Ideas & Debate

Data protection rules will make or break M&A deals

cyber (1)

Summary

  • Some of the M&A transactions that proceeded without proper due diligence on the target entity’s GDPR compliance mechanisms ended up paying hefty fines as a result of the oversight as seen in the Marriot case.
  • With a robust Competition Authority and now a Data Commissioner in office, practitioners and transaction advisors in M&A in Kenya cannot afford to ignore data protection safeguards.

Elizabeth Denham, the UK’s Information Commissioner, in a statement about the authority’s intention to fine Marriot International Inc for breaching personal data protection rules reminded organisations of their obligations under the European Union General Data Protection Regulations (GDPR).

“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected,” said Ms Denham.

Marriott acquired Starwood Hotels Group in 2016 and the breach that led to the fine occurred in 2014. The breach occurred prior to both acquisition by Marriott and the commencement (May 25, 2018) of the GDPR and was only discovered post-acquisition in 2018. The breach exposed 30 million records of residents from 31 countries in the European Economic Area.

When the GDPR took effect, the mergers & acquisitions (M&A) landscape changed, particularly with the scope of due diligence to be conducted by potential buyers. Ongoing and prospective M&As had to be relooked in the context of data protection and privacy. Dealmakers across Europe had to factor in data protection and privacy mechanisms in place in the various target entities.

Those who factored in privacy measures in place either proceeded or put on hold the M&A. A 2018 survey of dealmakers across Europe by Merill Corporation had 58 percent of the respondents indicating that they had taken part in M&A transactions that had stalled as a result of GDPR Compliance concerns.

Some of the M&A transactions that proceeded without proper due diligence on the target entity’s GDPR compliance mechanisms ended up paying hefty fines as a result of the oversight as seen in the Marriot case.

With a robust Competition Authority and now a Data Commissioner in office, practitioners and transaction advisors in M&A in Kenya cannot afford to ignore data protection safeguards where a target entity’s core business involves processing of personal data. Every so often we will read about a techquisition or a successful seed fundraising round by a startup, Kenya being an innovation hub. On the flipside, some potential M&As have failed to take place as a result of insufficient data privacy provisions.

We have techprenuers with brilliant solutions. However, they tend to overlook data protection and privacy. Some mistake data security for data privacy. They overlook critical issues such as consent management.

The effect of this has been costly. Deals have collapsed midway, others have been delayed when the target requests for more time to rework their privacy notices and mode of obtaining consent to process personal data.

For target entities intending to raise capital, their founders have been forced to not only relook their processes, but spend money to have their processes audited and cleaned up. In addition, the valuation of your company, established or starting up, risks being eroded as it happened to Yahoo prior to its acquisition by Verizon.

Yahoo disclosed that it had suffered three data breaches — one in September 2016 and two in December 2016 just after the initial $4.8 billion deal had been worked out. Verizon ended up paying $4.48 billion, a reduction of almost $350 million as a result of the breaches.

It is for this reason that any entrepreneur intending to start a business that will involve processing of personal data is encouraged to have the right attitude and safeguards to privacy. Startups stand the risk of being killed by small fines in case of data breaches, leave alone attracting investors.

It is crucial to point out that data protection and privacy going forward will no longer be a reserve of supervisory authorities. Big tech companies are now seeing value in upholding the privacy of their users. This will have an impact on future M&As.

“Too many are still asking the question, ‘How much can we get away with?’ when they need to be asking, ‘What are the consequences?’” averred Apple CEO, Tim Cook, during his address in this year’s virtual Computers, Privacy & Data Protection Conference on World Data Privacy Day that was marked on January 28.

This was in reference to companies that tend to process and monetise personal data collected without the requisite consent. It is during this address that he talked of the recently introduced Privacy Nutrition Labels on the Apple Store. He affirmed that, “Every app, including our own, must share their data collection and privacy practices”.

This is one among many interventions that will be developed by big tech companies, with the hope of gaining the confidence of users who value their privacy online. A potential acquirer may decide not to invest in an application based on the fact that the application does not qualify for a Privacy Nutrition Label.

Techprenuers should strive to document their processes and decisions as this will help them with compliance with the regulator and also have an edge when potential acquirers want to check their entities’ compliance.

When users do not feel that their personal data are safe, they are willing and ready to move on to other options available. We all saw the surge in the number of new Telegram and Signal downloads globally after WhatsApp announced their new privacy terms.

To mitigate the risks associated with unknown breaches that occurred prior to an acquisition, warranties and indemnities have been relied upon by buyers. Globally, private equity practitioners are increasingly seeking warranties from individual sellers or the management teams in their personal capacity lest any of the warranties regarding data breaches turn out to be incorrect.

They strive “to have them liable for those warranties because the buyer wants those individuals to have some skill in the game”, as Leo Flindall of Marsh & McLennan put it in a past webinar on technology M&A risks.

Karanja is a data protection compliance & commercial law practitioner