Accountability deficiencies as a risk to M&A
Accountability – a key principle under the General Data Protection Regulation (GDPR) – has recently become an important factor in M&A data privacy matters. In recent years, enforcement activity has significantly increased, with considerable fines imposed for non-compliance with privacy principles such as data minimization, lawfulness and transparency of the processing. For M&A activities, insufficient compliance with accountability is a risk of particular importance and can lead to significant financial exposure.
Not only is compliance with accountability requirements an indicator of the effectiveness of the target company's data privacy organisation and its ability to identify and mitigate data privacy risks such as cyber attacks, but in most cases, a purchaser is also accountable for carefully examining the target companies in scope through a documented privacy due diligence exercise.
An incomplete or merely cursory privacy due diligence may leave data privacy compliance shortcomings undetected. Those hidden legacy risks can, if not properly hedged, expose the transaction to significant risk. This risk for the purchaser in an M&A transaction is heightened given the growing threat of class action suits and regulatory investigations, for example, in response to data breaches.
GDPR accountability and compliance
The GDPR imposes accountability as one of its core principles to be adhered to by data controllers. The principle encompasses an obligation to document and demonstrate in particular that any processing of personal data is done in a lawful, fair and transparent manner and that the integrity and confidentiality of personal data is ensured at any time.
Technical and organisational measures must be implemented to ensure the safeguarding of personal data by a data controller, who must also demonstrate that any personal data processing takes place in accordance with the GDPR. To ensure their ongoing effectiveness, such appropriate measures should be set up, documented, and regularly reviewed. Indeed, supervisory authorities in the EU and UK have begun auditing internal processes and questioning their effectiveness.
This obligation is crucial for every company and all data processing activities, but the more complex and frequent a company’s processing of personal data, the higher its accountability requirements are. Thus, particular attention should be paid to target businesses which are involved in critical or sensitive processing activities (for example, in the healthcare or financial sector) or which are both customer-facing and data-heavy (such as e-commerce businesses).
The increased awareness of authorities in this regard was recently demonstrated by a substantial fine imposed by the ICO in a scenario where the purchaser had performed insufficient due diligence on the target company which suffered a data incident post-closing. There has also been a notable case where a data controller was fined for not reviewing internal security policies for their current effectiveness.
Obligations in the US: a comparison
In the US, while there is no comprehensive data protection law imposing accountability requirements, companies should be aware of risks presented by sector and state-specific obligations to protect personal data.
Companies subject to sector-specific regulation may be required to design and implement more thorough information security policies. These sector-specific regulations may exist at the federal or state level. For instance, healthcare providers regulated under the federal Health Insurance Portability and Accountability Act may be required to maintain written policies concerning data protection. Financial institutions subject to the Gramm-Leach-Bliley Act are required to design, implement and maintain safeguards to protect customer information. At the state level, financial institutions licensed by the New York Department of Financial Services are required to maintain a cyber security program, documentation of which must be made available to the regulator upon request.
Companies may also be subject to state-level data protection laws (such as the California Consumer Privacy Act), or other state laws which impose obligations to maintain reasonable data protection measures. For example, New York and Oregon provide a ‘floor’ of minimum statutory security requirements which, if implemented, are deemed to demonstrate statutory compliance. Massachusetts requires companies holding personal information of Massachusetts residents to implement a written information security program.
In performing due diligence in a potential M&A acquisition, it is important to assess the federal and state privacy laws to which the target company may be subject, and whether the target company has documented an appropriate information security program based on the applicable requirements.
Implications for due diligence
The above risks resulting from accountability (or, in the US, data security and protection) shortcomings should be carefully considered when determining the scope of any privacy due diligence conducted in an M&A process.
The European Data Protection Board has made clear that it ‘reminds the parties to the proposed merger, in accordance with the principle of accountability, of their obligations under the GDPR and to conduct in a transparent way a full assessment of the data protection requirements and privacy implications of the merger.’
As noted above, the data controller has a duty to ensure (and be able to demonstrate) that appropriate data security measures are in place at all times. This obligation extends to the purchaser’s responsibility to ensure GDPR compliance of the target company when acquiring it (ie at closing). Thus, a purchaser has to anticipate any future pre- and post-acquisition accountability shortcomings when performing privacy due diligence. Those considerations affect the process at every stage, starting with requests for privacy documentation as part of due diligence.
- The purchaser has to benchmark the measures employed by the target company not only for their appropriateness under GDPR standards, but also for their effectiveness in practice. It is often insufficient simply to gather internal policies or guidelines describing how certain measures are to be performed. Rather, it is crucial to request documentation showing how those policies and guidelines are actually implemented throughout the whole organisation (ie within a group of target companies and their local establishments).
- To assess the effectiveness of the organisation’s policies and guidelines, requesting expert sessions with dedicated privacy professionals such as privacy counsel or the data protection officer of the target company (or target group) is prudent.
- Following a holistic approach, the purchaser should have these measures reviewed both during the due diligence process and as part of any post-closing data protection regime that needs to be set up either from scratch or following a privacy gap analysis.
With respect to the US in particular, the purchaser should ensure that the target company understands precisely which state- or sector-specific regulatory regimes it is obligated to follow and has taken steps to comply with all relevant obligations. From the purchaser’s perspective, the purchase agreement should, where appropriate, include safeguards such as warranties, indemnities or covenants whereby the seller is held responsible for, and/or has to remediate, any (potential) shortcomings or breaches pre-closing.
Warranties and indemnities alone will, however, typically not be sufficient to hedge the risk of (hidden) accountability deficiencies that were not properly assessed in the course of the due diligence. To make matters worse, it could be difficult to obtain representations and warranties insurance covering the proposed transaction if privacy accountability risks have not been sufficiently examined, making it harder to negotiate such contractual safeguards.
A purchaser is best advised to conduct privacy due diligence in the US holistically, to ensure it has identified and assessed any material shortcomings pre-closing, and to conduct its own “privacy gap analysis” post-closing to remediate remaining issues, in particular relating to insufficient documentation and data security.
Accountability under the GDPR – and data security requirements in the US – have become an important factor in M&A as shortcomings can quickly (and often unexpectedly) lead to material financial exposure, including costs of review and remediation effort, fines by authorities and mass claims.
Avoiding these risks is far from straightforward. Accountability requires an appropriate design of measures and, more importantly, their effective implementation. To mitigate legacy or future risk for the purchaser, warranties and indemnities alone will probably not be enough. Whether the target company has achieved (and maintained) full compliance with accountability requirements, by setting up, documenting and regularly reviewing the effectiveness of technical and organisational measures within its privacy organisation, should guide the privacy due diligence, especially in light of increasing attention by supervisory authorities.