The British privacy protection agency (the Information Commissioner's Office, or ICO) recently announced its intention to impose on the international hotel chain Marriott a fine of about GBP 99 million for violating the GDPR, Europe's new privacy protection legislation. The intended fine relates to a cyber event affecting the systems of the Starwood hotels group, which Marriott acquired in 2016.
What is interesting about this case is that the relevant cyber event began in 2014, two years before Marriott completed the transaction to acquire Starwood, and the intrusion was not discovered until 2018, well after the acquisition had closed. In its public announcement, the ICO focused primarily on the fact that Marriott did not conduct sufficient due diligence into the company it was acquiring. This finding serves as a strong reminder to companies entering into merger and acquisition transactions to include privacy and data security aspects within their due diligence, since an acquirer may inherit not only compliance gaps but an active, undetected compromise.
Conducting due diligence into matters of privacy has various purposes:
To ensure the acquired company is complying with the requirements of the privacy and data protection regulations that apply to it – This is important because violations revealed in the future may implicate the acquiring company, as was the case with Marriott. When gaps in the acquired company's compliance with privacy protection regulations surface, the acquirer will often seek to address them through specific provisions in the acquisition agreement, such as representations, warranties, and indemnities.
To review what data the acquired company holds – In the digital age, data is a very important asset, so the findings of such a review may affect the economic value of the transaction. On the other hand, the more plentiful and sensitive the data, the greater the responsibility involved in holding it. Identifying the information held by the acquired company or business therefore enables the acquirer to assess the risks it is taking on by holding that data.
To ensure the data can lawfully be transferred to the acquirer – Merger and acquisition transactions often result in ownership of data passing from the seller to the acquirer. Many companies prepare for this in advance by including language that addresses mergers and acquisitions in their privacy disclosures to data subjects. The matter becomes more complex when the parties to the transaction are located in different countries. In such cases, the acquirer must confirm that the seller is permitted to export the data it holds from its country of origin to the country where the acquirer is located.
To ensure the acquirer is permitted to carry out its plans for the acquired data – Once the transaction is complete, the acquirer will likely seek to make additional uses of the acquired data and even share it with its affiliated companies. In some cases, this is one of the acquirer's primary goals for the transaction. Due diligence may reveal that data subjects' consent is required before the uses of data about them can be expanded, and obtaining that consent at scale is often impracticable. This issue therefore sometimes affects both the structure and the value of merger and acquisition transactions.
To assess the costs of closing the compliance gaps that surface – It is almost impossible to find a company that meets every demand of the privacy protection laws to which it is subject. Due diligence will often expose compliance gaps the acquirer is not willing to accept, and it may seek to shift the expense of closing them onto the seller.
To demonstrate responsible conduct in the event of a regulatory audit – Even if the acquired company or business lacks privacy compliance, the fact that meticulous due diligence was actually performed may to some extent satisfy the regulator that the acquirer conducted itself responsibly. Indeed, the ICO's announcement about Marriott indicated that had Marriott been able to show it conducted satisfactory due diligence at the time of the acquisition, the outcome of the investigation might have been less severe.
Although it is rare for privacy matters to cause merger and acquisition transactions to fail, in light of tightening enforcement in this area in Israel and around the world, the impact of privacy on such transactions is growing.