    GDPR, AI and Cybersecurity Considerations in M&A Transactions

    Published by Jessica Weisman-Pitts

    Posted on August 20, 2024

    Last updated: January 29, 2026

    David Dumont, Partner, Hunton Andrews Kurth LLP

    Anna Pateraki, Counsel, Hunton Andrews Kurth LLP

    In today’s digital world, a company’s compliance with the EU General Data Protection Regulation (“GDPR”) and emerging digital legislation can have a significant impact on its valuation in an M&A context.

    This article discusses key European data protection, AI and cybersecurity considerations to be taken into account when a company acquires or merges with another business and obtains personal data as a result of the transaction.

    Assessing a target company’s compliance pre-closing (due diligence)

    Data protection, AI and cybersecurity considerations and related due diligence are growing in importance in the context of mergers and acquisitions. In light of this, deal lawyers should determine key due diligence goals in this respect and seek to identify and assess, at the outset, the target’s:

    • Exposure to the GDPR and the emerging digital laws in the EU;
    • Data practices (e.g., collection and use of employee and/or customer data, online tracking practices, data sharing with third parties, processing of sensitive personal data, etc.);
    • GDPR compliance status and maturity of its data protection compliance program (e.g., notice and consent mechanisms, records of data processing activities, data protection impact assessments (“DPIAs”), agreements with vendors, customers and partners, the existence of a data protection officer (“DPO”) function where required, procedures allowing individuals to exercise their GDPR rights, and other internal governance policies and procedures);
    • Approach to international transfers of personal data, including the existence of appropriate data transfer mechanisms, assessments regarding foreign government access requests and measures taken to protect personal data in the destination country;
    • Information security, audit and testing program, including pseudonymization and encryption practices if any, incident response plans, and cybersecurity preparedness efforts;
    • History of personal data breaches and related notifications made to data protection authorities and/or affected individuals, as well as any ongoing or anticipated vulnerability that may result in an information security incident;
    • Exposure to other European digital laws, for example, the EU’s Artificial Intelligence Act, taking into consideration what AI systems are developed or used by the target and what the related level of compliance effort and risk is; and
    • Any history of complaints, investigations, legal proceedings or enforcement actions alleging non-compliance with data protection, AI and cybersecurity laws and regulations.

    Once the due diligence process is complete, a risk assessment should be conducted to evaluate data protection, cybersecurity and AI-related risks and liabilities that may arise in the event of the merger or acquisition.

    From a contractual perspective, the parties should negotiate appropriate risk allocation provisions in purchase agreements or other transaction agreements, including representations, warranties and indemnities. The acquiring party should make sure to obtain important warranties, such as that the target is not subject to pending complaints, litigation, investigations or other enforcement action under the GDPR.

    To assess whether the target’s data protection, AI or cybersecurity posture would have a material effect on the transaction, it is important to identify whether any immediate shortcomings can be remediated or mitigated before the deal is concluded or shortly thereafter. For example, major compliance threats or risks may require contractual commitments for indemnity or price correction in a specific case.

    Updates to due diligence processes in light of the new EU AI Act

    On August 1, 2024, the EU Artificial Intelligence Act (“AI Act”) entered into force. The AI Act introduces a risk-based legal framework that imposes requirements based on the level and type of risks related to the AI systems a company develops or deploys. The AI Act distinguishes the following types of AI systems: (i) prohibited AI systems, (ii) high-risk AI systems, (iii) AI systems with transparency requirements, and (iv) general-purpose AI models. The AI Act applies to “deployers” of AI systems that are based within the EU. The AI Act further imposes stringent obligations on “providers” of AI systems placing AI systems on the EU market or putting them into service, or placing general-purpose AI models on the market in the EU, irrespective of whether those providers are based within the EU. The obligations set forth in the AI Act will become applicable in different phases. The provisions with respect to prohibited AI systems will become applicable on February 2, 2025. Specific obligations for general-purpose AI models will become applicable on August 2, 2025. Most other obligations under the AI Act, including the rules applicable to high-risk AI systems and systems subject to specific transparency requirements, will become applicable on August 2, 2026. The remaining provisions will become applicable on August 2, 2027.

    Given the new, comprehensive legal framework in the EU requiring significant compliance efforts from companies developing or using certain AI systems and providing competent authorities with strong enforcement powers, AI-related due diligence will become increasingly important. Deal lawyers should consider updating existing privacy due diligence processes to include relevant considerations related to the new legal requirements, as well as in connection with the target’s AI management responsibilities, leadership and oversight in general. The requirements and related enforcement risks under the EU AI Act depend on the type of AI systems the target is using and whether it qualifies as a deployer or provider of these systems. If the target company is an AI provider or deployer under the EU AI Act, the acquiring party should obtain warranties and representations regarding the target’s approach to compliance with the EU AI Act, as compliance with the new legal framework can be complex and may require further investment.

    Post-closing strategy and assessment of residual privacy and cybersecurity risks

    The post-closing strategy should include a more detailed gap analysis to identify the data protection, AI and cybersecurity issues that require immediate remediation (e.g., update privacy notices and consent mechanisms and implement risk-mitigation measures for high-risk data processing activities). In addition, a compliance strategy should be developed and implemented as necessary to address data protection and cybersecurity issues associated with the integration of the target. It may, for example, be necessary to restructure the company’s internal governance, privacy notices, policies and procedures to integrate the newly acquired personal data. From a cybersecurity perspective, additional information security measures or processes may need to be implemented to protect new data sets acquired in the context of the merger or acquisition.

    Under the GDPR, data protection authorities may impose administrative fines of up to 20 million euros or up to 4% of a company’s total worldwide annual turnover, whichever is greater. In addition, data protection authorities have the power to issue orders, warnings, and reprimands or impose bans or restrictions on the processing of personal data if such processing violates the GDPR. If severe violations of the GDPR or significant data breaches have occurred at the target, these can be a real threat to the brand and reputation of the acquiring party and undermine the acquiring party’s business objectives, future plans and growth. In some cases, regulators may impose restrictions on what the acquiring party can do with the data to protect the reasonable expectations of customers. There can be significant liability in connection with acquiring a company when fines, orders or restrictions are imposed on the acquiring party for GDPR violations and cybersecurity shortcomings, in the context of a post-deal enforcement action. There have, for example, been enforcement cases in the past where data protection regulators imposed significant fines on an acquiring company for cybersecurity issues that occurred before the acquisition of a company.

    Conclusion

    Data protection, AI and cybersecurity risks can result in unanticipated liability, costs and financial harm following M&A transactions if the risks are not identified pre-closing. The acquiring party should carefully evaluate these issues and devise a strategy to mitigate potential risks.

    Frequently Asked Questions about GDPR, AI and Cybersecurity Considerations in M&A Transactions

    1. What is GDPR?

    The General Data Protection Regulation (GDPR) is a comprehensive data protection law in the EU that governs how personal data is collected, stored, and processed.

    2. What is cybersecurity?

    Cybersecurity refers to the practice of protecting systems, networks, and programs from digital attacks, ensuring the integrity and confidentiality of data.

    3. What is due diligence?

    Due diligence is the process of investigating and evaluating a business or investment opportunity to assess its potential risks and benefits before a transaction.

    4. What is a data protection officer (DPO)?

    A Data Protection Officer (DPO) is a designated individual responsible for overseeing data protection strategies and ensuring compliance with GDPR and other data protection laws.

    5. What is risk assessment?

    Risk assessment is the process of identifying, analyzing, and evaluating potential risks that could negatively impact an organization or project.
