Data-driven M&A – from due diligence to joint ventures

This is an Insight article, written by a selected partner as part of GDR's co-published content.

Trends in data-driven deals

Businesses can entirely transform their offering by gaining access to valuable datasets. This continues to generate a strong impetus to ‘build or buy’ data, which in turn has led to non-tech businesses having to think like tech companies. All businesses must now be familiar with complex legal questions like how to acquire rights in data and manage restrictions on data analytics and artificial intelligence (AI).

This learning curve has coincided with stricter data laws – most notably the EU General Data Protection Regulation (GDPR)[1] and various copycat laws. Data-related fines are getting higher and high-profile data crises are damaging business reputations. All of this means that data issues are frequently front and centre in mergers and acquisitions (M&A) and other deals.

In this chapter, we will look at: issues that businesses should consider when doing due diligence on a data-rich target; the level of warranty protection to seek on a deal; data integration issues; legal issues raised by the process of deals themselves; and specific issues relating to data collaborations.

Although we will focus on the issues arising on M&A, much of this chapter applies equally to data licensing, joint ventures and other data deals.

Data due diligence – assessing value and risks

A buyer of a data-heavy target needs to consider two broad themes.

First, what is the potential upside of acquiring the data? Its value will depend on its intrinsic content, but other factors will also be relevant, including the target’s legal rights to use the data and its rights to stop others using it.[2]

Second, what are the potential risks of buying the data? With data regulation increasing all the time, it is possible that compliance costs might impair the value of the data, including potential use cases to train AI models.[3] And if the data includes valuable know-how or personal information, then a data breach – whether past or future – could be disastrous.

These issues are explored further below.

What rights does the target have to the data?

A common misconception by businesses is that they legally ‘own’ data that they have collected or created. A buyer of a data-heavy target should always investigate what legal rights the target has over its data. There are two main ways that businesses can protect their rights in data: by getting IP protection and by using contracts.

IP protection of data

One way of protecting data is the legal protection given to databases by the EU and UK database rights and copyright. These IP rights aim to protect the interests of businesses that invest in creating and maintaining databases.

EU and UK database rights protect ‘substantial investment’ in collecting existing materials, and verifying and presenting them as a database. They prevent others from extracting or using large parts of a database. The difficult part in proving that a database right exists is usually showing that there was investment in collecting the data, rather than creating it.[4] Copyright protects databases whose contents have been selected or arranged in an original way. It protects only the structure of the database, not the contents.

It is relatively rare for the courts to find a database structure to be sufficiently original.[5] So the database right potentially offers better protection for data-driven businesses, provided the ‘investment in collecting, verifying or presenting’ test is met in the relevant territory. By contrast, in other jurisdictions (eg, the US) protection of databases tends to be more ad hoc, turning on the particular facts in a case, often under copyright law, rather than under a specific framework that protects databases.

It is also sometimes possible to show that a dataset amounts to a trade secret. Internationally, trade secrets are typically protected where the data is secret, has commercial value from being secret and reasonable steps have been taken to keep it secret.[6] Meeting these tests requires particular care in open, cloud-based data systems.

Data and contracts

As well as IP rights, the buyer will want to look at any contracts that affect the target’s data. If the target licenses out its data, the buyer should check the key terms – for example, can the licensee merge the target’s data with other data and, if so, who owns that derived data? Where a business is both licensing in and distributing data, it is important to diligence the flow of those rights, to ensure that there are no material gaps, including by testing whether rights to use historical data survive the termination of the contract.

Some licensors also require licensees to acknowledge in the licence that the licensor has made a ‘substantial investment’ in obtaining, verifying or presenting the data, to help assert the licensor’s database rights. Certain industries (eg, the media, news and financial services) already have well-developed data-licensing practices, and these practices are spreading as other industries start to connect and share more data. This is particularly prevalent in adjacent sectors, for example for tech and fintech businesses.

The target might also have outsourced the analytics of its dataset. The buyer should check those contracts for provisions on protecting IP rights and complying with privacy laws (assuming the dataset contains personal data).

The contractual allocation of rights in data can be particularly relevant for AI, where the parties will want to be clear how to manage the ownership and use of any rights in the input and output data, as well as the rights in models built using that data. With increasing interest in AI (and particularly generative AI) use, market practice is starting to shift towards contracts expressly providing for whether data can be used to train models.

Has the target complied with data protection law?

If the target’s datasets contain personal data, then data protection compliance is likely to be an important part of due diligence. A key issue will be whether individuals (including employees and customers) have been informed about, and (where required) consented to, how the target uses their personal data.

The first place to look for consent would be the target’s contracts, application forms and marketing literature. The GDPR, which is probably still the high-water mark for data privacy law internationally, states that consent must be freely given, specific, informed and unambiguous[7] for most processing. Consent must be ‘explicit’ for processing sensitive data and for data exports from the European Economic Area (EEA) or the UK (depending on whether the GDPR or the UK GDPR applies).[8]

Whether consent is valid depends on the circumstances, but broadly under the GDPR, an opt-in, for example by ticking a box on an application form, is required.[9] Silence – or an opt-out – will not be valid consent. It is particularly hard to prove that employees have ‘freely given’ their consent, given the power imbalance between employers and employees.

If there is no consent, the buyer should assess whether the target’s data use is permitted under any other lawful bases. The most commonly used bases under the GDPR tend to be more specific (eg, data use necessary to perform a contract), or they require a judgement regarding whether they are satisfied (eg, whether the target’s ‘legitimate interests’ in using the data outweigh the data subject’s interests).[10]

In the US, more industry-specific regimes lay out detailed notification requirements for consumers. For example, regulations impacting certain financial service providers, issued pursuant to the Gramm-Leach-Bliley Act, stipulate the contents of privacy notices.[11] Specific categories of healthcare-related entities must follow the requirements of the Health Insurance Portability and Accountability Act’s Privacy Rule.[12] Individual US states are also upping the data privacy stakes, passing laws that require certain notices and rights akin to the GDPR for those affected by data practices within their jurisdiction.[13]

The target must also have given data subjects certain information about how it intended to process their personal data.[14] The buyer should check whether these notices have been given and ask to see copies.[15]

Due diligence should also reveal whether the target has complied with other elements of data protection law. For example:

  • paying the necessary fees to relevant regulators;[16]
  • appointing a data protection officer (where relevant);
  • keeping data secure;
  • complying with the restrictions on exporting personal data;
  • conducting direct marketing lawfully;
  • complying with data subject rights requests;
  • complying with notices received from regulators;
  • appointing data processors in accordance with relevant laws, including the GDPR;
  • conducting data protection impact assessments;[17] and
  • conducting profiling and automated decision-making lawfully, including having analytics systems that can respond in a modular way to individuals who might object to processing.[18]

The buyer might also ask for details of the target’s internal training programme and employee policies on data protection issues.

The buyer should also review the data protection provisions in major third-party service-provider contracts. For example, in contracts with cloud providers, the buyer will want to check that they contain suitable data processing clauses and review any liability caps. If those caps are very low, that might indicate that the target has failed to appoint its processors in a compliant way.

The buyer will also want to analyse whether existing consents are sufficient to cover its intended use of the target’s personal data, for example, for cross-marketing its own products, or for developing new products. If the target’s products incorporate ‘privacy by design’ – a GDPR requirement – then the data assets are more likely to be attractive to a possible future buyer.[19]

The buyer should review information published by data protection authorities in relation to the target. For example, as well as continuing to publish fines, enforcement notices, undertakings and prosecutions on its website, the ICO now also publishes datasets naming organisations that have been subject to reprimands, complaints and other concerns brought to its attention.

If due diligence raises any major problems, the buyer might consider seeking a pre-closing covenant that those problems are fixed before closing, for example, by requiring the seller or target to seek new consents or amend privacy notices. If breaches cannot be cured before closing, they might be relevant to the risk assessment or valuation of the deal, and the time it would take to integrate the target.

Has the target addressed cybersecurity risks?

Cybersecurity due diligence is vital on any deal – but particularly where data is a key driver. Cyber issues can be deal-breakers, or at least affect deal value: during Verizon’s 2017 acquisition of Yahoo!, US$350 million was knocked off the price after data breaches were revealed.

A buyer that fails to do full due diligence can store up problems for itself. The high-profile TalkTalk hack in 2015 was the result of a legacy IT system it had acquired from Tiscali in 2009. The ICO issued a record fine against TalkTalk, even though the vulnerability was part of an ‘inherited infrastructure’, because the ICO found that TalkTalk had failed to properly assess the infrastructure for possible threats. If it is not possible for a buyer to perform detailed cyber due diligence before the completion of an acquisition, then data protection regulators will generally expect that due diligence to be performed post-acquisition.

So how should a buyer approach cyber due diligence? The answer is likely to depend on various factors, including:

  • the buyer’s negotiating stance: it might decide to carry out a detailed review of the target business’s cybersecurity risk profile in exchange for receiving more limited or no warranties.[20] Alternatively, the buyer might want to carry out a more limited review and attempt to get a fuller set of warranties;
  • whether the buyer will be relying on warranty and indemnity (W&I) insurance in respect of claims under the warranties: W&I insurance providers are generally less likely to provide coverage for data and cyber warranties where only limited due diligence has been performed, and – as a starting point in coverage negotiations – insurers will often seek to exclude or materially limit coverage for cyber issues;
  • the nature of the target’s IT systems, including the age and complexity of the target’s IT systems, whether they are generic or bespoke, their ‘fitness for purpose’, and whether they are stand-alone or integrated with the seller’s group; and
  • the target’s sector: more detailed due diligence will be needed for highly regulated, complex industry sectors (eg, financial services, energy or telecoms).[21]

Having said that, most buyers should consider seeking information on:

  • any cyber breach – or attempted breach – suffered by the target during the past three to six years;
  • any breach suffered by a third party engaged by the target that might have compromised the target’s systems or data;[22]
  • any notifications to regulators or individuals about cyber breaches;[23]
  • any internal or third-party reports relating to cyber readiness, vulnerabilities or particular breaches (the buyer should ask for copies, including details of any remediation steps);
  • cybersecurity policies and procedures, and any steps the target takes to test them;
  • those responsible for dealing with cyber risks and incidents;
  • how the target minimises its exposure to cyber risks when entering third-party contracts, including due diligence on third parties and, where cybersecurity services are provided by a third party, the allocation of responsibility and liability for cyber risks;
  • employee training programmes and IT policies;
  • any cyber insurance policies;[24]
  • anything the target has included in its annual reports and accounts on cyber risk management, including any amounts set aside for potential regulator fines; and
  • any formal certifications sought or received, or other efforts to implement recognised information security standards or best practices with which the target complies (including ISO27001, NIST and PCI DSS).

Other data issues to assess on due diligence

Below are some other legal issues affecting data that the buyer should review:

  • Does the acquisition raise antitrust issues? This might be an issue where the parties’ data pools – when combined – could create a monopoly.
  • Could the buyer’s access to the data raise foreign investment concerns where the data is regarded as sensitive? This might lead to the deal being reviewed by relevant government authorities (eg, the Committee on Foreign Investment in the US).
  • Are there product liability issues? This might be a risk if the buyer is looking at creating interconnected products or services in circumstances where the control of the data is relevant to the allocation of risk.[25]
  • What are the tax consequences of how the dataset is structured (or will be structured after closing)?[26]
  • Do sector-specific rules apply? Areas likely to attract sector-specific data laws include telecoms,[27] financial services[28] and healthcare.[29] There might also be special rules if the target provides products or services to children.[30] The European Commission has also proposed a new EU Cyber Resilience Act to, among other things, introduce cybersecurity requirements for hardware and software products with a digital element.[31]

There is also a relatively new trend of buyers seeking to assess a target’s data ethics; for example, conducting due diligence on the ethics of data analytics, including whether there are processes in place to avoid bias and to offer appropriate transparency. In addition to recent UK and EU proposals for AI regulation, the US Federal Trade Commission has publicly expressed its concerns about and readiness to review companies’ application of data analytics and the potential for bias.[32]

Data and cybersecurity warranty protection

A buyer’s approach to warranties and indemnities will depend on various issues, including its negotiating power and the extent of its due diligence. But most buyers will want to obtain warranties that the target:

  • complies with data protection laws, regulator guidance and industry standards – and has done so for three to six years;
  • has received no notices or allegations of non-compliance;
  • has obtained all required consents from data subjects to the processing of their personal data;
  • has rights to use all data collected and generated in its business;
  • complies with best industry practice, or at least relevant standards, on data privacy and cybersecurity;
  • has experienced no cyber incidents, including at its data processors or other key contract counterparties for a specified period;
  • has remedied any identified security weaknesses in its IT systems; and
  • has procedures in place for responding to data crises.[33]

On a data-heavy deal, a buyer will also want to get full warranties about the allocation of rights in data, and contractual issues (eg, breaches) that might affect data licences or data-sharing agreements.

A buyer will sometimes ask for a ‘forward-looking’ warranty that its processing of personal data post-closing will be lawful if the data is used in the same way as it was used before closing. A seller will rarely give this.

If due diligence has revealed that the target is not processing data fairly and lawfully, it might be necessary to approach data subjects for fresh consent to data processing. Subject to antitrust ‘gun-jumping’ rules, this sometimes happens between signing the deal and closing it and, in serious cases, is made a closing condition – usually based on a percentage of consents received. The number of consents received might also affect the final price.

If due diligence reveals a data breach, the buyer might require the seller or target to remedy inadequate security measures, and notify regulators and individuals affected (if required by data protection laws).

Breaches of data laws could lead to fines or compensation claims: if there is a high risk of breach, a buyer might not want to accept financial caps on the data warranties.[34] In deals where data is key, the buyer will sometimes seek indemnities – most often where breaches of data laws or data licences are disclosed and loss is foreseeable.

In addition to any specific disclosures against the warranties, sellers will also often seek to include as a ‘general disclosure’ any information that would be revealed by searches of the websites of data protection regulators. Buyers should seek to narrow any such general disclosures (eg, by limiting them to cover only published enforcement decisions and actions against the target) and perform their own searches of relevant data protection authority websites.[35]

MAC clauses

Occasionally, a seller will ask for cybersecurity events to be carved out of a material adverse change (MAC) clause. MAC clauses, which are more common in the US than Europe, allocate the risk of a MAC happening between signing and closing. If the target suffers a MAC pre-closing, MAC clauses often allow the buyer to walk away from the deal or at least renegotiate the price. A MAC is usually defined generically to capture unforeseeable events that are specific to and adverse to the target business. As such, a buyer should try to resist any carve-out of cyber events from a MAC clause.

Integration and post-closing issues

There will usually be data integration and post-closing issues for a buyer to consider. These will vary, depending on the structure of the sale and what the buyer intends to do with any data acquired. But most buyers will need to think about reviewing the datasets and deleting excess data; conducting IT and cybersecurity checks; analysing whether intended new data uses will require new consents; notifying regulators; and updating data processing arrangements.

Reviewing the datasets and deleting excess data

If the seller is transferring only part of a dataset (eg, if the seller is retaining a product that is sold to certain customers only), there will be a logistical exercise in separating the relevant data. If excess data is transferred, there is a risk of breaching data protection law; for example, the GDPR permits data to be processed only if it is ‘relevant and limited to what is necessary’. The data separation exercise is usually covered in a transitional services agreement or migration plan.

The buyer will need to review the personal data it receives, to ensure compliance. In particular, it will need to delete irrelevant, excessive or out-of-date data. If the seller is retaining data, it will need to ensure that it continues to process the data lawfully and delete any excess data.

Both parties should consider deleting data relating to the transaction itself, unless required to keep it by law or regulatory obligation.[36] They might also need to securely dispose of IT equipment containing personal data.

IT, cybersecurity checks and integration

The buyer will need to check that the IT systems it has acquired are secure.[37] Where a target suffers a data breach, or an existing data breach comes to light, after an acquisition has completed, then data protection regulators are likely to assess what steps the buyer took to investigate the security of the target’s IT systems post-closing and what it did to remediate any issues.[38] For example, in October 2020, the ICO issued one of the highest ever fines under the GDPR to Marriott, in relation to alleged security vulnerabilities in the IT systems of Starwood, which Marriott had acquired in 2016.

There is no ‘one size fits all’ for determining the appropriate level of security, but relevant factors might include compliance with a security certification or framework, like ISO 27001 or NIST, and passing industry standard tests. If a cyber breach occurs, any regulator will typically look at whether the business complied with security or industry standards – although that will not necessarily determine whether the business complied with data protection law or the level of any penalties, particularly if the security standard only applies to certain data or industry standards in a particular sector are low.

The buyer should consider performing ongoing cyber diligence post-closing. If the buyer appoints a cybersecurity consultant for this purpose, any consultant reports might not attract privilege – so they might be disclosable to a court or regulator if a cyber breach occurs later on. This could be a problem if the report reveals multiple failings that are not fixed and are relevant to a later breach. Before commissioning a report, the buyer should clearly define the scope of work and consider how prepared it is to implement any findings. Consultants will often give ‘belt-and-braces’ recommendations,[39] but the cost–benefit analysis for the buyer might not justify fixing all problems disclosed. For these reasons, lawyers and IT experts should work together to review cybersecurity solutions.

The buyer will need to decide whether to migrate any acquired IT systems, or to decommission them and migrate data to its existing systems. Data privacy requirements will be relevant here. For example, where the GDPR applies, these decisions will need to be taken by those with appropriate expertise and understood by senior management to satisfy the accountability principle, data privacy impact assessments might be required, and any data transfer out of the EEA might be restricted. If the buyer decides to decommission the systems, it will still need to implement appropriate security measures for them until they are decommissioned. A regulator is unlikely to look sympathetically on a business that fails to remedy a known vulnerability or to apply simple updates on time, just because a system is due to be retired.

The buyer should follow up on any other pre-closing cybersecurity due diligence findings and take steps to remedy any identified issues. This might include renegotiating cybersecurity services agreements so they appropriately allocate responsibility between the parties, include appropriate liability caps and include appropriate data processing provisions. Other measures the buyer should consider post-closing include:

  • updating internal cyber policies, governance structures and employee training programmes for the target;
  • mitigating any risks arising from the IT team transition (eg, a loss of institutional knowledge if IT employees leave the business); and
  • updating cyber insurance policies.

New data uses: obtaining new consents and informing data subjects

Data protection law might require the buyer to notify data subjects and obtain new consents, including where:

  • the deal is structured as an asset sale, so there is a change of data controller;[40]
  • the buyer wishes to use the target’s personal data for new uses, for example, to cross-market its own products, or to conduct data analysis;[41] and
  • the target intends to make new disclosures of personal data – either intra-group or to third parties – or new data exports.

Often, fair processing notices and requests for consents can be included in other employee or customer communications relating to the deal.

On an asset sale, the buyer will also need to consider rules on electronic marketing. For example, the ICO has issued guidance[42] on buying a marketing database where customers have consented to receiving marketing. The guidance says that the buyer can use it for e-marketing without a fresh consent from each individual only if the buyer was named in the original consent request. This is highly unlikely to be the case in an M&A situation, so fresh consent might be required. Under some US regulations, using personal information for marketing purposes is also strictly controlled.[43]

Notifying regulators

Any change in the data controller might need to be notified to relevant national data protection regulators. There might also be increased fees to pay.

Data processing arrangements

The transaction might have involved transferring data processing agreements to the buyer (eg, agreements with cloud providers). If the buyer already has agreements with the same processors, it might decide to consolidate those arrangements.

Data privacy issues arising from the deal process

The mechanics of most deals will raise data protection issues. These include disclosing or receiving personal data in due diligence, exporting personal data and transitional arrangements.[44] It is also increasingly common to see data-sharing agreements implemented between the seller or target (on one hand) and the buyer (on the other hand) where the parties are sharing material volumes of personal data before completion of the transaction, for example in the context of separation and migration planning.[45]

Disclosing or receiving personal data in due diligence

Disclosing personal data to the buyer during the due diligence process raises data protection issues.[46] There is no general exemption for M&A deals,[47] although there are laws governing specific types of data that the parties might rely on.[48] To try to minimise the risk of a data protection breach, a seller or target should:

  • ensure as far as possible that due diligence materials are made anonymous – this might include aggregating salary data so that individuals’ salaries are not identifiable, using sample contracts rather than actual signed contracts[49] and compiling summaries of any disputes;
  • remove or anonymise all sensitive data;[50]
  • sign a non-disclosure agreement (NDA) with each potential buyer;
  • ensure that any agreement between the seller or target and a virtual data room provider contains GDPR-compliant processor clauses;[51]
  • if appropriate, update privacy notices (including those in employment handbooks) to include data processing for M&A activity; and
  • if it decides to disclose non-anonymised data to the buyer under the GDPR’s ‘legitimate interest’ grounds (or similar), record its assessment of why it can rely on that ground and why it is not notifying the data subjects about the disclosure.[52]
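The first bullet above (aggregating salary data so that individual salaries are not identifiable) is the kind of step a seller's HR or IT team actually has to implement before material goes into a data room. The following is an added example, not code from the article or from GDR, of how such an aggregation can be produced from a raw HR extract: direct identifiers are dropped, salaries are summarised per department and grade, and any group smaller than a minimum headcount is suppressed rather than published, because a group of one or two would reveal individual pay. The employee records, the field names and the minimum group size of 5 are all constructed assumptions for illustration.

```python
from collections import defaultdict
from statistics import mean, median

# Assumed threshold: groups with fewer people than this are suppressed,
# because a mean or median over one or two people reveals individual pay.
MIN_GROUP_SIZE = 5

# Columns that identify a person directly and must never reach the data room.
DIRECT_IDENTIFIERS = {"name", "employee_id", "email"}


def _emp(eid, name, dept, grade, salary):
    """Build one constructed HR record (sample data, not a real extract)."""
    return {
        "employee_id": eid,
        "name": name,
        "email": f"{name.lower().replace(' ', '.')}@example.invalid",
        "department": dept,
        "grade": grade,
        "salary": salary,
    }


# Constructed sample HR extract: Finance/Senior has only two people and must
# therefore be suppressed by the aggregation below.
EMPLOYEES = [
    _emp(1, "Ann One", "Engineering", "Senior", 80000),
    _emp(2, "Bob Two", "Engineering", "Senior", 82000),
    _emp(3, "Cy Three", "Engineering", "Senior", 85000),
    _emp(4, "Di Four", "Engineering", "Senior", 90000),
    _emp(5, "Ed Five", "Engineering", "Senior", 88000),
    _emp(6, "Flo Six", "Engineering", "Senior", 95000),
    _emp(7, "Gus Seven", "Engineering", "Junior", 40000),
    _emp(8, "Hal Eight", "Engineering", "Junior", 42000),
    _emp(9, "Ivy Nine", "Engineering", "Junior", 45000),
    _emp(10, "Jo Ten", "Engineering", "Junior", 41000),
    _emp(11, "Kim Eleven", "Engineering", "Junior", 47000),
    _emp(12, "Lee Twelve", "Finance", "Senior", 70000),
    _emp(13, "Mo Thirteen", "Finance", "Senior", 75000),
    _emp(14, "Ned Fourteen", "Finance", "Junior", 35000),
    _emp(15, "Oli Fifteen", "Finance", "Junior", 36000),
    _emp(16, "Pat Sixteen", "Finance", "Junior", 38000),
    _emp(17, "Quin Seventeen", "Finance", "Junior", 37000),
    _emp(18, "Ray Eighteen", "Finance", "Junior", 39000),
]


def aggregate_salaries(records, group_keys=("department", "grade"), k=MIN_GROUP_SIZE):
    """Summarise salaries per group, suppressing groups with fewer than k people.

    Returns a dict with the publishable rows and a count of what was withheld,
    so the deal team can see that the totals are deliberately incomplete.
    """
    groups = defaultdict(list)
    for rec in records:
        groups[tuple(rec[key] for key in group_keys)].append(rec["salary"])

    rows, suppressed_groups, suppressed_headcount = [], 0, 0
    for key, salaries in sorted(groups.items()):
        if len(salaries) < k:
            suppressed_groups += 1
            suppressed_headcount += len(salaries)
            continue
        row = dict(zip(group_keys, key))
        row["headcount"] = len(salaries)
        row["mean_salary"] = round(mean(salaries))
        row["median_salary"] = median(salaries)
        rows.append(row)

    return {
        "rows": rows,
        "suppressed_groups": suppressed_groups,
        "suppressed_headcount": suppressed_headcount,
    }


def contains_direct_identifiers(rows):
    """Pre-upload check: True if any row still carries a direct identifier column."""
    return any(col in DIRECT_IDENTIFIERS for row in rows for col in row)


if __name__ == "__main__":
    summary = aggregate_salaries(EMPLOYEES)
    assert not contains_direct_identifiers(summary["rows"])
    for row in summary["rows"]:
        print(row)
    print(f"suppressed groups: {summary['suppressed_groups']}, "
          f"people withheld: {summary['suppressed_headcount']}")
```

The suppression count matters as much as the published rows: if a buyer is later given department-level totals as well, a small suppressed group can be recovered by subtraction, so whoever prepares the data room should publish either the grouped view or the totals, not both at a granularity that allows differencing.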

The NDA should, as a minimum, require the potential buyer to:

  • only use the data it receives to help it evaluate the target’s business;
  • treat the data in confidence and not disclose it;
  • comply with applicable data protection laws; and
  • destroy or return the data if the deal does not proceed.

Sometimes, draft NDAs include GDPR-compliant data processor clauses,[53] on the basis that the buyer is deemed a data processor, acting on the instructions of the seller; however, a buyer will usually be a data controller, so no data processor clauses are needed. A buyer will sometimes ask the seller to confirm in the NDA that the disclosure complies with data protection laws. The seller should resist this; instead, it might explain what it has done to reduce any risk, so that the buyer can make its own assessment.[54]

The buyer must ensure its own data protection compliance on due diligence. Under the GDPR, this means satisfying the lawful, fair and transparent requirements when using personal data to assess the target. To satisfy the lawful test, the buyer will usually rely on the ‘legitimate interests’ basis.[55] With regard to transparency, the GDPR requires the buyer to inform data subjects of its identity and the purposes for which the data will be processed. This must be done within a month.[56] The buyer does not need to provide this information if it has already been provided. There is also an exception if informing would involve a disproportionate effort or would seriously impair the objectives of the processing.[57] The buyer can usually rely on this exception in a due diligence exercise. The risk to data subjects is low – personal data will be protected by an NDA and there will be strict limitations on use.[58]

The parties will also need to consider any data export laws if personal data is being sent overseas to the buyer or its advisers. Under the EU GDPR and UK GDPR, respectively, this means considering whether data is being exported to countries without an ‘adequate’ level of protection.[59] The parties might consider using EU standard contractual clauses (SCCs) for exports from the EEA, or the ICO’s international data transfer agreement or international data transfer addendum to the EU’s SCCs for exports from the UK (or relying on the buyer group’s existing data transfer compliance steps). Remote access of a UK- or EEA-located database from a non-UK or non-EEA location is an export (eg, if someone outside the UK or EEA accesses a virtual data room hosted within the UK or EEA). Storing or accessing data in the cloud may also result in an export.

Transitional arrangements

On many deals, the seller will provide services to the buyer on a transitional basis until the buyer has set up its own systems. These services often include payroll or human resources administration, and the seller will, therefore, be processing personal data as a data processor on behalf of the target. The transitional services agreement will need to contain relevant data processing clauses.[60] If the arrangements involve data export, the agreement will also typically need to include relevant data export clauses.[61]

Data collaborations: specific issues

Rather than acquiring a data-heavy target, a business might decide to create and use a dataset in collaboration with another. Many of the issues raised above in relation to M&A will apply equally to data collaborations, but there are some additional traps to be aware of.

Most importantly, the parties will need to agree and specify ownership of and access to data that is contributed and generated by the collaboration. As discussed above, ‘ownership’ of data is not straightforward, and the parties will need to think carefully about how they draft their contracts and structure their operations. Further, it is often not clear what data will be produced by a particular digital collaboration. For example, for a retail digital offering, it is often necessary to work closely with the technical teams to analyse each step of a customer’s journey to identify every dataset that will be generated. Only then can the parties allocate ownership, access and use rights for each dataset.

There is also a risk where one party contributes a dataset containing personal data: this will, for example, restrict any profiling or analytics that can be conducted on the resulting dataset. Before a party contributes any personal data, it will need to check that it has the relevant consent or other rights to use it.[62] If not, the other party might seek a closing condition that the data be anonymised – and possibly vetted by a third-party anonymisation expert. The parties should also consider whether they need to have a data-sharing agreement or terms in place for data privacy purposes, including to allocate responsibilities where the parties are joint data controllers.

Antitrust issues can also arise in collaborations if the parties are pooling their data – carefully drafted data-sharing agreements can mitigate the risk.

Notes

[1] Breaches of the GDPR can result in enforcement action, fines of up to the higher of €20 million and 4 per cent of global group-wide turnover, and criminal liability for directors. The GDPR was incorporated into UK law at the end of the transition period for the UK’s exit from the EU (the UK GDPR). References in this chapter to the GDPR include references to the UK GDPR, unless otherwise stated. Fines under the UK GDPR are set at the higher of £17.5 million and 4 per cent of global group-wide turnover.

[2] Putting a specific cash value on data is difficult. There have been several attempts to solve this but no definitive answer. It is possible to calculate enterprise value using revenue derived from products based on data, but there is no established methodology that can set a plausible monetary value on raw data itself. Investors in data-rich companies often need bank financing to pay for acquisitions, yet data is not included on the target’s balance sheet. As the data economy grows, we are likely to see new valuation methodologies emerge.

[3] For example, the increase in data localisation laws is likely to increase compliance costs for those with large personal datasets. The proposed EU Data Act would also, among other things, require companies holding (personal and non-personal) data generated from the use of connected products, to make that data available to third parties at the user’s request and, as such, might affect the value of the data that those companies hold.

[4] The European Court of Justice confirmed that this was the key test in the case of The British Horseracing Board Ltd and Others v William Hill Organization Ltd (C-203/02).

[5] See Technomed v Bluecrest [2017] EWHC 2142 for an example of one such case.

[6] Agreement on Trade-Related Aspects of Intellectual Property Rights, article 39.2.

[7] General Data Protection Regulation (GDPR), article 4(11).

[8] GDPR, article 9(2)(a) and article 49(1)(a).

[9] For the UK Information Commissioner’s Office (ICO) guidance on consent under the UK GDPR, see ICO, ‘Consent’. For guidance under the EU’s GDPR, see European Data Protection Board (EDPB), Guidelines 05/2020 on consent under Regulation 2016/679.

[10] GDPR, articles 5–9.

[11] 16 Code of Federal Regulations (CFR) §313.6.

[12] 45 CFR §164.520.

[13] As at the time of writing, 11 states have passed new general data privacy laws, and that number is expected to grow aggressively in the coming year.

[14] Articles 13 and 14 GDPR; for the US, see generally, notes 11–13.

[15] For the ICO’s guidance on fair processing notices under the UK GDPR, see ICO, ‘The right to be informed’. For guidance under the EU’s GDPR, see the Article 29 Working Party (WP29), Guidelines on transparency under Regulation 2016/679, WP260 rev.01. The EDPB replaced WP29, which ceased to exist on 25 May 2018. During its first plenary meeting, the EDPB endorsed some of the WP29 Guidelines, including those on transparency, data protection impact assessments (see footnote 17) and automated individual decision-making and profiling (see footnote 18). The endorsed WP29 Guidelines are available on the EDPB’s website.

[16] The GDPR reduced the amount of information that businesses had to register with data protection regulators, but there is still some information that a buyer can check via the regulator websites, including fees paid and notices issued.

[17] For the ICO’s guidance on data protection impact assessments under the UK GDPR, see ICO, ‘Data Protection Impact Assessments (DPIAs)’. For guidance under the EU’s GDPR see WP29, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is ‘likely to result in a high risk’ for the purposes of Regulation 2016/679, WP248 rev.01.

[18] For the ICO’s guidance on profiling under the UK GDPR, see ICO, ‘Automated decision-making and profiling’. For guidance under the EU’s GDPR, see WP29, Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, WP251 rev.01.

[19] For the ICO’s guidance on ‘privacy by design’ under the UK GDPR, see ICO, ‘Data protection by design and default’. For guidance under the EU’s GDPR, see EDPB, Guidelines 4/2019 on Article 25 Data Protection by Design and by Default.

[20] If cybersecurity is likely to be a big issue on a deal, the buyer might bring in specialist technical consultants, who work alongside the lawyers on the due diligence. Increasingly, a buyer might engage a third party to perform threat assessments on the target business, although that type of due diligence should itself be tested for whether it risks breaking any laws regarding hacking. Other deep-dive cyber checks might include researching whether the target’s data has been disclosed on the dark web.

[21] See, for example, the EU’s second Network Information Security Directive, which is required to be transposed into Member State law by 17 October 2024. The UK is also in the process of reforming its own network information security laws.

[22] The 2013 hack of US retail giant Target was reportedly caused by hackers accessing its systems via its third-party air conditioning supplier.

[23] Many data privacy laws require businesses to notify regulators and individuals affected by serious cyber breaches. For the ICO’s guidance on personal data breaches under the UK GDPR, see ICO, ‘UK GDPR data breach reporting (DPA 2018)’. For guidance under the EU’s GDPR, see EDPB, Guidelines 01/2021 on Examples regarding Personal Data Breach Notification.

[24] The buyer should carefully assess the adequacy of the cyber insurance coverage. Many policies contain exclusions or limitations for third-party claims, damage to physical property, or loss of data – which are exactly the sorts of losses that might be caused by a cyberattack.

[25] Historically, product liability laws have channelled liability towards the maker of a defective product. That makes sense in a world where manufacturers exercise control over the design and manufacture of their products, where they are better placed than others to judge any risks – and where they can insure against the risks. The law has also allowed them to limit the scope of their liability – a claim against a manufacturer might well fail if the customer did not use it according to the manufacturer’s instructions. But existing liability regimes struggle with interconnected products. These involve sophisticated interdependencies between hardware, software, networks and data. Where something goes wrong, this makes it hard to determine who is – and, as a matter of legal principle, should be – liable.

[26] Historically, taxation has been linked to where a business is established, and that question has included looking at where a business’s data is stored, but, to reflect the digital economy, regulators are now moving towards looking instead at where a business’s customers are based. This leaves less room for businesses to structure their digital assets – including their data – so as to minimise tax exposure.

[27] For example, the UK’s Investigatory Powers Act 2016 regulates surveillance and the interception of communications data.

[28] For example, the US Gramm-Leach-Bliley Act and its related regulations contain provisions to protect consumer financial privacy.

[29] For example, the US Health Insurance Portability and Accountability Act (HIPAA), and its related regulations, govern the management of patients’ health data by certain categories of entities.

[30] For example, the US Children’s Online Privacy Protection Act.

[31] European Commission, ‘Cyber Resilience Act’.

[32] For the EU proposal, see Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts. For the UK government’s March 2023 white paper on AI regulation, see GOV.UK, policy paper, ‘A pro-innovation approach to AI regulation’. See also US Federal Trade Commission (FTC), press release, ‘FTC Report Warns About Using Artificial Intelligence to Combat Online Problems’, 16 June 2022; FTC, business blog, ‘Aiming for truth, fairness, and equity in your company’s use of AI’, 19 April 2021.

[33] Warranties are often qualified by the seller’s or target’s ‘knowledge’ – a buyer should accept that qualification only if: the seller or target has sufficient measures in place to flag up risks; and ‘knowledge’ is properly defined (eg, referring to the DPO’s knowledge).

[34] On tech deals, IP ownership and non-infringement warranties are sometimes treated as ‘fundamental warranties’, with higher – or no – liability caps.

[35] The ICO now publishes datasets naming organisations that have been subject to reprimands, complaints and other concerns brought to its attention, which could limit the scope of the data protection and cybersecurity warranties if the general disclosure were included in the disclosure letter.

[36] In an auction sale, unsuccessful bidders should also delete or return to the seller any data received on due diligence.

[37] Article 32 of the GDPR requires personal data to be processed securely.

[38] For example, the ICO has said: ‘The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.’

[39] Not least because they may view the exercise, in part, as a pitch.

[40] Under article 14(3) of the GDPR, the buyer must give the data subjects notice of the change of data controller within a reasonable period, and no later than one month.

[41] For new uses, the buyer might be able to rely on the GDPR’s exception to the rule requiring notices to be given if this would involve ‘disproportionate effort’. But a full assessment will be needed. In 2015, the Bavarian Data Protection Authority (DPA) imposed a fine relating to an asset deal where personal data was transferred by the seller and used by the buyer. Email addresses were transferred and processed for marketing purposes without data subject consent and without data subjects being informed or given an opt-out. (The case was decided under the pre-GDPR regime, but would very likely be decided the same way under the GDPR.) See Bavarian DPA, press release, ‘Kundendaten beim Unternehmensverkauf - ein Datenschutzproblem’.

[42] ICO, ‘Direct marketing’, 6 March 2018; ICO, ‘Direct marketing: detailed guidance’, 5 December 2022.

[43] 16 CFR §§313.12 (prohibiting the provision of certain account details for marketing use) and 313.13 (governing joint marketing); 45 CFR §164.508(a)(3) (requiring patient consent for the use of protected health information for marketing).

[44] If the seller reorganises its group to prepare the target for sale, this might also raise data protection issues – particularly where personal data is transferred to a new data controller.

[45] The UK Information Commissioner’s data-sharing code contains guidance on how to treat disclosures on M&A. Among other things, it says: ‘seek technical advice before sharing data where different systems are involved: there is a potential security risk that could result in the loss, corruption or degradation of the data.’ See ICO, ‘Due diligence when sharing data following mergers and acquisitions’.

[46] As well as GDPR issues on disclosure, there might be other local law issues.

[47] A rare exception is the US HIPAA, the implementing regulations of which provide a limited exception for due diligence in corporate transactions. See 45 CFR §164.501 (definition of ‘healthcare operations’), §164.506(a) and (c)(1).

[48] For example, the UK Transfer of Undertakings (Protection of Employment) Regulations 2006 require the seller to give the buyer certain information about transferring employees, including their identities (the ‘employee liability information’). That information may legally be disclosed under the GDPR, as article 6(1)(c) GDPR permits any disclosure of non-sensitive data that is required by law. A seller must still take care to ensure that any employee information not caught by the regulations and any sensitive data is anonymised. The regulations will not apply on a share sale, so employee data shared pre-closing will typically need to be anonymised (or consent obtained, if practical).

[49] Names and signatures on contracts disclosed in due diligence are technically personal data, but these are not usually redacted in practice. This is mainly on grounds of pragmatism – although it is arguable that individuals who have signed contracts have consented to have their name and signature processed in this way.

[50] Examples relating to employees might include information about their health conditions or trade union membership.

[51] Required under article 28 of the GDPR where there is a controller–processor relationship.

[52] The UK ICO’s guidance on the legitimate interests provision under the UK GDPR states that it is good practice for the data controller to document its assessment as to why the provision is met. The guidance includes a template for documenting the assessment. German data protection authorities have issued collective guidance on transferring customer data on asset deals. The guidance considers whether consent is required or whether it is possible to rely on the legitimate interests basis. It says that, for instance, customer data relating to ongoing claims may be transferred on the basis of legitimate interest, whereas sensitive data may be transferred only if consent is obtained. (The Berlin and Saxony regulators did not, however, endorse the guidance.)

[53] Required under article 28 of the GDPR where there is a controller–processor relationship.

[54] A buyer will sometimes also seek data protection compliance warranties in the sale agreement that relate to disclosures of information in the context of the transaction. A sensible seller response is to recommend that each side get its own data protection advice for the purposes of the transaction.

[55] It should make a written record of its decision to rely on that basis (see footnote 52).

[56] GDPR, article 14.

[57] GDPR, article 14(5)(b).

[58] Given the rise in homeworking in various countries, many advisers have introduced protocols to ensure that confidential materials are not printed out or are properly destroyed.

[59] The list of countries declared ‘adequate’ under the EU’s GDPR can be found at European Commission, ‘Adequacy decisions’. In June 2021, the European Commission found the UK to be ‘adequate’ for most purposes, following the exit of the UK from the EU. In July 2023, the European Commission adopted an adequacy decision in respect of US companies joining the EU-US Data Privacy Framework, and the UK and US governments have agreed in principle to work to establish a UK extension to the Data Privacy Framework that would apply in respect of personal data exports from the UK to the US.

[60] As required under article 28 of the GDPR.

[61] GDPR, article 46.

[62] In March 2020, the Dutch regulator imposed a €525,000 fine on the (non-profit) Royal Dutch Lawn Tennis Association for selling the personal data of its members to its sponsor partners for marketing purposes without the members’ consent. The Association argued that it could share the data under the ‘legitimate interest’ basis because its members would get some value from receiving marketing offers (for tennis equipment) and because it needed extra income owing to declining membership numbers. The regulator did not consider this to be a legitimate interest.
