Due diligence

Typical areas

What are the typical areas of due diligence undertaken in your jurisdiction with respect to technology and intellectual property assets in technology M&A transactions? How is due diligence different for mergers or share acquisitions as compared to carveouts or asset purchases?

Since the target’s technology and IP are the most valuable assets to an acquiring technology company, a thorough and comprehensive due diligence of such assets is essential to ensure future revenue streams and restrict legal actions in the post-merger phase. Such due diligence usually focuses on owned IP, third-party IP, IP disputes and IT assets.

An important feature of the review is analysing the ownership of the IP. Under Belgian copyright law, software is protected for up to 70 years after the death of the author. However, only the form and expression of the idea is protected.

Anyone is allowed to write a program with the exact same functionality, provided that it is based on a self-developed source code. Just because the target company owns the IP of a certain software, does not mean that it is protected against the copying of the idea. A solution could be found in patenting the software but that method is, in the European context, no guarantee, since there is great disagreement about the patentability of software.

The due diligence should not only focus on the ownership and value of the IP rights, but also – and foremost – on their transferability.

The objective of any IP due diligence audit would be to answer one or more of the following questions about the target’s technology assets:

  • What was the origin of the technology asset?
  • When was the technology asset first conceived and when was the development completed?
  • Who are the people who could claim to be an inventor or author?
  • What types of IP rights might be available to protect the technology asset and have those rights been protected?
  • Has any employee, consultant or other third party used any trade secrets or proprietary technology of others in the development, support, maintenance or enhancement of the technology asset?
  • Does any third party have IP rights that could be violated by past or future uses of the technology asset?
  • Have any offers of licences or assertions of proprietary rights infringement claims been received and is there any litigation pending or threatened?
  • Where consultants or independent contractors have been used to develop the technology asset, have adequate measures and agreements been taken to protect the proprietary interests of the hiring party and to ensure that the hiring party owns the rights to the technology asset?
  • If any portions of the technology asset were purchased or licensed from third parties, what rights were acquired by the technology company? Are there any obligations that, if breached, could result in a reversion of rights back to the third party?
  • Have necessary registrations been made and transfers recorded with the appropriate agency?
  • Has the technology asset been used to secure performance of any obligations or are they encumbered by any security interests or liens?
  • Do third parties hold any licence rights, joint ownership rights or other rights in the technology asset?
  • Is the technology asset substantially similar in function, appearance or coding to the technology asset of others?
  • If proprietary materials and documentation of the company are held in escrow, what are the terms of the escrow arrangement (eg, conditions for release)?
  • Are the technology assets sufficient to operate the licences?
  • Are there any restrictions on the company’s technology assets (eg, exclusive rights of first refusal or negotiation, non-competition, pricing restrictions, no-assignment or change-of-control provisions)?

 

The answer to these questions may affect the value of the technology asset to be acquired and be determining for the decision whether or not to acquire the target company or the technology asset at all.

Another specific area of due diligence that is typically conducted in a technology M&A transaction is privacy and cybersecurity due diligence.

If a target’s data processing activities are not in line with applicable data protection laws, this entails major risks for the buyers. Violations of data protection laws within the European Union are, since the adoption of the General Data Protection Regulation (GDPR), subject to fines up to €20 million or up to 4 per cent of the total worldwide annual turnover.

Recent high-profile data breaches on companies like Yahoo!, Equifax, Target, Anthem, Uber, Facebook and British Airways have highlighted the risks associated with data security. Data breaches subject companies to significant liability arising from shareholder lawsuits, government investigations, remediation costs and reputational damages. According to Juniper Research, the global cost of data breaches will rise to US$5 trillion by 2024. Moreover, national data protection authorities (including the Belgian Data Protection Authority) have been delivering already a substantial number of decisions and have been imposing very high fines in 2019–2021, which show the importance of the GDPR in general. The record fine of €746 million imposed on Amazon by the Luxembourg DPA also shows that the GDPR has a real impact and should not be neglected.

Without sufficiently evaluating whether a target is  compliant with data protection requirements, buyers risk acquiring a non-compliant business and thus buying into the hazard of serious fines or lawsuits from data subjects.

The only way to understand and mitigate these data protection risks is a comprehensive evaluation of the target. At best, identified non-compliance can be cured prior to closing (eg, by immediate actions of the target curing non-compliant behaviour itself). Where this is not possible or feasible, the identified non-compliance can at least be factored into the risk assessment and valuation in the course of the purchase decision. The parties can also agree to conduct a data protection audit shortly after closing, splitting the costs thereof, to remediate any possible breaches as soon as possible.

To assess a target’s data protection compliance status, the following documents should be requested by buyers (provided by the seller) in the due diligence process:

  • a record of processing activities (to verify that all of the target’s processing activities were for lawful purposes and whether the data can be processed for other purposes);
  • relevant data protection documents (eg, privacy notices, guidelines, works council agreements, consent forms, data-processing agreements, joint controller agreements and data-sharing agreements);
  • IT, data protection and security concept, documentation of technical and organisational measures;
  • an expert session with data protection officers or other informed experts, and possibly the contract, description of tasks and place in the target’s organisational chart of the data protection officer;
  • documentation of data protection-related self-assessment (eg, on a balance-of-interests test);
  • a presentation of data protection organisation and data protection processes (in particular, relating to handling data subjects’ requests or the deletion of personal data);
  • documentation of all personal data breaches and evidence of related communications with the data protection authorities and the data subjects;
  • any data protection impact assessments carried out;
  • proof that IT programs used by the target are GDPR-compliant (eg, human resources, payroll software, monitoring equipment and geolocation equipment);
  • cybersecurity policies and response policies;
  • information on all regulatory or criminal proceedings in relation to data protection issues (eg, correspondence with data protection authorities);
  • information on all other disputes with data subjects (eg, civil claims);
  • supporting documents that the target secured all essential rights to commercially use personal data and only for current or also for new purposes (eg, provisions in general terms and conditions, individual contracts, in the supply chain); and
  • data privacy or cybersecurity insurance coverage.

 

Also relevant in this context may be the target's compliance with the Belgian Network and Information Security Act of 7 April 2019 (the NIS Act) which applies to operators of essential services such as energy, transportation, banking and health, but also to providers of digital infrastructure (including providers of digital services such as online sales platforms, search engines and cloud computing services). The NIS Act provides for higher cybersecurity standards in these sectors and also includes obligations with regard to data protection and procedures in case of data breaches, whereby this data does not only compass personal data. Its scope is, therefore, broader than that of the GDPR. The NIS Act is based on the European NIS Directive (EU 2016/1148), which is currently being revised by the European Commission. Its importance is set to grow, as the revised text may also target ‘important’ entities such as postal and courier services, manufacturing and food production. Moreover, the introduction of GDPR-like sanctions is also likely, amounting up to €10 million or up to 2 per cent of the total annual worldwide turnover of the respective entity.

A third area of specific due diligence that may be more relevant in technology M&A transactions involves the IT systems (eg, encryption, restriction of access, passwords and the safeguarding of sensitive data). IT systems will include hardware and software. With respect to hardware, relevant due diligence information could include:

  • diagrams of the hardware infrastructure;
  • an inventory of the relevant hardware assets;
  • relevant third-party agreements (eg, vendor maintenance agreements); and
  • possible disaster recovery and business continuity protocols.

 

With respect to software assets, relevant due diligence could include:

  • an inventory of software used by the target, including information on ownership and licences;
  • agreements related to software assets, such as licences, support, maintenance, development, assignment and escrow agreements;
  • documentation, including policies, manuals and information on user access protocols; and
  • active or planned development programs.

 

With respect to the IT systems, buyers should check that:

  • they are free of bugs;
  • they have not had any material security breaches;
  • they have not had any material outages affecting business;
  • they are in fair condition and sufficient for the normal functioning of the business;
  • all necessary licences are in place;
  • the maintenance and support agreements are still running; and
  • adequate IT investments are budgeted to meet the business plan and be compliant.

 

This due diligence is usually undertaken by the chief information officer of the buyer and his or her team, who should be involved from the beginning on a technology M&A transaction.

A final area of due diligence that may be more relevant in technology M&A transactions relates to websites, web shops and social media assets. Privacy policies, disclaimers, general terms and conditions, supply and logistics agreements, compliance with applicable laws (eg, information obligations, advertising), investigations, complaints and disputes involving such assets may need to be reviewed.

Buyers are also increasingly looking at identifying environmental, social and corporate governance (ESG) risks in a target. Issues like child labour, carbon emissions and corruption could after all become very costly and affect the target's long-term performance and reputation.

The focus of the legal due diligence will vary slightly depending on whether the ultimate transaction is an asset or a share purchase. In an asset purchase the buyer will, of course, only focus on the assets it will purchase. Where, in general, the due diligence in an asset purchase transaction is not as demanding as in a share purchase transaction, in a technology M&A transaction, special attention will have to be given to the transferability of the IP vested in the sellers’ technology assets (eg, the formalities required to transfer IP or a lack of assignment clauses in licensing agreements) or the transferability of certain data assets that qualify as personal data (eg, the data subject providing legal consent to the transfer).

Customary searches

What types of public searches are customarily performed when conducting technology M&A due diligence? What other types of publicly available information can be collected or reviewed in the conduct of technology M&A due diligence?

When conducting technology M&A, the buyer usually performs advanced trademark, domain name and patent searches, as further discussed below. This is in addition to standard public searches of publications in the annexes to the Belgian Official Journal, which include details on the appointments and resignation of directors, persons in charge of daily management, members of the management committee and, in some cases, proxy holders (but not shareholders). The Register of Ultimate Beneficial Owners will be consulted to find information on the shareholders and other persons which are in control of an entity (eg, through voting rights). Further, the company file, which will include the company’s articles of association and other notarial deeds that have been enacted (eg, capital increases), and documents filed with the National Bank of Belgium (eg, annual accounts, report statutory auditor and annual report) should be with the registry of the commercial court.

Registrable intellectual property

What types of intellectual property are registrable, what types of intellectual property are not, and what due diligence is typically undertaken with respect to each?

Benelux trademarks (ie, trademarks that are valid in Belgium, the Netherlands and Luxembourg) can be registered with the Benelux Trademark Office in The Hague. European Trademarks can be registered with the EU Intellectual Property Office in Alicante, Spain. There is no separate Belgian trademark regime.

Patents can be registered with the Patent Section of the Intellectual Property Office of the Ministry of Economic Affairs or with the European Patent Office.

Benelux models and designs can be registered with the Benelux Models and Designs Office in The Hague. European Models and designs can be registered with the European Union Intellectual Property Office in Alicante. There is no separate Belgian models and designs regime. For European models and design, there is a separate mechanism in which no registration is required. Protection under this unregistered mechanism is, however, limited (up to a maximum of three years) and is subject to extra conditions.

Domain name registrations are not technically IP rights but are often addressed alongside IP registrations and applications. Belgian domain names can be registered with DNS Belgium. Top-level domain names can be registered with a whole range of international authorities.

In Belgium, copyright protection arises automatically as the work is created and published. No registration is required (or even possible). The same is true for trade secrets and know-how.

For IP that can be registered, the buyer will usually conduct a worldwide search through appropriate databases or with the assistance of specialised IP offices. In addition, due diligence is conducted on the documents made available by the seller to the buyer, such as applications, licences and litigations. With respect to unregistered IP, such as copyright, know-how and trade secrets, buyers review all employment and third-party contractor agreements (including development contracts, confidentiality agreements and non-disclosure agreements) to make sure they include property confidentiality and invention assignment clauses. Often, IP due diligence cannot be conducted by lawyers alone, as it is not always apparent from the legal documents whether the IP protection is strong or weak, is sufficient to operate the target’s technology, and if other companies use similar IP.

Liens

Can liens or security interests be granted on intellectual property or technology assets, and if so, how do acquirers conduct due diligence on them?

With the increasing prominence of IP as a balance sheet asset, it is common for lenders to include IP as collateral in secured debt financing. Thus, the buyer needs to determine if the target has granted any liens or security interest on specific IP assets.

The most common types of IP over which security is granted are patents, trademarks, designs and models. Such rights qualify as intangible movable assets under Belgian law.

Traditionally, it was debated among legal scholars whether it is possible to create a valid possessory pledge on IP under Belgian law.

However, following the entry into force of the new Belgian act on security interests on movable assets on 1 January 2018, it is possible to create a non-possessory registered pledge over IP, to the extent that the pledge act is not contrary to other legal provisions in which such pledge rights are regulated specifically.

A non-possessory registered pledge will be perfected by registering the pledge in the national pledge register (which is a public, online register). Such registration remains valid for 10 years. Upon release of the pledge, it should also be removed from the pledge register.

However, if any specific law imposes additional perfection requirements for certain IP rights, it is recommended to comply with such additional requirements as well. For example, certain pledges must also be notified to, or registered with, the relevant IP authorities or registration offices to become effective against third parties.

It is (in theory) also possible to create on non-possessory pledge on software and source codes (to the extent such rights are transferable). Given that the pledge register is a public register, it is not recommended to register the source code in the pledge register. A generic description (eg, ‘all kind of software and source codes developed by the pledgor’, or a general description of the software without revealing the source code) is also allowed, as long as the object of the pledge is sufficiently determined or determinable.

When conducting due diligence, it is recommended to perform a search in the national pledge register and the relevant IP registers.

Employee IP due diligence

What due diligence is typically undertaken with respect to employee-created and contractor-created intellectual property and technology?

When performing due diligence on a target company, the following documents are to be screened on specific clauses (eg, secrecy or confidentiality clauses, IP clauses, etc) to assess the ownership and assignment of the target company’s IP rights:

  • with respect to its employees:
    • individual employment contracts (or covenants thereto);
    • work regulations, codes of conduct, policies and any document holding unilateral instructions; and
    • guidelines, approvals or waivers pertaining to IP rights (eg, notices or brochures); and
  • with respect to its contractors, service or consultancy agreements (or covenants).

 

Belgian employment law also provides two types of protection for company secrets (including IP):

  • Workers are forbidden from divulging any company secrets that they may learn during their professional activity. This ban is imposed on workers during and after the employment contract. Violating this obligation is considered misconduct and may lead to the immediate dismissal of the worker or to a claim for damages after the employment has terminated (article 17 (3) of the Act of 3 July 1978 on Employment Contracts).
  • A worker who divulges an industrial or fabrication secret may also commit a criminal offence, which is punishable with imprisonment and a fine (article 309 of the Belgian Penal Code), although this is rarely applied.

 

The Belgian Code of Economic Law (articles XI.336/1 to XI.336/5) defines ‘company secrets’ as information that is not publicly known or not easily accessible, possesses a trade value, and has been submitted to reasonable measures to maintain its secrecy (eg, contractual clauses or physical or virtual security measures).

Depending on the nature of the activity of the employer (the principal) and the type of industry, employment contracts or service agreements customarily contain specific IP (transfer) clauses.

A distinction must be made between moral and patrimonial (economic) rights. The moral rights (eg, the right to be named as author or the right to claim or refuse the paternity of an invention) of employee-created IP or technology are not transferable, and so always belong to the employee, but patrimonial rights (eg, the right of reproduction or use of the IP or technology) can be transferred to the employer.

 

Patent

The employer and the employee are free to set forth any IP rights transfer clauses in an employment contract (or in a separate agreement). Except where an agreement expressly states otherwise, an invention is understood to be one of the following:

  • A work invention: an invention developed within the worker’s attributions, as described in his or her job description and while using the employer’s resources. Such an invention is owned by the employer.
  • A free invention: an invention made by the employee on his or her own, with his or her own means, and outside his or her attributions. Such an invention is owned by the employee.
  • A dependent invention, such as:
    • an invention of a hybrid or mixed type; or
    • an invention made by an employee outside the performance of an employment contract, but using company resources. Inventions of this kind are mostly considered to be owned by the employee, although this is disputed in case law.

 

It is recommended to insert a clause in an employment contract that the employer will own such inventions and will be entitled to file for patent protection, possibly with a compensation method for the employee.

Similar language will be required in contracts with independent contractors. Failing that, any inventions made by independent contractors will be owned by them.

 

Trademark

Trademarks always belong to the natural person or legal entity on behalf of which the trademark is registered. Any transfer must be agreed in writing and registered with the relevant trademark office.

 

Computer software and databases

Under the Belgian Code of Economic Law (articles XI.187 and XI.296) there is a legal presumption of transfer of IP rights on the computer software and databases to the employer, if the software or database is created during the execution of the employee’s functions or following the employer’s instructions, unless otherwise agreed.

Transferring licensed intellectual property

Are there any requirements to enable the transfer or assignment of licensed intellectual property and technology? Are exclusive and non-exclusive licences treated differently?

In some cases, the technology or IP assets to be acquired in a technology M&A transaction will be subject to certain contractual provisions that either limit the buyer’s ability to exploit those assets or the IP as expected, or prevent any transfer of the technology assets or IP altogether. The following are the most common examples of scenarios leading to these unfortunate results:

  • the target company has granted a third party a licence to use its IP and:
    • the licence is exclusive with respect to a particular field of use or territory, precluding the buyer from exploiting the IP in overlapping fields of use or territories that may be key to the buyer’s business; or

    • the licence is non-exclusive, but grants the licensee either an option to convert to an exclusive licence or a right of first refusal in the event of a pending acquisition; or

    • the target company has licensed certain IP assets from a third party; and

    • the licence grants only non-exclusive rights to the target, leaving open the possibility that competitors will hold or be able to obtain a licence to the same IP, which the buyer may deem critical to the ongoing business;

  • the third-party licensor has retained the exclusive right to use the IP within a particular field or territory;
  • the licensed rights do not include the right to any improvements or enhancements of the licensed IP that would permit the licensor or third-party licensees of the licensor to develop new versions of the IP and compete with the buyer;
  • the governing agreement requires continued payment of licence fees or royalties that will be the buyer’s obligation post-acquisition;
  • the licence terms do not allow for sublicensing of the IP, which may be critical to the buyer’s intended business model; or
  • the licence terms expressly prohibit assignment of the licence to the buyer.

 

It is, therefore, important to scrutinise all of the target company’s agreements pursuant to which an IP licence is granted to or from a third party, focusing, in particular, on terms governing assignability and exclusivity, and to determine if any third-party consents or waivers must be requested as pre-closing conditions.

With respect to transferability, the IP or technology licence agreements can either contain a no-assignment or a change-of-control clause. A no-assignment clause usually prohibits the licensee from assigning any of its rights under the licence agreement except with the prior written consent of the licensor. This is usually triggered when there is an asset deal but not when there is a share deal. A change-of-control clause usually gives the licensor the right to terminate the licence agreement in the case of a change of control. This is usually triggered by a share deal but not by an asset deal. Usually, the buyer will require a written waiver or consent of the licensor as a pre-closing condition.

When there is a share deal and nothing is foreseen in the licence agreement, the licence agreement usually remains valid and no formalities must be fulfilled.

When there is an asset deal and a no-assignment clause is seen in the licence agreement, the licensed IP or technology can, in principle, be transferred by means of a written assignment agreement. Except in the case of copyright and know-how, the assignment must also be registered with the relevant agency, these being:

  • trademarks:
    • the Benelux Trade Mark Office in the Hague; or
    • the Trade Marks Section of the Intellectual Property Office of the Ministry of Economic Affairs;
  • patents:
    • the Patent Section of the Intellectual Property Office of the Ministry of Economic Affairs; or
    • the European Patent Office; and
  • models and designs:
    • the Benelux Models and Designs Office in the Hague; or
    • the Models and Designs Section of the Intellectual Property Office of the Belgian Ministry of Economic Affairs.

 

Whether a licence agreement is exclusive should not change the treatment except that exclusive licences will more likely include no-assignment or change-of-control clauses and almost always require consent of the licensor with the assignment (asset deal) or change of control (share deal).

Software due diligence

What types of software due diligence is typically undertaken in your jurisdiction? Do targets customarily provide code scans for third-party or open source code?

First of all, the buyer should investigate the seller’s rights in any proprietary software included in the purchased technology assets, particularly if the purchased software includes software that the seller licenses or distributes to customers, and software licensed from third parties that is not readily replaceable or is costly to replace.

For software created by or for the seller and included in the purchased assets, the buyer should confirm that all relevant rights have been assigned to the seller and can be conveyed to the buyer. In particular, if the software is created by a non-employee, it is important that all rights are expressly assigned to the seller.

For software licensed to the seller by third parties and included in the purchased assets, the buyer should ensure that the rights licensed to the seller are consistent with the rights the seller has licensed to its customers or other third parties. In particular, the buyer should confirm that, if the licensed rights are terminated, the applicable licences permit the buyer’s customers to continue using the licensed software and the buyer continues to have the right to provide its customers with maintenance and support.

Further, for material third-party software licensed to the seller and included in the purchased assets, the buyer should determine whether the seller is either in possession of a copy of the source code or is party to a source code escrow agreement.

A source code escrow agreement gives the licensee access to and the right to modify the licensor’s source code on the occurrence of certain conditions (eg, if the licensor enters bankruptcy or ceases operation and cannot continue providing maintenance and support).

Finally, it is customary for the buyer to ask the seller to show that the company understands the open-source applications it uses and to ask to document how open source code is used within the target and its products. Relevant due diligence information could include:

  • policies and procedures;
  • code reviews;
  • searches for ‘copyleft’ and similar open source code use; and
  • attribution and notice requirements.

 

Best practices for a growing amount of companies involved in a technology M&A transaction include an independent code audit whenever software is a significant part of the deal. Indeed, more and more firms are realising that an open source code audit also should be part of their overall due diligence process, as modern software development code is rarely written from scratch. Custom code now often comprises only 10 to 20 per cent of many applications, with the remainder being previously developed code, third-party code and, increasingly, open source code as the core foundation for applications. In fact, it appears that about 95 per cent of code bases contain undisclosed open source. Open source material may come with legal obligations in its licence agreements that go with the usage of that code. There also may be security vulnerabilities within the code as well as operational risks, such as versioning and duplications. Software audits identify open-source code and third-party components and licences, and may mitigate legal, operational and security issues. The software audit is mostly undertaken by the buyer, but can also be undertaken by the seller as part of its vendor due diligence to give assurance that it can give the strict IP representations and warranties that are usually required or mitigate certain risks.

So, buyers must carefully review whether the target has combined open-source code with proprietary software in a way that requires the software to be made publicly available under the open-source licence and evaluate the third-party code. Indeed, open-source software licences can be important in a proposed transaction as they may dictate the terms on which software derived from such open-source software is licensed to third parties. If the buyer is expecting to use the target company’s technology exclusively, then discovering that the technology incorporates software that is subject to free-use rights could be a deal-breaker.

Other due diligence

What are the additional areas of due diligence undertaken or unique legal considerations in your jurisdiction with respect to special or emerging technologies?

The focus of the due diligence approach set out above is on a traditional IT environment. IT is increasingly being acquired as ‘software as a service’ or in the context of cloud computing. Where a target engages or makes use of such services, this category of agreements will require separate and careful consideration. When acquiring or merging with a provider of cloud applications, platforms or infrastructure in the cloud, special attention should be paid to issues such as the ownership of the data or applications run in the cloud, compliance with mandatory rules with respect to international data transfers and exit possibilities.

Machine learning, deep learning, neural networks and other forms of artificial intelligence (AI) are often already an integral part of a target’s business operations when conducting technology M&A. When conducting the due diligence and drafting M&A documentation in relation to an AI company, buyers should give special attention to:

  • the IP protection of data sets and algorithms (eg, copyright, trade secrets and patents);
  • ownership of IP developed by AI;
  • ownership of content generated by AI;
  • licensing, liability and regulatory issues;
  • privacy; and
  • cybersecurity.

 

Attention should be paid to the developments in the European Commission, which has created a Coordinated EU Plan on Artificial Intelligence and published the White Paper on Artificial Intelligence in February 2020, so that Europe can become a world leader in this technology, but with AI based on ethics and European values.

Internet of things (IoT) devices often contain components of different manufacturers. They are often low-price devices with low levels of security. So, when acquiring manufacturers or operators of IoT devices buyers should properly review liability, IP, privacy, IT security and consumer protection (such as the new digital sales rules) issues. However, IoT could also raise additional environmental (eg, waste management) or health and safety issues.

Key technologies relating to autonomous or semi-autonomous driving include automated automotive technologies, collision avoidance technologies, artificial intelligence and machine learning, and others. When acquiring companies in this field, sellers should focus on the ownership of these technologies (eg, patents and trade secrets), ownership of data, regulatory issues (eg, government authorisations and test results) and insurance.

If a target is involved with big data, the seller should, during its due diligence, prioritise the following areas of the target’s business operations related to information and its related risks and liabilities:

  • data privacy;
  • data security;
  • information governance;
  • regulatory inquiries; and
  • insurance policies covering information-related topics (including data breach and infected system issues).