Privacy laws have evolved as technology has reshaped the ways organizations interact with their customers and markets online. Consistent with the increasing scrutiny on privacy and cybersecurity, related protections and the associated risks are essential considerations in virtually any merger and acquisition, or financing transaction. This reflects increasing international regulatory and consumer focus on privacy and cybersecurity practices and the emergence of data as a core element of a business's value. As a result, businesses should be mindful of managing privacy and cybersecurity risks in anticipation of, and throughout all aspects of, a transaction lifecycle.
The Changing Legal Landscape
Privacy and data protection law and regulation focuses on how organizations collect, use and share personal information. Personal information is vast; and includes the obvious such as a person’s name, email, address, telephone number, etc., and the more nuanced, such as a person’s internet browser preferences, movie ratings, and purchase history. The definition of personal information has broadened due to the proliferation of online products and services that capture and create new types of personal information. The digitization of personal identity has narrowed the sphere of individual privacy and anonymity, and many countries have introduced privacy and data protection laws to mitigate the emerging risks. These laws impose legal obligations on all organizations that collect, use or otherwise process the personal information of consumers, business contacts, employees and other individuals – which includes almost every organization of every size. In Canada, the government has proposed significant changes to modernize our federal privacy regime, which will generate additional risks associated with non-compliance. For more information, see our Bulletin, The Canadian Government Undertakes a Second Effort at Comprehensive Reform to Federal Privacy Law.
Many organizations are either unaware of the scope and breadth of their obligations regarding personal information, or have inadequately prioritized privacy compliance, erroneously regarding it as low risk. The potential risks associated with failing to adequately account for privacy and cybersecurity considerations include losses, costs, and liabilities associated with an incident (e.g. a compromise impacting an organization’s information technology systems and potentially resulting in the loss or improper disclosure of data and personal information), as well as risks associated with non-compliance with relevant laws. This ranges from complaints, administrative and regulatory oversight and fines, litigation costs, investigative and remediation costs, loss of revenue, brand depreciation, and reputational harm. Further, failure to proactively prioritize privacy and cybersecurity and develop internal means to ensure timely responses to incidents can expose parties to a merger and acquisition or financing transaction, and potentially their Directors and Officers, to liability risk. For example, in Quebec, Directors and Officers will have increased liability risk for data privacy and security compliance starting September 22, 2023. Many Canadian organizations may be subject to additional industry-specific privacy or cybersecurity laws or regulation. Numerous financial industry regulators across Canada have issued cybersecurity guidance and related requirements, consistent with international trends.
The reality is that businesses can no longer afford to ignore privacy and cybersecurity, even in the early stages of maturation.
The Value of Compliance At Any Stage
There are a number of steps organizations can take, at any stage of development, to address privacy compliance in anticipation of future growth and transactions. The benefits are obvious; protecting present and future value of a business or assets that are or could be the subject of a future M & A transaction, and include:
- Avoiding Consumer Scrutiny and Reputational Harm - By ensuring that an organization has up to date and compliant privacy policies and internal notices, organizations can minimize risks associated with individual complaints to relevant regulators or otherwise reduce the likelihood that the organization will be investigated by their applicable regulator, suffer a privacy incident, or for negative press to occur.
- Avoiding Fines or Other Losses - Some jurisdictions globally and within Canada have the power to levy administrative fines for an organization’s non-compliance with privacy and data protection laws. If passed, Canada’s new federal privacy regime would allow for the imposition of significant fines; up to either 3% of global revenue or $10M, and Quebec’s Privacy Act will impose fines starting September 22, 2023. By tackling compliance at earlier stages of organizational growth, and throughout maturation, organizations can minimize the risk of incurring fines and potential civil liabilities in the Courts.
- Increase Value of Data Assets and Business - During financings or a merger or acquisition transaction, an organization’s value will be assessed. One of the assets valued is the data that an organization holds and processes within its organization. If data is obtained and used by the organization in compliance with privacy and data protection laws, the value of this data will increase. The increase in an organization’s data assets will also increase the value of the organization, resulting in higher levels of financing or a higher sale price.
- Streamlined Due Diligence and Increased Investor Confidence - When potential purchases or investors are evaluating whether or not to acquire or invest or otherwise finance an organization, they will undertake due diligence on the company, including of the organization’s overall privacy and data compliance, and evaluate the associated risks. The greater the organization’s ability to demonstrate compliance with privacy and data protection obligations, the greater the investor or purchaser confidence. If an organization is unable to demonstrate they have adequately addressed privacy and data protection obligations, they risk delaying or compromising a transaction. Further, if there is a risk that a privacy breach occurred due to a lack of internal processes in the seller’s organization, which is found in due diligence, the buyer may take the costs of such breaches into consideration when valuing the deal.
With specific respect to financing or M&A transactions, organizations should ensure they work with legal counsel to address privacy and cybersecurity risks inherent in transactions:
- Ensuring that technologies used to share confidential information are properly vetted and that appropriate confidentiality agreements are implemented prior to any information sharing which adhere to specific requirements imposed Canadian privacy laws. Many jurisdictions impose specific obligations on disclosure of personal information in commercial transactions, and those laws are subject to ongoing modernization efforts;
- Conducting or responding to due diligence on the organization specifically directed to privacy and cybersecurity compliance issues;
- Ensuring that representations and warranties in agreements adequately address privacy and cybersecurity matters and appropriately allocate the risks amongst the transacting parties; and
- Ensuring that post transaction reporting obligations or other transitional matters are appropriately addressed in a manner compliant with the relevant laws and regulatory requirements.
The increased scrutiny on privacy and data security is here to stay, and will only grow as the value of data increases globally. As such, organizations should be proactive in remediating non-compliance, and building out robust internal compliance frameworks to ensure their ability to meet or exceed additional standards or requirements as they come into force. Every organization can benefit from privacy compliance with a minimal amount of resources invested at strategic stages of the organization’s growth. If an organization does not review and update their privacy compliance, the organization will be paying the cost at multiple stages of growth.