By Alec Christie, Esq., Partner and Digital and Global Law Leader at EY.
M&A transactions in the telecommunications (telco) sector, regardless of the countries impacted, will likely be subject to data privacy laws, requirements, and obligations. Most M&A transactions in the telco sector require parties to exchange some personally identifiable information or personal information (PI).
Addressing data privacy at the early stage of an M&A transaction will allow sufficient time for any necessary remedial steps.
Telco companies should remember that the data privacy laws of most countries usually cover and regulate the collection, use, and disclosure of PI. PI is usually defined to include any data or information relating to an identified or reasonably identifiable individual.
A party to a telco M&A transaction that is obtaining or using PI should, among other steps, designate a person or team responsible for data privacy compliance, limit distribution of PI on a “need-to-know” basis, and verify that PI is deleted or de-identified when it is no longer needed.
A point that is often overlooked: a potential buyer’s receipt of PI from a seller as part of due diligence is often considered to be a collection of PI by the potential buyer for data privacy law purposes; therefore, the potential buyer must comply with all relevant data privacy laws.
With regard to the collection of PI as part of due diligence, buyers should consider what warranties or guarantees the seller provides that it is able to provide such PI, what the buyer’s obligations are with respect to the PI if the transaction does not proceed, and, in the event sensitive information is collected, what obligations apply with respect to obtaining consent.
Generally, applicable best practices for buyers in a transaction include executing appropriate information processing agreements with third-party due diligence providers, assessing a target’s data privacy compliance, and confirming the ability of a target to lawfully use the relevant PI.
Buyers should not assume that a seller is compliant with its data privacy obligations or that a seller will provide all the necessary information in order to make such a determination.
To enable a smooth transaction, sellers should confirm their compliance from a data privacy perspective before a sale is even contemplated. This can include ensuring the appropriate security measures are in place to prevent unauthorized access to the PI and that the appropriate consents and disclosures were made at the time of the original collection of PI.