The Israeli Law, Information and Technology Authority (ILITA) recently published a new draft directive regarding the handling of customers’ personal information (which is organized as a registered database or a database under compulsory registration) when it is held by an acquiree company and is being transferred to the acquirer company within the scope of a merger or acquisition transaction. In this context, the draft applies to acquisitions of assets, acquisitions of companies, company mergers and receiverships.
The draft directive asserts that customers’ personal information is not the property of the acquiree, even when the acquiree’s business is based on this personal information, but rather that it belongs to the customers themselves. Thus, the acquiree cannot transfer such personal information as it deems fit.
The draft directive further prescribes that in instances in which the identity of the company was a decisive factor for the customers when originally consenting to disclose their personal information, and if the acquirer company’s characteristics are significantly different—to the extent that they deviate from the customers’ reasonable expectations and are liable to prejudice their rights—then the acquiree company is obligated to obtain its customers’ consent to the transfer of their personal information. For example, the customers’ consent must be obtained when fiduciary relations are involved (such as physicians, attorneys, accountants, and insurance agents) or when an Israeli company is being sold to a foreign company.
Additionally, in instances in which the reason for using (or the mode of use of) the personal information changes, then the acquiree company is obligated to obtain its customers’ consent to the new use of their personal information. However, if the reason for using the personal information does not change subsequent to the transaction, then the acquiree company only needs to inform its customers about the change in ownership, in order to enable the customers to decide whether they want their personal information to be deleted.
Referring to the notification to customers, the draft directive recommends it be made both by sending personal notifications and by way of a public announcement (such as on the acquiree company’s website).
Comments to the draft directive may be forwarded until October 1, 2017.
As is evident from the contents of the draft directive, ILITA is proposing a real revolution in the M&A market, particularly in instances in which one of the considerations for engaging in a transaction is the personal information held by the acquiree company. Consequently, businesses and companies who base their business models on the use of customers’ personal information, and who want to maintain flexibility in relation to M&A transactions based on the use of such information, should act quickly to submit their comments to the draft. Concurrently, they should consider taking appropriate preparatory actions to accommodate the arrangement proposed by ILITA, insofar as the draft is ratified as a binding directive.