The California Consumer Privacy Act (“CCPA”) was enacted in early 2018 as a political compromise to stave off a poorly drafted and plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
Q. Can a company share information about its employees as part of due diligence with a potential acquirer?
When one company considers acquiring another, the entities typically engage in extensive due diligence designed to help the acquirer assess the risks and benefits involved in the transaction. As part of that process, acquirers typically ask to obtain information about some, or all, of the employees of the target. Sometimes that information is used as part of the diligence process itself (e.g., so that the acquirer can better understand who within the target may hold certain pieces of information needed in due diligence); sometimes it is used to better understand the valuation of the target (e.g., the number of employees within a certain office or factory, their responsibilities, their role assignments, their salaries, etc.).
Transferring employee-related information from a target to an acquirer as part of pre-closing due diligence raises four potential issues under the GDPR: (1) whether there is a lawful purpose for disclosing the information, (2) whether the transfer is necessary, (3) whether the disclosure would violate a privacy representation provided to employees, and (4) whether the disclosure violates any prohibitions on cross-border transfers of information.
With regard to the first issue, included within the GDPR’s definition of “processing” is any “disclosure by transmission, dissemination or otherwise making available” personal information.1 A company cannot “process” information unless at least one of six situations applies. The following summarizes the applicability of each:
- Consent. Obtaining consent from employees during a merger and acquisition negotiation is typically not practical if the negotiation is confidential. In any case, most European Union Member States are skeptical about whether an employee’s consent can be effective given the imbalance of power in the employment relationship and, as a result, there is a significant risk that a supervisory authority would not permit disclosure based upon consent.
- Necessary to perform a contract. Disclosing employee information to an acquirer is not necessary in order for the target to perform its contractual obligations to its employees (e.g., payment for services). As a result, this basis is unlikely to help in the transfer.
- Necessary to comply with a legal obligation. Transferring employee information during due diligence is not typically required by European law. As a result, this basis is unlikely to help in the transfer.
- Necessary to protect vital interests of a natural person. Transferring employee information during due diligence is not linked to the “vital interest” of the employee.
- Processing is necessary for the performance of a task carried out in the public interest. Transferring employee information during due diligence is not relevant to the public’s interest.
- Processing is necessary for a legitimate interest pursued by a controller or a third party. If the purpose of processing is to further a legitimate interest of the controller (i.e., the target), the controller is permitted to process the data (i.e., disclose it to the acquirer) so long as its interest is not “overridden” by the interest or “fundamental rights and freedoms of the data subject which require protection of personal data.”2 In the context of a corporate sale, the target clearly has an interest in facilitating due diligence. The data subject (i.e., the employee) may have some interest in not having their information shared with an unknown third party, but that interest is arguably speculative and any risk associated with it can be mitigated by requiring the acquirer to limit its use of the information and protect the information while in its possession.
The net result is that Article 6(1)(f) should be available as a basis for transferring the data to an acquirer. While identifying the lawful purpose for the transfer may feel like an academic exercise, its identification is arguably required pursuant to the Article 30 record keeping requirements of the GDPR; it also informs what rights the data subject may have to learn about (and object to) the disclosure pursuant to Article 21.
Second, assuming that the transfer can be made pursuant to Article 6(1)(f), the GDPR independently requires that the information disclosed be “necessary” for the purposes of both the target (i.e., to move forward with due diligence) and for the purposes of the acquirer (i.e., to assess the transaction).3 As a practical matter this means that the target should only transfer the minimum amount of personal data that is needed by the acquirer. As an example, if the acquirer asks for salary information of employees in order to better understand the target’s cost structure, the parties should consider whether such information can be conveyed in a de-identified form. If some salary information is needed in an identifiable form or cannot be effectively de-identified (e.g., the salary information of top executives), the parties should consider whether information about other employees is needed in an identifiable form (e.g., janitors).
Fourth, if the above three criteria have been satisfied, the GDPR prohibits the transfer of employee personal data outside of the EEA unless a mechanism has been put in place that imposes upon the acquirer many of the substantive obligations found within the GDPR. In situations in which a target is based in the EEA and the acquirer is based in the US, as a practical matter the mechanism needed to effectuate the transfer will be either that (1) the acquirer has self-certified to the EU-US Privacy Shield Framework, or (2) the acquirer and the target have agreed to the Standard Contractual Clauses for transfers between controllers.