M&A in the tech sector – privacy and trade secrets
M&A activity took a sharp decline amidst the COVID-19 uncertainty, but seems again to be on the rise as buyers and sellers have readjusted expectations. In this article, we will address (1) the relevance of the new act on trade secrets, and (2) the development of privacy issues, in the context of M&A transactions.
The new Norwegian act on trade secrets was passed in March and expected to enter into force 1 January 2021. The act implements Directive (EU) 2016/943 on the protection of undisclosed know-how and business information (trade secrets) and contains a definition of trade secrets which should find its way into NDAs, data room instructions and transaction documents such as the SPA or APA. Companies should also update their routines and measures to protect and ensure their trade secrets from entering the public domain or misappropriated by third parties, or even previous employees/contractors. Lack of such focus could be devastating to the value of such companies.
Regarding privacy in the context of M&A, we had hoped to allocate a substantial part of this last TMT newsletter before the summer to provide an update on the Marriott matter, in which the UK Information Commissioner's Office July of last year issued a statement of intention to fine Marriott GBP 99 million for data breach in connection with an M&A transaction. However, so far no follow-up to the matter has been announced. The issue at the heart of the matter does still remain valid and is unlikely to be overturned; i.e. that assuming the responsibility for data in connection with a transaction, without sufficient focus on the quality of that data, may be a breach of the accountability principle contained in the GDPR. Be reminded of the statement of the Information Commissioner:
"The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.
Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
We had expected to see an increased focus on privacy issues in M&A transaction, not only to reduce the risk of fines, but even more importantly, to ensure that data may be utilized by the buyer as envisaged in the valuation of the target. We see increased maturity in bespoke warranties that no data breaches have occurred and exemptions from liability and time barring of data protection related claims. Little is however done to guarantee the quality of the data or investigations performed to check if the data of the seller has a legal basis compatible with buyer's intended use. We also see a still growing number of large data breach issues and companies becoming victim to ransomware attacks, but surprisingly, separate cyber security due diligence remains scarce. M&A players appear not to have taken real notice of the relevance of the Marriott matter. We hope that no large fines will need to be issued before this is sufficiently recognized in M&A transaction.
Finally, another issue, which in our view is under-communicated in relation to transaction, is time lines taking into consideration the obligation to notify data subjects where data is transferred from one entity to another at closing, or where data will be transferred outside of the EU. Careful drafting of notices must in such instances be made to strike the correct balance between providing the correct level of information, at the right time, while not relying on a basis for transfer which may lead to a significant volume of data subjects objecting to the transfer.