Dealing with cross-border transfers and other data protection issues in M&A deals

Briefing

Why is a target's data protection compliance important?

The General Data Protection Regulation is the cornerstone of EU data protection law, along with the ePrivacy Directive. In the UK, the UK GDPR applies alongside the Data Protection Act 2018 (DPA18) and the Privacy and Electronic Communications (EC Directive) Regulations (2003) (PECR), which implement the ePrivacy Directive). This article refers to the GDPR and UK GDPR together as the GDPR.

The GDPR focuses on the concept of accountability, and requires demonstrable processes, controls and proactive oversight of data processing activities – including in the context of mergers, acquisitions, investment and funding rounds. Failure to comply may result in high fines, reputational damage and loss of business opportunities. Compliance on the other hand, can make a target more attractive, and attract a higher acquisition price or level of investment.

If a target has a complex group structure and/or complex cross-border data flows, the buyer or investor will need to understand the roles of each party and the data journey to evaluate associated risks.

Deal-related data transfers

The due diligence process will be greatly helped if the target has robust data protection compliance mechanisms in place and is able to demonstrate them in accordance with the accountability principle.

During the due diligence process, it is possible that personal data will flow between different parties to the deal who may be located in 'third countries' outside the EEA. In this situation, the parties to the transaction need to ensure they comply with data protection law as they move data around to finalise the deal.

Who has what data protection role in an M&A deal?

It is important to know what data protection role each company involved will have, as this determines their responsibilities and what contractual provisions might be required, and impacts potential liability. Under the GDPR, a company will have one of the following roles for each use it makes of personal data:

Controller – deciding how and why to use any personal data, including processing personal data in line with its own professional judgement and obligations.

Joint controller – jointly deciding with another controller how and why to use any personal data (this is less common).
Processor – only uses data on behalf of a controller (for example, to provide a basic service to the controller).
Sub-processor – uses data on behalf of a lead processor.

In a typical M&A deal, we might expect to see the following:

deal-role_table

What happens if personal data is transferred internationally?

If a target company operates in the UK and/or EU/EEA, and the deal means relevant personal data will be transferred outside of, respectively, the UK and/or EU/EEA (for example, because the data room provider and investors are in the US) then a transfer safeguard must be in place to protect that personal data. A transfer safeguard should protect the relevant personal data in the same ways it would be protected in the country in which it originated.

Common transfer safeguard options in M&A deals include:

Adequacy decision

Personal data can be transferred to countries which the European Commission has recognised as providing an adequate level of protection.

So far this includes: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.
The UK has recognised each of these countries as adequate, as well as Gibraltar.

Standard contractual clauses (SCCs, also called model clauses)

Personal data can be transferred between two entities that have signed the SCCs. These are a form of standard contract for international transfers approved by the European Commission. They cannot be amended, although commercial provisions which do not lessen protections can be added. The SCCs can be used for transfers of UK and EU/EEA data.

Currently, there are SCCs which can be signed between:

a UK/EEA controller transferring data to a non-UK-EEA controller, or
a UK/EEA controller transferring data to a non-UK-EEA processor.

The European Commission is working on a new modular set of SCCs which will cover transfers between UK/EEA controllers or processors and non-UK-EEA controllers or processors (see here for more).

Case study

Imagine a deal where a Canadian company is considering buying a UK company. The UK company uses a US data room provider (that has appointed another company in Zimbabwe to provide technical support). Transfer safeguards might look like this:

Data protection issues at each deal stage

Initial preparations

Target's compliance: Assess the target company's current data protection compliance regime, and decide whether the company should undertake any preparatory remediation.
NDA: Include appropriate data sharing provisions in each NDA – for example, light-touch obligations on any potential buyers to restrict how they can use the data and manage potential risks (like a data breach), in addition to any transfer safeguard.
Transfer safeguards: If any organisation that will receive data is outside the UK and/or EU/EEA, put in place an appropriate transfer safeguard. Don't assume that the data room terms will cover this requirement.

Due diligence

Data room set-up: The company engaging the data room provider should ensure the agreement includes appropriate processor provisions (under Article 28 of the GDPR), including a transfer safeguard and sub-processor management provisions.

Standard Q&A: The buyer or investor should ask relevant questions to assess the target's compliance, including about standard documentation and higher risk issues (like data transfers, records of processing, data protection agreements, data protection risk assessments, breaches, subject rights requests, and DPO or representative appointments). Check that the target has been transparent with data subjects, for example through a privacy policy covering potential M&A transactions.

Populating the data room: The target company needs to balance full and fair disclosure with data protection principles, including taking a proportional approach and minimising the personal data that can be provided. Avoid providing unnecessary personal data, and anonymise or pseudonymise personal data, for example, by redacting it, where possible. Ensure there is a legal basis for the disclosure.

Deal terms

Deal documentation: Include appropriate data protection warranties in the purchasing agreements and check any disclosures carefully to ensure they are specific and don’t raise new issues. If there will be any transitional services, ensure the data protection wording reflect the parties' roles (eg will the target/seller become a processor if it provides services to the buyer?).

Completion and post completion

Data migration: Ensure the buyer and seller have agreed a process for any data migration and handover, including relevant supporting records (eg records of processing, or direct marketing consent/opt-out records). Where this involves transferring personal data to additional third countries, ensure appropriate transfer safeguards are in place.
Transparency: Inform data subjects of any change in controllership, being careful to take into account direct marketing rules – for example, it may not be possible to include a promotion for a new service offering when informing data subjects that the data controller has changed. Update privacy policies as needed.
Remediation: Implement a post-completion action plan to remediate issues flagged in the due diligence process, and to comply with any post-completion requirements.

Ongoing transfer issues

The landscape around data transfers continues to develop. As a result of the Schrems II CJEU judgment, and with the EC launching new SCCs, not to mention the UK's position independent of the EU, data transfers are a hot topic. Investors will want to make sure their targets continue to stay on top of compliance, and buyers will need to adapt to new requirements.