Data Protection and M&A

There is a new area of due diligence that M&A counsel must address in trans-border transactions: "data" acquisition and transfer. This due diligence requires a specialized knowledge about data protection requirements in the European Union, United States, and other countries. Many transactional counsel are not aware that "personal data" includes supplier and employee data -- in other words, data that virtually any global enterprise collects and transfers. The failure to properly perform this due diligence can materially affect an enterprise’s operational integration into an acquiror, as well as its economic value.

In the U.S. as well as in Europe, data protection issues have long been disregarded in M&A transactions. However, certain factors -- such as the ability to electronically collect, process, and analyze vast amounts of personal data; the transformation of the Internet from an interconnected information exchange to a commercial business platform; and the increasing possibilities to electronically and globally process personal data without individuals like you and me even being aware of such processing -- have led to increasing legislative efforts in the U.S. and in Europe to protect an individual’s privacy.

On October 24, 1995, the European Commission enacted Directive 95/94/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the "Privacy Directive"). The Privacy Directive has brought some significant changes to the national privacy laws in the European Union.

Given that any European corporate entity processing personal data now has to comply with a detailed set of requirements regarding the collection, processing, use, and transfer of personal data, compliance has become a focal interest of European companies. Since the criminal sanctions for noncompliance in the different Member States range from two to five years of imprisonment, the acquiror of a target company in Europe should make sure that the target either already is compliant or can be made compliant within a short period of time after closing. In this regard, data protection issues compare to environmental liability: Once acquired without being detected in time, they can raise significant additional liabilities post-closing. Therefore, data protection issues should be added to the due diligence checklist in an M&A transaction.

From Due Diligence to Compliance

The Privacy Directive turned privacy into an international and multijurisdictional topic. Each day, a company collects, processes, uses, and transfers a significant amount of personal data domestically and internationally. This may require compliance with the laws of multiple jurisdictions. Therefore, a due diligence exercise first needs to establish the facts of the actual data processing activities within the target company before addressing the compliance requirements under national, European, and foreign laws.

In Europe, any collection, processing, use, and transfer of personal data is prohibited unless specifically permitted by applicable laws. Some European countries require governmental approval for the processing of personal data. All European countries require processing policies, governmental monitoring, and corporate security mechanisms. And personal data is lurking everywhere in a target company: It’s not only HR, R&D, or customer data; it's any data relating to an identified or identifiable person, notwithstanding whether stored in sophisticated electronic databases or simply noted by putting pen on paper.

However, the EU Member States do not only regulate "if" but also "how" a collection, processing, or transfer of personal data may be handled. The processing of certain types of personal data (i.e., so-called sensitive data such as health or ethnic data) is subject to greater scrutiny than the processing of other personal data. The Privacy Directive sets forth certain protection principles that need to be obeyed when collecting, processing, or transferring personal data. For example, a company should always collect personal data directly from the concerned data subject. Further, a "good-to-have" approach to the collection of personal data is not recommended: A company may only collect personal data to the extent essentially required for the purpose for which the data is collected. Grabbing as much data as you can "because you never know" is definitely not in compliance with the Privacy Directive and the national privacy laws of the Member States. These are only two examples of issues to be considered in a due diligence exercise.

The Cross-Border Transfer of Personal Data

The Privacy Directive as well as the applicable national laws in the Member States prohibit a transfer of personal data to a country not providing for an adequate level of data protection. Therefore, unless alternative measures are taken to provide for an adequate level of data protection, no personal data can be transferred from Europe to, for example, the U.S. There are severe penalties for unlawful transfers of personal data, which can range from imprisonment and fines to cutting the connection in a corporate intranet. Since blocking the transfer of personal data within a multinational group of companies can lead to a stand-still of its business, the EU Commission decided that a transfer to a country not providing for an adequate level of protection is nevertheless permissible if any of the following requirements are met:

  • unambiguous and informed consent from each concerned data subject to such transfer has been received;
  • a recipient of personal data (data importer) in the U.S. has joined the so-called Safe Harbor (this alternative is only available with data importers located in the U.S.);
  • transferor and transferee of personal data enter into an agreement under which the transferee provides a level of data protection that complies with the European requirements (for this purpose, the EU Commission provides boilerplate agreements, also known as "Standard Contractual Clauses"); or
  • the holding of a multinationally operating group of companies establishes a so-called "Code of Conduct" – a data protection policy applicable to all of the group’s subsidiaries worldwide providing for a group-internal level of data protection that complies with the applicable European privacy laws.

Therefore, transferring personal data across European borders requires compliance with a two-step process: First, the personal data to be transferred must be collected and processed in accordance with the protection principles set forth by the Privacy Directive and/or applicable national laws. Second, the transferee needs to ensure a level of data protection that can be deemed "adequate" under European laws. If the transferee is located in a jurisdiction providing for less protection of privacy, conflict-of-laws issues can arise.

Doing the Deal with Privacy

Privacy issues are not only to be considered in a due diligence exercise. In an M&A transaction, the parties are confronted with various disclosure requirements before, during, and after closing. The question of whether certain personal information (e.g., HR data) may be disclosed at a certain point in the transaction may have privacy implications. Similarly, the delivery of disclosure schedules to the purchase agreement that contain personal information, on and/or after closing, can be subject to applicable privacy laws. Once the personal data of European citizens has been collected, the Privacy Directive puts a protective cover around it regardless of where in the world it is processed. M&A lawyers should always be on alert whenever they come across "European" personal data in an M&A transaction. Therefore, it is recommended that an M&A lawyer involve a privacy lawyer who is familiar with the Privacy Directive and the applicable national laws of the concerned EU Member States early in the deal, so that privacy issues can be appropriately addressed in time.

The content of this article does not constitute legal advice and should not be relied on in that way. Specific advice should be sought about your specific circumstances.