The new legal framework may have an impact on the documentation and processes in mergers and acquisitions
All companies have been obliged by law to adapt the new General Data Protection Regulation (GDPR), but the question is whether M&A professionals have also adapted their practices to the new environment. Not so much as regards compliance with regulatory obligations, but rather the impact of the new framework on the processes and documentation involved in corporate sales and acquisitions. In this Viewpoint, we offer some advice and thoughts on the drafting and negotiation of share and asset sale and purchase agreements and, in particular, on the liability regime set out in the representations and warranties of the seller (R&W).
List of recommendations
No two companies are the same: It is hard to generalize when it comes to data protection. There are few fields in which the regulatory requirements depend on and vary so much according to the type of activity and business model of the target company or business. Before drafting the R&W, we should therefore ask ourselves the following questions about the target company, among others:
Is the company the data controller of its client and collaborator data and does it process the data directly (or outsource the processing to a third party)? Or, in contrast, is it the data processor of client and collaborator data for a third party that has given it a mandate? The business and legal position of the obligated party varies and the R&W need to be adapted to each specific case.
Does it process special categories of data, that is, data regarding children, medical data and other sensitive data, that merit a higher level of protection?
Does it offer products or services across the board through digital channels? Does it have a presence on social networks?
Is it involved in international data transfers, possibly within its own group?
Obligations under the previous regulations: Although the GDPR and its new features are now in force and even though certain obligations have now disappeared, the R&W must also comply with previous legislation (registration of filing systems with the authorities, for example), since infringements under the previous legislation are still punishable.
Non-EU legislation: The place of storage of the data and the source of the data may bring non-EU legislation into play.
Going beyond regulatory compliance: The R&W may cover more than simple regulatory compliance. They may also be drafted to capture compliance with internal policies and other areas of risk, such as leaks, loss of data and other incidents, even where there is no exposure to significant infringements. Reputational risk is also very important. However, sellers may be reluctant to guarantee the general risks inherent in the technology or activity, even when referring to past events.
To the best of the seller’s knowledge: The seller will argue that many of its R&W are subject to the a best knowledge qualifications. In this case, the purchaser may request that the R&W state that such knowledge and understanding refers to that of the company’s data protection officer, the new figure required by the GDPR in certain cases, and/or that of the other executive(s) involved.
Period for claims: The period for claiming on the R&W will also be a contentious issue. The seller will argue for a short period, of between 12 and 24 months, in line with many other R&W. The purchaser will want a much longer period, covering the statute of limitations period for administrative infringements and the time bar for bringing proceedings.
Caveat emptor: buyer beware
In relation to personal data, R&W are no substitute for a proper due diligence review. Accordingly, the wording of the R&W must also serve to elicit any documentation that the seller may not have provided in the due diligence process, which should be duly analyzed in order to assess the target company’s compliance with its data protection obligations.
The value lies in compliance
In the majority of cases, personal data should not be thought of simply as a compliance matter. Data is increasingly something that can lie at the heart of a business’s strategy and model. The purchaser may be interested, once it has acquired the target company, in capitalizing on the efforts made to compile documentation during the due diligence review in order to carry out a value analysis, enabling it to identify opportunities, strengths and threats, rather than just regulatory contingencies. Personal data needs to be approached from a strategic perspective.
Data protection is doubly important for venture capital funds investing in tech firms and new drug companies, given the importance of the GDPR in these industries. It is also important for private equity firms and buyers in general, since it is a sensitive issue and they must keep the reputational impact of any breach by the target company from escalating to funds and their investors. Few know the identity of the shareholders of Cambridge Analytica is not well known, but does anyone believe that if the shareholder had been one of the big private equity funds, its reputation wouldn’t have been tarnished by the scandal?
The professional M&A community needs to mainstream the GDPR into its practices, starting with bringing it into the negotiations and wording of the seller’s R&W. These representations and warranties should be adapted not only to the GDPR but also to the strategic importance of, and myriad risks arising from, personal data.
Rafael González-Gallarza and José Luis Ortín, partners, and Alejandro Padín, head of the IT, data protection and e-commerce practice at Garrigues