WWW.ASTREALAW.BE Privacy and M&A Steven De Schrijver, Partner September 2015

Upload: steven-de-schrijver

Post on 05-Apr-2017


Who am I?

• Partner with Astrea
• Full-service independent law firm
• Offices in Antwerp and Brussels
• 10 partners, 40 fee earners
• Combined practice in corporate/M&A and commercial IT (outsourcing, IT projects, licensing, cloud computing, data protection)


Introduction

• Collection and use of personal data is becoming more important in business in general
− Exponential growth of e-commerce (often to consumers)
− Online marketing and targeted/behavioral advertising on social media (often with use of big data)
− Outsourcing of data processing (e.g., payroll, service desk, help desk)
• More scrutiny and enforcement by national data protection authorities
− Examples:
  • EU is currently considering fines for non-compliance of up to 2% of the annual turnover of organizations


Introduction

• Facebook’s acquisition of WhatsApp in February 2014 resulted in the US Federal Trade Commission (“FTC”) sending a warning to both companies that the failure to honor WhatsApp’s personal data promises to its customers would constitute a deceptive act under the FTC Act

• Barnes & Noble’s recent acquisition of Borders’ customer list resulted in intense FTC scrutiny due to past promises by Borders not to share its customers’ data without their consent.

• On July 30, 2015 the Bavarian DPA announced that it fined two companies, both the seller and the acquirer, in an asset deal for transferring customer e-mail addresses collected while operating an online shop in violation of the German Federal Data Protection Act (Bavarian DPA took offence at transfer of telephone numbers, email addresses, credit card details without customer consent or opt-out option; company interest is not a valid justification for transfer) (https://www.lda.bayern.de/lda/datenschutzaufsicht/lda_daten/150730%20-%20PM%20Unternehmenskauf.pdf)

Growing importance of data privacy compliance in M&A


Privacy is often overlooked in M&A transactions

• Many M&A agreements lack specific and sufficiently elaborate representations and warranties regarding privacy issues, especially where the target company lacks e-commerce websites or retail stores that collect consumer data

• Often too little attention is paid to privacy compliance of (a) buyer and seller in the transaction process and (b) the target company in the due diligence process both in respect of past practices (liabilities) and future activities (post-closing compliance)

Early attention to privacy issues in M&A transaction planning and due diligence can mitigate risks for both buyers and sellers


Different perspectives of buyer and seller in relation to privacy compliance in M&A transactions

• Buyer concerns:
– Compliance of the Target with applicable data protection laws (past and present)
– Impact of transaction on personal data held by the Target: do not forget – gathering personal data through due diligence is also a collection of data and can trigger application of privacy laws!
– Ensure compliance with respect to future use of the personal data (post-completion): what might be cost impact?
– Provide for appropriate representations and warranties to cover privacy risks: however contractual measures can never come in lieu of contractual measures!


Different perspectives of buyer and seller in relation to privacy compliance in M&A transactions

• Seller concerns
– To what extent can personal information of employees, customers and suppliers be disclosed during the due diligence process
– How to avoid violation of privacy laws and internal and external data privacy policies

Important: any transfer should always be necessary and proportionate in view of purposes of initial processing


Start M&A

Seller:
- Disclosure of personal information to the Buyer during the M&A process

End M&A

Buyer:
- Verify data privacy compliance of the Target (past)
- Ensure compliance with respect to future use of personal data (post-closing)
- Assess impact of transaction on personal data


Seller’s perspective: disclosure of personal information during M&A process

– Seller should designate a person that is responsible for data privacy compliance

– Seller may under certain circumstances disclose personal data of employees, customers/consumers and suppliers for due diligence purposes: processing must be permitted (implicit/explicit consent, necessary and proportionate in view of initial processing)

– Seller needs to review the Target’s privacy policies to assess which information may be shared

− Internal employee privacy policies
− Customer facing privacy policies and notifications (on website)

Note: even if sale is not immediately contemplated, it is advisable to check whether privacy policies allow for disclosure in M&A transactions


Seller’s perspective: disclosure of personal information during M&A process

– If required (and permitted under the relevant privacy policy), data subjects should in principle be notified of the disclosure of their data in the context of the transaction and of any transfers abroad (e.g., virtual data room that is accessible from US) and data privacy obligations may need to be complied with (e.g., notifications, consents, EU model clauses or safe harbour) (hard to achieve in practice)

– Disclosure of personal data should be limited to a minimum (leave out certain information or anonymize data)

– Sensitive information such as health information, sexual preferences, racial origin, religious beliefs, criminal conduct, trade union membership, genetic/biometric information can only be transferred with explicit consent


Seller’s perspective: disclosure of personal information during M&A process

– Disclosing data that could trigger security breach notification obligations (e.g., Social Security numbers, credit card numbers or medical data) should be avoided (beware: new draft EU Data Protection Regulation intends to expand data breach notification obligations to all data controllers, not just the telecommunications sector)

– Seller should also require that disclosures be subject to appropriate nondisclosure agreements (to be entered into by the Buyer and its counsels) and that information is only shared on a need to know basis

– Disclosure should be conducted via a secure method that allows controlled access (e.g., use of the basic version of Dropbox, with limited security and inability to track on forwarding of information, will not be appropriate)

– Seller should ensure that any disclosed personal information is deleted or returned at the end of the due diligence


Buyer’s perspective: privacy implications of the transaction

– Also for Buyer it is best to designate a person who is responsible for privacy compliance in relation to the transaction (sometimes there are full-time data protection officers on both sides who should then be involved)

– Due diligence can be seen as collection and thus processing of personal data and can trigger data privacy obligations for Buyer

– Buyer should put in place proper data processing agreements with Seller and third party service providers

– Buyer should implement appropriate technical and organisational measures (keep due diligence information possibly containing personal data separate and destroy/return the information if the deal does not proceed)


Buyer’s perspective: scope of the Buyer’s privacy due diligence

A. Due diligence with respect to past liabilities

1. Determine the extent of the collection, processing and use of personal data of employees, customers and suppliers

– Review of internal and customer facing privacy policies and other relevant documentation and discussion with company’s personnel (management, data protection officer, if any, IT department, etc.)

– Check for failures to comply with the applicable policies and request copies of any complaints filed by data subjects (as the case may be, the buyer should negotiate specific indemnities in the acquisition agreement)

– If the Target has current and prior versions of its policies, the buyer should assess (i) whether applicable restrictions are different under each version, (ii) what particular data was collected under each version and (iii) how such data is stored (e.g., separately by policy version or segregated).


Buyer’s perspective: scope of the Buyer’s privacy due diligence

2. Identify and verify any mandatory data processing notifications

3. Review and verify security measures implemented by the Target
– Due diligence of IT infrastructure and processes (may require assistance from IT specialists)
– Review any recent audit reports

4. Review whether personal data is shared with third parties (intragroup transfers, external data processors, business partners, etc.)
– Map data flows
– Review applicable data processing agreements


Buyer’s perspective: scope of the Buyer’s privacy due diligence

5. Identify international data transfers (in particular outside the EEA)
– Review data transfer agreements (EU Model clauses or other)
– Review currency of Safe Harbor Certification (including related internal assessments and compliance materials)
– Review Binding Corporate Rules

6. Identify risks and either remedy/mitigate them or allocate liability for such risks in the sale/purchase agreement

B. Due diligence with respect to envisaged future use of personal data

Identify any restrictions that are inconsistent with the Buyer’s intended use of the personal data (will use of personal data processed by the Target remain the same after closing?) and determine steps needed to comply with such restrictions (e.g., notifications, obtain consent from the individuals affected): prepare plan and cost estimate for measures to be taken post-closing


A few notes with respect to asset deals

• Buyer and Seller should identify the requirements to ensure that the personal data may be transferred (notification to data subjects, obtain consent)

• Even if Buyer is not assuming liabilities for the past, it should still seek representations and warranties from Seller that Seller has complied with applicable laws in collecting the personal data e.g. by providing sufficient notice and obtaining any legally required consent

• It is also recommended for Buyer to seek guarantees that transfer of personal data to Buyer is permissible


Buyers should NOT:

• Wait until the last minute to consider privacy compliance;
• Forget (or choose not) to implement relevant security measures in respect of the transaction process;
• Assume that the Seller will provide all necessary (or even requested) information (such is often not the case!);
• Ignore or underestimate the privacy issues identified and their potential impact;
• Collect, retain or process as part of the due diligence process more information than is absolutely necessary for their legitimate purposes; or
• Underestimate or ignore any post acquisition steps required to achieve appropriate privacy compliance


Conclusion

• As with other M&A areas, the privacy issues highlighted in this presentation are not insurmountable

• These issues will be discovered through appropriate consideration and proper due diligence and may be dealt with via pre- or post-closing remedial action or an allocation of risk through the agreement or otherwise

• However, it is clear that privacy both in terms of the transaction process and the due diligence process as well as the Target’s business privacy compliance have now become an important consideration in all M&A transactions


THANK YOU FOR YOUR ATTENTION

BRUSSELS

LOUIZALAAN 235/AVENUE LOUISE 235 B-1050 BRUSSELS
T +32 2 215 97 58 F +32 2 216 50 91

ANTWERP

RODERVELDLAAN 3 B-2600 ANTWERP
T +32 3 287 11 11 F +32 3 287 11 12