Companies regularly store information about their customers, clients, employees, investors, partners and vendors. Privacy and data security are therefore important aspects of most M&A transactions. Although the risk of non-compliance with privacy laws may result in severe negative consequences, many M&A agreements still lack adequate privacy-related representations and warranties. This update discusses the rising importance of privacy issues and how to approach them effectively.
In order to frame an appropriate set of representations and warranties, it is vital for both parties to not only understand the target's business in general, but also the privacy-related environment in which the target conducts its business (eg, nature and amount of collected personal information, storage location and applicable privacy-related legal provisions). By properly assessing privacy and data security issues during due diligence, a buyer can manage transactional risks and ensure that M&A agreements contain provisions that adequately address the target's privacy-related issues. A thoroughly conducted privacy-related due diligence should therefore cover the following:
- the existence of adequate policies and procedures (eg, data security governance and external or internal audits);
- past breaches and security incidents (eg, history of breaches and pending and threatened litigations);
- future legal requirements (eg, the General Data Protection Regulation (GDPR));
- social media material (eg, social media presence, activities and policies);
- employment privacy (eg, email use regulations and other aspects of employment privacy); and
- international considerations (eg, the applicability of international privacy-related laws).
In many cases, practitioners simply rely on standard compliance with laws and representations; but these often do not adequately address privacy issues and usually do not provide enough protection for buyers. Of course, privacy-related representations should cover compliance with privacy laws – but they should not stop there. A sophisticated set of representations and warranties should, in particular, cover the following.
Compliance Representations and warranties should comply with all laws, including applicable laws relating to privacy, data security and the processing of personal information, which includes (but is not limited to) the requirement to:
- gain data subjects' consent to transfer and use their data; and
- file any registrations with the applicable data protection authority.
Further, representations and warranties should comply with the target's own policies, representations to consumers and employees, contracts and applicable industry standards.
Representations and warranties must also comply with future legal requirements (eg, appropriate procedures to ensure compliance with the GDPR).
Finally, they must comply with notices, consents and other information provided to data subjects regarding the processing of personal information.
Implementation Representations and warranties must implement adequate:
- policies and procedures to ensure continued compliance with all applicable data protection and privacy provisions; and
- data security measures, including measures which are not necessarily required by law.
Data security Representations and warranties must ensure that there is no:
- loss, damage or unauthorised access, use, modification or other misuse of any personally identifiable information maintained by or on behalf of the target;
- claim or action with respect to loss, damage or unauthorised access, use, modification or other misuse of any such information; or
- reasonable basis for any such claim or action.
Disputes Finally, representations and warranties must ensure that there are no past, pending or threatened privacy-related disputes, claims or complaints by an individual or administrative authority.
This update aims to build awareness. Sophisticated privacy-related representations and warranties in M&A agreements can indeed offer a certain level of comfort to buyers, but they are not a universal cure. Even if damages are awarded as a result of accurately drafted representations and warranties, they may not be sufficient to compensate for the type of public relations and customer relationship damage often associated with privacy failures.
For further information on this topic please contact Clemens Rainer or Paul Nimmerfall at Schoenherr Attorneys at Law by telephone (+43 1 5343 70) or email (firstname.lastname@example.org or email@example.com). The Schoenherr Attorneys at Law website can be accessed at www.schoenherr.eu.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.