Data protection legislation is not new. So why has the EU's GDPR, directly applicable from 25 May 2018, received so much attention? Perhaps because it gives significantly enhanced data privacy rights to individuals, including embodying a "right to be forgotten"; or perhaps because it significantly increases the maximum penalties that entities within scope may be subjected to if in breach. It may also be because of its expanded jurisdictional scope, meaning that its relevance is not confined to those businesses established in the EU. The fact is, that the GDPR will considerably increase the compliance burden for many businesses.
The GDPR applies to EU and non-EU businesses
The GDPR applies to the processing of personal data by those established in the EU, as well as by those outside the EU, where their processing activities relate to the offering of goods or services (even for free) to data subjects within the EU, or to the monitoring of their behaviour. "Processing" is defined broadly to mean any "operation … performed on personal data" such as collecting, recording, organising, storing, consulting, disclosing or even erasing or destroying data. The "offering of goods or services" is also construed broadly and, while it may not extend to mere accessibility of a website from the EU, "factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language… " may suffice.
Key GDPR areas of concern on an acquisition
Having established that the target business is within scope of the new regime, both the seller and buyer will need to consider a number of implications. While similar issues may have arisen in connection with the EU's previous data protection regime, the new enhanced regime means that it is critical that they are considered at an early stage and revisited during the course of the transaction.
- Value/strategy: a buyer should consider how important data processing is to the value it has ascribed to the target. For example, if it is effectively "buying data", will it be able to use it in the manner it intended to? A key principle of the GDPR is the purpose limitation, which means that processing of data should be restricted to purposes that are not incompatible with those specified to the individual upon collection. In other words, if data was collected by the target for one purpose, it may likely not be used for a different purpose following the deal. The GDPR also enhances the rights of data subjects and, while consent is retained as a processing condition, it is more prescriptive when it comes to the conditions for obtaining valid consent. Silence, pre-ticked boxes and inactivity are insufficient and there are no grandfathering or transitional provisions to smooth the pathway from old to new regime. A buyer should therefore (particularly in the next few months) verify that consents it may want to rely on have been obtained in compliance with the GDPR. A buyer may also need to be cognisant of any additional financial cost to it in ensuring GDPR compliance by the business going forward, including dealing with any issues which may, in part, become apparent during the due diligence phase.
- Due diligence: in addition to consideration of the target's legacy compliance with the GDPR, and the potential ramifications for the buyer associated with any lack of compliance, there are a couple of practical items that should be considered.
- Data rooms: compliance with the GDPR will necessitate extra caution when establishing and running a data room. It is already customary for sellers to pseudonymise or anonymise personal data, and /or to summarise contracts in order to avoid inclusion of personal data in the data room, particularly at an early phase of the deal. Parties are likely to be more focused on this issue now, and to go to additional lengths to prevent personal data being uploaded to a data room. Where the parties agree that personal data relating to the target does need to be included (in the main, this is likely to be employee data), the relevant data room provider will be regarded as a "data processor" and, as such, it will be subject to new compliance obligations. The data room provider will need to enter into a detailed agreement with the seller covering a number of mandatory areas, including obligations to protect and maintain the confidentiality and security of the personal data, and to ensure its deletion post-closing. Data room providers' terms and conditions should be checked to ensure that they contain the necessary provisions. Data room providers will be directly liable in case of non-compliance on their part, and may be subject to direct enforcement action. Those who access the data room (including the seller's advisers, prospective buyers and their advisers) may also be regarded as "data processors" or, in some circumstances, "data controllers" and similar considerations will apply to them. Any data breaches in respect of the data room must be reported without undue delay and, where feasible, within 72 hours of becoming aware of the breach (unless the breach is unlikely to result in a risk for data subjects' rights and freedoms). Affected data subjects must, in certain circumstances, also be notified.
- Cross border data transfer: to the extent data is intended to be transferred out of the EU as part of a deal, extra care needs to be taken. The GDPR largely retains the cross-border data transfer rules under the previous EU regime. As a general rule, personal data may only be transferred out of the EU/EEA to countries which have been recognised as providing an adequate level of data protection (eg, Switzerland, New Zealand, Argentina, Israel, etc.). In relation to the US, the European Commission has issued an adequacy decision in July 2016 with respect to the Privacy Shield Framework. As a result, data may be transferred to those US organisations that have self-certified to the US Department of Commerce and publicly committed to comply with the framework's privacy standards. Data transfers to other countries which do not enjoy adequacy status will only be permitted if the transferor can rely on specific derogations (e.g., consent), or can adduce specific additional safeguards ensuring an adequate level of data. The GDPR slightly expands the available options for data transfers (as compared to the previous EU regime) by adding certification mechanisms and codes of conduct. But, overall, it remains difficult to transfer personal data out of the EU.
- As well as harmonising the tasks and powers of supervisory authorities, the GDPR significantly increased potential fines for non-compliance. For major infringements (such as failure to comply with cross-border transfer rules or to obtain adequate consent) fines can be up to EUR 20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher).
- Some of the concerns highlighted above may be addressed in the acquisition agreement. Whether the deal is structured as an asset or share deal, representations, warranties and indemnities (and insurance) can help apportion the potential risk of GDPR non-compliance between the buyer and seller (subject to any limitations or exclusions). If data processing is integral to the value of the target, specific GDPR conditions precedent to closing could also be required to be satisfied.
- Post acquisition integration:
- Information obtained during due diligence can help guide the steps that need to be taken after closing to ensure the business is GDPR compliant moving forward. For example, if third parties are processing data on the target's behalf, ensuring that those contracts contain specific mandatory provisions required by the GDPR is key.
- Transitional services agreements may also need to contain mandatory GDPR terms where, for example, the seller continues to process personal data (e.g. HR systems) on behalf of a buyer.
- There are no carve-outs for intra-group processing, or transfer of personal data.
- Take a broad view. It's not just relevant to businesses based in the EU.
- Tread carefully. Understand what is meant by processing personal and sensitive data and redact/anonymise it where appropriate. Ensure that adequate security is in place, and that those processing and controlling the data understand their responsibilities and obligations. When reviewing personal data, do not transfer it outside the EU (e.g. to a non-EU server) without first ensuring that the transfer is permitted.
- Consider the impact of the new regime on the target's value.
- Plan for data integration after the deal.
- Start early. Don't wait to consider data protection.
- Remember national data protection legislation. While the GDPR is directly applicable across the EU without implementing national legislation, it contains many optional provisions allowing Member States to enact their own rules for certain subject matters, such as the handling of personal data in the employment context.