During mergers and acquisitions (M&A), one company joins or purchases another company. In the process, a lot of information is shared, including the personal information of customers or clients, as well as information on employees.
This information-sharing process, called due diligence, raises cyber security and privacy risks for personal data.
A number of privacy laws apply to the personal data of both customers and employees. As a result, it is important to make sure that the M&A process is carried out with cybersecurity and privacy in mind, or you could be subject to fines or other penalties.
This article covers what M&A transactions are, what due diligence is, what privacy risks there are, red flags, how to carry out a due diligence process in compliance with privacy laws, and what legal agreements or clauses you can use to help you comply.
- 1. What are M&A Transactions?
- 2. What is Due Diligence?
- 3. What Privacy Risks and Red Flags are there in Due Diligence?
- 4. Privacy Laws Affecting Due Diligence
- 4.1. GDPR
- 4.2. CCPA and CPRA
- 4.3. PIPEDA
- 4.4. International Transfers
- 5. How to Carry Out a Privacy-Compliant Due Diligence Process
- 5.1. Notice to customers and clients
- 5.2. Employee privacy notice
- 5.3. Creating an M&A Agreement with Privacy and Security Clauses
- 5.4. Sharing Anonymous and Aggregate Data
- 5.5. Follow Data Minimisation and Purpose Limitation Principles
- 5.6. Apply Supplementary Measures
- 5.7. Only Later Share More Detailed Data
- 6. Summary
What are M&A Transactions?
Mergers and acquisitions (M&A) are legal processes for combining companies. In some cases, one company buys another. In other cases, the two companies combine their businesses. These transactions are usually done because they can expand a company's market, give it access to new customers, or help it continue to grow as a business.
During the process, investigations into the financial and operational aspects of the target company will take place. This is called due diligence.
What is Due Diligence?
Due diligence is the process of going through a company's financial, legal, and operational information. It involves looking through large amounts of documents to identify any risks, financial exposure, or other issues that could cause the transaction to fall through or to be a bad decision.
Due diligence is a process that needs to be carried out carefully, as there are a number of legal risks inherent in it. Businesses need to be cautious when sharing commercial information, as this can bring competition law issues to the fore. For instance, when two companies who plan to merge share confidential information, this could later be used to harm competition in the market.
Privacy risks arise as well. The information accessed through due diligence includes, for example, client information, customer relationship management data, employee files, financial statements, HR records, performance reviews, client transactions, legal contracts, and more.
If personal data is not dealt with appropriately in the due diligence process, breaches of privacy law, data security breaches, or other legal issues could arise.
What Privacy Risks and Red Flags are there in Due Diligence?
The due diligence process carries a number of risks, so important privacy and security steps need to take place. These include, for example, a thorough cybersecurity and privacy review to identify potential issues, reduce risks, and ensure a compliant process.
As part of a cybersecurity review, you need to consider the breach history and security framework maturity of the organisation. Identity and Access Management (IAM) processes also need to be examined, to determine whether or not they are robust and sufficient.
This helps to identify whether there are any major weaknesses or security gaps that need to be filled. Identifying compliance risks at an early stage helps to make sure that the organisation's attack surface is minimised, and that any issues can be resolved before an M&A transaction takes place.
Privacy issues may arise in the early due diligence process, if you find that the target company does not have good cybersecurity and privacy practices in place. Some of the privacy risks in due diligence include:
- Sharing personal data without a legal basis for sharing
- A lack of data minimization or purpose limitation
- Sharing employee or customer data without consent
- Security issues related to data transfers
- Overlooking sector-specific laws
Numerous privacy laws around the world have set out rules for dealing with personal information, and a lack of care around due diligence processes can result in compliance issues, as well as penalties and fines.
Potential red flags in a due diligence process include:
- Lack of cybersecurity protections
- Lack of customer notice or employee privacy notice
- Sharing personal information early in the process
- No security or controls over personal data
- Transferring data overseas without appropriate transfer mechanisms
If you are going through an M&A process you need to make sure you comply with relevant privacy laws, particularly in relation to customer or client data, employee data or other personal data that could be accessed or shared.
Let's take a look at these privacy laws, and how to carry out a due diligence process that complies.
Privacy Laws Affecting Due Diligence
For due diligence, you need to be aware of privacy laws that could apply to employee and customer data. This includes general privacy laws, as well as sector-specific laws and the rules that apply to international transfers if the two companies are not based in the same jurisdiction.
Important laws to consider include:
- The General Data Protection Regulation (GDPR)
- The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA)
- The Personal Information Protection and Electronic Documents Act (PIPEDA)
- International transfer rules
GDPR
Under the General Data Protection Regulation (GDPR), customer and client data, as well as employee data, are considered personal data, which is protected by the law.
You'll need to comply with the GDPR if your business is based in the EU, or if you have customers, clients, or employees that are in the EU. Each country in the EU has its own national law that implements the GDPR.
To comply with the GDPR you'll need to have a lawful basis to share the personal data of your customers or employees. This is set out under Article 6 of the GDPR.
To share data, you'll need to make sure you either get the consent of your employees or customers, or can prove you have a "legitimate interest" in sharing the data. In most cases, "legitimate interest" is relied upon.
You'll also need to follow GDPR principles including data minimisation, purpose limitation, transparency, accountability, and accuracy, and make sure you apply appropriate security measures to protect data during the process. These principles are set out in Article 5 of the GDPR.
CCPA and CPRA
The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) protect privacy rights in California. As the US has no federal level privacy law, state laws like these need to be considered.
The CCPA and CPRA protect the data of consumers. If your business will be transferring customer data during an M&A transaction (which would be expected), the CCPA and CPRA will apply.
In section 1798.100(d) of the CCPA, the law states that if a business "collects a consumer's personal information and that sells that personal information to, or shares it with, a third party", there are a number of obligations that follow. For example, the purchasing business (the one receiving the personal data) must also comply with CCPA rules. You can see this in the section below:
The CCPA initially only provided limited protection for employee data. However, in 2023 this was expanded upon by the CPRA. As a result, employee data was fully protected by the CPRA from then on.
This means that if you are based in California or have employees in California, you'll need to comply. Employees have the same rights as other "consumers" under the CPRA, so you'll need to treat your customers and your employees the same in terms of notifying them of their rights.
The law also applies to job applicants and former employees, as well as contractors and freelancers. As you can see in the CPRA text, the privacy rights of employees and contractors are also protected by the law (not only those of consumers).
As you can see below, the rights for both consumers and employees under the CPRA include:
- The right to know who is collecting personal information, how it will be used, and to whom it will be disclosed
- Control of personal information including limiting sensitive personal information
- Access to information
- Correction, deletion, and portability
It shows:
This means that if you are carrying out an M&A transaction, you'll need to let both employees and customers know that the transfer is proposed, and allow them an opportunity to delete their information before it is transferred, if they wish to do so.
Now let's take a look at some more specific privacy laws.
PIPEDA
Laws like the Personal Information Protection and Electronic Documents Act (PIPEDA) could apply if your business is in Canada, and is a "federally regulated organisation".
Federally regulated organisations are those, for instance, in the banking sector, telecommunications, or airlines. You can see a list of federally regulated organisations from the Office of the Privacy Commissioner of Canada below:
Like the CPRA and GDPR, PIPEDA applies to both customer data, as well as the personal information of employees.
Other jurisdictions such as Brazil (LGPD), China (PIPL), and India (DPDP Act), as well as several U.S. states beyond California, also regulate employee data. Be sure to review local and extraterritorial data rules where your transaction involves operations or staff in those regions.
Other sector-specific or limited privacy laws may also apply to personal data that you would share or transfer in an M&A transaction, so be sure to consider your jurisdiction, your business sector, and seek legal advice on which privacy laws apply to you.
International Transfers
You also need to make sure you consider whether you are transferring any data overseas. If the target company is in the EU, but the purchasing company is overseas, you'll need to consider GDPR rules.
This includes checking whether an adequacy decision exists, using appropriate transfer mechanisms, and conducting a transfer impact assessment (TIA).
An adequacy decision is a decision made by the European Commission about whether another country has sufficient privacy laws, in comparison to the EU.
Without an adequacy decision, you'll need to use standard contractual clauses (SCCs), which set out rules for how personal data is dealt with, or binding corporate rules (BCRs), which apply within large multinational companies.
If you want to carry out a transfer based on SCCs or BCRs, you need to conduct a transfer impact assessment (TIA).
A TIA helps you to assess the potential consequences and risks of transferring personal data to another country outside of the EU. A TIA needs to be carried out before any data transfer takes place.
Now let's take a look at the rest of the due diligence process for M&A.
How to Carry Out a Privacy-Compliant Due Diligence Process
Now that we've covered what the risks are and the privacy and security issues that need to be kept in mind, let's go through the process of an M&A transaction.
First, you'll need to conduct a thorough privacy and cybersecurity review of the organisation. Check for weaknesses and vulnerabilities of all types, or processes that need to be amended before you can continue.
If you are going to transfer customer or client data during a merger, you need to notify your customers. As M&A transactions are commonplace business practices, the possibility that personal data could be shared during the process should already be covered in your Privacy Policy.
You can also send your customers a notice letter, and give them an opportunity to opt out and have their data deleted, or to request that their data should not be transferred.
You also need to make sure you have appropriate privacy notices for employees in place before you even begin any merger or acquisition.
Once you begin, create an M&A agreement to govern the process, including in relation to privacy and security. Then, your M&A process needs to follow data privacy principles and staged, step-by-step data sharing.
A compliant due diligence process in an M&A transaction includes:
- Notifying customers and clients, through the Privacy Policy, of the change of ownership
- Setting up an employee privacy notice
- Creating an M&A agreement with clauses for privacy and security
- Sharing only anonymised and aggregate data at first
- Following data minimisation and purpose limitation principles
- Applying supplementary measures
- Sharing more detailed data only once it is certain the deal will proceed
Let's take a look at each of those steps now.
Notice to customers and clients
When you conduct an M&A transaction, you need to check whether the acquired company has obtained consent from their customers, or whether they have another legal basis that they rely upon to collect and process data.
You also need to check whether the acquired company has a Privacy Policy, and whether the Privacy Policy has the appropriate sections. In the Privacy Policy it should specify that data can be shared for the purpose of a merger or acquisition, and that the lawful basis for this is either consent or legitimate interest.
If you are the acquired company, you should already have these documents and legal steps in place.
The Privacy Policy should cover:
- What data will be collected
- How you collect data
- The purposes of data collection
- When you share data (e.g. in an M&A transaction)
- When you transfer data and where to (including to other jurisdictions)
- Customer rights, such as the right to accurate data, the right to update data, delete data, or restrict processing of sensitive data
- Contact information
Here's an example from DealFront's Privacy Policy, which covers data sharing for mergers and acquisitions:
In this example from ClearStream you can see that the purposes of data collection are specified, including their lawful basis. One of the purposes is explicitly stated as "due diligence", and is justified under the legitimate interest lawful basis.
Statements like this in the Privacy Policy help to prove that the appropriate consent from customers is there, or that appropriate notice has been given that customer data may be shared in an M&A process.
If you are the acquired company, make sure you have obtained freely given, specific, informed, and unambiguous consent to your Privacy Policy, such as through the use of a check box on your website or sign up forms. If you are the acquiring company, double-check that the acquired company has obtained valid consent to their Privacy Policy.
If you are the acquired company, you can also send an additional letter to notify your customers that their personal data will be shared with the purchasing company. This letter should specify that the merger or acquisition is taking place, what data will be transferred, and give your customers an opportunity to have their data deleted.
Now let's take a look at employee data.
Employee privacy notice
Before any M&A transaction takes place, you should already have an agreement with your employees about how their personal data is handled.
This is sometimes included in a clause in their employment contract, or is covered by an employee privacy notice.
An employee privacy notice sets out:
- What employee data is collected
- Why data is collected
- How data is shared, including in processes such as M&A transactions
- Employees' rights
In this example from Volvo, the employee privacy notice sets out what personal information is collected, the lawful basis for doing so, and the purpose of processing.
One of the stated purposes is internal reorganisations, as well as M&A projects.
In this example from Deutsche Bank in Germany, the employee privacy notice sets out the lawful bases on which data is used:
The sections specifically mention the relevant articles from the GDPR.
In this example from Simplify, you can see that the employee privacy notice also explicitly mentions the sale or restructuring of the business:
The Royal Association for Deaf People also includes information on employee rights in their employee privacy notice, in line with GDPR principles:
Having an employee privacy notice like this helps to make sure your employees have been notified of data sharing that may take place during an M&A transaction.
It ensures you have their consent, or have notified them of legitimate interest grounds under which you might transfer information to third parties.
Creating an M&A Agreement with Privacy and Security Clauses
In the M&A agreement, you need to include certain clauses to make sure you are not taking unnecessary risks of exposure that could lead to issues later on. Clauses to consider including are:
- Cybersecurity and privacy-specific representations and warranties: The company being acquired or sold should provide representations and warranties that outline their privacy and security practices and the measures they have taken to comply with privacy laws and protect data. Where it is accurate, they should also warrant that there have been no major incidents or breaches in the past, and that lawful bases have been established for the transfer of employee and customer personal data.
- Warranty survival clause: A warranty survival clause establishes how long these warranties remain valid. For privacy and security issues, you should ensure that the warranties remain valid for at least as long as the period during which employees or customers could bring a claim.
- Holdback clause: A holdback clause keeps a certain proportion of funds back, until a condition has been met. In M&A, you can hold back part of the purchase price until you have seen with more certainty that there are no privacy or security issues that could expose you to risk, penalties, or other compliance issues.
- Indemnity clause: An indemnity clause limits your liability in the case of an issue that comes up after the transaction is finished. This could be, for example, an indemnity for GDPR fines, legal fees, or business interruption losses.
- Indemnity cap: Where privacy or security issues go undiscovered and only surface after the M&A transaction has completed, the seller usually wants caps on their liability, while buyers usually don't want any cap at all. Penalties for privacy and security issues can be high, so it's important to consider what the potential fines could be if an issue arose, who would be responsible, and to negotiate an appropriate cap (if any).
Now let's take a look at how data should be shared once the transaction proceeds.
Sharing Anonymous and Aggregate Data
Once the M&A transaction is underway, first share only data that is anonymous and aggregated. This could include data such as the number of employees in a given business location, or the number of employees in a certain role. Employee data at the aggregate level also includes information such as salary bands, staff turnover statistics, staff leave statistics, and so on. For customers, this could include customer numbers and averages, aggregated customer demographics such as location or income bands, and so on.
Sharing only aggregate and anonymised data at an early stage of the M&A process helps to protect employee and customer privacy. This is especially important if you're not sure if the process will go ahead.
Follow Data Minimisation and Purpose Limitation Principles
Once you've started sharing personal information at a later stage in the process, you need to make sure that you follow data minimisation and purpose limitation principles. These are covered by many privacy laws, and set up a privacy-respectful process for an M&A transaction.
The data minimisation principle means that you should share only the minimum amount of data that is necessary for the transaction to be carried out, and no more. For instance, you shouldn't share full CRM files, client information, employee files or HR data unless it's strictly necessary for the transaction. This will also depend on what point in the transaction you are at.
Purpose limitation means that you should only share data for the purposes of the M&A transaction, and nothing further.
Apply Supplementary Measures
For any data transfers, including during M&A transactions, you need to make sure you apply supplementary measures to protect data during transit and storage. This applies particularly if you are transferring M&A data to another jurisdiction.
Supplementary measures include storing data securely (physically), applying access controls, training employees on appropriate data handling processes, and using techniques like encryption and pseudonymisation.
You should also have an agreement in place between the buyer and the seller for the duration of the M&A transaction, such as a non-disclosure agreement (NDA), so that data cannot be shared beyond the parties involved in the transaction.
Only Later Share More Detailed Data
Once you get further into the M&A transaction you can share more detailed information on customers and employees, particularly once it is certain that the transaction will go ahead.
This ensures that privacy is protected appropriately for each stage of the process, and still allows business, financial, and liability concerns around data to be uncovered during due diligence.
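As an added illustration of the staged sharing described in the sections on aggregate data, supplementary measures and later detailed sharing (headcounts and bands first, then minimised rows with direct identifiers pseudonymised), not code from the original article: the employee records, salary bands, suppression threshold and HMAC key are all constructed assumptions.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample HR records (not real people) standing in for the full
# employee file that must not be shared in the early stage of due diligence.
EMPLOYEES = [
    {"id": "E001", "name": "Employee One",   "location": "Berlin", "role": "Engineer", "salary": 62000},
    {"id": "E002", "name": "Employee Two",   "location": "Berlin", "role": "Engineer", "salary": 75000},
    {"id": "E003", "name": "Employee Three", "location": "Berlin", "role": "Sales",    "salary": 38000},
    {"id": "E004", "name": "Employee Four",  "location": "Berlin", "role": "Sales",    "salary": 45000},
    {"id": "E005", "name": "Employee Five",  "location": "Berlin", "role": "Finance",  "salary": 80000},
    {"id": "E006", "name": "Employee Six",   "location": "Lisbon", "role": "Engineer", "salary": 52000},
    {"id": "E007", "name": "Employee Seven", "location": "Lisbon", "role": "Sales",    "salary": 41000},
    {"id": "E008", "name": "Employee Eight", "location": "Dublin", "role": "Engineer", "salary": 90000},
]

DIRECT_IDENTIFIERS = {"id", "name"}
MIN_CELL = 3  # assumed suppression threshold: cells with fewer people are withheld


def salary_band(salary):
    """Coarsen an exact salary into the kind of band the article suggests sharing."""
    if salary < 40000:
        return "<40k"
    if salary < 70000:
        return "40k-70k"
    return "70k+"


def _suppress(counter, min_cell):
    """Replace small counts with a marker so a lone person cannot be singled out."""
    return {k: (v if v >= min_cell else "<%d" % min_cell) for k, v in counter.items()}


def aggregate_for_early_stage(records, min_cell=MIN_CELL):
    """Stage 1: headcounts and bands only, no per-person rows."""
    return {
        "headcount": len(records),
        "by_location": _suppress(Counter(r["location"] for r in records), min_cell),
        "by_role": _suppress(Counter(r["role"] for r in records), min_cell),
        "by_salary_band": _suppress(Counter(salary_band(r["salary"]) for r in records), min_cell),
    }


def pseudonymise_for_later_stage(records, key):
    """Stage 2: per-person rows with direct identifiers replaced by a keyed
    HMAC token. Only the seller holds the key, so the buyer cannot reverse
    the tokens, yet the same person stays linkable across data-room extracts."""
    rows = []
    for r in records:
        token = hmac.new(key, r["id"].encode(), hashlib.sha256).hexdigest()[:16]
        rows.append({
            "token": token,
            "location": r["location"],
            "role": r["role"],
            "salary_band": salary_band(r["salary"]),  # minimised: band, not exact salary
        })
    return rows


def leaks_direct_identifiers(rows):
    """Pre-release check: True if any row still carries a name or employee id."""
    return any(DIRECT_IDENTIFIERS & set(row) for row in rows)


if __name__ == "__main__":
    print(aggregate_for_early_stage(EMPLOYEES))
    later = pseudonymise_for_later_stage(EMPLOYEES, b"constructed-demo-key")
    print(later[0], "leaks identifiers:", leaks_direct_identifiers(later))
```

The suppression threshold and band edges are policy choices to agree with counsel; the check function is the gate to run on every extract before it enters the data room.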
Summary
M&A transactions are great for helping your business grow. However, there are a number of privacy risks when it comes to sharing company data, particularly customer, client, or employee personal data.
Consider whether laws like the GDPR, CPRA or PIPEDA apply to the personal data that you would transfer in the M&A transaction, and examine in particular whether any of this data will be transferred overseas. If so, you'll need to take compliance steps to protect privacy, transfer data securely, and take a privacy-first approach to minimise your risks of penalties and fines.