The EU's General Data Protection Regulation (GDPR), which came into force a year ago this weekend (on 25 May 2018), has created a lot of work for privacy lawyers in the last 12 months.
With the notable exception of the €50 million (£44 million) fine levied on Google by the French data regulator CNIL for its "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation" in January this year, some of the frenzy around GDPR is starting to subside.
As the dust settles, and companies turn their attention back to other matters, it is becoming clear that many businesses are still lacking adequate privacy policies.
Corporate law tends to intersect with privacy during transactions, i.e., mergers and acquisitions (M&A), disposals, joint ventures, private and public fundraisings.
In the past, privacy matters, if they were thought of at all, tended to be considered at a late stage in an M&A transaction – generally, when it was necessary to issue warranties and indemnities in the due diligence (DD) phase, and also during post-merger integration (PMI) phase – and dealt with hastily and perfunctorily.
Now, in the post-GDPR age, robust privacy policies are becoming essential to kick-start corporate transactions.
Corporate lawyers are urging clients to consider privacy as early as possible in the pre-transaction process, with the aim of attracting investment in the first place and minimising surprises later on, which threaten to send deals of all sizes off the rails prior to completion.
It is not unheard of for privacy problems to become apparent once a deal has been completed, when previously undetected legacy issues come to light during the PMI phase – a situation which can result in lengthy and expensive litigation.
Here, we consider the different stages of the M&A process and highlight where privacy questions ought to be raised and how they should be dealt with.
What is being transacted?
The first question M&A lawyers should ask a corporate client (buyer or seller) undertaking a transaction is: How critical is data to your company’s revenue stream?
The answer will determine the level of granularity corporate and privacy lawyers need to adopt in the DD phase and relies on both the client and its lawyers having a firm grasp of the company's business model.
In corporate M&A, the acquisition target will either be a going concern, or a non-going concern.
For data-rich businesses, non-going concern business acquisitions typically arise only when the buyer is purchasing a database as a standalone asset – and possibly taking on any staff who service that database.
Generally if the purchaser is buying the whole business, this will be classed as a going concern.
If the purchaser is only buying shares in the target company, there will be no change of data controller.
If the purchaser is buying assets, there will inevitably be a change of data controller, as the employer of any employees and the contracting party with any customers involved with those assets will change.
Under Article 13 of GDPR, there is an obligation to notify these parties (including any lenders) of the change of data controller.
In a share acquisition, corporate lawyers may ask privacy experts to assist in drafting the warranties and any indemnities that may be required from a GDPR perspective.
Privacy expertise will usually be drafted into a corporate M&A transaction during the DD phase, which typically lasts two-to-three months or more, depending on the size and nature of the deal.
DD gives the seller an opportunity to disclose the extent to which they are GDPR-compliant, including details of any known data breaches.
The buyer's lawyers have the chance to "red flag" any privacy concerns they come across in their DD exercises, which normally involve reviewing the target's privacy policies, procedures, correspondence with the Information Commissioner's Office (ICO) and any GDPR appointments the seller has made.
The M&A agreement can then be amended and warranties and indemnities drawn up to reflect the privacy disclosures, removing any data protection stumbling blocks further down the line.
Post-GDPR, corporate lawyers are increasingly seeing issues in the PMI phase that have arisen as a result of privacy lawyers’ DD – issues that are not conditions precedent that will prevent the buyer from closing the deal, but which are significant and which the company/its advisers will want to put right post-acquisition.
For example, it may emerge that the target’s, or indeed the buyer’s, privacy policies or procedures are deficient under GDPR. This creates challenges when it comes to integrating businesses post-transaction.
In the run up to the implementation of GDPR, many companies took non-legal advice from advisers and consultants, which tended to focus on mapping data flows and other functional aspects of their data collection and storage, which they believed were sufficient to comply with GDPR.
However, in lots of these cases, the companies had failed to look in practical terms at what GDPR meant for their underlying contracts and their relationships with customers – and it turned out that, despite having forked out on costly privacy exercises, many were, in fact, not GDPR-compliant at all.
Early mover advantage
After a year of living with GDPR, experience tells us that it is rarely, if ever, too early to take advice on privacy.
Corporate lawyers acting for a seller on an exit from an asset, shareholding or business, will now often look to engage privacy experts at the pre-sale preparation stage.
It is important to stress that privacy is not just a box-ticking exercise for lawyers, or even simply something companies have to do to avoid fines.
Taking advice on privacy is increasingly a condition for companies to invest into other companies, so getting data protection input can be pivotal to a company receiving the funding it needs to grow to the next level.
As companies grow, they find they can negotiate with more authority and sign contracts according to their own terms and conditions, rather than those of their (often larger, more powerful) customers.
This throws a lot more focus onto their terms and conditions.
When negotiating with large customers, it’s helpful for a company to be able to say it has thought about privacy in its policies and procedures, both on its internet portal and in its terms and conditions.
As clients do not like being peppered with questions from lawyers for the sake of it, when privacy specialists get involved in the PMI phase, it is important to take a proportionate approach.
Corporate lawyers will usually instruct their privacy colleagues on what level of reporting is necessary for the particular transaction.
Rubber stamping a company's privacy policies will usually be a judgement-based assessment and will depend on the nature of the business.
If the business only holds HR and customer data, these records are common to any business, which means lawyers can take a standard approach.
If they have more sensitive or detailed kinds of data, closer attention will be required.
Increasingly, companies are holding large marketing databases as part of their sales and customer outreach functions.
A buyer of that company will want to know how the consents for those marketing contacts were gathered and whether or not they can legally continue to use that data.
Given how central these databases often are to a company's revenue stream, ensuring the data is GDPR-compliant is a vital legal exercise.
Some large acquirers have formulaic processes when it comes to acquisitions and may use their own DD questionnaires for targets.
But since GDPR, privacy has become a matter of corporate governance and it may be that standard questionnaires are starting to become deficient in terms of data protection, particularly regarding cyber security.
Failing to spot an issue which ultimately leads to a cyber breach can cause huge reputational damage to a business that ultimately destroys the value of an M&A transaction.
Corporate and privacy lawyers should be engaging in constructive conversations with clients about the commercial benefits of receiving and implementing good privacy advice.
In a carrot and stick approach to GDPR, the stick has certainly been more vigorously brandished over the last 12 months – but the Google fine notwithstanding, penalties for GDPR non-compliance have been slow to materialise.
Perhaps more significantly for businesses, there is also a clear marketing benefit in having enhanced privacy policies and provisions.
Larger corporate players in the M&A market now expect consideration of GDPR to be embedded in their targets, so those that do not may find themselves dropping off shortlists for acquisitive investors.
It is important that corporate and privacy lawyers work together on transactions, as neither set of experts will necessarily ask all the right questions to deliver the water-tight result clients have a right to expect from their advisers.
Equally, companies need to be willing to cooperate with their advisers and recognise that privacy is more than just a compliance issue, but a vital value indicator in M&A.
Finally, as GDPR is only a year old, market practice around privacy and data protection continues to develop, so approaches by businesses and their advisers need to be kept fluid.
This article was authored by Fieldfisher corporate partner, Tim Bird with input from Fieldfisher's industry-leading privacy, security and information and cyber security teams. For more information on Fieldfisher's corporate and privacy expertise, please contact the authors or visit the relevant pages of the Fieldfisher website.