This is the property of the Daily Journal Corporation and fully protected by copyright. It is made available only to Daily Journal subscribers for personal or collaborative purposes and may not be distributed, reproduced, modified, stored or transferred without written permission.

Corporate, Mergers & Acquisitions

Jul. 18, 2017

Imagined or real? Privacy issues in artificial intelligence M&A

Big data analytics is generally at the center of these transactions, where privacy and data protection concerns should be at the forefront of the deal process. Yet these issues are often neglected by deal parties and key compliance considerations are not identified until well into the transaction.

Jeewon Serrato

Counsel, BakerHostetler

Phone: 415-659-2620

Email: jserrato@bakerlaw.com

Jeewon Serrato is counsel and head of Global Privacy & Data Protection practice at Shearman & Sterling LLP.

Chelsea Gunter

Associate, Shearman & Sterling LLP

Chelsea Gunter is an associate with Shearman & Sterling LLP.

Amiee Lee

Summer Associate, Shearman & Sterling LLP

Amiee Lee is a summer associate at Shearman & Sterling LLP.

Corporate giants are racing to acquire private artificial intelligence (AI) companies. Since 2012, over 200 private AI companies have been acquired, with over 30 acquisitions taking place in the first quarter of 2017. Big data analytics is generally at the center of these transactions, where privacy and data protection concerns should be at the forefront of the deal process. Yet these issues are often neglected by deal parties and key compliance considerations are not identified until well into the transaction.

Last year, a major tech merger made headlines when the target company disclosed months after their initial agreement that it had suffered data breaches affecting more than 1 billion customer accounts. The news resulted in every dealmaker's worst nightmare -- delays in closing, investigations and a reduced price.

So if you are a buyer, seller or fund looking to acquire an AI startup, what are the privacy and data protection issues you should be thinking about?

Pre-Closing

The first step in privacy diligence is determining which laws apply to the target company. The U.S. framework for privacy and data protection is fragmented and sectoral. The Federal Trade Commission Act has been enforced against companies with misleading privacy policies, and federal laws like the Health Insurance Portability and Accountability Act, which protects health information, apply to select industries handling special types of data (other laws regulate financial data or children's data, for example). State laws and industry standards should also be reviewed.

For companies that handle non-U.S. data, over 100 jurisdictions across the globe have enacted privacy and data protection laws. Acquirers must identify which laws may be applicable in assessing the data-related risks with the target company. For example, the EU General Data Protection Regulation (GDPR) goes into effect next year for any company handling EU resident data. Depending on the sensitivity of the data involved and how the acquirer intends to use it, strict obligations relating to data protection or restrictions on data use should be considered.

In addition, populating the data room with personal information may trigger privacy and data protection issues. Because many foreign jurisdictions have enacted data localization laws and other transfer restrictions, the parties contemplating data sharing as part of the due diligence process should consider whether any of the privacy issues come into play and put the right mechanisms in place before starting the data transfer pre-merger. Personal data should be redacted or anonymized whenever possible, model contracts rather than original documents should be provided, and all persons accessing personal data should be bound by confidentiality, including any service providers such as data room hosting companies or deal advisors.

The buyer should also determine whether the target company has, and is in full compliance with, its own privacy policies, and should review the target's contractual obligations with third parties. Even if the various laws and regulations do not restrict data transfers, far too often buyers are surprised to find out only after the deal has closed that they are not permitted to use the target company's data (including customer lists) because of the restrictions in the acquired company's policies or third-party contracts.

Thus, an examination of the target's internal policies as well as third-party contracts is essential. With the rise of big data and cyber threats, many companies are going one step further and performing "cyber" diligence to examine the target's IT and data security policies. Once material liabilities are identified, privacy- and cybersecurity-related representations and warranties in the transaction documents should be negotiated carefully. For companies where the data to be acquired is part of the asset value, this emphasis in pre-merger privacy and cyber due diligence becomes even more critical.

Risks between Signing and Closing

It can be a costly mistake to assume that once the deal is signed, personal data may be shared freely. Pre-closing transfers of personal data may occur between the buyer and seller to develop data integration plans. In this instance, the buyer is still a third party to the seller, so the parties should determine what, if any, requirements must be met before any such data transfers occur. In certain jurisdictions, a notification to the data protection authorities may be required, for example. In addition, as a general rule, the seller must be able to justify the data transfer under one of the following conditions: consent of the data subject; legitimate interest of the seller; or performance of a contract.

For complex integration projects, the parties may consider a governance framework agreement to ensure that data protection concerns are reflected throughout the M&A process. Since transactions with AI companies could involve large amounts of personal data, antitrust authorities may also request additional information to ensure that the data sets do not create a significant barrier to entry that could harm competition.

Post-Closing

Buyers should continue to be vigilant about assessing compliance during the post-acquisition integration of personal data. A buyer should determine the scope of the data use, and is responsible for honoring the seller's public privacy policies and any existing third-party contracts. Therefore, a buyer cannot expand its use of personal data without necessary justifications under applicable U.S. and non-U.S. laws.

In 2014, the Federal Trade Commission made this point clear when it warned a social media giant that the privacy policies a communications and messaging app company had in place with its customers should remain in place even post-acquisition. Failing to honor the limitations on data collection and use in the app's privacy policies would constitute a deceptive act under the FTC Act.

To withstand regulatory scrutiny and allow for these types of privacy issues to be resolved, the buyer may have the seller continue to process data for the buyer in the immediate aftermath of the closing. Such data processing operations should be included in the Transitional Services Agreement, which serves as a processing agreement between the buyer (data controller) and the seller (data processor).

Potential Impact of GDPR

Although all companies with employee or customer data need to consider privacy and cyber issues within an M&A transaction, assessing risks related to automated decision making with predictive applications adds a layer of complexity. How artificial intelligence and machine learning activities can or should be regulated has been a subject of heated debate. With the GDPR's enhanced enforcement powers and emphasis on individual rights and accountability, the GDPR presents new considerations for investors considering cross-border M&A transactions.

First, the expanded territorial scope of the GDPR means any company, even those based outside of the EU, will be subjected to the new law if it processes data belonging to EU residents. The definition of personal data is also broad under the EU definition and the same data protections will apply to data categories that previously would not have been treated as personal data, such as mobile device identifiers and IP addresses.

To assess the risks related to GDPR requirements, investors will need to be able to evaluate not only what laws and regulations apply, but also how to evaluate the privacy impact assessments that would be prepared to describe how data is collected, used and transferred overseas. For AI companies and other high tech companies, it will be important to have a team of advisors who can not only spot legal issues but understand the technology that is behind the company's value proposition.

With the GDPR's enforcement powers that allow fines of up to €20 million or 4 percent of total gross revenue (whichever is greater), these privacy and data protection matters are quite real. Companies looking to invest in data-heavy technologies, like AI, would benefit from recognizing the privacy and cyber pitfalls as early as possible but certainly during all stages of the M&A process.
