In our last blog article, we discussed the British data protection authority’s (“ICO”) announcement to impose large fines on British Airways and Marriott Hotels for separate large-scale data breaches affecting those businesses. In this article, we will turn our minds to the significance of Commissioner Denham’s statement, referring to the Marriott situation, about the impact of privacy due diligence in M&A activity.
The General Data Protection Regulation (“GDPR”) allows for fines of up to four percent of global annual turnover. The ICO’s decisions to impose the equivalent of a $300M fine on British Airways and a $160M fine on Marriott have sparked much debate about the extent to which these fines should serve as a benchmark, regarding both the amount itself and the underlying analysis of how the ICO arrived at its decision. Commissioner Julia Denham’s brief but clear remarks regarding an organization’s accountability and the importance of due diligence when purchasing another business raise the following issues:
1) The level of due diligence that Data Protection Authorities (“DPAs”) might expect, and
2) The extent to which the absence or presence of appropriate due diligence will factor into the enforcement decision of DPAs when there is a finding of non-compliance that may have been caused by the target’s pre-acquisition conduct.
Another intriguing question is whether DPAs would be willing to apply leniency in cases where a purchaser discovers significant non-compliance or misconduct during the due diligence phase, or immediately after closing, and pro-actively reaches out to the ICO or other relevant DPAs. In the Marriott case, the GDPR violations (in the form of a data breach) occurred in 2014; Marriott made the acquisition in 2016 and uncovered the violations in 2018, at which point it quickly self-reported to the ICO. Would fines be lower in the future if, for example, a business discovered breaches by the target within months of the acquisition and then immediately notified the DPA?[i]
These questions are currently open, but we will be keeping a close eye on whether upcoming decisions and statements by any European DPAs shed some light on these matters. Whatever the case may be, these decisions could have a significant impact on Canadian businesses’ processes when acquiring target organizations that are subject to the GDPR.
When making an acquisition, a purchaser is well advised to:
- conduct an initial privacy risk analysis based on the target’s business, jurisdiction, data sensitivity and data flows, and overall risk profile (for example, whether GDPR applies to the target and to what extent, and whether the target has a privacy program);
- prioritize due diligence efforts based on the findings, asking to-the-point and targeted questions;
- note any potential concerns and red flags arising from diligence;
- consider the extent to which those concerns can or should be addressed as part of contract drafting and negotiations or in the pre-closing phase;
- conduct a post-closing review of compliance matters that may not have been fully addressed during due diligence; and
- close any unaddressed gaps or open questions as swiftly as possible post-closing.
[i] Enforcement under the US Foreign Corrupt Practices Act (“FCPA”) is a prominent example of a regulatory authority taking the nature and depth of a purchaser’s pre-acquisition diligence and post-closing mitigation efforts into account when deliberating on enforcement action. The 2008 Halliburton opinion initially set out the framework for the expectations placed on the purchaser (where the target was thought to have been non-compliant pre-closing). Since then, the Department of Justice’s 2012 FCPA Guidance document and the FCPA Enforcement Policy, released in 2017, have further clarified how the DOJ expects acquiring businesses to ‘partner’ with the authority should they discover misconduct during due diligence or post-merger audits.