The EU’s new General Data Protection Regulation imposes substantial obligations on companies to protect the personal data and privacy of EU citizens for transactions occurring within EU member states. The GDPR goes into effect this month – and U.S. companies with substantial European operations have been gearing up for compliance.
This Davis Polk memo says that given the broad extraterritorial application of the GDPR, U.S. dealmakers need to do the same. The memo says that the implications of the GDPR need to be taken into consideration from diligence through structuring to post-closing integration. This excerpt discusses issues that should be addressed in the purchase agreement:
Prudent purchasers and investors will factor GDPR compliance into their purchase agreement structuring and risk allocation mechanisms. If the transaction is structured as an asset purchase, particular care will be needed to determine whether the transfer of the target’s databases itself may violate the GDPR (e.g., by exceeding the scope of the applicable consent or by transferring data outside of the E.U. to a jurisdiction that has not been deemed adequate by the European Commission).
Covenants may be appropriate to ensure continued compliance (or development of a compliance program) or notification of any new breaches between signing and closing the transaction. Risk allocation provisions should also be thoughtfully negotiated to ensure appropriate excluded liability, representation and indemnity coverage. Representations regarding compliance with law are insufficient to fully address data privacy risks and should be expanded to cover data-privacy related contract provisions, industry standards and practices, and existence and handling of data breaches.
– John Jenkins