
GDPR, AI and Cybersecurity Considerations in M&A Transactions


David Dumont, Partner, Hunton Andrews Kurth LLP

Anna Pateraki, Counsel, Hunton Andrews Kurth LLP

In today’s digital world, a company’s compliance with the EU General Data Protection Regulation (“GDPR”) and emerging digital legislation can have a significant impact on its valuation in an M&A context.

This article discusses key European data protection, AI and cybersecurity considerations to be taken into account when a company acquires or merges with another business and obtains personal data as a result of the transaction.

Assessing a target company’s compliance pre-closing (due diligence)

Data protection, AI and cybersecurity considerations and related due diligence are growing in importance in the context of mergers and acquisitions. In light of this, deal lawyers should determine key due diligence goals in this respect and seek to identify and assess, at the outset, the target’s:

  • Exposure to the GDPR and the emerging digital laws in the EU;
  • Data practices (e.g., collection and use of employee and/or customer data, online tracking practices, data sharing with third parties, processing of sensitive personal data, etc.);
  • GDPR compliance status and maturity of its data protection compliance program (e.g., notice and consent mechanisms, records of data processing activities, data protection impact assessments (“DPIAs”), agreements with vendors, customers and partners, the existence of a data protection officer (“DPO”) function where required, procedures allowing individuals to exercise their GDPR rights, and other internal governance policies and procedures);
  • Approach to international transfers of personal data, including the existence of appropriate data transfer mechanisms, assessments regarding foreign government access requests and measures taken to protect personal data in the destination country;
  • Information security, audit and testing program, including pseudonymization and encryption practices if any, incident response plans, and cybersecurity preparedness efforts;
  • History of personal data breaches and related notifications made to data protection authorities and/or affected individuals, as well as any ongoing or anticipated vulnerability that may result in an information security incident;
  • Exposure to other European digital laws, for example, the EU’s Artificial Intelligence Act, taking into consideration what AI systems are developed or used by the target and what the related level of compliance effort and risk is; and
  • Any history of complaints, investigations, legal proceedings or enforcement actions alleging non-compliance with data protection, AI and cybersecurity laws and regulations.

Once the due diligence process is complete, a risk assessment should be conducted to evaluate data protection, cybersecurity and AI-related risks and liabilities that may arise in the event of the merger or acquisition.

From a contractual perspective, the parties should negotiate appropriate risk allocation provisions in purchase agreements or other transaction agreements, including representations, warranties and indemnities. The acquiring party should ensure it obtains key warranties, for example that the target is not subject to pending complaints, litigation, investigations or other enforcement action under the GDPR.

To assess whether the target’s data protection, AI or cybersecurity posture would have a material effect on the transaction, it is important to identify whether any immediate shortcomings can be remediated or mitigated before the deal is concluded or shortly thereafter. For example, major compliance threats or risks may require contractual commitments for indemnity or price correction in a specific case.

Updates to due diligence processes in light of the new EU AI Act

On August 1, 2024, the EU Artificial Intelligence Act (“AI Act”) entered into force. The AI Act introduces a risk-based legal framework that imposes requirements based on the level and type of risks related to the AI systems a company develops or deploys. The AI Act distinguishes the following types of AI systems: (i) prohibited AI systems, (ii) high-risk AI systems, (iii) AI systems with transparency requirements, and (iv) general-purpose AI models. The AI Act applies to “deployers” of AI systems that are based within the EU. The AI Act further imposes stringent obligations on “providers” of AI systems placing AI systems on the EU market or putting them into service, or placing general-purpose AI models on the market in the EU, irrespective of whether those providers are based within the EU. The obligations set forth in the AI Act will become applicable in different phases. The provisions with respect to prohibited AI systems will become applicable on February 2, 2025. Specific obligations for general-purpose AI models will become applicable on August 2, 2025. Most other obligations under the AI Act, including the rules applicable to high-risk AI systems and to systems subject to specific transparency requirements, will become applicable on August 2, 2026. The remaining provisions will become applicable on August 2, 2027.

Given the new, comprehensive legal framework in the EU requiring significant compliance efforts from companies developing or using certain AI systems and providing competent authorities with strong enforcement powers, AI-related due diligence will become increasingly important. Deal lawyers should consider updating existing privacy due diligence processes to cover the new legal requirements, as well as the target’s AI management responsibilities, leadership and oversight in general. The requirements and related enforcement risks under the EU AI Act depend on the type of AI systems the target is using and on whether it qualifies as a deployer or a provider of these systems. If the target company is an AI provider or deployer under the EU AI Act, the acquiring party should obtain warranties and representations regarding the target’s approach to compliance with the EU AI Act, as compliance with the new legal framework can be complex and may require further investment.

Post-closing strategy and assessment of residual privacy and cybersecurity risks

The post-closing strategy should include a more detailed gap analysis to identify the data protection, AI and cybersecurity issues that require immediate remediation (e.g., updating privacy notices and consent mechanisms and implementing risk-mitigation measures for high-risk data processing activities). In addition, a compliance strategy should be developed and implemented as necessary to address data protection and cybersecurity issues associated with the integration of the target. It may, for example, be necessary to restructure the company’s internal governance, privacy notices, policies and procedures to integrate the newly acquired personal data. From a cybersecurity perspective, additional information security measures or processes may need to be implemented to protect new data sets acquired in the context of the merger or acquisition.

Under the GDPR, data protection authorities may impose administrative fines of up to 20 million euros or up to 4% of a company’s total worldwide annual turnover, whichever is greater. In addition, data protection authorities have the power to issue orders, warnings and reprimands, or to impose bans or restrictions on the processing of personal data if such processing violates the GDPR. If severe violations of the GDPR or significant data breaches have occurred at the target, these can be a real threat to the brand and reputation of the acquiring party and undermine the acquiring party’s business objectives, future plans and growth. In some cases, regulators may impose restrictions on what the acquiring party can do with the data in order to protect the reasonable expectations of customers. There can be significant liability in connection with acquiring a company when fines, orders or restrictions are imposed on the acquiring party for GDPR violations and cybersecurity shortcomings in the context of a post-deal enforcement action. There have, for example, been enforcement cases in the past where data protection regulators imposed significant fines on an acquiring company for cybersecurity issues that occurred before the acquisition of that company.

Conclusion

Data protection, AI and cybersecurity risks can result in unanticipated liability, costs and financial harm following M&A transactions if the risks are not identified pre-closing. The acquiring party should carefully evaluate these issues and devise a strategy to mitigate potential risks.
