Due diligence

Typical areas

What are the typical areas of due diligence undertaken in your jurisdiction with respect to technology and intellectual property assets in technology M&A transactions? How is due diligence different for mergers or share acquisitions as compared to carveouts or asset purchases?

Since the target’s technology and intellectual property are the most valuable assets to an acquiring tech company, a thorough and comprehensive due diligence of such assets is essential to ensure future revenue streams and restrict legal actions in the post-merger phase. Such due diligence usually focuses on owned intellectual property, third-party intellectual property, IP disputes and IT assets.

An important feature of the review is analysing the ownership of the intellectual property. Under Belgian copyright law, software is protected for up to 70 years after the death of the author. However, only the form and expression of the idea is protected.

Anyone is allowed to write a program with the exact same functionality, provided that it is based on self-developed source code. The fact that the target company owns the intellectual property in certain software does not mean that it is protected against the copying of the idea. A solution could be found in patenting the software but that method is, in the European context, no guarantee, since there is great disagreement about the patentability of software.

The due diligence should not only focus on the ownership and value of the IP rights, but also - and foremost - on their transferability.

The objective of any intellectual property due diligence audit would be to answer one or more of the following questions about the target’s technology assets:

  • What was the origin of the technology asset?
  • When was the technology asset first conceived and when was the development completed?
  • Who are the people who could claim to be an inventor or author?
  • What types of IP rights might be available to protect the technology asset and have those rights been protected?
  • Has any employee, consultant or other third party used any trade secrets or proprietary technology of others in the development, support, maintenance or enhancement of the technology asset?
  • Does any third party have IP rights that could be violated by past or future uses of the technology asset?
  • Have any offers of licences or assertions of proprietary rights infringement claims been received and is there any litigation pending or threatened?
  • Where consultants or independent contractors have been used to develop the technology asset, have adequate measures and agreements been taken to protect the proprietary interests of the hiring party and to ensure that the hiring party owns the rights to the technology asset?
  • If any portions of the technology asset were purchased or licensed from third parties, what rights were acquired by the technology company? Are there any obligations that, if breached, could result in a reversion of rights back to the third party?
  • Have necessary registrations been made and transfers recorded with the appropriate agency?
  • Has the technology asset been used to secure performance of any obligations or are they encumbered by any security interests or liens?
  • Do third parties hold any licence rights, joint ownership rights or other rights in the technology asset?
  • Is the technology asset substantially similar in function, appearance or coding to the technology asset of others?
  • If proprietary materials and documentation of the company are held in escrow, what are the terms of the escrow arrangement (eg, conditions for release)?
  • Are the technology assets sufficient to operate the licences?
  • Are there any restrictions on the company’s technology assets (eg, exclusive rights of first refusal or negotiation, non-competition, pricing restrictions, no-assignment or change-of-control provisions)?

The answers to these questions may affect the value of the technology asset to be acquired and may determine the decision whether or not to acquire the target company or the technology asset at all.

Another specific area of due diligence that is typically conducted in a technology M&A transaction is privacy and cybersecurity due diligence.

If a target’s data processing activities are not in line with applicable data protection laws, this entails major risks for the buyers. Violations of data protection laws within the European Union are, since the adoption of the GDPR, subject to fines up to €20 million or up to 4 per cent of the total worldwide annual turnover.

Recent high-profile data breaches at companies like Yahoo!, Equifax, Target, Anthem, Uber, Facebook and British Airways have highlighted the risks associated with data security. Data breaches subject companies to significant liability arising from shareholder lawsuits, government investigations, remediation costs and reputational damage. According to Juniper Research, the global cost of data breaches will rise to US$2.1 trillion (€1.8 million) by 2019.

Without sufficiently evaluating whether a target is data protection compliant, buyers risk acquiring a non-compliant business and thus buying into the hazard of serious fines or lawsuits from data subjects.

The only way to understand and mitigate these data protection risks is a comprehensive evaluation of the target. At best, identified non-compliance can be cured prior to closing (eg, by immediate actions of the target curing non-compliant behaviour itself). Where this is not possible or feasible, the identified non-compliance can at least be factored into the risk assessment and valuation in the course of the purchase decision.

For assessing the target’s data protection compliance status, the following documents should be requested by purchasers (or be provided by the seller, respectively) in the due diligence process:

  • a record of processing activities (to verify that all of the target’s processing activities were for lawful purposes and whether the data can be processed for other purposes);
  • relevant data protection documents (eg, privacy notices, guidelines, works council agreements, consent forms, data processing agreements, joint controller agreements and data sharing agreements);
  • IT, data protection and security concept, documentation of technical and organisational measures;
  • an expert session with data protection officers or other informed experts, and possibly the contract, description of tasks and place in the target’s organisational chart of the data protection officer;
  • documentation of data protection-related self-assessment (eg, on a balance-of-interests test);
  • a presentation of data protection organisation and data protection processes (in particular, relating to handling data subjects’ requests or the deletion of personal data);
  • documentation of all personal data breaches and evidence of related communications with the data protection authorities and the data subjects;
  • any data protection impact assessments carried out;
  • proof that IT programs used by the target are GDPR-compliant (human resources, payroll software, monitoring equipment and geolocation equipment);
  • cybersecurity policies and response policies;
  • information on all regulatory or criminal proceedings in relation to data protection issues (eg, correspondence with data protection authorities);
  • information on all other disputes with data subjects (eg, civil claims);
  • supporting documents showing that the target secured all essential rights to commercially use personal data, and whether only for current or also for new purposes (eg, provisions in general terms and conditions, individual contracts, in the supply chain); and
  • data privacy or cybersecurity insurance coverage.

A third area of specific due diligence that may be more relevant in technology M&A transactions involves the IT systems (eg, encryption, restriction of access, passwords, safeguarding of sensitive data). IT systems will include hardware and software. With respect to hardware, relevant due diligence information could include:

  • diagrams of the hardware infrastructure;
  • an inventory of the relevant hardware assets;
  • relevant third-party agreements (eg, vendor maintenance agreements); and
  • possible disaster recovery and business continuity protocols.

With respect to software assets, relevant due diligence could include:

  • an inventory of software used by the target, including information on ownership and licences;
  • agreements related to software assets such as licences, support, maintenance, development, assignment and escrow agreements;
  • documentation, including policies, manuals and information on user access protocols; and
  • active or planned development programmes.

With respect to the IT systems, buyers should check that:

  • they are bug free;
  • they have not had any material security breaches;
  • they have not had any material outages affecting business;
  • they are in fair condition and sufficient for the normal functioning of the business;
  • all necessary licences are in place;
  • the maintenance and support agreements are still running; and
  • adequate IT investments are budgeted to meet the business plan and be compliant.

This due diligence is usually undertaken by the chief information officer of the buyer and his or her team, who should be involved from the beginning of a technology M&A transaction.

A final area of due diligence that may be more relevant in technology M&A transactions relates to websites, webshops and social media assets. Privacy policies, disclaimers, general terms and conditions, supply and logistics agreements, compliance with applicable laws (eg, information obligations, advertising), investigations, complaints and disputes may need to be reviewed.

The focus of the legal due diligence will vary slightly depending on whether the ultimate transaction is an asset or a share purchase. In an asset purchase the buyer will, of course, only focus on the assets it will purchase. While in general the due diligence in an asset purchase transaction is not as demanding as in a share purchase transaction, in a technology M&A transaction special attention will have to be given to the transferability of the intellectual property vested in the sellers’ technology assets (eg, formalities required to transfer intellectual property or no-assignment clauses in licensing agreements) or the transferability of certain data assets that qualify as personal data (eg, legal consent of the data subject with the transfer).

Customary searches

What types of public searches are customarily performed when conducting technology M&A due diligence? What other types of publicly available information can be collected or reviewed in the conduct of technology M&A due diligence?

When conducting technology M&A, the seller usually performs advanced trademark, domain name and patent searches, as further discussed below. This is in addition to standard public searches of publications in the annexes to the Belgian Official Journal, which include details on the appointment and resignation of directors, persons in charge of daily management, members of the management committee and, in some cases, proxy holders (but not shareholders). Further, the company file, which will include the company’s articles of association and other notarial deeds that have been enacted (eg, capital increases), and documents filed with the National Bank (eg, annual accounts, statutory auditor’s report and annual report) should be with the registry of the commercial court.

Registrable intellectual property

What types of intellectual property are registrable, what types of intellectual property are not, and what due diligence is typically undertaken with respect to each?

Benelux trademarks can be registered with the Benelux Trademark Office in The Hague. European Trademarks can be registered with the EU Intellectual Property Office in Alicante (Spain). There is no separate Belgian trademark regime.

Patents can be registered with the Patent Section of the Intellectual Property Office of the Ministry of Economic Affairs or with the European Patent Office.

Benelux models and designs can be registered with the Benelux Models and Designs Office in The Hague. European models and designs can be registered with the European Union Intellectual Property Office in Alicante. There is no separate Belgian models and designs regime. For European models and designs, there is a separate mechanism in which no registration is required. Protection under this unregistered mechanism is, however, limited (up to a maximum of three years) and is subject to extra conditions.

Domain name registrations are not technically IP rights but are often addressed alongside IP registrations and applications. Belgian domain names can be registered with DNS Belgium. Top-level domain names can be registered with a whole range of international authorities.

In Belgium, copyright protection arises automatically as the work is created and published. No registration is required (or even possible). The same is true for trade secrets and know-how.

For intellectual property that can be registered, the seller will usually conduct a worldwide search through appropriate databases or with the assistance of specialised IP offices. In addition, due diligence is conducted on the documents made available by the seller to the buyer, such as applications, licences and litigation files. With respect to unregistered intellectual property, such as copyright, know-how and trade secrets, buyers review all employment and third-party contractor agreements (including development contracts, confidentiality agreements and non-disclosure agreements) to make sure they include proper confidentiality and invention assignment clauses. Often, IP due diligence cannot be conducted by lawyers alone, as it is not always apparent from the legal documents whether the IP protection is strong or weak, whether it is sufficient to operate the target’s technology and whether other companies use similar intellectual property.

Liens

Can liens or security interests be granted on intellectual property or technology assets, and if so, how do acquirers conduct due diligence on them?

With the increasing prominence of intellectual property as a balance sheet asset, it is common for lenders to include intellectual property as collateral in secured debt financing. Thus, the buyer needs to determine if the target has granted any liens or security interest on specific IP assets.

The most common types of intellectual property over which security is granted are patents, trademarks, designs and models. Such rights qualify as intangible movable assets under Belgian law.

Traditionally, it was debated among legal scholars whether it is possible to create a valid possessory pledge on intellectual property under Belgian law.

However, following the entry into force of the new Belgian act on security interests on movable assets on 1 January 2018, it is now possible to create a non-possessory registered pledge over intellectual property, to the extent that the pledge act is not contrary to other legal provisions in which such pledge rights are regulated specifically.

A non-possessory registered pledge will be perfected by registering the pledge in the national pledge register (which is a public, online register). Such registration remains valid for 10 years. Upon release of the pledge, it should also be removed from the pledge register.

However, if any specific law imposes additional perfection requirements for certain IP rights, it is recommended to comply with such additional requirements as well. For example, certain pledges must also be notified to, or registered with, the relevant IP authorities or registration offices to become effective against third parties.

Under the new rules, it is (in theory) also possible to create a non-possessory pledge on software and source codes (to the extent such rights are transferable). Given that the pledge register is a public register, it is not recommended to register the source code in the pledge register. A generic description (eg, ‘all kind of software and source codes developed by the pledgor’, or a general description of the software without revealing the source code) is also allowed, as long as the object of the pledge is sufficiently determined or determinable.

When conducting a due diligence, it is recommended to perform a search in the national pledge register, but also in the relevant IP registers.

Employee IP due diligence

What due diligence is typically undertaken with respect to employee-created and contractor-created intellectual property and technology?

When performing due diligence on a target company, the following documents are to be screened for specific clauses (secrecy or confidentiality clauses, IP clauses, etc) to assess the ownership and assignment of the IP rights of the target company:

  • with respect to its employees: individual employment contracts (or covenants thereto), work regulations, codes of conduct, policies, any document holding unilateral instructions, guidelines, approvals or waivers pertaining to IP rights (notices, brochures); and
  • with respect to its contractors: service or consultancy agreements (or covenants).

Belgian employment law also provides two types of protection for company secrets (including intellectual property):

  • workers are forbidden from divulging any company secrets that they may learn during their professional activity. This ban is imposed on workers during and after the employment contract. Violating this obligation is considered misconduct and may lead to the immediate dismissal of the worker (article 17 (3) of the Act of 3 July 1978 on Employment Contracts); and
  • a worker who divulges an industrial or fabrication secret may also commit a criminal offence, which is punishable with imprisonment and a fine (article 309 of the Belgian Penal Code), although this is rarely applied.

The Belgian Code of Economic Law (articles XI.336/1 to XI.336/5) defines company secrets as information that is secret (ie, not publicly known or not easily accessible); has a trade value; and is subject to reasonable measures to maintain its secrecy (contractual clauses, physical or virtual safety measures, etc).

Depending on the nature of the activity of the employer (principal) and the type of industry, the employment contracts or the service agreements customarily contain specific IP (transfer) clauses.

A distinction must be made between moral and patrimonial rights:

  • moral rights (eg, the right to be named as author or the right to claim or refuse the paternity of an invention): for employee-created intellectual property or technology, these rights always belong to the employee and are not transferable; and
  • patrimonial (economic) rights (eg, the right of reproduction or use of the intellectual property or technology) can be transferred to the employer.

Patent

The employer and the employee are free to set forth any IP rights transfer clauses in the employment contract (or in a separate agreement). Except where an agreement expressly states otherwise, an invention is understood as follows:

  • a work invention: invention developed within the worker’s attributions, as described in his or her job description and while using the resources of the employer (such invention is owned by the employer);
  • a free invention: invention made by the employee on his or her own, with his or her own means and outside his or her attributions (such invention is owned by the employee); or
  • a dependent invention, such as:
    • an invention of hybrid or mixed type; or
    • an invention made by an employee outside the performance of an employment contract but using company resources; this is mostly considered to be owned by the employee, although this is disputed in case law.

It is recommended to insert a clause in the employment contract that the employer will own such inventions and will be entitled to file for patent protection, possibly with a compensation method for the employee.

Similar language will be required in contracts with independent contractors. Failing that, any inventions made by independent contractors will be owned by them.

Trademark

Trademarks always belong to the natural person or legal entity on behalf of which the trademark is registered. Any transfer must be agreed in writing and registered with the relevant trademark office.

Computer software and databases

Under the Belgian Code of Economic Law (articles XI.187 and XI.296) there is a legal presumption of transfer of IP rights on the computer software and databases to the employer if the software or database is created during the execution of the employee’s functions or following the employer’s instructions, unless otherwise agreed.

Transferring licensed intellectual property

Are there any requirements to enable the transfer or assignment of licensed intellectual property and technology? Are exclusive and non-exclusive licences treated differently?

In some cases, the technology or IP assets to be acquired in a technology M&A transaction will be subject to certain contractual provisions that either limit the buyer’s ability to exploit those assets or the intellectual property as expected, or prevent any transfer of the technology assets or intellectual property altogether. The following are the most common examples of scenarios leading to these unfortunate results:

  • the target company has granted a third party a licence to use its intellectual property and:
    • the licence is exclusive with respect to a particular field of use or territory, precluding the buyer from exploiting the intellectual property in overlapping fields of use or territories that may be key to the buyer’s business; or
    • the licence is non-exclusive, but grants the licensee either an option to convert to an exclusive licence or a right of first refusal in the event of a pending acquisition; or
  • the target company has licensed certain IP assets from a third party, and:
    • the licence grants only non-exclusive rights to the target, leaving open the possibility that competitors will hold or be able to obtain a licence to the same intellectual property, which the buyer may deem critical to the ongoing business;
    • the third-party licensor has retained the exclusive right to use the intellectual property within a particular field or territory;
    • the licensed rights do not include the right to any improvements or enhancements of the licensed intellectual property that would permit the licensor or third-party licensees of the licensor to develop new versions of the intellectual property and compete with the buyer;
    • the governing agreement requires continued payment of licence fees or royalties that will be the buyer’s obligation post-acquisition;
    • the licence terms do not allow for sublicensing of the intellectual property, which may be critical to the buyer’s intended business model; or
    • the licence terms expressly prohibit assignment of the licence to the buyer.

It is, therefore, important to scrutinise all of the target company’s agreements pursuant to which an IP licence is granted to or from a third party, focusing, in particular, on terms governing assignability and exclusivity, and to determine if any third-party consents or waivers must be requested as pre-closing conditions.

With respect to transferability, the intellectual property or technology licence agreements can either contain a no-assignment or a change-of-control clause. A no-assignment clause usually prohibits the licensee from assigning any of its rights under the licence agreement except with the prior written consent of the licensor and is usually triggered when there is an asset deal but not when there is a share deal. A change-of-control clause usually gives the licensor the right to terminate the licence agreement in the case of a change of control, and is usually triggered by a share deal but not by an asset deal. Usually, the buyer will require a written waiver or consent of the licensor as a pre-closing condition.

When there is a share deal and nothing is foreseen in the licence agreement, the licence agreement usually remains valid and no formalities must be fulfilled.

When there is an asset deal and no no-assignment clause is foreseen in the licence agreement, the licensed intellectual property or technology can, in principle, be transferred by means of a written assignment agreement. Except in the case of copyright and know-how, the assignment must also be registered with the relevant agency:

  • trademarks: the Benelux Trade Mark Office in The Hague or with the Trade Marks Section of the Intellectual Property Office of the Ministry of Economic Affairs;
  • patents: the Patent Section of the Intellectual Property Office of the Ministry of Economic Affairs or the European Patent Office; and
  • models and designs: the Benelux Models and Designs Office in The Hague or with the Models and Designs Section of the Intellectual Property Office of the Belgian Ministry of Economic Affairs.

Whether a licence agreement is exclusive should not change the treatment except that exclusive licences will more likely include no-assignment or change-of-control clauses and almost always require consent of the licensor with the assignment (asset deal) or change of control (share deal).

Software due diligence

What types of software due diligence is typically undertaken in your jurisdiction? Do targets customarily provide code scans for third-party or open source code?

First of all, the buyer should investigate the seller’s rights in any proprietary software included in the purchased technology assets, particularly if the purchased software includes software that the seller licenses or distributes to customers, and software licensed from third parties that is not readily replaceable or is costly to replace.

For software created by or for the seller and included in the purchased assets, the buyer should confirm that all relevant rights have been assigned to the seller and can be conveyed to the buyer. In particular, if the software is created by a non-employee, it is important that all rights are expressly assigned to the seller.

For software licensed to the seller by third parties and included in the purchased assets, the buyer should ensure that the rights licensed in to the seller are consistent with the rights the seller has licensed to its customers or other third parties. In particular, the buyer should confirm that, if the licensed rights are terminated, the applicable licences permit the buyer’s customers to continue using the licensed software; and the buyer continues to have the right to provide its customers with maintenance and support.

Further, for material third-party software licensed to the seller and included in the purchased assets, the buyer should determine whether the seller is either in possession of a copy of the source code or party to a source code escrow agreement.

A source code escrow agreement gives the licensee access to and the right to modify the licensor’s source code on the occurrence of certain conditions (for example, if the licensor enters bankruptcy or ceases operation and cannot continue providing maintenance and support).

Finally, it is customary for the buyer to ask the seller to show that the company understands the open source applications it uses and to ask to document how open source is used within the target and its products. Relevant due diligence information could include:

  • policies and procedures;
  • code reviews;
  • ‘copyleft’ and similar open source usage; and
  • attribution and notice requirements.

Best practices for a growing number of companies involved in a technology M&A transaction include an independent code audit whenever software is a significant part of the deal. Indeed, more and more firms are realising that an open source code audit should also be part of their overall due diligence process, as in modern software development code is rarely written from scratch. Custom code now often comprises only 10 to 20 per cent of many applications, with the remainder being previously developed code, third-party code and, increasingly, open source code as the core foundation for applications. In fact, it appears that about 95 per cent of code bases contain undisclosed open source. Open source code may come with legal obligations, set out in its licence agreements, that attach to the usage of that code. There may also be security vulnerabilities within the code as well as operational risks such as versioning and duplications. Software audits make it possible to identify open source code and third-party components and licences and may make it possible to mitigate potential legal, operational and security issues. The software audit is mostly undertaken by the buyer, but can also be undertaken by the seller as part of its vendor due diligence to give assurance that it can give the strict IP representations and warranties that are usually required or can mitigate certain risks.

So, buyers must carefully review whether the target has combined open source with proprietary software in a way that requires the software to be made publicly available under the open source licence and evaluate the third-party code. Indeed, open source software licences can be important in a proposed transaction as they may dictate the terms on which software derived from such open software is licensed to third parties. If the buyer is expecting to use the target company’s technology exclusively, then discovering that the technology incorporates software that is subject to free-use rights could be a deal-breaker.

Other due diligence

What are the additional areas of due diligence undertaken or unique legal considerations in your jurisdiction with respect to special or emerging technologies?

The focus of the approach of the due diligence set out above is on a more ‘traditional’ information technology environment. Information technology is increasingly being acquired as ‘software as a service’ or in the context of cloud computing and where a target engages or makes use of such services, this category of agreements will require separate and careful consideration. When acquiring or merging with a provider of cloud applications, platforms or infrastructure in the cloud, special attention should be paid to issues such as the ownership of the data or applications run in the cloud, compliance with mandatory rules with respect to international data transfers, exit possibilities, etc.

Machine learning, deep learning, neural networks and other forms of artificial intelligence are often already an integral part of a target’s business operations when conducting technology M&A. When conducting the due diligence and drafting M&A documentation in relation to an artificial intelligence (AI) company, buyers should give special attention to IP protection of data sets and algorithms (eg, copyright, trade secrets and patents), ownership of intellectual property developed by AI, ownership of content generated by AI, licensing issues, liability issues, and regulatory, privacy and cybersecurity issues. Attention should be paid to the developments at the European Commission, which has created a Coordinated EU Plan on Artificial Intelligence so that Europe can become a world leader in this technology, but with AI based on ethics and European values.

Internet of things (IoT) devices often contain components of different manufacturers. They are often low-priced devices with low levels of security. So, when acquiring manufacturers or operators of IoT devices, buyers should properly review liability, intellectual property, privacy, IT security and consumer protection (such as the new digital sales rules) issues. However, IoT could also raise additional environmental (eg, waste management) or health and safety issues.

Key technologies relating to autonomous or semi-autonomous driving include automated automotive technologies, collision avoidance technologies, artificial intelligence and machine learning, and others. When acquiring companies in this field, sellers should focus on the ownership of these technologies (eg, patents, trade secrets), ownership of data, regulatory issues (eg, government authorisations, test results) and insurance.

If a target is involved with big data, the seller should, during its due diligence, prioritise the following areas of the target’s business operations related to information and its related risks and liabilities: data privacy, data security, information governance, regulatory inquiries and insurance policies covering information-related topics (including data breach and infected system issues).