Impact of Data Protection Laws on Mergers and

Acquisitions (M&A) Transactions

4 October 2019
By: Carolyn Bigg | Joe Bauerschmidt | Teerin Vanikieti

In recent weeks, the UK's Information Commissioner's Office (ICO) imposed major fines on several prominent
companies for data security hacking incidents that resulted in violations of the EU's General Data Protection
Regulation (GDPR).

In one of the cases, the buyer was held liable despite the data security incident reportedly taking place prior to an
M&A transaction.

This case prompted M&A lawyers to carefully consider the future ramifications of a data protection law violation on
M&A transactions and the parties to such transactions.

Extraterritorial impact of GDPR

At the outset, it is important to note that GDPR in certain circumstances may apply extraterritorially outside the
EU. For example, it may apply to firms established outside the EU but have processing activities related to (1) the
offering of goods or services to data subjects who are EU residents, or (2) the monitoring of the behaviour of such
data subjects which takes place in the EU. Businesses in Asia may be subject to GDPR if they market products or
services to EU residents or obtain data in connection with EU residents. For this purpose, the use of electronic
channels such as e-booking platforms (commonly used by hotel and airline businesses in Asia) and e-commerce
platforms which are accessible by EU residents may be caught by GDPR. The penalties provided under GDPR are
severe and can be up to 4% of the violator's total worldwide annual turnover of the preceding financial year or EUR
20 million, whichever is greater.

Therefore, in addition to the issues under the relevant data protection laws in each jurisdiction, both buyers and
sellers in an M&A transaction should not forget additional potential liabilities under GDPR.

Local Data Protection Laws

In addition, for M&A transactions involving targets in Asia, buyers and sellers must also consider national data
protection laws. In particular, unlike GDPR, the data protection laws in most jurisdictions in Asia require
organisations to have adequately notified data subjects, and obtained their consent, to transfer data as part of due
diligence or upon completion in the context of an asset sale.

What do these developments in data protection laws mean for M&A transactions?

Both the buyer and the seller in an M&A transaction should exercise extra care when managing the risks associated

DLA Piper is a global law firm operating through various separate and distinct legal entities. Further details of these entities can be found at www.dlapiper.com. This may qualify as
 with the target business. In particular, they should assess: (1) whether the data can be transferred at all as part of
the M&A transaction; and (2) whether the target has complied with the applicable data protection laws and address
any risks of non-compliance between themselves. Both of these are, in our data-driven world, key to pricing as well
as risk decisions in an M&A transaction.

While the biggest risks often arise in asset sales (as there will be a change in terms of the data “controller”), there
are still some important safeguards that both sellers and buyers should take even in share sales.

While many data protection laws in other jurisdictions (e.g. Singapore) contain helpful exemptions for M&A
transactions, this is not the case in all jurisdictions. Further, such exemptions usually only cover due diligence
processes, and so do not cover historic liabilities for data security incidents or use of data post-transaction.

Due Diligence

In light of the above, buyers (particularly those whose business handles a significant amount of personal data)
should conduct not only conventional legal and financial due diligence but also:

an assessment as to whether the data can be shared during the initial due diligence procedure (whether via data
subject consent or an exemption applying, depending on the relevant laws at play) and, more importantly, in the
case of an asset sale whether the target has the consent of the data subjects to transfer the data to the buyer;
an assessment as to what purposes have been notified to, and consented to by, data subjects, and whether
these are sufficient for the buyer's needs and ambitions going forward and, if not, the practicality as to whether
fresh consent must, and can, be obtained from the data subjects; and
a review of operational, IT and cyber security to ascertain whether the target is equipped with proper operational,
IT and cyber security policies and procedures. With an increased need for such a service, a number of
consultants and specialized IT firms have developed such a review service as part of their product offerings.

Warranties and Indemnities

As noted above, violation of data protection law may result in significant fines so the buyer should therefore
attempt to require the seller to give representations and warranties specifically confirming, inter alia, that the target
business:

has never had any data security breach incidents or engaged (and does not have the risk that it will engage) in a
dispute over a data protection offence;
is equipped with adequate IT and cyber security mechanisms;
is properly and regularly audited for its IT and cyber security compliance;
has in place a proper data protection officer (if required) and data protection policy; and
fully complies with data protection law.

Depending on the bargaining power of the buyer, in reality, a prudent seller would be quite reluctant to give all such
representations and warranties to the buyer.

In addition, if commercially possible, the buyer should require indemnification by the seller for any breach of these
representations and warranties, as well as for any failure to comply with data protection law as may have occurred
prior to the acquisition.

On the seller's side, whilst in principle any liability that may have been created when the seller exercises the control
of the target should be assumed by the seller, the sellers should also clearly define the limit of their liability,
whether in terms of amount, duration and/or nature of damages (say, excluding the liability for opportunity loss or
reputational damage).

Cyber-Insurance and Warranty and Indemnity Insurance

The buyer should also check the sufficiency of the target’s insurance coverage to protect the business should
there be any third party cyber-attacks, including such insurance’s coverage and exclusions. For example, a cyber-
insurance enables a policy holder company to alleviate risks and be compensated (which may include, business

DLA Piper is a global law firm operating through various separate and distinct legal entities. Further details of these entities can be found at www.dlapiper.com. This may qualify as
 losses, investigation and lawsuit costs) in relation to cyber-related security breaches (including a data breach and
contamination of data).

The seller and/or the buyer may also explore obtaining a warranty and indemnity insurance policy that specifically
covers the risk of loss in connection with unknown and unintentional data protection offences as a way to reduce
their potential liability (the premium on such a policy may also be shared between the parties). A variety of
insurance products for this purpose can be further explored in the regional market.

AUTHORS

Carolyn Bigg
Partner
Hong Kong | T: +852 2103 0808
[email protected]

Joe Bauerschmidt
Partner
Singapore | T: +65 6512 9595
[email protected]

Teerin Vanikieti
Senior Associate
Singapore | T: +65 6512 9595
[email protected]

DLA Piper is a global law firm operating through various separate and distinct legal entities. Further details of these entities can be found at www.dlapiper.com. This may qualify as