The General Data Protection Regulation is the cornerstone of EU data protection law, along with the ePrivacy Directive. In the UK, the UK GDPR applies alongside the Data Protection Act 2018 (DPA18) and the Privacy and Electronic Communications (EC Directive) Regulations (2003) (PECR), which implement the ePrivacy Directive). This article refers to the GDPR and UK GDPR together as the GDPR.
The GDPR focuses on the concept of accountability, and requires demonstrable processes, controls and proactive oversight of data processing activities – including in the context of mergers, acquisitions, investment and funding rounds. Failure to comply may result in high fines, reputational damage and loss of business opportunities. Compliance on the other hand, can make a target more attractive, and attract a higher acquisition price or level of investment.
If a target has a complex group structure and/or complex cross-border data flows, the buyer or investor will need to understand the roles of each party and the data journey to evaluate associated risks.
The due diligence process will be greatly helped if the target has robust data protection compliance mechanisms in place and is able to demonstrate them in accordance with the accountability principle.
During the due diligence process, it is possible that personal data will flow between different parties to the deal who may be located in 'third countries' outside the EEA. In this situation, the parties to the transaction need to ensure they comply with data protection law as they move data around to finalise the deal.
It is important to know what data protection role each company involved will have, as this determines their responsibilities and what contractual provisions might be required, and impacts potential liability. Under the GDPR, a company will have one of the following roles for each use it makes of personal data:
In a typical M&A deal, we might expect to see the following:
If a target company operates in the UK and/or EU/EEA, and the deal means relevant personal data will be transferred outside of, respectively, the UK and/or EU/EEA (for example, because the data room provider and investors are in the US) then a transfer safeguard must be in place to protect that personal data. A transfer safeguard should protect the relevant personal data in the same ways it would be protected in the country in which it originated.
Common transfer safeguard options in M&A deals include:
Personal data can be transferred to countries which the European Commission has recognised as providing an adequate level of protection.
Personal data can be transferred between two entities that have signed the SCCs. These are a form of standard contract for international transfers approved by the European Commission. They cannot be amended, although commercial provisions which do not lessen protections can be added. The SCCs can be used for transfers of UK and EU/EEA data.
Currently, there are SCCs which can be signed between:
The European Commission is working on a new modular set of SCCs which will cover transfers between UK/EEA controllers or processors and non-UK-EEA controllers or processors (see here for more).
Imagine a deal where a Canadian company is considering buying a UK company. The UK company uses a US data room provider (that has appointed another company in Zimbabwe to provide technical support). Transfer safeguards might look like this:
Data room set-up: The company engaging the data room provider should ensure the agreement includes appropriate processor provisions (under Article 28 of the GDPR), including a transfer safeguard and sub-processor management provisions.
Populating the data room: The target company needs to balance full and fair disclosure with data protection principles, including taking a proportional approach and minimising the personal data that can be provided. Avoid providing unnecessary personal data, and anonymise or pseudonymise personal data, for example, by redacting it, where possible. Ensure there is a legal basis for the disclosure.
The landscape around data transfers continues to develop. As a result of the Schrems II CJEU judgment, and with the EC launching new SCCs, not to mention the UK's position independent of the EU, data transfers are a hot topic. Investors will want to make sure their targets continue to stay on top of compliance, and buyers will need to adapt to new requirements.
To discuss the issues raised in this article in more detail, please reach out to a member of our Data Protection & Cyber team.