One of the most pertinent issues which has come to the fore in recent times is the implication of Data Protection Laws on Mergers and Acquisition (M&A) transactions. Since the concerns revolving around the development and shaping of Data Protection Laws in India have gained popularity, these implications have also been widely discussed since the parties to M&A transactions shall also be bound to comply with these new Data Protection and Privacy norms and regulations.
If such norms are not complied with by the Target Firm (viz. the firm that is being acquired), it will not only lead to a conflict between the parties involved, but will also instill a sense of apprehension in the parties while engaging in such similar M&A transactions in the future.
In this paper we will be dealing with some emerging issues of data protection, current regulatory regime for data protection laws in India and the ways in which parties can mitigate the risk of data protection & cyber security issues in a M&A transaction.
During an M&A deal/transaction, in order to confirm all the pertinent facts and information brought up, Due Diligence (DD) is the process opted for the verification and investigation of the potential transactions as well as to get a better understanding of the background of the Target Firm. When it comes to M&A transactions in particular, the objective of the DD is to determine any issue relating to the concerned deal/transaction with respect to the assets, liabilities, and operations of the Target Firm that can potentially impact the completion of the transaction between the parties.
The process of DD differs depending on the transaction on hand and the existing relationship, if any, of the parties thereto. However, it still serves the basic purpose of aiding the Acquiring Company (Acquirer) in acquiring the Target Firm and to determine the various risks, impediments etc. associated therewith. Therefore, it can be said that the DD plays an important part in the success of the M&A transaction overall.
Further, DD also marks the first major step in such M&A transactions, because the verification and investigation of several corporate documents such as the corporate agreements, charters and other commercial documents, internal reports, compliance reports, etc. is indispensable.
The main tools for conducting DD for such documents are either to be found in the Physical Data Rooms (PDRs) or Virtual Data Rooms (VDRs). These Data Rooms consist of several important documents which are to be kept for reviewing so as to facilitate communication and make the DD Report more exhaustive, effectively smoothening the M&A transaction for all stakeholders.
DATA PRIVACY IN M&A
Data Protection and other issues pertaining to Privacy were, even up till quite recently, were not readily acknowledged as a major risk. However, after the enactment of the General Data Protection Regulation (GDPR), most companies – especially those that are parties to M&A transactions – have started to pay more attention to Data Protection issues as well.
Moreover, taking into consideration the fact that the Target Firm must disclose a plethora of documents to the Acquirer in due course of such M&A transactions, privacy concerns are inevitable and must be strategically dealt with. The increasing influx of technology and data-sharing in day-to-day corporate life has made this concern even more pressing and concrete.
It also goes without saying that the intimidating amount of Administrative Fines in the relatively recent GDPR regime, combined with other sanctions stipulated therein, have had a colossal effect on the companies falling under the purview of GDPR and its complex compliance process. For the purposes of this paper, we have narrowed down our focus on the data issues that might prove to be an impediment in the various phases of an M&A transaction.
That being said, it is undoubtedly important to mention that concerns pertaining to Data Privacy and Data Security arise depending on the structure of the M&A transaction on hand. For instance, if the matter is a Share-related deal/transaction, there probably wouldn’t be any substantial data transfer involved. But, on the other hand, in the case of a transaction specifically pertaining to a company’s assets, the parties must be careful with regards to the privacy of the data as the probability of sharing sensitive information increases manifold in such situations.
Several examples from across the globe have come to light, where parties have been distressed in an M&A transaction due to Data Protection and Cyber Security concerns. One such example is the case of the data breach at ‘Yahoo!’ which was discovered Verizon, which had become Yahoo!’s parent company after its acquisition thereof. Verizon had reported that senior officials at Yahoo! had been completely aware of the data breach and had not been able to hide it whilst the acquisition was in process. As a result, Verizon had to face a Class-Action Suit for the breaches committed by Yahoo! prior to the acquisition.
Similarly, Marriott International had been held responsible by the Information Commissioner’s Office (ICO) in the U.K. for a violation of the GDPR committed by Starwood Hotels in 2014. Since Marriott International had subsequently acquired Starwood Hotel in 2016, it had to pay the fine of £99,200,396 imposed by the ICO on Starwood Hotels, for the breach.
These two cases were alarming and brought the focus of the corporate world to the dire consequences that might be potentially faced on account of lax data security, thereby creating a sense of awareness in the international community with regards to the importance of Data Protection and Cyber Security concerns that must be addressed in the course of M&A transactions.
Resultantly, parties to such transactions started investing huge sums of money, especially in the process of due diligence, in order to mitigate such risks. One such example of hefty spending in order secure the data in an M&A transaction is Sysco’s acquisition of U.S. Foods, wherein Sysco reportedly spent $53 million on data-related integration during the transaction.
India is yet to enact a concrete legislation governing the issues as well as framework of Data Protection and Data Security. However, these global precedents should be carefully considered by the Indian corporate community as well, so as to be better prepared for such contingencies in the future.
With the changing times, data has become one of the most valuable assets which the company possesses. Panels, trackers, and forecasting models that have been built over the years are unquestionably the main source of a research company’s value. In an increasingly growing global industry bound by several thousands of national and international legislations, protection of data and ensuring data privacy and data security is of utmost importance, especially during M&A transactions.
Due Diligence is a process of maximal importance. In any such transactions, data privacy should be given importance in both, the Due Diligence process of the Acquirer as well as the preparatory strategies of the Target Firm. Most importantly, the contract/agreement signed between the parties must be reflective of their understanding as to the Target Firm’s compliance with the prevailing Data Protection Laws and the Acquirer’s liability in case of a lapse found therein.
– Team AMLEGALS assisted by Ms. Shereen Samant and Ms. Shwetna Jain (Interns)
For any query or feedback, please feel free to get in touch with email@example.com or firstname.lastname@example.org.