Data is now one of the most valuable commodities in the world, with a market predicted to be worth US$92 billion globally by 2026.

It's not surprising. Everything we do each day leaves a digital trace, capable of being collected, analysed, manipulated and sold. Most of us give up this valuable resource for free, or in exchange for a helpful app.

In just ten years, data has become perhaps the most disruptive and pervasive aspect of the world's business landscape, and a major driver for, and feature of, M&A.

Shifting the goalposts for new and old alike

Of the world's ten most valuable public companies in September 2017, seven were tech companies. Back in 2007, as the iPhone launched, Microsoft was the only tech company in the top ten.

And for most of these companies, this stellar growth has been achieved largely by the smart collection, interpretation and use of data.

Data and underlying technological developments are also disrupting almost all sectors and new and old companies alike.

For many companies, data-driven M&A is now part of their strategies. In any event, data as a feature of M&A is in the ascendant, with resulting issues for doing deals in the data age.

Data-driven M&A

Opportunities to acquire data assets or data-rich businesses are being pursued by companies across nearly all sectors, from financial institutions to media players, with spill-over into adjacencies such as analytics, artificial intelligence and data centres. There is no shortage of data-driven deals. Microsoft’s purchase of LinkedIn in late 2016 gave its sales system access to LinkedIn’s massive database of contacts. One of the key drivers for Amazon's recent acquisition of Whole Foods was the treasure trove of consumer data that came with the acquisition.

There are examples across almost all sectors, with accounting firm BDO recently finding that data-driven deals in the energy sector were up tenfold in 2017.

The devil's in the detail

Buyers need to ensure they upload value and not problems with their acquisition of data.

Good due diligence of data is now critical, given the growing reputational and legal risks of bad data management.

Legal due diligence must now extend to every aspect of the target's data collection, protection, storage and documentation, including all related contracts. Restrictions on the anticipated use or transfer of data can be value-destructive.

Privacy concerns have been heightened by high-profile thefts, disclosures and loss of data. The legal, ethical and commercial implications of a big data leak are now painfully evident and routinely publicised.

As data protection regimes expand to keep up with the industry and public concerns, M&A due diligence will become deeper and denser, particularly if you are buying a dataset gathered and stored in numerous countries.

An acquirer needs to be sure that the prior handling of data complies with all applicable laws in every country in which the target operates, and needs to protect against liabilities for non-compliance.

Beyond a country’s general data laws, there may be sector-specific requirements to consider, particularly in banking and telecommunications.

Regulations are getting stricter and regulators are being armed with greater powers, including the power to issue severe penalties. Moving data across borders is becoming more challenging from a number of markets. Existing and anticipated arrangements for data centres and outsourced functions must be validated.

The way in which these issues are handled during negotiations has changed. There is now a much greater emphasis on representations and warranties, conditions precedent, indemnities and post-closing remediation and integration planning.

Antitrust concerns increase

More and more antitrust regulators are considering broadening their criteria to measure mergers and other business activities against data-related concerns or even social inequality, rather than a simple economic calculation.

The cases have already started. In May 2017, the EU fined Facebook US$122 million in relation to statements regarding the ability to match Facebook and WhatsApp accounts when it acquired WhatsApp in 2014.

The practice of using data-lakes during due diligence, where buyer and target data are combined into a common location to assess synergies, overlaps and value, needs to be structured and monitored carefully. The use of data-lakes featured, for example, during Johnson Controls' acquisition of Tyco.

Antitrust and market regulators worldwide are also revisiting rules to address major players in the data space that are already apparent. This could lead to restructuring within those players and increased focus of regulators on data-related mergers.

One challenge is that the traditional antitrust focus on the effect on pricing works poorly in industries built from data freely offered up by users using ostensibly “free” services.

Expect sharpened interest from regulators in this during acquisitions, as well as in behavioural issues.

A very public eye on data

The fact remains that very often the primary producer of acquired data – the individual – is not being paid for its labour. These ‘producers’ are realising that their online lives are now very useful to companies richer than countries and may be sold to the highest bidder.

Public activism is steadily rising in these areas, and governments and regulators will be forced to react. This public pressure will also increase scrutiny on mergers and the fate of data after a purchase.

The challenge for regulators and companies in the years ahead is to achieve a delicate and fair balance between facilitating innovation and growth, including from use of data, on the one hand, and regulation, privacy and security, on the other. It will need cross-border and cross-industry understanding to achieve both outcomes successfully.