By now, most companies understand that data privacy issues should be part of routine due diligence when evaluating a proposed transaction. Acquiring parties need to look-out for potential privacy related liabilities based on the target’s compliance with applicable data protection laws. Target companies need to be prepared to respond to such inquiries, and address any potential gaps or issues.
As part of the due diligence process, acquiring parties should address data-related information that will ultimately relate to warranties and indemnities that they would likely want to obtain from the target. For example:
Another important diligence aspect that parties to a transaction must consider is whether data held by the target can be shared taking into account both the scope of any data consents and any exemptions or prohibitions that may exist in governing data protection laws.
Substantively, most countries have laws restricting buying and selling personal data, but in the case of an acquisition it is possible those protections could effectively disappear when a company is acquired. As a consequence, regulators are likely to closely scrutinize this issue in data-driven transactions. So, parties embarking on data-driven mergers that may be subject to regulatory merger reviews would be well served to include individuals with privacy expertise as part of the team engaging in the merger discussions with regulators.