Due diligence

Typical areas

What are the typical areas of due diligence undertaken in your jurisdiction with respect to technology and intellectual property assets in technology M&A transactions? How is due diligence different for mergers or share acquisitions as compared to carveouts or asset purchases?

Typically, as part of due diligence, a buyer looks at whether the IP assets that are necessary to conduct the target company’s business are owned by or licensed to the target company. Among the owned IP assets, it is key to assess whether the target company is the only owner or whether those IP assets are co-owned with third parties (including the target company’s affiliates) to anticipate any potential future licence-back or cross-licence agreements that may need to be entered into with such third parties. The buyer will also enquire about whether the owned IP assets are subject to any potential claim from third parties, contractors or employees who may have participated in the creation of those IP rights. This is also a key issue in respect of software given that most software is developed using open source libraries, which can be contaminating, and thus can subject the target company’s software to certain restrictions in terms of use and distribution.

With respect to the licensed IP assets, the focus at due diligence is whether the target company is the exclusive or sole licensee (ie, whether the target company is the only one authorised to use the licensed IP assets or if the licensor can also use them, in both cases to the exclusion of any third party), or whether the licence is non-exclusive (ie, third parties can also use them). Most valuable IP assets are usually owned by, or licensed exclusively to, the target company. This assessment requires a thorough review of the different agreements entered into by the target company, including assignment, licence, pledge, customer, service and lease agreements, as well as related terms and conditions. When a carveout is contemplated, acquirers should also ensure that the resulting company will have the necessary IP rights (by way of assignment or licence if the relevant IP rights are to be used by both companies) to conduct its business independently.

Another key area of due diligence is data protection. With the entry into force of the GDPR and the significant sanctions that are now available to data protection authorities, potential buyers are all the more focused on the target company’s compliance with data protection legislation.

Customary searches

What types of public searches are customarily performed when conducting technology M&A due diligence? What other types of publicly available information can be collected or reviewed in the conduct of technology M&A due diligence?

A potential investor or buyer usually carries out searches in publicly available IP databases (eg, INPI for French IP registrations, OAMI for EU IP registrations or the World Intellectual Property Organization for international registrations) to verify the accuracy of the IP-related information provided by the target company. The findings of the searches usually include the name of the registered owner, the dates of registration and potential expiration, the existence of any registered licence or security interest or any other potential type of restraint (such as limited class of products or services for trademarks, or non-payment of the renewal fee in a given country for a patent).

Private databases, that is, databases requiring a subscription fee, may give additional relevant information, including the existence of any past or pending litigation involving the target company as a claimant or as a defendant or involving the target company’s IP assets.

In some cases, such IP databases may also allow the identification of any prior or posterior IP rights owned by third parties, which could constitute an obstacle to the use by the target company (and the potential buyer post-closing) of its IP assets.

With respect to data protection, before the entry into force of the GDPR, the data protection authorities often provided for the list of formalities to be carried out by companies on their respective websites. Even though the GDPR no longer requires formalities to be carried out (since data controllers and processors must keep a register of their data protection activities), such information may still be relevant to assess the target company’s compliance for the period before 25 May 2018.

Registrable intellectual property

What types of intellectual property are registrable, what types of intellectual property are not, and what due diligence is typically undertaken with respect to each?

Not all types of intellectual property are registrable in France. The following are registrable: trademarks, patents, designs and semiconductors. In contrast to common law countries, France does not provide for registration of author’s rights (equivalent of copyrights in the United States).

Software is not registrable; however, source code may be held in escrow by a third party, such as a public notary or an agency dedicated to software (eg, the APP, the Agency for the Protection of Programs).

Acquirers will usually need to be provided with the list of intellectual property owned or used by the target company or necessary to run the target company’s business on a stand-alone basis. This is particularly important in respect of non-registrable intellectual property since it cannot be found, traced or verified on public databases. The assessment of the nature of non-registrable intellectual property that the target company owns or uses and of the potential associated restraints can be conducted by reviewing the target company’s rights and obligations provided under related contracts.

In addition, and as mentioned in the response to question 5, due diligence undertaken with respect to registered IP assets includes verification of the name of the registered owner, the dates of registration and potential expiration, the existence of any registered licence or security interest or any other potential type of restraint (such as limited class of products or services for trademarks, non-payment of the renewal fee in a given country for a patent, etc).

Liens

Can liens or security interests be granted on intellectual property or technology assets, and if so, how do acquirers conduct due diligence on them?

Yes, specific liens and security interests can be granted on IP rights (eg, trademarks, patents, movies, designs, domain names, software and databases). For unregistered IP rights (such as domain names, software and databases), since there is no legal provision specifically relating to the grant of security interests thereon, it is important to identify the register or the database on which the lien or security interest should be recorded and how to ensure that the lien can be enforced against third parties. Intellectual property rights can also be part of the liens and security interests taken on the tangible and intangible assets of the grantor.

Employee IP due diligence

What due diligence is typically undertaken with respect to employee-created and contractor-created intellectual property and technology?

When intellectual property is developed or created by an employee or a contractor, it is important to ensure that the rights in such intellectual property are vested in the target company. Patentable inventions that are developed by employees as part of their employment and during the performance of their duties are automatically assigned to the employer, who must pay additional compensation to the employee for such assignment. Those patentable inventions that are developed by employees outside the scope of their employment but using resources provided by the employer belong to the employee; the employer may, however, ask to be assigned ownership in consideration of a fair price. Inventions that are developed by employees outside the scope of their employment using their own resources belong to the employee (article L. 611-7 of the French Intellectual Property Code).

Software created by employees within the scope of their employment automatically belongs to the employer unless the employment agreement provides otherwise (article L. 113-9 of the French Intellectual Property Code).

All other intellectual property created by an employee or contractor belongs ab initio to the employee or contractor and, therefore, must be expressly assigned in writing to the employer. It is recommended that copyright assignments be detailed, in particular in respect of the scope of the economic rights to be assigned. However, assignment of future economic rights in works is not allowed.

Transferring licensed intellectual property

Are there any requirements to enable the transfer or assignment of licensed intellectual property and technology? Are exclusive and non-exclusive licences treated differently?

Transfer or assignment of licensed intellectual property and technology must be registered on the relevant IP register to become enforceable against third parties. In practice, non-exclusive licences are not registered. Depending on the terms of the licence agreement, consent of the licensee may be required for the transfer or assignment of the licensed IP and technology. Indeed, such transfer will most likely imply the transfer or assignment of the licence itself.

Software due diligence

What types of software due diligence are typically undertaken in your jurisdiction? Do targets customarily provide code scans for third-party or open source code?

When software is a key asset of the transaction, specific software due diligence will help with assessing the rights and obligations of the target company associated with such software. The following due diligence is typically undertaken as part of this software audit:

  • identifying whether the software owned or used by the target company is proprietary or open source-based and who actually developed the source code (the target company’s employees or outside contractors);
  • verifying that all of the IP rights in the software are vested in the target company;
  • identifying any open source software, including open source software used to develop the target company’s software, and associated licence terms (eg, Apache) as those licence terms may apply to the software into which open source components have been integrated (contamination effect);
  • detecting vulnerabilities in the software components and identifying components that are not in use, are slowing the software’s operation or need to be updated or upgraded; and
  • assessing whether the software used by the target company is the most efficient and reliable software for the target company.

It is not customary for targets to provide scans for third-party or open source code.

Other due diligence

What are the additional areas of due diligence undertaken or unique legal considerations in your jurisdiction with respect to special or emerging technologies?

The legal framework with respect to special or emerging technologies is itself emerging or non-existent. Additional areas of due diligence undertaken or unique legal considerations with respect to such technologies focus on the following key legal issues:

  • for artificial intelligence, whether the software performs tasks that are regulated (eg, providing legal or financial advice);
  • for internet of things and autonomous driving, personal data and liability; and
  • for big data, security and personal data, especially focusing on how the system has taken into account the purpose limitation enshrined in the GDPR.