DealMakers - Q2 2021 (August 2021)
Data Privacy in M&A Transactions
by Priyanka Naidoo and Ridwaan Boda
In 2019, the UK's Information Commissioner's Office (ICO) fined Marriott Hotels £18,4m (about R1,9bn) for a compromise to personal information suffered by Starwood Hotels, an entity that Marriott Hotels had acquired after the data breach occurred. The ICO commented that its investigation had revealed that Marriott "failed to undertake sufficient due diligence when it bought Starwood…".
The Marriott case holds important lessons for companies engaged in M&A activities, including:
the importance of conducting a thorough privacy and cybersecurity due diligence in the context of mergers and acquisitions;
buyers of businesses, in particular, cannot be absolved of a target’s cybersecurity failures (even past failures);
parties and their advisors in M&A transactions must be more cognisant of the importance of data privacy legislation at all stages of the transaction, from inception of interest until post acquisition, and take proactive measures at each stage to ensure compliance with legislation and best practices;
for purchasers and their advisors, omitting data protection and cybersecurity as a separate and distinct subject of due diligence is simply no longer an option; it is core to the value of the business being acquired, and it is critical that the risk posed be thoroughly assessed;
from a data privacy and cybersecurity perspective, there are a number of enquiries that need to be specifically made by the purchaser as a separate topic of the due diligence exercise;
where the motivation of an acquisition is to acquire the target company’s data (e.g. marketing lists, consumer lists, health data, et cetera), the level of this due diligence needs to be even greater.
Now that the Protection of Personal Information Act, 2013 (POPIA) is in force, companies should heed the above lessons in order to avoid liability for non-compliance with POPIA, in addition to serious commercial consequences, including costs for remediation of the data breach, and reputational harm.
Data privacy and cybersecurity as a separate and distinct subject matter of due diligence
From the purchaser's perspective, it is critical that the seller's data privacy compliance and cybersecurity be thoroughly assessed as early as possible in the M&A process. These considerations should be applied as a separate and distinct subject matter of due diligence, including the need to ask the right questions when buying a business. Questions that would typically be included relate to items such as:
the status of the seller's compliance with POPIA;
policies, practices and controls in place to safeguard personal information processed by or on behalf of the seller, and whether these meet the standards imposed by POPIA;
the adequacy of staff training and awareness regarding data privacy and cybersecurity, given by or managed by the seller;
the measures that the seller has in place to prevent, detect, respond to, manage and remediate a data breach;
history of data breaches suffered by the seller.
Data privacy considerations during the due diligence phase
A large volume of this information will include personal information falling within the scope of POPIA. This will mean that the seller must ensure that (i) it has a lawful basis to disclose personal information to the seller, and (ii) that only personal information necessary for the purposes of due diligence and the acquisition is disclosed.
Parties typically conclude a non-disclosure agreement (NDA) to regulate the confidentiality of information disclosed during the due diligence process. These standard NDAs typically do not include robust clauses dealing with personal information and the parties' compliance with their respective obligations under POPIA and any other applicable privacy laws. Parties are strongly advised to conclude a ‘personal information sharing agreement’ on top of the standard NDA.
The sharing of information needs to be POPIA-compliant. If a party intends to rely on legitimate interest as a ground to disclose personal information, an opinion or privacy impact assessment should be drafted and kept on file to this effect. However, even in such event, the condition of ‘data minimisation’ should still be met. The seller should be guided by questions like whether the purchaser needs to know the identity of the seller’s employees, clients or customers, and whether any personal information can be anonymised or de-identified in a way that renders it impossible to identify the particular data subject. This must be balanced against the purchaser's requirements for reviewing the information requested. Sellers should not attempt to hide behind ‘data minimisation’ to avoid disclosing key information to the purchaser.
Third parties are often engaged to provide the virtual data room (VDR) through which information is shared and accessed. Regardless of which party is responsible for the VDR, steps must be taken to ensure compliance, including ensuring that security safeguards are in place.
Once the purchaser acquires the seller, it will need to consider what it can lawfully do with the personal information and whether it has any obligations in respect of such information. Where relevant, additional conditions precedent may need to be included in the purchase and sale agreement.
In the age where data is an asset and there can be serious consequences for non-compliance with privacy laws, companies engaging in M&A activities can no longer afford to ignore the relevance of data privacy and cybersecurity in M&A transactions.
Naidoo is an Associate in Corporate Commercial and Boda an Executive in TMT | ENSafrica.