Law360, New York (February 21, 2014, 9:36 PM ET) -- A German data protection official on Thursday
ripped Facebook Inc.’s planned $19 billion acquisition of mobile-messaging service WhatsApp,
highlighting the growing need for deal makers to tap privacy attorneys to consider the tricky data security
issues that often draw regulatory scrutiny.
A day after Facebook announced it would fork over $4 billion in cash, $12 billion in stock and another $3
billion in shares down the line for venture-backed WhatsApp, the data authority of the German state of
Schleswig-Holstein delivered a stinging warning that the blockbuster acquisition could hand Facebook the
key to WhatsApp's dossier of smartphone messaging content and metadata and worsen ongoing breaches of
national and European data secrecy rules.
Users should abandon WhatsApp and switch to "trusted services" like Swiss messaging providers Threema
and myEnigma, which are subject to an "effective data protection regime" and feature end-to-end
encryption, the regulator declared.
“The German data protection commissioner’s criticism of the WhatsApp acquisition because of data
security concerns highlights the increasing importance of privacy issues in M&A,” Cohen & Gresser LLP
intellectual property practice chair Karen Bromberg said. “These concerns are even more critical in
[conducting] M&A due diligence for cross-border deals, [which] requires specialized knowledge about the
vastly different data protection laws and regulations in the European Union, the United States and other
The role for privacy attorneys in corporate deals has been steadily growing as valuable assets become
digitized and high-profile data breaches at companies such as Target Corp. and Adobe Systems Inc. push
data protection issues into the public radar.
“Anytime a company is considering an acquisition, in today's world it is vitally important to understand the
data, especially personal information, that the seller collects, uses and discloses; the laws that apply to that
data; and what policies and procedures the seller follows to account for the applicable legal framework,”
Hogan Lovells partner Timothy Tobin said.
As data privacy takes center stage, a trend toward rounding out transactions teams with experts in the
complex laws and regulations governing the collection, use and transfer of data has picked up momentum,
according to attorneys.
“Often corporate lawyers that deal with transactions will come across specific privacy law issues or concerns that they want privacy law experts to look at so that they can have a level of comfort that they've
structured the deal appropriately and understand the impact of privacy law,” said Robert J. Scott, the
managing partner of Scott & Scott LLP. “It's definitely gaining traction as a recognized subspeciality by
lawyers and clients seeking specific privacy advice.”
A company that fails to consider the privacy and data security risks posed by a deal could end up with more
than it bargained for, particularly when vast troves of consumer data are in play, attorneys say.
“You want to have some confidence that the company you're buying has not had serious privacy breaches
or a privacy regime that is inadequate, because if it has, then the buyer is not just acquiring the company or
its assets, but it's also buying a potential wave of privacy lawsuits or regulatory investigations,” said
Michael Gold, Jeffer Mangels Butler & Mitchell LLP privacy, information management and data protection
The German regulator's response to Facebook's attention-grabbing acquisition centers on concerns over
how the social networking giant plans to profit from the data assets it will scoop up. While WhatsApp touts
its ad-free, private messaging, Facebook has faced intense scrutiny over the way it uses consumer data for
advertising and other money-making purposes.
In a blog post Wednesday, WhatsApp co-founder Jan Koum vowed that “nothing” would change because
the company would continue to operate independently. That pronouncement has met with skepticism from
the German regulator, which in the past has fought unsuccessfully to apply the country's data protection
law to Facebook's practices.
But the companies should be able to stay out of serious legal trouble if they stick to their stated plan,
according to attorneys.
“It's going to be interesting to see how the data of WhatsApp users is treated and how Facebook goes about
integrating the very expensive new data assets into their platform,” Thompson Hine partner Roy Hadley
Even if no legal consequences result, the issues raised by the deal and other recent high-profile
transactions, such as Facebook's $1 billion purchase of Instagram and Google Inc.'s $3.2 million
acquisition of Nest Labs Inc., highlight the importance of retaining experts to advise on privacy issues,
“Anytime you have more scrutiny of these types of deals that involve companies like Facebook and Google
that have so much personally identifiable information about individuals, that always creates more
awareness,” Scott said.
Since WhatsApp has a large base of international users, the deal also illustrates the importance of taking
into consideration how a tie-up comports with international data protection and transfer laws.
“In the U.S., there is going to be more of a competition focus in a regulatory review, related to how fair a
deal is, as opposed to the EU, where privacy and security laws are more robust,” Hadley said. “That likely
means that regulators in the EU are going to raise more privacy flags when deals come up as opposed to in
With the increased risk of exposure, acquisition partners are increasingly concluding that the consideration
of privacy and data security issues — and the retention of experts in the field — are essential to the
completion of a robust and headache-free deal.
“It’s a lot of work, but the stakes are too high to cut corners,” Bromberg said.