Beyond the Border: GDPR and Other Privacy Considerations in Domestic M&A Transactions
January 24, 2020
By: Amber L. Lawyer
Data privacy should be a top concern for US businesses that may enter into merger and acquisition transactions this year. If your business collects, processes, stores, or transfers identifiable information relating to individuals (“Personal Data”) or if your business contracts with vendors that may collect, process, store, or transfer any Personal Data, your business is likely subject to several new data privacy laws and regulations including the European Union’s General Data Protection Regulation (GDPR) and/or the California Consumer Privacy Act (CCPA).
The following are questions that: (1) Sellers of domestic companies can expect to hear from potential Buyers during the sale transaction process and (2) Buyers should be asking Sellers during due diligence:
- Does your business collect or process Personal Data of persons located in the EU or California?
- Does your business use cloud storage to store employee or customer Personal Data?
- Does your business transfer Personal Data to other entities?
- Is your website accessible to users in the EU or California?
- Does your business process any sensitive data?
- What security measures has your business taken to ensure adequate data protection?
- What steps has your business taken to comply with domestic and foreign data privacy laws?
The GDPR, CCPA, and other data protection laws, including the New York SHIELD Act, can have a significant impact on both cross-border and domestic transactions. These privacy laws may impact various parts of a transaction, including:
- The structure of the deal as a stock sale or an asset sale;
- The due diligence process;
- The representations and warranties that a Seller is being asked to make and on which Buyer relies;
- Indemnification and escrow holdbacks; and
- Purchase price adjustments.
Domestic Sellers that are considering selling their businesses should expect questions from potential Buyers regarding the Personal Data that the Seller collects, processes, and stores and its lawful basis for doing so under applicable data protection laws. Sellers are likely to receive requests for information regarding compliance with applicable data protection laws and may be required to disclose any security incidents.
Sellers who are not in compliance with applicable data protection laws jeopardize the value of their businesses and risk fines and penalties from enforcement agencies. Sellers may need to be wary of how they represent and warrant compliance with applicable data protection laws because misrepresentation may result in breach of contract actions and associated litigation costs. Buyers will need to factor in the costs of remedying compliance issues after the closing, the risk of an enforcement action, and potential litigation based on a claim of non-compliance when considering risks associated with a deal. This is likely to affect the purchase price of a deal and may require post-closing indemnification or an escrow holdback.
What does this mean for your business? Businesses that collect Personal Data should become compliant with all applicable data protection laws as soon as possible. Businesses that are considering entering into a transaction this year should be concerned about data privacy and should take the aforementioned information into consideration before entering into any deal.
Bond’s Mergers and Acquisitions and Cybersecurity and Data Privacy teams work together on asset purchases, stock purchases, and mergers across various industries to assist Buyers and Sellers with: (1) selling businesses and developing compliance measures prior to the sale to limit exposure during the sale process; and (2) buying businesses and performing diligence to confirm the extent of the target company’s compliance with applicable data protection laws.
For more information regarding data privacy compliance for M&A transactions, contact Amber L. Lawyer or any one of our attorneys in our Mergers and Acquisitions or Cybersecurity and Data Privacy practices.