M&A practitioners are more and more confronted by GDPR issues when assisting their clients. This matter was addressed by FLINN during the 14th International M&A Conference, which took place from 1 to 3 November in the prestigious TRIANON PALACE hotel in Versailles.
Our clear aims were to make the audience aware of such issues, to think about compliance within their own law firms and to exchange information about the actions of the Data Protection Authorities located in the various jurisdictions represented.
Leonard Hawkes (FLINN’s DPO), illustrated the issues faced by buyers by reference to ICO’s intent to fine MARRIOTT INTERNATIONAL more than £99 million for failing to adequately address data protection issues during its acquisition of STARWOOD HOTELS in 2016. Seemingly, Starwood’s systems were compromised in 2014 but the data breach was not discovered until 2018. Around 30 million guest records related to EU residents (and 7 million related to UK residents) were compromised.
Information Commissioner Elizabeth Denham commented: “The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measuresto assess not only what personal data has been acquired, but also how it is protected”. (Our emphasis).
Exchanges with the delegates confirmed that the proactivity of the Data Protection Authorities (DPAs) varies from jurisdiction to jurisdiction. The UK and France are clearly ahead of the European ‘peloton’, with ICO fines exceeding UK£ 187 M also proposed against British Airways and a € 50 M fine imposed by CNIL on Google. Italy (with a € 10 M fine against Facebook), the Netherlands (€ 600 K against Uber) and Spain (€ 250 K against La Liga, Primera Division Football League) follow. In other countries, perhaps those where DPAs have less resources available, the number of cases is lower and fines (so far) less significant. In Belgium for instance the biggest fine for disproportionate behaviour was imposed on a retailer who forced its customers to remit their ID-cards to obtain a loyalty-card.
Benoit Simpelaere concluded that acquiring companies in countries with proactive DPAs need specific attention and additional due diligence, certainly if the target is active in a B2C or a ‘big’ or ‘sensitive’ data environment (retail online business, marketing agencies …). However, the fact that many DPAs, across the EEA, are still organizing their operations needs to be taken into account. More verifications and fines can be expected in future.
To the extent that GDPR issues are tackled early in the acquisition process they may well have an important influence on the drafting of the Heads of Terms or Memorandum of Understanding. FLINN’s slides (click here) contain some examples of questions that buyer’s counsel may want to ask during the due diligence (DD) exercise. Finally, information from the DD results will influence the decisions on appropriate data protection representations and warranties and specific indemnification clauses.
Based on the currently available statements about the Marriott case (and the amount of the proposed fine had not been confirmed by ICO at the beginning of November 2019) a buyer might also implement technical and security solutions to mitigate data protection risks, by carrying out remedial measures post-acquisition if a potential threat is uncovered, or where it is unclear that data subjects provided an active informed consent for processing of their data. (A note of caution about adequately documenting those decisions and processes needs to be sounded, as erasure of data falls within the definition of ‘processing’. Moreover once a breach is uncovered there are 72 hours to inform the relevant DPA.)
From the Seller’s side, questions raised included the extent to which it remains possible to enter into an asset deal that includes a transfer of personal data where no express informed consent for such transfer has been given. Appropriate drafting of the fair processing statements made when personal data are obtained, so that they include a change of control permission, will help prevent such problems arising in future. Otherwise, it may be necessary to assess if Article 14 GDPR (which provides a mechanism requiring a controller to provide fair processing information to data subjects whose information has been acquired indirectly) could be used as a basis for remedial measures.
Sellers should use appropriate techniques (such as anonymization) to prevent unnecessary disclosures of personal data when setting up their data room or preparing vendor’s due diligence. They also need to document any disclosures that are made, particularly if they intend to use the ground of “legitimate interest” as the legal basis for making such disclosures. (Moreover, they should carry out appropriate anti-trust assessments when deciding what disclosures to make.) Using professional data-room providers who can certify that they provide secure GDPR compliant services looks crucial.
The 14th International M&A Conference was a “grand-cru” edition. It included a visit to the exceptional Camondo Mansion in Paris’ 8th arrondissement before dinner on Saturday, thanks to the huge and greatly appreciated efforts of its organizers : Dr. Andreas Lachmann (RWP) founder of the conference, Matthieu Bringer (Guillemin Flichy) and Nicolas Maubert and Cecilia Della Berta (RiveDroit Avocats).