Privacy and data security issues do not yet loom large on M&A parties’ radar screens, but the regulatory environment and customers might soon change that. About two-thirds of the respondents in Dykema’s 10th annual M&A survey said that cybersecurity ranks about the same this year in terms of their due diligence focus, but the other third is paying more attention this year than last.
The field is broad and the environment is changing, so M&A professionals could be forgiven for wondering which issues should be on their radar. Here are some issues that often escape attention but can be major problems if not addressed early and well.
When the deal involves transfer of personal information to the buyer
Where customer personally-identifiable information (PII) will be transferred in the course of the deal, it matters what the parties have promised customers. If a party (usually the acquisition target) has promised its customers that it will not transfer their PII to a third party, it is possible that the Federal Trade Commission (FTC) will step in and hold up the deal.
For example, in 2011, the FTC intervened in the sale of certain operations of bookseller Borders, Inc., then a bankruptcy debtor, to Barnes & Noble. Borders’ privacy statement stated, in relevant part, that “we will only disclose your email address or other personal information to third parties if you expressly consent to such disclosure.” Citing six other recent enforcement actions, the FTC warned that breaking a promise like that to a customer would likely be an unfair or deceptive trade practice.
The S.D.N.Y. Bankruptcy Court ultimately approved the $13.9 million sale, but the parties had to agree to notify customers of the transaction by email and an ad in USA Today, and give customers 15 days during which to opt out of the transfer. The FTC’s actions in the Borders case are particularly noteworthy because of the bankruptcy context. Bankruptcy law contains a strong preference for the maximization of the value of the bankruptcy estate. The Bankruptcy Code removes many rights or obligations, such as anti-assignment clauses, that would otherwise obstruct the alienation of estate assets, but the FTC took the matter seriously enough that it intervened even in this field.
When the deal involves cross-border PII transfers
As commerce — and, accordingly, M&A transactions — become increasingly international in nature, parties must consider the implications of international transfer of PII. This is a particularly important point for U.S.-based enterprises. The U.S. has a sectoral (e.g., financial, healthcare, education) model of privacy and data-security regulation in which, practically speaking, whatever is not prohibited by law is allowed. Not so elsewhere in the world.
Foreign regulators, notably the data protection authorities of European Economic Area member states, prohibit the movement of their citizens’ PII across international borders to places where local law does not provide the same scope of data protection as the home jurisdiction. This is not necessarily a deal-stopper. U.S. enterprises can comply with international data transfer law in many ways, such as the U.S. Commerce Department Safe Harbor program or European-Commission-mandated model contracts, to name just two. But it requires analysis and planning in advance. EEA law pays close attention to which party is an importer or exporter and which party is a “controller” or “processor” of the PII. Additionally, although 1995 regulation by the European Commission was intended, in part, to make compliance across EEA member states easier and more uniform, in practice, regulation and enforcement vary widely across individual EU member states.
And additional problems arise for new or existing outsourcing operations. A U.S. enterprise might be able to bring foreign PII onto U.S. soil, but the protection must follow the data wherever it goes, including into the hands of the U.S. enterprise’s service providers. Many service providers have their own safe-harbor, model-clause or other conduits in place, but these often work only when the provider is the actual importer or exporter of PII, making it unlikely that even comprehensive frameworks will work with new data flows. As soon as a new flow from a new jurisdiction occurs, management must reevaluate the entire system of data flows.
The importance of international data transfer compliance varies depending on the origin country. EEA data protection authorities vary widely, from the comparatively laid-back UK to the more stringent Germany and Spain. And other nations present restrictions that are nearly unbelievable by managers accustomed only to U.S. privacy regimes. South Korea’s law, for example, requires fully-informed consent by the data subject and that consent must identify every transferee by name (not role, as is permitted under other regimes). And South Korea’s law contains criminal sanctions for violators.
Beyond strictly compliance-based issues, restrictions on international transfers can affect the business case for a deal. Deals often depend on scale or leverage of back-office functions. If data centers in the U.S., India, China or elsewhere can’t receive or process EEA, Australian, Swiss, South Korean or other PII, the economies that make the business case work could be defeated.
When consumer reaction matters
Consumers and others are beginning to care more about who has their data. For example, on Jan. 14, 2014, Google acquired Nest Labs for $3.2 billion. Nest makes thermostats and other devices, some of which feature, among other things, motion sensors and WiFi capability that connects them to Nest through the Internet. The transaction drew comment from various industry watchers and even a parody presentation and website (since taken down) by Peng! Collective, a German activist group. Those events show that there is a forum for discussion of what combinations of data mean for privacy. And future transactions should take into account the likely reactions in that forum.
What’s on the horizon?
The landscape of regulation and consumer sentiment is still developing. The FTC held a conference in 2013 to talk about the networking of personal devices — the so-called “Internet of Things.” The European Commission expects to adopt a general data protection regulation in 2015, effective in 2017. The best strategy for the moment is to make room in the due diligence process and deal planning to identify any PII involved in any transaction, and to be prepared to take into account the evolving regulatory environment and likely consumer reaction.