How Special Is Your Data?
Special categories data in M&A transactions
The use, handling and transfer of personal data in M&A transactions has become an increasingly important aspect of the deal management process, given both the volume and value of M&A in the UK (according to the Office for National Statistics, in 2019 alone, there were 871 completed £1m plus domestic M&A transactions, with an aggregate value £8.7 billion). Moreover, as companies have recently been increasing their internet presence and online offerings adjusting to the new normal, data is likely to continue to play a significant role.
Focusing on sensitive personal information (formally known as “special categories of personal data”), this blog post looks at the processing of personal data in M&A transactions and sets out a number of practical issues which could be relevant for a company involved in an M&A transaction, whether as a seller or a buyer.
Getting your house in order
Regardless of whether or not you are thinking about selling your company or business, it is important that you remain accountable for your data and take steps to ensure that you process it in accordance with applicable laws. Otherwise, there is a risk that you could incur a substantial financial penalty under the General Data Protection Regulation (up to EUR 20 million or 4% of your company’s global turnover, whichever is higher) as well as damage to your reputation, if details of a potential data breach become public. Relatively little has changed in this respect as a result of the UK’s departure from the European Union: the EU GDPR has been transposed into UK’s domestic law under which the maximum administrative fine remains equally significant – up to £17.5 million or 4% of your company’s global turnover, whichever is higher.
At all times, organisations must process personal data in accordance with the general principles, including lawfulness, fairness, transparency, purpose limitation and data minimisation. To be lawful, the processing has to be based on one or more lawful bases: the person’s consent, a contract you have with them, your legal obligation, protection of their vital interest or general public interest, or on your legitimate interest. You – as the data controller – should specify the lawful basis justifying your processing upfront.
At the same time, processing special categories of data is generally prohibited, subject to some exemptions. Special categories of data (known as “sensitive personal data” before the GDPR) include information about a person’s ethnic origin, religious beliefs, trade union membership, sex life, or health-related and biometric data. A controller will be exempt from the general prohibition in a narrow range of instances, such as where they have obtained the data subject’s consent, if the data subject has made the information public, or where such processing is necessary for the employer to enable them to carry out their rights and obligations in the course of employment. For example, an employer will be able to justify collecting and storing health-related data of a physically impaired employee in order to arrange for appropriate working conditions for them, while complying with equality law. On the contrary, a smart speaker manufacturer may find it difficult to justify storing details of a customer’s sex life for the purpose of serving to them targeted advertising, unless the customer has granted their consent.
A word about consent
While it is tempting to justify a processing activity by the data subject’s consent, it may prove challenging to show that the consent you have obtained is valid under the applicable law. While this may previously have been considered adequate, for a consent to be valid under the current law, a controller has to prove that they have obtained a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, has signified agreement to the processing of personal data relating to him or her.” Generally speaking, the GDPR now leans against consent, the logic being that if the data controller cannot rely on another lawful basis for processing, then that in itself raises questions as to whether the data should be processed in the first place (this is a major change from the pre-GDPR position).
In practical terms, the smart speaker manufacturer would likely not comply with data protection law by processing customer data based on a blanket implied consent, such as by stating in their terms that “By using this device you give us consent to process your personal information.” Instead, they would be required to take a granular approach and request a separate consent in respect of every single purpose. For example, a separate consent would have to obtained for the recording and storing of the user’s voice to adjust to the user’s preferred communication style (i.e. the learning functionality), storing and analysing the history of user-accessed content to deliver a more appropriate content and ads (the commercial opportunity), and processing of the sound recording of the user’s behaviour whilst the device is idle, watching out for the “wake word” (part of the ‘smart’ functionality).
In addition, the controller needs to be able to show that the user has granted their consent in an affirmative, clear and documented manner. Silence or inaction does not amount to a valid consent, nor does the use of pre-ticked boxes or similar circumventing practices widely and wildly adopted in the past. Moreover, in some situations, including employer-employee scenarios, the apparent imbalance of power between the parties is likely to render consent not freely given.
Preparing for target screening
In an anticipated M&A transaction, before a seller discloses any details about the target company to the buyer, the seller should:
- Ensure that its customers and employees have been notified about the processing of their data. By default (and before any transaction is considered), customers and employees must be informed about the processing of their personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
- Carry out an impact assessment. A thorough data protection impact assessment should give you a good reflection of your current processing activities as well as an opportunity to address any shortcomings.
- Inform data subjects about a potential transaction upfront. If personal data is likely to be used for a purpose other than for which it had originally been collected, the data subject must be informed about this new purpose. Therefore, our advice here is that companies should list potential M&A transactions amongst their data processing purposes, in order to identify an appropriate legitimate interest on which they would rely. This will help them to keep the details of the contemplated transaction confidential during early stages of the deal.
- Anonymise the data sets. Depending on the volumes of customer data processed and the extent of employee lists provided in the target screening process, anonymisation should be considered. When properly anonymised, this data will no longer be considered personal data and any non-compliance risks will therefore be significantly lower. However, anonymisation may not be practically possible in small organisations or small teams. Due to limited numbers of personnel, working with aggregate data in such circumstances may inevitably lead to linking de-identified data sets to individual employees, thus producing personal data again.
- Secure your data. When processing personal data an organisation must apply appropriate technical and organisational security measures. While relying on off-the-shelf IT solutions will likely help organisations comply with this requirement, it is just as important that they adopt customised measures and internal policies unrelated to state-of-the-art technology, such as limiting the number of people within the organisation with access to data, screening people with access, adopting policies about taking data offsite, and clean desk policies. These measures must also be applied during target screening and any future data transfers.
- Sign a confidentiality agreement and a data sharing agreement with the buyer. An organisation must not share any personal data during the target screening without appropriate confidentiality and security safeguards from the buyer, and must demonstrate that it has a reason to trust that the buyer will abide by these. In addition, where the buyer shares the disclosed data with its advisors and other third parties, they may need to adopt further data sharing agreements. Note that data sharing arrangements will be subject to complex rules depending on the country which this data is transferred into. Finally, it remains to be seen how these rules will change after the end of the current Brexit transition period (although the UK has deemed all EEA countries as granting adequate protection to personal data, EU’s adequacy decision in respect of the UK has not yet been issued).
- Avoid disclosing special categories data. While disclosing employee lists containing personal information may be justified by the seller’s carefully identified legitimate interest, there is no legal ground permitting a seller to share with the buyer special categories data during target screening (unless consent has been granted or this data has entered public domain). Although such data may be processed where it is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment, in target screening, the prospective buyer must be treated as a third-party, not an employer. As a result, they should generally have no access to any special categories data on the target’s files.
During the transaction
Data controllers remain accountable for personal data they process throughout the entire data lifecycle. This includes any data processing (in its widest sense, including collecting, using, sharing, disclosing, transferring and reorganising) that occurs during target screening and transaction negotiations. In particular, attention should be paid to the following, at this stage:
- Data sharing with professional advisors. Where the parties share any personal data with their professional advisors (typically including lawyers, auditors, and accountants) they remain the controllers of such personal data and may need to adopt appropriate data sharing agreements with the respective third parties. As discussed above, these will be subject to complex rules depending on the country which this data is transferred into. Most importantly, the disclosing party will remain responsible for the purposes for which its advisor uses the data and accountable for any breaches that occur as a result. Special categories data must not be shared with professional advisors, unless an exemption applies.
- Disclosures to individual shareholders. Although company shareholders technically own the company and regulate its affairs, they do not form its part and act independently of its operations. This means that in a transaction, appropriate organisational measures should be put in place to ensure that no personal data is shared with any shareholders without an appropriate data sharing agreement. Special categories data must not be shared with shareholders, unless an exemption applies.
- Maintain adequate security. During a transaction, both the disclosing and the receiving parties must maintain adequate security of personal data they store and share. Any disclosures to third parties should be justified, legal, and made on the basis of existing data sharing agreements. In addition, where data is disclosed to professional advisors, the disclosing party should ensure that such advisors have also adopted adequate organisation and technical security measures.
- Respond to access requests. Employees and customers whose personal data is being processed (i.e. collected, stored, shared and potentially transferred) have the right to obtain from the controller confirmation as to whether or not their personal data is processed, as well as the purposes of such processing and information about the recipients to whom their personal data has been disclosed. They may do so by submitting a subject access request to the controller, who must comply with this request within one month of its receipt which may become a particularly relevant and sensitive issue in confidential transactions.
Our advice is that, after completion of an M&A transaction, it is important that the following matters are properly addressed:
- Review data protection arrangements, register with the ICO and pay the fee. As a result of the transaction, the buyer (in the case of a business purchase, or the purchase of a company followed by a hive up of the business) will have become the controller of the data relating to acquired customers and employees. In a pure share purchase, although the target company will remain the same, it’s likely that the target is now part of a group, and that as a result, other members of the group (particularly the holding company) will need to access that data. This should trigger a review of the data processing arrangements for all companies in the group which are affected. In addition, if the they have not already done so, the buyer must register with the Information Commissioner’s Office (ICO) and pay the data protection fee. The buyer should also pay close attention to its actual or potential personal data processing taking place in other EEA countries and comply with the respective local registration requirements.
- Establish the basis for the processing of special categories data. On completion of a business purchase, a buyer is likely to receive employee files containing their special categories data. As the buyer will now be the employer of the relevant employees (whose employment will transfer automatically under the TUPE regulations), the buyer may be able to rely on the employment exemption in processing their special categories data. However, where the buyer does so, they must ensure that any such processing is necessary for the purposes of carrying out the obligations and exercising specific rights and obligations in relation to the employment. Where processing is unnecessary, another suitable exemption must be considered or the processing of this information must stop and the data be erased. Any processing acquired in a share sale should be carefully reviewed in order to establish whether the existing bases are appropriate with respect to the current purposes.
- Adopt an appropriate policy document. Where the buyer processes special categories data they must have a policy document that details their procedures for complying with the data protection requirements and sets out their policies for retaining and erasing the special categories data. This document must be periodically reviewed.
- Comply with the principles. Data protection rules are principle-based. There is no exhaustive list of obligations for organisations to comply with. Therefore, it is essential that sellers and buyers remain accountable for the data they hold and only process personal data in accordance with the general principles.
Stay in control
The value of personal data is significant and rising. The number of data breaches targeting data-heavy organisations (e.g. in aviation and hospitality sectors) confirm this. Sellers and buyers need to be aware of the value of personal data they hold, or intend to acquire, and protect it appropriately. Otherwise, they risk hefty fines from supervisory authorities in the short-run, and significant loss of reputation and customer confidence in the long-run. In addition, sellers and buyers need to remain vigilant to see if and how the rules on personal data processing change after the end of Brexit transition period.
Please contact Andrew Katz or Tim Astley in Moorcrofts’ Technology Team, if you would like further information about the use of personal data in M&A transactions, or you have any general queries on privacy and technology law.