There have been two recent changes to cybersecurity laws in the European Union, specifically relating to the use of personal data of E.U. residents, which are further summarized below. M&A professionals will need to keep these two laws in mind when (a) a target company uses the personal data of E.U. residents in its ordinary course of business or (b) a U.S. acquirer needs to access the personal data of E.U. residents during the due diligence process.
First, the Privacy Shield Data Transfer Pact (the “Privacy Shield”) was approved by the E.U. member states on July 12, 2016 and sets forth how companies established or using equipment in the E.U. can share the personal data of E.U. residents with U.S. companies. The Privacy Shield replaces the invalidated Safe Harbor program that was previously relied on by both U.S. and E.U. based companies to legally transfer the personal data of E.U. residents from the E.U. to the U.S. In addition to imposing stronger obligations on U.S. companies to protect the personal data of Europeans and mandating tougher monitoring and enforcement by the U.S. Department of Commerce and the Federal Trade Commission, the Privacy Shield also includes written assurances from the U.S. that any access to the data by law enforcement will be subject to clear limitations to prevent surveillance of European citizens’ data. For more detail on the specific requirements of the Privacy Shield, please see this NP Privacy Partner Blog Post.
One of the ways a U.S. company can comply with the Privacy Shield is to complete a self-certification, which includes the name and contact details of the recipient of the personal data, a description of the activities that will be carried out with respect to the personal data received from the E.U., and a description of how the U.S. company complies with the Privacy Shield. The U.S. Department of Commerce and the Federal Trade Commission have expressed their commitment to enforce the Privacy Shield, and violations of the Privacy Shield can result in penalties of up to $40,000 per violation or $40,000 per day for continuing violations. More information on the enforcement of the Privacy Shield can be found at this website.
Second, the General Data Protection Regulation (the “GDPR”) is the next iteration of E.U. data protection laws and will be effective on May 25, 2018. The GDPR applies to all companies based in the E.U. as well as any foreign companies processing the personal data of E.U. residents. The GDPR is intended to strengthen and unify data protection for all individuals within the E.U. and requires companies to completely transform the way that they collect, process, securely store, share and securely wipe personal data. The changes that GDPR will implement include requirements for companies to appoint a data protection officer responsible for implementing and monitoring compliance with GDPR. In addition, companies will be required to implement privacy by design, meaning that they must take a proactive approach to ensure that an appropriate standard of data protection is the default position taken when personal data is being processed. GDPR also includes a clear focus on data subjects’ consent to the processing and accessing of their data, as well as a data breach notification obligation requiring companies to notify the E.U. data protection authority of a breach without undue delay and, where feasible, within 72 hours. Companies must also notify the affected individuals where there is a high risk to the individuals concerned.
If GDPR is violated, the penalties can be significant: for breaches, including of security and data breach notification obligations, the penalties can be up to €10,000,000 or 2% of worldwide revenue, whichever is higher; and for more significant breaches, including consent violations and transfer restriction violations, the penalties can be up to €20,000,000 or 4% of worldwide revenue, whichever is higher.
Given the potential penalties for violations of both the Privacy Shield and the GDPR, M&A professionals will want to include in their due diligence of a target company an analysis of whether the target company is in compliance with both laws. If the due diligence concludes that the target company is not currently in compliance with the Privacy Shield, or that the target will not be in compliance with the GDPR when it takes effect in May 2018, then these issues may require changes to the purchase agreement, including the exclusion of certain non-compliance liabilities from the transaction, the addition of specific indemnities relating to such non-compliance issues, the inclusion of a covenant providing for ongoing safeguards of sensitive information by the target company between signing and closing, or the addition of a new closing condition requiring the target company to take steps to address non-compliance issues or to implement missing IT safeguards.