with cloud providers). If the buyer already has agreements with the same processors, it might decide to consolidate those arrangements.
Data privacy issues arising from the deal process
The mechanics of most deals will raise data protection issues. These tend to involve disclosing or receiving personal data in due diligence, exporting personal data, and transitional arrangements.
Disclosing or receiving personal data in due diligence
Disclosing personal data to the buyer during the due diligence process raises data protection issues. There is no general exemption for M&A deals, although there are laws governing specific types of data that the parties might rely on. To try to minimise the risk of a data protection breach, a seller or target should:
- ensure as far as possible that due diligence materials are made anonymous – this might include aggregating salary data so that individuals’ salaries are not identifiable, using sample contracts rather than actual signed contracts, and compiling summaries of any disputes;
- remove or anonymise all sensitive data;
- sign a non-disclosure agreement (NDA) with each potential buyer;
- ensure that any agreement between the seller or target and a virtual data room provider contains GDPR-compliant processor clauses;
- if appropriate, update privacy notices (including those in employment handbooks) to include data processing for M&A activity; and
- if it decides to disclose non-anonymised data to the buyer under the GDPR’s ‘legitimate interest’ grounds (or similar), record its assessment of why it can rely on that ground and why it is not notifying the data subjects about the disclosure.
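The first of these steps, aggregating salary data so that no individual’s pay is identifiable, is one a seller can script rather than do by hand, and scripting it makes the rules applied easy to record for the assessment mentioned in the last bullet. The following is an added example and not code from the chapter or from any law firm or data room provider: it assumes a constructed HR extract (invented figures), an assumed minimum group size of five before a department’s statistics are released, and rounding to the nearest 1,000. It also handles an edge case that simple aggregation misses: a group whose members all earn the same amount, where the published mean would reveal each person’s salary.

```python
"""Aggregate salary data for a due diligence data room so that no
individual's pay can be read back from the disclosed figures.

Added illustration: the thresholds and the sample records are
constructed assumptions, not figures from any real transaction.
"""
from collections import defaultdict
from statistics import mean, median

# Constructed sample HR extract: names already replaced by ids, salaries invented.
EMPLOYEES = [
    {"id": 1, "dept": "Engineering", "salary": 82000},
    {"id": 2, "dept": "Engineering", "salary": 76500},
    {"id": 3, "dept": "Engineering", "salary": 91000},
    {"id": 4, "dept": "Engineering", "salary": 68000},
    {"id": 5, "dept": "Engineering", "salary": 105000},
    {"id": 6, "dept": "Sales", "salary": 54000},
    {"id": 7, "dept": "Sales", "salary": 61000},
    {"id": 8, "dept": "Sales", "salary": 58500},
    {"id": 9, "dept": "Sales", "salary": 72000},
    {"id": 10, "dept": "Sales", "salary": 49000},
    {"id": 11, "dept": "Sales", "salary": 63000},
    {"id": 12, "dept": "Legal", "salary": 120000},    # a one-person team
    {"id": 13, "dept": "Finance", "salary": 70000},   # everyone on the same grade
    {"id": 14, "dept": "Finance", "salary": 70000},
    {"id": 15, "dept": "Finance", "salary": 70000},
    {"id": 16, "dept": "Finance", "salary": 70000},
    {"id": 17, "dept": "Finance", "salary": 70000},
]

MIN_GROUP_SIZE = 5   # assumed: smaller departments are suppressed, not published
ROUND_TO = 1000      # assumed: published figures are rounded to the nearest 1,000


def _round_to_step(value, step=ROUND_TO):
    """Round half-up to a multiple of `step` (avoids Python's banker's rounding)."""
    return int((value + step / 2) // step * step)


def aggregate_salaries(records, min_group_size=MIN_GROUP_SIZE):
    """Return per-department statistics safe to place in a data room.

    A department is suppressed (headcount only) when it is too small to hide
    an individual, or when every member earns the same amount, because then
    the mean would equal each person's salary.
    """
    by_dept = defaultdict(list)
    for r in records:
        by_dept[r["dept"]].append(r["salary"])

    summary = {}
    for dept, salaries in sorted(by_dept.items()):
        n = len(salaries)
        if n < min_group_size:
            summary[dept] = {"headcount": n, "suppressed": True, "reason": "small group"}
        elif len(set(salaries)) == 1:
            summary[dept] = {"headcount": n, "suppressed": True, "reason": "uniform pay"}
        else:
            summary[dept] = {
                "headcount": n,
                "suppressed": False,
                "mean": _round_to_step(mean(salaries)),
                "median": _round_to_step(median(salaries)),
            }
    return summary


def contains_raw_salary(records, summary):
    """Sanity check before release: no published statistic equals a raw salary.

    Rounding normally breaks the link; this catches the cases where it does not.
    """
    raw = {r["salary"] for r in records}
    published = {
        v for stats in summary.values() if not stats["suppressed"]
        for k, v in stats.items() if k in ("mean", "median")
    }
    return bool(raw & published)


if __name__ == "__main__":
    result = aggregate_salaries(EMPLOYEES)
    for dept, stats in result.items():
        print(dept, stats)
    print("raw salary leaked:", contains_raw_salary(EMPLOYEES, result))
```

The check at the end is deliberately conservative: in the constructed data the Engineering median (82,000) coincides with one employee’s actual salary even after rounding, so the script reports a leak and the seller would widen the rounding or drop the median before disclosure. Recording which groups were suppressed and why gives the seller a ready-made note for the ‘legitimate interest’ assessment.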
The NDA should require the potential buyer to:
- only use the data it receives to help it evaluate the target’s business;
- treat the data in confidence and not disclose it;
- comply with applicable data protection laws; and
- destroy or return the data if the deal does not proceed.
Sometimes, draft NDAs include GDPR-compliant data processor clauses, on the basis that the buyer is deemed a data processor, acting on the instructions of the seller. However, a buyer will in fact usually be a data controller, so no data processor clauses are needed. A buyer will sometimes ask the seller to confirm in the NDA that the disclosure complies with data protection laws. The seller should resist this; instead, it might explain what it has done to reduce any risk, so that the buyer can make its own assessment.
The buyer must ensure its own data protection compliance on due diligence. Under the GDPR, this means satisfying the lawful, fair and transparent requirements when using personal data to assess the target. To satisfy the lawful test, the buyer will usually rely on the ‘legitimate interests’ condition. As regards transparency, the GDPR requires the buyer to inform data subjects of its identity and the purposes for which the data will be processed. This must be done within a month. The buyer does not need to provide this information if it has already been provided. There’s also an exception if informing would involve a disproportionate effort or would seriously impair the objectives of the processing. The buyer can usually rely on this exception in a due diligence exercise. The risk to data subjects is low – personal data will be protected by an NDA and there will be strict limitations on use.
The parties will also need to consider any data localisation laws if personal data is being sent overseas to the buyer or its advisers. Under the GDPR, this means considering whether data is being exported from the EEA to countries without an ‘adequate’ level of protection. If so, the parties might consider using EU model clauses (or relying on the buyer group’s existing data transfer compliance steps). Remote access to a database in the EEA from a non-EEA location is an export – for example, if someone outside the EEA accesses a virtual data room hosted within the EEA. Storing or accessing data in the cloud may also result in an export.
On many deals, the seller will provide services to the buyer on a transitional basis, until the buyer has set up its own systems. These services often include payroll or human resources administration, and the seller will therefore be processing personal data as a data processor on behalf of the target. The transitional services agreement will, therefore, need to contain relevant data processing clauses. If the arrangements involve data export, the agreement will also typically need to include relevant data export clauses.
Data collaborations – specific issues
Rather than acquiring a data-heavy target, a business might decide to create and use a data set in collaboration with another. Many of the issues raised above in relation to M&A will apply equally to data collaborations, but there are some additional traps to be aware of.
Most importantly, the parties will need to agree and specify ownership of and access to data that is contributed and generated by the collaboration. As we have seen above, ‘ownership’ of data is not straightforward, and the parties will need to think carefully about how they draft their contracts and structure their operations. And it is often not clear even what data will be produced by a particular digital collaboration. For example, for a retail digital offering, it is often necessary to work closely with the technical teams to analyse each step of a customer’s journey to identify every data set that will be generated. Only then can the parties allocate ownership, access and use rights for each data set.
There is also a risk where one party contributes a data set containing personal data: this will, for example, restrict any profiling or analytics that can be conducted on the resulting data set. Before a party contributes any personal data, it will need to check that it has the relevant consent or other rights to use it. If not, the other party might seek a closing condition that the data be anonymised – and possibly vetted by a third-party anonymisation expert. The parties should also consider whether they need to have a data-sharing agreement or terms in place for data privacy purposes, including to allocate responsibilities where the parties are joint data controllers.
Antitrust issues can also arise in collaborations if the parties are pooling their data – carefully drafted data-sharing agreements can mitigate the risk.