Data is an essential asset for many businesses, and one that is increasingly acquired through M&A transactions. Identifying and assessing the particular legal challenges of data assets is crucial for acquirers to mitigate the risks associated with these assets and unlock their full value. While issues will depend on the particulars of each transaction, the following is a high-level overview of significant considerations.
What rights in the data assets is the acquiring company receiving?
Evaluating a target company’s rights to their data assets is often more complex and uncertain than for more tangible assets. Such rights are often limited by privacy, contractual and intellectual property considerations.
The value of data is closely linked to the manner in which it was collected, transferred, and licensed. Acquirers should conduct thorough due diligence of a target’s actual data collection practices and draft representations, warranties and indemnifications to help mitigate risks from those practices. Privacy legislation requires organizations in Canada that are engaged in commercial activities to obtain an individual’s consent to collect, use, or disclose personal information about that individual. Improper data collection by a target may impair the acquirer’s ability to use that data and could lead to civil liability, regulatory penalties and negative publicity.
Third party contractual and intellectual property rights may also limit an acquirer’s ability to exploit data assets. For example, the ability to transfer data can be limited by confidentiality agreements, and the use of, and ability to process, certain data assets may be limited by licensing agreements and other third party intellectual property rights. Analysis of data-related contracts and their effects on a target’s ability to use or exploit its data assets at all stages of the data’s lifecycle is essential.
Assessment of rights and obligations at each stage of a data asset’s lifecycle
A holistic assessment of a data asset throughout its lifecycle is often necessary to fully assess that data asset’s value and costs. Data moves through many stages, including collection, processing, storage, use, transmission, and/or destruction. An acquirer’s rights, risks and obligations for a data asset at each lifecycle stage depends on several considerations, including but not limited to:
- the target and acquirer’s data collection methodologies, particularly as they relate to privacy obligations;
- the target and acquirer’s data processing methodologies and costs of further processing;
- the acquirer’s ability to transfer the data, incorporate it into existing products and/or use it to develop new products;
- the acquirer’s costs and risks of storing the data, particularly in relation to cybersecurity obligations and liability; and
- the acquirer’s cost and ability to destroy data if or when necessary, which may be limited by contractual or regulatory obligations.
Evaluation of each data asset should consider each of these stages in order to create a full picture of the value and risks of that asset.
The last several years have seen a wide range of “smart” products, ranging from vehicles to thermostats, that connect to the internet, some of which may be remotely updated or controlled based on ever-expanding caches of data. This poses new and complex legal issues with respect to product liability.
Data used in products that have the capacity to change behaviour or otherwise have real-world effects create many avenues of product liability, particularly in the medical device space. Acquirers must conduct a thorough risk assessment of material contracts that provide data for use in such products, particularly for targets that provide or license data to a variety of third parties and have limited control over how that data is used.
As discussed in a recent blog post, assessing a target company’s cybersecurity practices has become an important part of the due diligence process. Where a target company has been the subject of a data breach prior to an M&A transaction, the acquiring organization may be liable for the breach upon the completion of the transaction. Representations and warranties may provide some protection to the acquirer, but significant liability can still result to the extent that resulting damages cannot be fully recovered from the seller. Acquirers should therefore look behind the representations and warranties and assess the possibility that the target company’s cybersecurity has been breached despite assurances to the contrary. The extent of this process will depend on the sensitivity of the data and the cybersecurity mechanisms the target company has in place. Ultimately, however, the acquiring company needs to be fully informed about any risks to the security of the target company’s data so that these risks can be accounted for when assessing the value of the transaction.
These and other legal issues associated with data assets will continue to evolve. It is therefore important that organizations interested in acquiring or developing data assets are aware of and properly advised with respect to these issues.
The author would like to thank Brandon Schupp, articling student, for his assistance in preparing this blog post.
Stay informed on M&A developments and subscribe to our blog today.