GDPR, AI and Cybersecurity Considerations in M&A Transactions, Global Banking and Finance Review

August 21, 2024
Publication

In today’s digital world, a company’s compliance with the EU General Data Protection Regulation (“GDPR”) and emerging digital legislation can have a significant impact on its valuation in an M&A context.

This article discusses key European data protection, AI and cybersecurity considerations to be taken into account when a company acquires or merges with another business and obtains personal data as a result of the transaction.

Assessing a target company’s compliance pre-closing (due diligence)

Data protection, AI and cybersecurity considerations and related due diligence are growing in importance in the context of mergers and acquisitions. In light of this, deal lawyers should determine key due diligence goals in this respect and seek to identify and assess, at the outset, the target’s:

  • Exposure to the GDPR and the emerging digital laws in the EU;
  • Data practices (e.g., collection and use of employee and/or customer data, online tracking practices, data sharing with third parties, processing of sensitive personal data, etc.);
  • GDPR compliance status and maturity of its data protection compliance program (e.g., notice and consent mechanisms, records of data processing activities, data protection impact assessments (“DPIAs”), agreements with vendors, customers and partners, the existence of a data protection officer (“DPO”) function where required, procedures allowing individuals to exercise their GDPR rights, and other internal governance policies and procedures);
  • Approach to international transfers of personal data, including the existence of appropriate data transfer mechanisms, assessments regarding foreign government access requests and measures taken to protect personal data in the destination country;
  • Information security, audit and testing program, including pseudonymization and encryption practices if any, incident response plans, and cybersecurity preparedness efforts;
  • History of personal data breaches and related notifications made to data protection authorities and/or affected individuals, as well as any ongoing or anticipated vulnerability that may result in an information security incident;
  • Exposure to other European digital laws, for example, the EU’s Artificial Intelligence Act, taking into consideration what AI systems are developed or used by the target and what the related level of compliance effort and risk is; and
  • Any history of complaints, investigations, legal proceedings or enforcement actions alleging non-compliance with data protection, AI and cybersecurity laws and regulations.

Once the due diligence process is complete, a risk assessment should be conducted to evaluate data protection, cybersecurity and AI-related risks and liabilities that may arise in the event of the merger or acquisition.

From a contractual perspective, the parties should negotiate appropriate risk allocation provisions in purchase agreements or other transaction agreements, including representations, warranties and indemnities. The acquiring party should make sure to obtain important warranties, such as that the target is not subject to pending complaints, litigation, investigations or other enforcement action under the GDPR.

To assess whether the target’s data protection, AI or cybersecurity posture would have a material effect on the transaction, it is important to identify whether any immediate shortcomings can be remediated or mitigated before the deal is concluded or shortly thereafter. Where a major compliance threat or risk cannot be remediated in that timeframe, the acquiring party may need to address it contractually, for example through a specific indemnity or a purchase price adjustment.

Updates to due diligence processes in light of the new EU AI Act

On August 1, 2024, the EU Artificial Intelligence Act (“AI Act”) entered into force. The AI Act introduces a risk-based legal framework that imposes requirements based on the level and type of risks related to the AI systems a company develops or deploys. The AI Act distinguishes the following categories: (i) prohibited AI practices, (ii) high-risk AI systems, (iii) AI systems subject to specific transparency requirements, and (iv) general-purpose AI models. The AI Act applies to “deployers” of AI systems that are established or located within the EU. The AI Act further imposes stringent obligations on “providers” placing AI systems on the EU market or putting them into service in the EU, or placing general-purpose AI models on the EU market, irrespective of whether those providers are based within the EU.

The obligations set forth in the AI Act will become applicable in phases. The provisions with respect to prohibited AI practices will become applicable on February 2, 2025. Specific obligations for general-purpose AI models will become applicable on August 2, 2025. Most other obligations under the AI Act, including the rules applicable to high-risk AI systems and to systems subject to specific transparency requirements, will become applicable on August 2, 2026. The remaining provisions will become applicable on August 2, 2027.

Given the new, comprehensive legal framework in the EU requiring significant compliance efforts from companies developing or using certain AI systems and providing competent authorities with strong enforcement powers, AI-related due diligence will become increasingly important. Deal lawyers should consider updating existing privacy due diligence processes to include relevant considerations related to the new legal requirements, as well as in connection with the target’s AI management responsibilities, leadership and oversight in general. The requirements and related enforcement risks under the EU AI Act depend on the type of AI systems the target is using and whether it qualifies as a deployer or provider of these systems. If the target company is an AI provider or deployer under the EU AI Act, the acquiring party should obtain warranties and representations regarding the target’s approach to compliance with the EU AI Act, as compliance with the new legal framework can be complex and may require further investment.

Post-closing strategy and assessment of residual privacy and cybersecurity risks

The post-closing strategy should include a more detailed gap analysis to identify the data protection, AI and cybersecurity issues that require immediate remediation (e.g., update privacy notices and consent mechanisms and implement risk-mitigation measures for high-risk data processing activities). In addition, a compliance strategy should be developed and implemented as necessary to address data protection and cybersecurity issues associated with the integration of the target. It may, for example, be necessary to restructure the company’s internal governance, privacy notices, policies and procedures to integrate the newly acquired personal data. From a cybersecurity perspective, additional information security measures or processes may need to be implemented to protect new data sets acquired in the context of the merger or acquisition.

Under the GDPR, data protection authorities may impose administrative fines of up to 20 million euros or up to 4% of a company’s total worldwide annual turnover for the preceding financial year, whichever is higher. In addition, data protection authorities have the power to issue orders, warnings and reprimands, or to impose temporary or definitive bans or restrictions on the processing of personal data, if such processing violates the GDPR. If severe violations of the GDPR or significant data breaches have occurred at the target, these can be a real threat to the brand and reputation of the acquiring party and undermine the acquiring party’s business objectives, future plans and growth. In some cases, regulators may impose restrictions on what the acquiring party can do with the acquired data in order to protect the reasonable expectations of the individuals concerned. There can be significant liability in connection with acquiring a company when fines, orders or restrictions are imposed on the acquiring party for GDPR violations and cybersecurity shortcomings in the context of a post-deal enforcement action. There have, for example, been enforcement cases in the past where data protection regulators imposed significant fines on an acquiring company for cybersecurity failures that occurred at the target before the acquisition.

Conclusion

Data protection, AI and cybersecurity risks can result in unanticipated liability, costs and financial harm following M&A transactions if the risks are not identified pre-closing. The acquiring party should carefully evaluate these issues and devise a strategy to mitigate potential risks.


Reprinted with permission from the August 21, 2024 issue of Global Banking and Finance Review. Further duplication without permission is prohibited. All rights reserved.
