Data Privacy Due Diligence is Critical in M&A

Given the number and diversity of privacy regimes worldwide, data privacy has to be examined from several angles in a merger or acquisition. In 2020, California voters approved the California Privacy Rights Act (CPRA), which amended the California Consumer Privacy Act of 2018. Comprehensive state privacy laws also exist in Virginia, Colorado, Utah, and Connecticut.

At the federal level, industry-specific laws address personal data and its protection. For example, the Gramm-Leach-Bliley Act (GLBA) protects consumers' nonpublic personal information held by financial institutions. The Privacy Rule issued under the Health Insurance Portability and Accountability Act (HIPAA) covers protected health information in the healthcare industry, and the Family Educational Rights and Privacy Act (FERPA) addresses the privacy of student education records.

Internationally, the most notable data privacy law is the General Data Protection Regulation (GDPR), which applies throughout the European Economic Area. Comprehensive privacy laws also exist in China (Personal Information Protection Law), Brazil (General Data Protection Law), Argentina (Personal Data Protection Act), Japan (Act on the Protection of Personal Information), and Singapore (Personal Data Protection Act). These laws govern what companies may do with personal data and frequently restrict its transfer to other parts of the world.

The Privacy Component of Due Diligence Is Crucial

Due diligence identifies deficiencies that either the target should cure before the acquisition closes (such as adopting a data breach response plan) or that the acquiror will want to rectify post-acquisition (such as implementing a privacy-by-design program). The following are the key aspects of data privacy in the context of M&A.

  1. Data Due Diligence:

    • Data Inventory: Conduct a thorough assessment of the target company's data assets. This includes identifying the types of personal data collected, processed, and stored, as well as understanding the purposes for which the data is used.

    • Compliance Check: Evaluate the target company's compliance with relevant data protection laws and regulations. Identify any ongoing or potential legal issues related to data privacy.

  2. Legal Compliance:

    • Consent and Notice: Assess whether the target company has obtained proper consent from individuals for processing their data and whether privacy notices have been appropriately provided.

    • Data Transfers: If the target company operates in multiple jurisdictions, assess how data is transferred across borders and ensure compliance with international data transfer regulations.

  3. Contracts and Agreements:

    • Review Contracts: Examine existing contracts, agreements, and privacy policies to understand the obligations and liabilities related to data privacy.

    • Data Processing Agreements: Identify if there are any data processing agreements in place with third-party service providers and assess their compliance with data protection requirements.

  4. Risk Assessment:

    • Data Breach History: Investigate the target company's history of data breaches and the measures taken to address them. Assess potential risks and liabilities associated with data security incidents.

    • Litigation and Complaints: Check for any ongoing litigation or regulatory complaints related to data privacy issues.

  5. Integration Planning:

    • Data Mapping: Develop a plan for integrating data systems and processes while minimizing the impact on data privacy. This may involve mapping how personal data flows within the newly merged entity.

    • Employee Training: Provide training to employees on data privacy policies and practices in the merged entity.

  6. Communication and Transparency:

    • Stakeholder Communication: Communicate changes in data practices transparently to employees, customers, and other stakeholders. Ensure that individuals are informed about how their data will be handled post-merger.

  7. Post-Merger Compliance:

    • Data Protection Impact Assessment (DPIA): Conduct DPIAs where necessary, especially when there are significant changes in data processing activities.

    • Continuous Monitoring: Implement continuous monitoring and auditing mechanisms to ensure ongoing compliance with data protection laws.

Data Have Value

Companies often consider deleting unprotected or misused data upon closing the acquisition. But what if that data is one of the main assets being acquired? In many cases the defect can be cured rather than the data destroyed. A fresh consent request or privacy notice can be sent to the affected individuals. A permissible secondary purpose can be identified that is compatible with the original reasons for collecting the data. Or the data can be anonymized, by aggregation among other methods, so that it ceases to be personal data while retaining much of its value; this is frequently the route taken where the acquiror wants the data to train machine-learning models.
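As an added illustration of the aggregation route described above (example code written for this page, not from the original article), the block below takes a small constructed customer table, strips the direct identifier, coarsens the quasi-identifiers (zip code and age) into bands, and rolls the rows up into per-group counts. It also shows the step that is easy to forget: a group that contains only one or two people is still identifying, so small groups are suppressed before the table is released. The record layout, the field names and the threshold `k=3` are assumptions chosen for the example.

```python
from collections import Counter, defaultdict

# Constructed sample records (not real data). Each row carries a direct
# identifier (email), two quasi-identifiers (zip, age) and one attribute
# the acquiror actually wants for modelling (category).
RECORDS = [
    {"email": "ann@example.com", "zip": "94107", "age": 34, "category": "fitness"},
    {"email": "bo@example.com",  "zip": "94110", "age": 31, "category": "fitness"},
    {"email": "cy@example.com",  "zip": "94103", "age": 38, "category": "books"},
    {"email": "di@example.com",  "zip": "94105", "age": 30, "category": "books"},
    {"email": "ed@example.com",  "zip": "94107", "age": 45, "category": "fitness"},
    {"email": "fay@example.com", "zip": "94110", "age": 47, "category": "books"},
    {"email": "gus@example.com", "zip": "94103", "age": 41, "category": "fitness"},
    {"email": "hal@example.com", "zip": "10001", "age": 29, "category": "books"},
]


def generalize(record):
    """Coarsen the quasi-identifiers: 5-digit zip -> 3-digit prefix,
    exact age -> ten-year band. The returned tuple is the group key."""
    zip3 = record["zip"][:3] + "**"
    decade = record["age"] // 10 * 10
    return (zip3, f"{decade}-{decade + 9}")


def is_k_anonymous(records, k=3):
    """True if every generalized quasi-identifier combination covers
    at least k records, i.e. nobody sits alone in a group."""
    sizes = Counter(generalize(r) for r in records)
    return all(n >= k for n in sizes.values())


def aggregate(records, k=3):
    """Drop direct identifiers, roll records up into per-group counts,
    and suppress any group with fewer than k members. Returns the
    releasable table plus the number of records that were held back."""
    groups = defaultdict(list)
    for r in records:
        groups[generalize(r)].append(r["category"])  # email is never copied
    table, suppressed = {}, 0
    for key, cats in groups.items():
        if len(cats) < k:
            suppressed += len(cats)  # a cell of one is still a person
            continue
        table[key] = {"n": len(cats), "categories": dict(Counter(cats))}
    return {"groups": table, "suppressed_records": suppressed}


if __name__ == "__main__":
    # The lone 10001 / 20-29 record makes the raw table non-anonymous
    # until it is suppressed.
    print(is_k_anonymous(RECORDS, k=3))
    print(aggregate(RECORDS, k=3))
```

The threshold `k` is a policy choice, and aggregation is only one control: rich attributes or linkage with other datasets can still re-identify people in small groups, so whether the output counts as anonymized rather than pseudonymized is a judgment that should be documented in the due diligence record, not assumed from the code.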
