Recently, Ideagen agreed to the £1.06 billion takeover by private equity firm Hg Pooled Management. Listed in the London Stock Exchange, Ideagen is a leading British software solutions company in the regulatory and compliance software sector. In this article, we will focus on the legal basis for processing personal data for the preliminary stage of the M&A, exploring whether the UK GDPR applies to the data-centric nature of this M&A transaction’s life-cycle – from the preliminary stage to the post-completion integration. We will explore the lawfulness of the processing and how it is, or is not, permissible under data protection legislation.
Data Protection Analysis at a Glance
In this acquisition, Ideagen (the ‘Seller’) acts as the data controller, while Hg (the ‘Buyer’) is the data processor. Data subjects encompass employees, clients, suppliers and other contracting parties with the Seller. Personal data includes any information relating to these data subjects covering from employment contracts to analytical tables. During the preliminary stage, data will be disclosed from the Seller to Hg via the Virtual Data Room (the ‘VDR’), where documents will be uploaded by the Seller with access granted to the Buyer. This disclosure of data could be categorised as data processing under Article 4(2) of the UK GDPR. Without data being anonymised, the Seller is obliged to satisfy one of six legal bases listed in Article 6 to demonstrate compliance with the principle of lawfulness. The core question here is how to select the most appropriate lawful basis before commencing the disclosure in the M&A context.
Confirmation of Lawful Basis
The six bases in Article 6 are consent, contract, legal obligation, vital interests, public task, and legitimate interests. Given that the Seller is a private organisation and does not perform any task in the public interest, the legal basis of public task could be eliminated. Vital interests, which are particularly relevant for emergency medical care, would not be applicable either. In this share purchase, the Seller is not obliged to disclose data to the Buyer to comply with the law; as a result, the Seller cannot rely on the legal obligation. However, it must be noted that when it comes to the processing of employee data in an asset purchase, the Seller could select the legal obligation as the basis, confirming the disclosure is necessary for compliance with the Transfer of Undertakings (Protection of Employment) Regulations 2006 (TUPE). Because the purpose of this disclosure is to ensure the successful deal closing, which is beyond delivering the contractual service to the clients or performing the employment contracts with employees, the lawful basis of the contract will not apply and the Seller should consider the last two options – consent and legitimate interests.
According to Article 4(11), consent must be a (a) freely given, (b) specific and informed, and (c) informed and unambiguous indication by a statement or by a clear affirmative action. The first condition will be challenging to satisfy in the context of a relationship where there is a clear imbalance of power between the Seller and its employees. Could employees be able to refuse consent without detriment? Could they also withdraw consent easily at any time to halt the progress of the acquisition? These uncertainties will make it more difficult for consent to be considered freely given. At the same time, bombarding clients and suppliers with disruptive consent requests may trigger “consent fatigue” and the conflict between confidentiality and disclosure in a sale process at a very early stage.
Therefore, in the absence of any other lawful basis, legitimate interests appear to be most appropriate basis for the M&A to take place under.
The disclosure of data is of a clear benefit to the Seller to facilitate the takeover as well as to the Buyer to expand its software businesses. The data will be mainly utilised by the Buyer to conduct the due diligence, with potential limited privacy impact on data subjects. Concurrently, the “relevant and appropriate relationship” between the Seller and its clients or employees should enable these data subjects to reasonably expect the Seller to use their data in mergers and acquisitions. Under reasonable expectations, legitimate interests are more likely to apply.
Application of Legitimate Interests
To rely on legitimate interests, the Seller is required to conduct a Legitimate Interests Assessment (LIA) to identify whether the Seller’s interests are weighed against those of data subjects. Following the ICO guidance, the LIA is a three-part test, and the Seller must be able to satisfy all three parts before processing. These three parts of the test are:
- Purpose Test: is there a legitimate interest behind the disclosure in the preliminary stage?
- Necessity Test: is the disclosure necessary for that legitimate interest?
- Balancing Test: is the legitimate interest overridden by data subjects’ interests, rights or freedoms?
- Purpose Test: The Recital 47of the UK GDPR indicates that processing employee or client data may constitute a legitimate interest. In this takeover, the Seller may arguably have a legitimate interest in disclosing data to the Buyer to prompt due diligence. Through this takeover, the Seller also intends to accelerate its growth, improve operational efficiency and scale its business further across the globe. It is also in the interest of the Buyer to expand their businesses in the regulatory and compliance software sector. Finally, if the deal could be closed successfully, shareholders at the Seller will obtain a high acquisition premium. In such cases, it should thus not be difficult for the Seller to demonstrate a clear and specific legitimate interest, and lay a good foundation for considering the necessity and the balance of interest.
- Necessity Test: Without data being disclosed, this takeover cannot be progressed into the next due diligence stage. Also, it appears to be no reasonable alternatives for processing to help the Buyer conduct the due diligence. As a result, it could be argued that the disclosure is necessary for the aforementioned purposes.
- Balancing Test: The interests and fundamental rights and freedoms of data subjects, and whether these override the legitimate interests identified in the purpose test, need to be considered. Concerning the first part, the Seller must assess (a) the nature of the personal data, (b) the reasonable expectations of data subjects, and (c) the likely impact of the disclosure on data subjects. When it comes to the nature of the personal data, it is not common for the Seller to disclose any special categories of data, such as employees and clients’ racial origin or political opinions, to the Buyer. On the contrary, the analytical tables or model employment contracts disclosed to the Buyer are not sensitive. Due to the “relevant and appropriate relationship” between the Seller and employees or clients, data subjects are likely to reasonably expect that their data will be disclosed in any transactions. Finally, only the Buyer and potentially the VDR provider will have access to the data and will ensure that these data can only be used in the lifecycle of the acquisition. The impact of disclosing data in this M&A context appears to be minimal. In such cases, the balance seemingly favours the Seller’s legitimate interest in disclosing the data to the Buyer.
To comply with the accountability principle, the Seller must document the decision on how legitimate interest applies to the disclosure in this acquisition. The Seller is also required to send the privacy notice to employees, clients, suppliers and other contracting parties due to their right to be informed. This privacy notice should include the Seller’s lawful basis of legitimate interest for processing, as well as the intended purposes of processing identified in the purpose test.
Selecting the most appropriate lawful basis for the disclosure of data can be challenging, and it can be particularly challenging in the M&A preliminary stage as it is a complicated process. However, with the correct understanding and application of data protection legislation, transactions of this nature can still smoothly go ahead with the appropriate lawful mechanisms. Given the enormity in the value of some M&As, at the outset of an M&A, it is important to fully establish what lawful basis is relied upon so that organisations can ensure that they can lawfully process and disclose the personal data which would be of value within the M&A, which should occur before the M&A begins, and any data is processed. Data protection legislation should not be a barrier to M&A, but it is a tool which much be worked with and not against.