On October 6, 2014, following clearance by European antitrust regulators, Facebook, Inc. completed its previously-announced acquisition of online messaging service WhatsApp Inc. WhatsApp will exist as a wholly-owned, but independentlyoperating, subsidiary of Facebook. The strikingly large consideration (approximately $19 billion) reflects WhatsApp’s rapid growth into what Facebook may have viewed as a long-term competitive threat. The consideration included 177,760,669 shares of Facebook’s Class A common stock and approximately $4.59 billion in cash to existing WhatsApp security holders, with a portion held in escrow to secure WhatsApp holders’ indemnification obligations. In addition, Facebook awarded 45,941,775 restricted stock units to WhatsApp employees, and Jan Koum (WhatsApp’s co-founder and ongoing CEO) became a member of Facebook’s board.
The terms of the deal anticipated increased regulatory and public scrutiny of privacy issues in the wake of recent leaks, hacks, and National Security disclosures of Snapchats, credit card data, and a host of other private information. In March, the Electronic Privacy Information Center (an information-privacy research group that has also filed complaints in the past against such internet giants as Microsoft, Google and Facebook) filed a complaint with the Federal Trade Commission (“FTC”) objecting to the acquisition on the grounds that WhatsApp users would now, contrary to their original terms of service, be subjected to Facebook’s deep and sophisticated data collection. For its part, the FTC -- while allowing the deal -- pointedly referred, in letters to both Facebook and WhatsApp, to Facebook’s continued privacy obligations under WhatsApp’s existing data policies, and noted that these could only be changed with express user consent. Therefore, in an era where many deals are based upon the value of acquired entities’ IP, customer bases, and other data, those undertaking due diligence should also closely review the (i) privacy and data-sharing commitments made by the target, (ii) expectations of the target’s customer base, and (iii) the potential costs of (a) seeking customer consents to alter privacy policies, or (b) keeping the acquired data separate.
Reflecting this close scrutiny of privacy concerns, under the terms of the deal, WhatsApp was required to warrant that it had (i) provided adequate notice and obtained any necessary consents from data subjects required for the processing of personal data, (ii) abided by any privacy choices (including opt-out preferences) of data subjects relating to personal data, (iii) adopted appropriate technical, physical and organizational measures and security systems and technologies in compliance with all data security requirements under privacy laws and WhatsApp’s privacy commitments, designed to protect company data against accidental or unlawful Processing, (iv) experienced no breach, security incident or violation of any data security policy in relation to WhatsApp data nor any unauthorized or illegal processing of any WhatsApp data, (v) a written contract with each data processor that complies with the requirements of all privacy laws and WhatsApp’s privacy commitment, and (vi) not transferred or permitted the transfer of personal data originating in Europe outside of Europe. The transaction agreement, unlike most private company deal documents, is publicly available and is well worth review by practitioners focused on technology or information privacy issues in M&A.