Representations and warranties relating to data protection law can help to reduce costly risks in the context of M&A transactions. It is essential to address the relevant items and, first of all, to understand the liabilities that may otherwise undermine contractual protective measures.
Why should companies go to so much trouble?
Without exception, personal data is processed by all companies in the course of their business activities, whether this is customer data or employee data. Due to the all-encompassing application of data protection regulations, including the EU General Data Protection Regulation (GDPR) or the Health Insurance Portability & Accountability Act (HIPAA), to name just two examples, it is not simply the typical data-driven tech companies which are affected, but also medium-sized companies from the so-called Old Economy. Fines running into the millions imposed against H&M (clothing industry) or Deutsche Wohnen (real estate industry) illustrate the range of potential risks and the accompanying costs for companies. Up until now, the high-risk field of potential claims for damages due to data protection breaches brought by natural persons, which could extend to millions of customers, has not been the focus of many companies.
The most common data protection risks can be found in (1) inadequate organization of data protection, (2) “black holes” due to insufficient knowledge of data flows and relevant processing, or (3) data protection compliance which is allegedly complete but which only exists on paper.
Representations – What is already in place?
Representations in the area of data protection usually initially relate to adherence to general compliance requirements, such as the proper appointment of a data protection officer or the maintenance of a register of processing operations.
In addition, further attention should be paid to compliance with the requirements arising from the extensive rights of the data subject. Particularly regarding the implementation of obligations to delete personal data, representations made to the buyer can potentially close expensive gaps in knowledge.
The same applies to so-called data breaches, i.e. violations of the protection of personal data, compliance with the associated reporting obligations and, above all, the completeness of the documentation, provided this was made available during the due diligence procedure.
International transactions focus in particular on third-country transfers, which have always required numerous measures to ensure their legality. Usually, representations in this area are accompanied by the request for warranties.
Particular care must be taken with the link between representations and indemnifications to avoid any loopholes. Representations are often drafted too broadly or refer to a specific fact which is not suitable in the context. For example, a representation that a register of processing activities has been kept is worthless if that register fails to list all relevant processing activities, because the indemnification would then not cover potential fines.
Warranties – What should be in place?
In theory, warranties can be used to financially cushion possible data protection breaches committed by a target. In reality, such comprehensive warranties can rarely be negotiated successfully, because sellers will most likely not agree to provide warranties that cover the lawful processing of data right down to the most remote division of the company. Instead, it is necessary to identify early on, with a sense of proportion and during the due diligence stage, which data processing activities are really relevant and carry risk in terms of liability. For these, warranties can then be drawn up that address the actual risk and can be priced in a way that makes economic sense.
Particular attention must be paid to the limitation periods. In the worst case, regulatory offence proceedings with long limitation periods can - depending on the structure of the indemnification clause - fall outside the scope of the indemnification. Proceedings involving the regulatory authorities often drag on for years and, depending on how the contractual provisions are drafted, can for this reason end up being a liability problem. Buyers and sellers must pay careful attention to the starting point which triggers the warranties, and whether this is based on the breach itself or on its legal consequence.
Conclusion: The unclear legal situation and its implications
Data protection law is not a static area of law, but is subject to constant change and further development. The attempt to create a uniform legal framework in Europe with the GDPR ends where enforcement of the law begins, despite the “one stop shop” and “lead authority” mechanisms. In cross-border transactions, the sometimes diverging legal views on data protection law can be challenging even within Europe. In transactions extending beyond the borders of the European Economic Area, the complexity is even greater. UK and European data protection law, for example, should actually be harmonised - but there is already an irreconcilable conflict between the scope of the UK GDPR and that of the EU GDPR. Representations and warranties must take these challenges into account.
On the part of the seller, it is essential to ensure that the respective warranties do not go far beyond the legally required framework - data protection law is characterised by (non-binding) opinions of the authorities which, particularly in Germany, have so far been conclusively confirmed by the courts in only a few cases.