Companies regularly store information about their customers, clients, employees, investors, partners and vendors. Privacy and data security are therefore important aspects of most m&a transactions. Although the risk of non-compliance with privacy laws may result in severe negative consequences, many m&a agreements still lack adequate privacy-related representations and warranties (R&W). This article discusses the rising importance of privacy issues and how to approach them effectively.
Know who you are and what you acquire
In order to frame an appropriate set of R&W, it is of vital importance for both parties to not only understand the target's business in general but also the privacy-related environment in which the target conducts its business (eg nature and amount of collected personal information, storage location and applicable privacy-related legal provisions). By properly assessing privacy and data security issues in the course of a due diligence, a buyer can manage transactional risks and ensure that m&a agreements contain provisions that adequately address the target's privacy-related issues. A thoroughly conducted privacy-related due diligence should therefore cover the following:
- the existence of adequate policies and procedures (eg data security governance, external or internal audits);
- past breaches and security incidents (eg history of breaches, pending and threatened litigations);
- future legal requirements (eg General Data Protection Regulation – GDPR);
- social media material (social media presence, activities and policies);
- employment privacy (eg e-mail use regulations and other aspects of employment privacy);
- international considerations (applicability of international privacy-related laws).
Default clause might not be enough
In many cases, practitioners simply rely on standard "compliance-with-laws representations"; but these often do not adequately address privacy issues and usually do not provide enough protection for buyers. Of course, privacy-related representations should cover compliance with privacy laws – but they should not stop there. A sophisticated set of R&W should in particular cover the following:
- compliance with all laws, including applicable laws related to privacy, data security and the processing of personal information, including (but not limited to) the requirement to (i) gain data subjects' consent to the transfer and use of their data and (ii) file any registrations with the applicable data protection authority;
- compliance with the target's own policies, representations to consumers & employees, contracts and applicable industry standards;
- compliance with future legal requirements (eg appropriate procedures to ensure compliance with the GDPR);
- compliance with notices, consents and other information provided to data subjects regarding the processing of personal information;
- existence of adequate policies and procedures to ensure continued compliance with all applicable data protection and privacy provisions;
- existence of data security measures, including measures which are not necessarily required by law;
- no loss, damage or unauthorised access, use, modification or other misuse of any personally identifiable information maintained by or on behalf of the target;
- no claim or action with respect to loss, damage or unauthorised access, use, modification or other misuse of any such information; no reasonable basis for any such claim or action;
- no past, pending or threatened privacy-related disputes, claims or complaints with / by an individual or an administrative authority.
Caution is needed
This article aims to build awareness. Sophisticated privacy-related R&W in m&a agreements can indeed offer a certain level of comfort to buyers, but they are not a universal cure. Even if damages are awarded as a result of accurately drafted R&W, they may not be sufficient to compensate for the type of public relations and customer relationship damage often associated with privacy failures.