Deals increasingly involve big, valuable sets of data. In fact, these data sets have become a keystone in mergers and acquisitions, as business models across industries increasingly identify personal data as major corporate assets and intellectual property. As a result, companies on both sides of any transaction must understand — and predict — what promises, legal limits and risks apply to the large data sets at issue in the deal.
While a review of the acquired company’s public statements is the first step to privacy due diligence, it should not be the last. Acquirers should review any public-facing websites and mobile applications to make sure they accurately reflect the company’s privacy promises, and that there is no data leakage or inappropriate disclosure of information.
The acquired entity’s consumer privacy policies and public-facing activities are not all that the acquiring entity should examine. Employee privacy policies and handbooks, information security policies, and incident response plans also may pertain to an entity’s data practices and compliance with legal obligations and industry standards. Reviewing those policies for potential red flags, holes or inconsistencies is also critical. This may be especially true for transactions involving employee and human resources information and systems. Employee privacy policies or employee handbooks often include bring-your-own-device programs, employee monitoring practices, and whistleblower hotlines. Each of these practices may trigger various laws and obligations across both U.S. state and international lines, and harmonizing these approaches with the acquiring company’s own policies and practices will be an essential step after the deal closes.
In addition, special sets of data may raise further compliance concerns. For example, data regarding an individual’s health or medical care must be evaluated to determine whether the Health Insurance Portability and Accountability Act applies, and online services directed to children under 13 may trigger the Children’s Online Privacy Protection Act. Diligence must therefore include questions about the mechanisms and tools the acquired company uses to comply with all applicable privacy laws.
Companies considering international transactions must conduct a similar analysis for any personal data — including data about individual employees — governed by the local laws in the relevant international jurisdictions. The acquiring entity must determine the value and potential uses of any personal data that is subject to transfer in light of (1) how the acquired entity has complied with relevant international data protection laws, and (2) any additional restrictions triggered by the transaction and transfer of data. Valuation of any international transaction without reference to both of these privacy concerns may misrepresent — and most likely underestimate — the costs of compliance.
The European Court of Justice’s (ECJ) October 2015 decision invalidating the U.S./EU Safe Harbor mechanism for transferring personal data from the EU to the U.S. provides a compelling example. As a result of the ECJ’s decision, over 4,000 U.S.-based companies that were certified under the Safe Harbor program must now reassess how they can continue to lawfully transfer personal data from the EU to the U.S., undoubtedly impacting any potential corporate transactions with entities based in the EU. This decision illustrates not only the significant impact data protection laws can have on M&A, but also the necessity of understanding — through thorough privacy due diligence — the various data implicated in the potential transaction.
Furthermore, the ECJ’s decision demonstrates the challenging reality companies face in determining the costs of compliance in an ever-shifting legal landscape. Acquiring companies cannot afford to ignore the risks and costs of compliance inherent not only in the value of the acquisition, but also in successfully integrating the newly acquired assets into their current systems. Developing and implementing a thoughtful integration program for electronic systems and data flows is essential to maintaining privacy compliance — especially across borders as the international data privacy landscape continues to develop.
Despite the growing importance of privacy and cybersecurity concerns, the traditional due diligence process often treats privacy and cybersecurity questions as a secondary consideration. These risks may be under-emphasized because privacy and cybersecurity analyses require a different skill set than do typical transactions. In our experience, thorough privacy and cybersecurity analysis has materially modified transactions’ terms, due to identified deficiencies that may not have been discovered in traditional due diligence.
Companies should incorporate corporate privacy and cybersecurity assessments proactively into the transaction and due diligence process to avoid these pitfalls, taking into account current standards for commercial reasonableness. In this way, sophisticated companies and their privacy counsel will be able to understand the privacy risks and their potential costs, bringing the diligence and the deal to a successful close.