This is the first in a series of monthly articles on how to leverage the value of data and navigate the potential obstacles. Our recent report, The next drivers of strategic M&A, identified the importance of data for businesses looking for acquisition targets. Throughout this series, we will discuss how data as an asset is impacting M&A transactions and other strategic business areas.
In this article we examine data as an asset in the context of corporate law transactions.
There are many statistics and examples of acquisitions one could draw upon to demonstrate the commercial value of data – in fact too many. And I think we can assume it is agreed that, amongst other drivers, organisations invest in and buy because of the commercial value or, in the public sector, the wider public benefit of a target’s or relevant owner/licensor’s data assets. So let’s start from a few fundamental principles of data as an asset:
- data often has a significant commercial value (e.g. an investor or buyer may set a purchase offer or sale price upon a multiple tied to the per user value attributable to a target’s user base and the data that user base makes available or other comparable license fee per unit of data – e.g. in an enterprise context)
- separately, in the public sector, providing open access to data, can exponentially increase efficiencies previously unavailable from closed, segregated data sets (e.g. New York Mayor’s Office, NY Open Data, which resulted in significant reductions in ambulance response times)
- in the same vein, data can equally determine a liability value, either resulting from a failure to keep that data asset secure (in that an organisation may suffer a loss directly arising from loss of control of its data assets), contractual non-compliance (leading to claims for IP infringement, for instance) or regulatory non-compliance leading to sanctions in the way of fines or notifications to customer and reputational damage
- whilst data is often perceived as having value where it is personally identifiable (i.e. it contains personal information relating to an individual), data may equally have value as a trade secret, know-how, confidential information or other source of commercial or national security intelligence. Collections of data, in particular, may have very significant commercial value and be protected by IP rights such as Database Right (in the EU and UK), trade secrets, as well as contractual and legal restrictions around access and use
- handling data which comprises personal information carries with it particular compliance requirements to keep that data secure and to process it fairly
- achieving a certain degree of control over a specific category or categories of data or entering into arrangements, whether to share data or otherwise, may trigger competition and antitrust laws to avoid unfair competitive advantage
Data in M&A
Just as is required for, say, GDPR when appointing a processor to process any personal data on your behalf, prior to investing or buying a target, it is advisable to carry out effective due diligence (DD) and make suitable enquiries of a seller. Where data is involved, don’t assume that your customary DD enquiries and applicable step plan address all the appropriate questions and issues at hand. For instance: -
- where there is a concern around regulatory or contractual compliance, is it simply resolved by requiring an indemnity?
- have you explored ownership of IP rights associated with collections of data, such as Database Right, trade secrets and (in some jurisdictions) copyright, as well as any contractual restrictions which apply to access to and use of the data?
- do your questions elicit sufficient responses around (i) ownership and use cases for data? and (ii) security incidents or near-misses?
- and when does the seller respond to those questions – in the first or final round of further and more DD enquiries? Similarly, have the DD enquiries been tailored to the nature of the target’s business and the data it processes.
- have you asked about associated rights in algorithms and ownership in AI and data insight tools (it’s not necessarily just about the data but the value of the tools which process that data)?
- do your enquires cover compliance with AI regulation, bias and ethical governance?
- if you are a seller, have you ensured that all legacy data has been purged from systems (where that data is not part of the assets sold)?
Often, a breach of a compliance requirement may occur shortly after (not before) completion – where this is the case, a warranty which only applies up to completion may not bite.
Accordingly, it may be necessary to consider adjusting warranties to cater for non-compliance which arises from a failure to invest in effective compliance in the period preceding completion, coupled with either a price reduction or money held in escrow (together with a separate, distinct liability cap). In addition, the parties may agree a reduction in price attributable to an estimated cost – perhaps limited to a specific period - of remedying years of failed or insufficient investment in compliance.
Similarly, in restructuring, we’d advise reviewing the relevant data assets and applicable data flows (in and out) are assessed, so as to consider whether it may be necessary to assign or re-locate any data sets or corresponding responsibilities for compliance (or notification with relevant authorities). As part of this, establishing effective data retention will also be important to manage risk and reduce liability.
Data in Joint Ventures
Often in Joint Venture arrangements, the parties to a Joint Venture will inevitably share or need access to each other’s data. Sometimes this may be driven by a commercial opportunity and one of the parties may have access to a particular data set which may be needed by the other Joint Venture partners. Elsewhere, a regulator may have issued a mandatory requirement for suppliers in a specific industry vertical to share and report on certain operational or regulatory audit data. Whatever is the driver, it will be important clearly to set out:
- the purposes for which such data is shared and any limitations around other use,
- how the data may be shared and stored (e.g. by means of a portal to which restricted access is granted - ‘data sharing portal or repository’)
- which party will own IP rights associated with collections of data, which typically expand and evolve over time
- any potential antitrust implications for the proposed data sharing arrangement
- who is responsible for implementing and operation of the data sharing portal or repository
- who is responsible for any regulatory compliance relating to that portal or repository
- how any implementation, operational and associated compliance costs will be borne and shared
- corresponding warranties and indemnities relating to accuracy and rights in the data shared
- return and use of data after the termination of the Joint Venture, including new data obtained by the Joint Venture during its life
Leveraging and managing data assets
Data is just another form of content – and, although it may not be perceived as having quite the same attraction or value as a Hollywood blockbuster, Terry O’Neill photograph or Taylor Swift track, it arguably has a greater value. Like any content licence, consider how best to exploit or limit usage by considering the extent to which any sharing arrangement or restrictive covenant is drafted including:
- any exclusivity
- clear explanation of the purpose(s) for which data is shared
- any restrictions upon onward sharing or usage rights
- ownership and licensing of IP rights
- rights to suspend or terminate data sharing
- what rights there are into and to pre-existing data, secondary or resulting data arising and any associated tools, methodologies or know-how developed
In particular, from a technical and operational perspective, it may also be necessary to de-sensitise any data before it is shared and configure the access and usage rights associated with the corresponding portal or repository, to reflect and manage the terms upon which the data is shared. The parties may also wish to attach certain metadata to the data concerned to help manage tracking and auditing the use of the data, as well as help apportion or calculate and licence revenue or costs incurred as a result.
Carrying out a brief review of applicable licences in and out of various data sets and sources which may be feeding and emanating from a data repository will help inform any licensing or compliance risk and potential opportunities for commercial partnerships.
Competition and antitrust considerations
From a competition perspective, it may be appropriate to draft any such usage terms from the perspective of intellectual property (IP) licensing, rather than as simple contractual restrictions – the reason being that an IP licensing framework may be easier to defend and justify from an antitrust perspective, than a discussion around dividing field(s) of use and segregate particular usage areas and corresponding markets.
We’d always recommend that a competition counsel reviews and considers any data sharing arrangement to seek to identify any potential roadblocks or pitfalls arising.