During the past few years, data privacy and cybersecurity concerns have risen from the depths of being an industry and deal-specific concern to requiring consideration in every deal. While sufficiently complicated in any given jurisdiction, increasingly global deals are forcing buyers and sellers to confront these issues directly commencing at the deal-structuring stage, through diligence, ultimate risk allocation and post-closing integration activities. Recent years have only solidified the recognition and importance of these issues as developments in the data privacy landscape have made front-page news, ranging from high-profile enforcement actions in the early years of the European Union’s General Data Protection Regulation (GDPR) to the effectiveness of the California Consumer Privacy Act (CCPA).

Regulatory and legal developments

Whether the consequences are primarily reputational or felt immediately at the negotiating table, the upshot remains that all parties to a deal must be cognisant of the implications of an evolving data security and privacy landscape. One of the most anticipated and influential data security and privacy regulations to date, the GDPR, came into effect on 25 May 2018 in the EU and has changed the compliance landscape with its extraterritorial scope, weighty obligations and significant penalties. In the United States, while holistic data security and privacy regulations have been slow to emerge at the federal level, states such as California have been aggressive in leading the way with broad legislation similar to that in the EU, with more proposals at the state-level following close behind. Additionally, other international regulations continue to come into force, such as the Lei Geral de Proteção de Dados in Brazil, which has echoes of aspects of the GDPR, or the Personal Data Protection Bill introduced in India in December 2019.

California’s Consumer Privacy Act of 2018

Unlike the EU, the US has not yet implemented a comprehensive, federal data security and privacy regulatory framework. Recent trends, however, have seen states take the lead on enacting significant legislation that impacts corporations looking to conduct business within certain jurisdictions or with citizens of those jurisdictions. One such instance was the CCPA’s enactment in 2018. The CCPA provides many consumer protections and compliance obligations reminiscent of the GDPR and adopts a particularly broad definition of ‘personal information’ that sweeps in any information of any California resident that ‘identifies, relates to, describes, is reasonably capable of being associated with, or that could reasonably be linked, directly or indirectly, with a particular consumer or household’. However, the CCPA does provide exclusions for publicly available information (subject to certain restrictions), as well as for de-identified or aggregate consumer information that cannot reasonably be linked to the underlying individual or household.

The CCPA came into effect 1 January 2020, and the California Attorney General’s enforcement power came into effect July 2020. The CCPA provides, among other things, certain ‘rights to be forgotten’, including the requirement that businesses must delete personal information upon request if such information is not necessary for a specific business purpose, legal compliance, or other expected internal uses. The CCPA also establishes a consumer right to request from businesses details about collected information, the purpose for such collection and third parties with whom the information has been shared. Furthermore, a consumer may request that businesses provide disclosures regarding sale of consumer data as well as an opt-out from such sale without discriminating against those who exercise the option.

While the CCPA has scope limitations, the breadth of the law reaches large international entities with exposure to California residents and researchers have estimated that it applies to more than 500,000 companies in the US alone. The CCPA provides exemptions for entities subject to Health Insurance Portability and Accountability Act of 1996 and data subject to certain other legal regimes. The California Attorney General submitted proposed final regulations under the CCPA for regulatory review on 1 June 2020, which provide some clarification on best practices for businesses’ compliance with the CCPA, including how required notices and responses to consumer requests should be handled.

Non-compliance with the CCPA presents a severe risk to businesses. The CCPA provides a private right of action for California residents who have been affected by a data breach, whether individually or through class actions, with statutory penalties between $100 and $750 per individual per incident or injunctive or declaratory relief without a requirement for the individual to prove actual harm. The California Attorney General is also empowered under the CCPA to pursue enforcement against business for penalties of up to $7,500 for each intentional violation of the CCPA. Additionally, penalties of up to $2,500 may be imposed for any violation of the CCPA which has not been cured within 30 days of notice of any alleged non-compliance. The CCPA is not clear regarding whether each violation, as used in calculation of damages for the California Attorney General, is on a per individual per incident basis or simply a per incident basis. Instruction based on early civil enforcement actions or an amendment to the law or further regulatory guidance on this distinction will be crucial in evaluating a business’s risk of non-compliance.

The contours of data privacy legislation in California may change again in the coming year, as California voters will have the opportunity to vote on the California Privacy Rights Act, a ballot initiative that would expand consumer’s data security and privacy rights and businesses’ related obligations under California law.

The EU’s GDPR

The GDPR became effective on 25 May 2018. The GDPR governs the processing of personal data by data ‘controllers’ and ‘processors’. A data controller is a person or entity who determines the purposes and means of the processing of personal data. A data processor is a person or entity who processes personal data on behalf of the data controller. Under the GDPR, the terms ‘processing’ and ‘personal data’ are defined broadly enough to capture essentially any activity performed on data related to an individual. Specifically, the definition of ‘personal data’ covers ‘any information relating to an identified or identifiable natural person (‘data subject’)’ and ‘an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’. Processing of personal data subject to the GDPR must be done lawfully, fairly and in a transparent manner and personal data may be collected only for a specified, explicit and legitimate purpose.

Among other operational, contractual, governance and notification obligations on data controllers and processors discussed below, the GDPR provides that controllers must implement ‘appropriate technical and organisational [security] measures’ for data protection and may use only processors who provide ‘sufficient guarantees’ to implement such measures. The GDPR also provides data subjects with certain rights with respect to their personal data, including, among others, the right to demand prompt erasure of any personal data collected (the ‘right to be forgotten’), the right to withdraw consent for or object to the processing of personal data, the right to restrict processing of personal data and the right to obtain the identities of third parties to whom their personal data is being disclosed. Following the end of the current transition period on 31 December 2020, potential changes may apply to businesses in the UK. While the GDPR will be retained in domestic UK law, the ‘UK GDPR’ will operate as a separate regulatory framework, so any violations under the GDPR may also trigger separate regulatory actions and penalties in the United Kingdom.

Complying with data transfer requirements

The various data security and privacy regulatory regimes upped the ante with respect to the technical measures companies need to implement for compliance purposes as well as the rights afforded to consumers whose data has been collected. In addition to these obligations, one of the most impactful trends when it comes to M&A has been data transfer restrictions, in particular in the EU, China, Russia and certain other jurisdictions. To the extent that a target has activities in those jurisdictions, appropriate consideration will be due with respect to whether personal data in those jurisdictions can be transferred out of the jurisdiction at all, potentially complicating business consolidation goals.

For example, under the GDPR in the EU, personal data can generally be transferred out of the European Economic Area only if the recipient jurisdiction has been deemed adequate by the European Commission. Absent such a determination (which the US has not obtained), another appropriate safeguard or derogation will be required and may complicate the data transfer process. The EU-US Privacy Shield, a data protection framework that was designed to permit transfers of personal data out of the EU into the US, passed an annual review by the European Commission in 2019, but was invalidated by the Court of Justice of the European Union on 16 July 2020. The court’s opinion also created uncertainty around the continued viability of the Standard Contractual Clauses with respect to transfers of personal data from the EU to the US. Additional guidance from EU regulators is forthcoming and this will be a closely watched topic in the coming months. Additionally, after the end of the transition period on 31 December 2020, sufficient safeguards or derogations may be required for transfers from the European Economic Area to the UK. Impermissible transfers are subject to the higher tier of fines under the GDPR, up to the larger of 4 per cent of global annual revenue or €20 million.

Impact on M&A transactions

For a well-advised purchaser or seller in an M&A transaction, the evolving landscape of data security and privacy necessitates understanding the impact these regulatory regimes have on risk allocation, structure and business flexibility.

In particular, parties to an M&A transaction need to be mindful of:

  • the extended jurisdiction of the GDPR which encompasses companies with establishments in the EU as well as companies, regardless of domicile, that process the personal data related to the offering of goods or services to data subjects in the EU;
  • the risk of substantial fines under the GDPR based on global revenue that increases the importance of conducting thorough due diligence on a target’s compliance with data protection laws; and
  • transaction structuring and risk-allocation mechanisms that should expressly contemplate data protection to ensure compliance, and allocate the risk of non-compliance, with the GDPR, CCPA and other data protection regimes.

Due diligence

Purchasers and investors should first consider whether the target’s data processing is subject to the GDPR or the CCPA.

Under the GDPR, processing of personal data is defined broadly to include nearly any act that is performed on personal data, including collection, organisation, storage, use and even the destruction of personal data. The GDPR covers processing of personal data that (i) occurs in the context of the activities of an establishment in the EU; (ii) is related to the offering of goods or services, regardless of whether payment is required, to individuals in the EU; or (iii) is related to the monitoring of individuals’ behaviour in the EU. The ‘offering of goods or services’ may be broadly construed and depends on ‘factors such as the use of a language or a currency generally used in one or more member states with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the [European] Union’. According to the UK data protection authority, the UK government intends that the UK GDPR (as retained in domestic law) will effectively continue to apply with the same scope as the GDPR. As a result, the GDPR may apply to companies that do not have substantial EU (or UK-based) activities and have not previously focused on EU/UK data privacy laws.

The CCPA applies to certain businesses that collect personal information from California residents, who are defined as ‘consumers’ under the CCPA. For purposes of the CCPA, a ‘business’ is any for-profit legal entity that:

  • does business in California;
  • collects, or directs others to collect, consumers’ personal information and determines the purposes and means of processing of consumers’ personal information; and
  • has annual gross revenues in excess of US$25 million;
  • annually buys, sells or otherwise commercially processes the personal information of at least 50,000 consumers, households or devices; or
  • derives 50 per cent or more of its annual revenues from selling consumers’ personal information.

An entity’s obligation to comply with the CCPA flows to majority-owned subsidiaries or parent companies with common branding, even if those entities do not independently meet the qualifications of a ‘business’ under the CCPA. As a result, evaluating whether a particular target is subject to the CCPA may require consideration of the activities of its subsidiaries or parent companies. A business and a consumer do not need to engage in a commercial transaction for the business’s collection of that consumer’s data to come within the purview of the CCPA, so data intermediaries, partners and service providers may also be subject to the CCPA.

Practice tips

  • Do not rely on the target’s explanation that it does not have material EU operations. Go beyond diligence questions and investigate the company’s online presence, including whether visitors to the target’s website from the EU are provided with local language or shipping options.
  • If the target appears to be subject to the GDPR, consider whether the purchaser will have access to personal data as part of diligence or in the data room. If so, the purchaser could be subject to the GDPR as well and non-disclosure agreements may need to be tailored accordingly. Unless necessary, some purchasers may prefer to affirmatively exclude any personal data from the data room or diligence process to avoid being subject to the GDPR.
  • Look beyond the target’s customer-facing business to consider possible obligations under the CCPA. While the CCPA includes a one-year exemption with respect to certain employee rights and related employer obligations, businesses’ obligations under the CCPA with respect to personal information of California employees, contractors or candidates will become effective in January 2021, so prudent businesses are considering these requirements now. Additionally, the current exemption does not excuse companies from certain notice obligations or potential liability in the event of certain types of breaches. Therefore, even a target that does not commercialise consumer data may still be subject to the CCPA if it collects routine human resources data about Californian employees, contractors or candidates. As a result, similar notice and consumer rights obligations may currently apply with respect to a target’s employees, contractors and candidates, and a target may be asked to demonstrate its efforts to comply with all CCPA obligations in connection with such data as of January 2021.
  • For sellers, anticipate purchaser GDPR and CCPA questions and consider practicing diligence responses with outside counsel to pre- pare for calls. Given the uncertainties regarding interpretation and enforcement, perfect confidence in GDPR compliance is unlikely to be expected, but being able to conversantly discuss the topics will give purchasers comfort that the issue is being thoughtfully considered.

To the extent that a company may be subject to the GDPR or the CCPA, a purchaser may need to re-evaluate and re-orient the target’s data processing activities after the transaction. Such a review may look into the process by which the company obtains ‘freely given, specific, informed and unambiguous’ consent from individuals, the company’s use of the data and whether it is consistent with the GDPR’s data processing principles, and the support of data subjects’ rights (including the right to access, rectification, erasure – the ‘right to be forgotten’ – and portability). Post-closing review may also include consideration of the company’s mechanisms in place to respond to consumer requests under the CCPA. Additionally, under the GDPR and CCPA, companies must maintain records of their data collection and processing activities relating to persons protected by the regulations, including the purposes of the processing, a description of the categories of data subjects and personal data, the categories of recipients, duration of processing, third-country transfers and general descriptions of the applicable technical and organisational security measures.

Practice tips

  • The target’s records of processing activities will often be a good starting point to approach the key questions, including: Whose personal data is being processed? What kind of personal data is being processed? For what purpose? For how long? Is data transferred to other parties? Is data transferred out of the EU? What security measures are in place?
  • If the target is subject to the CCPA, consider whether it has adequate mechanisms to track consumer requests and separate databases of personal information to segregate personal information that cannot be sold. Following the processing of a consumer’s opt-out request, a business may not request subsequent authorisation to sell personal information for at least 12 months.

Careful diligence should be conducted on the target’s contracts with third parties that are processing data on its behalf. Amendments may be necessary to conform to requirements under either the GDPR or the CCPA that such contracts contain specific provisions relating to the processing of personal data. Under the GDPR, transfer of personal data outside the EU may typically be made only to countries where the European Commission has determined that the country has an adequate level of protection for personal data. Absent such an adequacy determination (and the US has not been deemed adequate), transfers may be made only on the basis of implementation of appropriate safeguards; or enumerated derogations. Diligence should be conducted with a focus on the existence of such transfers of data outside the EU (which, in the case of a US target, may be likely absent local servers) and the applicable justifications for such transfers. Under the CCPA, a business that receives a consumer’s request to delete personal information may be obligated to direct third party service providers, including data processors, to delete that consumer’s personal information from their records. Consideration should be given to whether a target’s contracts with service providers allows the target to comply with this obligation.

In addition to heightened obligations regarding the processing of personal data and responding to consumer requests, the GDPR and CCPA also impose affirmative requirements for companies to implement appropriate technical and organisational measures to ensure a level of data security appropriate to the risks presented by the nature, scope, context and purposes of the company’s data processing (or penalties for a lack hereof). Under the GDPR, companies must ensure such measures are taken by a company’s third-party processors as well.

The GDPR institutes the strictest data breach notification obligations of any generally applicable cybersecurity law. Companies must notify their ‘competent supervisory authority’ ‘without undue delay and, where feasible, not later than 72 hours’ after becoming aware of a data breach. For particularly egregious breaches, a company may also be required to notify the affected individuals. Whether notification is required or not, the company is required to maintain a breach register and document all breaches – the related facts, effects and remedial actions taken – subject to verification by the supervisory authority. During diligence, requesting a copy of the target’s breach documentation is prudent. If the target does not maintain a record of breaches then it may be operating in violation of applicable law and further diligence may be required to identify whether the target has suffered data breaches that may present future regulatory or litigation risk. Breach-related documentation may also be scrutinised for insight into the target’s data breach remediation procedures and approach to risk management and compliance. While the CCPA does not include any data breach notification obligations – though the CCPA allows for private actions for damages from data breaches, as discussed below – companies subject to the CCPA may be subject to California’s breach notification law, which requires companies to notify individuals affected by a breach ‘in the most expedient time possible and without unreasonable delay’.

Practice tips

  • GDPR compliance will not be satisfied – or considered properly covered by due diligence measures – by a check-the-box approach. Request a copy of the company’s latest data map. The company will need to be able to provide it to a regulator on short notice and if it does not have one ready it may be a sign of an overall lax approach towards compliance.
  • Companies outside of the EU may benefit from building direct relationships, typically through their data protection officer, with appropriate data protection authorities in the EU to facilitate a smoother notification process, as a single data breach may trigger notification obligations in the US as well as the EU.
  • With the rise of remote working practices, evaluate whether the target has evaluated impacts of a shift in working practices (and any corresponding increase in data security threats) on its data security procedures and practices. A failure to appropriately revise such procedures and practices may expose a business to additional regulatory scrutiny, or private actions under the CCPA, as a result of data breaches.
  • For sellers, pre-empt onerous document requests by proactively providing high-level summaries of the target’s personal data practices.

Non-compliance with the GDPR and the CCPA presents a serious risk. Both regimes provide for regulatory enforcement, while the CCPA’s private right of action is limited to data breaches.

Relevant data authorities are empowered under the GDPR with broad investigatory and corrective powers. These include the power to compel companies to provide whatever information may be required to evaluate compliance with the GDPR and conduct data protection audits, including obtaining access to a company’s premises. The corrective powers include injunctive relief (including modifying a company’s data processing processes, forcing a company to provide notice of a data breach to a data subject or imposing a temporary or permanent ban on data processing) and the ability to impose administrative fines. Administrative fines under the GDPR are not merely compensatory for loss suffered by a data subject, but are rather structured to be ‘effective, proportionate and dissuasive’. The GDPR provides limits to the administrative fines of up to the greater of €20 million or 4 per cent of global annual revenue for violations of core substantive requirements (including with respect to the GDPR’s principles for processing, conditions for consent, data subject’s rights, and international transfers of data). For more procedural violations, there is a lower threshold of the greater of €10 million or 2 per cent of global annual turnover. As noted above, additional attention should be paid to the ongoing enforcement of the GDPR in the United Kingdom, as the ‘UK GDPR’ may operate as a parallel enforcement regime alongside the GDPR following the end of the transition period on 31 December 2020, and violations of the GDPR may, therefore, trigger fines or other penalties by UK regulators as well as other European bodies.

The CCPA provides for enforcement by the California Attorney General for any violation of the CCPA. The California Attorney General may bring actions for an injunction and civil penalties of up to $2,500 for each violation, or up to $7,500 for each intentional violation, after a 30-day notice and cure period. In addition, as previously noted, the CCPA provides a private right of action for consumers whose non-encrypted personal information is subject to an unauthorised access or disclosure as a result of a business’s failure to implement and maintain reasonable security practices. Among other forms of relief, after a 30-day notice and cure period, a plaintiff may seek to recover damages valued at the greater of actual damages or statutory damages, which range from $100 to $750 per consumer per incident depending on the nature of the violation and the defendant’s assets, liabilities and net worth.

Even two years after the GDPR’s implementation, and as observers watch for regulatory and private enforcement under the CCPA, business and legal communities are still evaluating trends in global enforcement actions. While not all fines levied in the first two years of the GDPR reached its size, perhaps the most newsworthy penalty determined in the first year of GDPR enforcement was the January 2019 €50 million fine imposed by the French National Data Protection Commission against Google. This was followed in 2020 by fines proposed by the UK Information Commissioner’s Office against British Airways and Marriott International, of £183 million and £99 million, respectively. These demonstrated the possible magnitude of the penalties under the GDPR. While private actions under the CCPA could be brought beginning in January 2020, and regulatory enforcement actions may soon be instituted, it remains to be seen how penalties under the CCPA will be implemented by private and regulatory actors.

Practice tips

  • Investigate the company’s history of cooperation with data privacy regulators in the EU, and its past handling of data breaches. A history of regulator cooperation may help mitigate future fines.
  • Carefully probe the company’s personal data retention practices with an eye towards confirming that the company only retains personal data as necessary.
  • Investigate the target’s mechanisms to process data subject requests. Additionally, consider the target’s past handling of data breaches as an indication of the level of risk that the target presents.

Valuation considerations

Should the GDPR or CCPA regimes apply, consider: (1) how consistent the valuation model is with the scope of the company’s ability to use its personal data; (2) the potential costs to bring the business into compliance with legal obligations from an operational, contractual and governance perspective; and (3) reputational and financial risks associated with non-compliance with the GDPR or the CCPA. While both the GDPR and the CCPA provide for  the use of personal information, the laws’ constraints may impact a target in different ways. 

Considering first the GDPR, one of the law’s core principles is the purpose limitation, which binds companies to the specified, explicit and legitimate purposes communicated to data subjects when their personal data is collected. Further processing beyond the original communicated purposes is allowed only to the extent that such processing is not incompatible with the original purpose. If the purchaser’s or investor’s valuation model relies on different or expanded use of the target’s database of personal data, a purchaser may need to communicate a new privacy statement to each data subject and, in certain instances, obtain affirmative consent to be compliant. The cost and time associated with this exercise may impact the purchaser’s business plan as the GDPR may require affirmative consents that may not be satisfied by, for example, simply updating a privacy policy on a website.

The CCPA does not contain a purpose limitation in line with that of the GDPR, but it does provide consumers with a right to opt out of the sale of their personal information and a right to be forgotten through the deletion of personal information previously collected or shared with service providers. If the purchaser’s or investor’s valuation model relies on the continued use of existing databases of personal information, the model should reflect the risk that a portion of California consumers may request the deletion of their personal information or may opt out of future collection. Purchasers and investors should also consider whether a target’s operational model feasibly allows the business to stop selling or sharing data upon a consumer’s request.

Practice tips

  • Push financial modellers on their models and assumptions and communicate personal data-related assumptions to legal and business teams to focus on during diligence.
  • For sellers, update privacy policies or obtain appropriate consent before the transaction to ensure that the company’s database of personal data may be transferred in connection with a merger or similar transaction.

The implementation of certain operational, governance and contractual measures prescribed by the GDPR and CCPA, including those described above, may impose additional financial costs. For instance, in a scenario where the acquisition expands the data processing activities of the target to constitute large-scale, regular and systematic monitoring of data subjects, the appointment of a data protection officer may be required under the GDPR. Under the GDPR, the company may also need to implement extensive documentation processes and conduct data protection impact assessments. The CCPA requires the implementation of California-facing privacy notices and mechanisms through which consumers can submit requests to the company. These requirements would be in addition to the obligation to amend the company’s existing contractual arrangements with third parties (which beyond the diversion of resources may require additional consideration) and the implementation of appropriate data protection measures. The total costs of such measures could be significant.

Practice tip

  • The diligence gap analysis should include a review of technical cybersecurity and physical security operations as well as an appreciation of the headcount of the company’s data privacy compliance function. IT upgrades can be a significant expense and, if the compliance function is understaffed, additional resources may be required.

Non-compliance with the GDPR and the CCPA risks severe financial and reputational harm. As discussed above, administrative fines for non-compliance with both laws can be punitive, and the indirect costs of dealing with a data breach can also be significant, involving potentially huge damages awarded to private plaintiffs under the CCPA, as well as third-party costs of investigation and remediation (and may involve notifications and credit monitoring, where applicable). Reputational harm associated with a data breach can be even more problematic for companies that rely heavily on consumer trust.

Practice tips

  • Nearly every company faces actual or attempted data security breaches with regularity. For example, the UK data protection regulators report that about 14,000 personal data breach reports were submitted from 25 May 2018 to 1 May 2019. The more important question is whether the target company is aware of these attempts and taking measures to ensure its data is as secure as reasonably possible. Do not limit diligence to the target’s legal staff; also speak with the Chief Information Officer regarding penetration testing, patch and logging procedures, and the target’s information security and breach response plans. Consider whether the target has received any notices for CCPA violations that were subsequently cured.
  • For sellers, if the company has a history of data breaches, carefully summarise the scope of the breaches, the company’s responses and any material impacts on the business.

Acquisition agreements

Prudent purchasers and investors are factoring GDPR and CCPA compliance into their acquisition agreement structuring and risk allocation mechanisms. If the transaction is structured as an asset purchase, particular care will be needed to determine whether the transfer of the target’s databases itself may violate the GDPR (eg, by exceeding the scope of the applicable consent or by transferring data outside of the EU to a jurisdiction that has not been deemed adequate by the European Commission). If the target is subject to the CCPA, particular care should be exercised to determine whether the transfer of any personal information qualifies as a merger or acquisition that is exempt from the definition of a ‘sale’ of personal information under the CCPA, to ensure that consumer opt-out requests do not prevent wholesale transfers of personal information. Covenants may be appropriate to ensure continued compliance (or development of a compliance programme) or notification of any new breaches between signing and closing the transaction. Risk allocation provisions should also be thoughtfully negotiated to ensure appropriate excluded liability, representation and indemnity coverage. Representations regarding compliance with law are insufficient to fully address data privacy risks and should be expanded to cover data-privacy related contract provisions, industry standards and practices, and existence and handling of data breaches. Representations to consider also include:

  • operation in accordance with the company’s written privacy policy;
  • provision of all applicable privacy and cybersecurity policies;
  • absence of written notices regarding related investigations;
  • existence of a commercially reasonable information security programme;
  • absence of restrictions with respect to target’s successors’ rights to use, sell, license, distribute, and disclose personal data; and
  • absence of data security breaches, loss of data and unauthorised disclosures of personal sensitive information.

Practice tips

  • In an asset deal, consider making GDPR or CCPA non-compliance an excluded liability. Include not only pre-closing operations, but also a reasonable period of time post-closing so that the purchaser has a covered window to bring the business into compliance.
  • Depending on the duration between signing and closing, consider adding a covenant for the target to bring itself into compliance with the GDPR or CCPA before closing. Purchasers that are operating companies with their own robust privacy programmes may instead prefer to simply onboard the target as part of post-closing integration.
  • To the extent possible as part of the larger deal dynamic, indemnities backing the related representations should be uncapped or subject to limitations of liability sufficiently high to cover the GDPR’s global revenue-based fines and the risk of significant private damages under the CCPA.
  • If a purchaser is planning to rely on representation and warranty insurance, ensure that data privacy is not on the list of exclusions and carefully discuss with outside counsel the extent to which data privacy diligence should be conducted (as known liabilities are typically excluded from the scope of coverage, regardless of whether they are ultimately disclosed as part of the transaction agreement). Also keep in mind that representation and warranty insurance, which is often capped at 10 per cent of purchase price in the US, may be insufficient to cover fines under the GDPR.

Post-closing

The post-closing process of transferring and integrating data can last for up to several years, especially if the acquisition involves a business carve-out with related transitional services arrangements. During this period, either the seller or the purchaser may be required to continue data processing for the other. In these cases, the GDPR or the CCPA may require the incorporation of specific contractual provisions between the parties in the applicable transitional services agreement, whether structured as a controller-processor or controller-controller relationship.

After the transaction, the purchaser may want to consolidate the target’s data at the purchaser’s existing data centres. If the transfers involve the movement of data outside the EU, specific measures must be complied with if the recipient country has not been deemed adequate with respect to the protection of personal data by the European Commission. The European Commission is in the process of negotiating additional adequacy determinations. As noted above, purchasers should monitor regulatory determinations regarding transfers of personal data out of the EU into the US and UK to ensure that such transfers remain compliant with the GDPR’s obligations.

Conclusion

Although they may have different geographic scopes, the GDPR and the CCPA represent major and impactful developments in a broader global trend towards stricter and more comprehensive data privacy and cybersecurity regulation. As the implications of these regulations may impact all phases of a deal, a well-advised party would do well to keep in mind such consideration starting in the deal-structuring stage, through diligence, ultimate risk allocation and post-closing integration activities. With the passing of the first anniversary of the GDPR coming into force, the Information Commissioner’s Office in the UK and other regulatory agencies continue to produce guidance and monitor the impact of the law on businesses, organisations and individuals.  Companies should continue to monitor developments in the field as interpretation and enforcement trends with respect to the GDPR, the CCPA and any additional privacy regimes on the horizon continue to evolve.