The European Union’s updated data protection laws present new, but addressable, risks for deal makers, as well as opportunities for businesses willing to meet the demands of an increasingly digital world.
Those were the overarching sentiments delivered by the panelists during Merrill Corporation’s recent webinar, How Revamped EU Privacy Regulations Impact Global M&A. Merrill Corp facilitates mergers and acquisitions worldwide through its industry-leading DataSite virtual data room, which enables firms to securely protect, share and collaborate on their most sensitive and confidential content.
The General Data Protection Regulation, the EU’s most significant overhaul in its data privacy guidelines in more than two decades, will apply on May 25, 2018. The European Commission's aim is to give citizens back more control over their personal data by applying stiffer standards in areas such as consent for uses of personal data and notification of data breaches. Potential fines for non-compliance are set at an eye-grabbing 4 percent of annual revenue, or €20 million euros, whichever is higher.
“It’s very clear that the introduction of fines is getting people’s attention and it’s getting people’s attention not just in the legal department, but at board level,” said panelist Rob Bratby, a partner at Arnold & Porter Kaye Scholer in London. “We’ve always had data protection within Europe, but the fines are new, and the level of the potential fines means that it becomes very serious.”
What is also serious, the panelists pointed out, is that data privacy can no longer be treated by businesses as an afterthought. “It comes to prominence, and it does mean that everyone now has to think about it in everything they do that involves their customer data,” said Robert Kerrigan, senior legal counsel at Funding Circle UK.
So, will the GDPR impact deal making? In the M&A context, Bratby argued that the regulation is no different than any other compliance risk – it’s just newer.
"I think all the traditional tools that we have to deal with things where the target doesn’t have everything quite right…can be used with respect to GDPR,” he said. Those may include certain warranties, insurance policies, material adverse change clauses, indemnities and escrow accounts, Bratby explained. "Those happen in all deals, it's just they’re being applied to data breaches and GDPR compliance,” he added.
In a poll of webinar attendees, 46 percent predicted the regulation will have very little impact on deal making, while 42 percent indicated it would have a moderate influence. When asked if the EU is becoming less attractive for M&A as a consequence of GDPR, 56 percent said no, while another 26 percent responded that it is too early to tell.
“It’s something that companies need to be aware of, but I don’t think it is something that’s going to put the brakes across M&A in Europe,” Bratby said. “I think macroeconomic factors are likely to play a much greater part in terms of attractiveness of the EU for M&A.”
Another key topic raised during the webinar was the GDPR's potential effect on the M&A due diligence process. “I would like to think that the risks associated with getting it wrong mean that data protection becomes an integral part of the due diligence process,” said panelist James Castro-Edwards, a partner at Wedlake Bell and author of a textbook on GDPR for The Law Society.
Panelist Gretchen Dahlberg, associate general counsel at Merrill Corp, said there may be some additional hurdles for companies that are just moving into the EU, or who do trans-border deals in unique settings, especially when they involve consumer data. "That's where US companies really need to have a strong understanding of the principles involved in processing personal information," she added.
Also, because of the potential fines, we are "likely to see greater use of IT consultants really looking at how secure are these systems," Bratby said. Even absent the revamped privacy laws, "acquirers are increasingly interested in IT security" during the due diligence process, he noted.
As for the fines, the panelists agreed that the draconian levels set by European authorities appear mainly aimed to grab the attention of management at the highest levels. That said, it’s possible that “some sizable fines may be issued to demonstrate the fact that the European Commission meant business,” said Castro-Edwards.
He also noted the Information Commissioner's Office, which enforces data protection regulations in the UK, is planning to increase its staff by 40 percent over the next two years to police the regulation. That could signal a higher threat of enforcement.
“I think the temperature is rising, and I do think we need to be a lot more careful and devote resources to getting this right,” Castro-Edwards said. While there is a certain level of "scaremongering" swirling around, the regulation does present an opportunity for businesses to fully embrace the protection of personal data as a top priority. "The reason that the European Commission has promoted (GDPR) is because it encourages trust in the digital economy," he added.
Funding Circle UK's Kerrigan said his firm sees the regulation as an opportunity. "We're a business that is data-led, and we hold ourselves out to be customer-motivated, so everything we do needs to look after our customers."