Privacy in M&A Transactions: Personal Data Transfer and Post Closing Liabilities

Daniel Ilan is a partner at Cleary Gottlieb Steen & Hamilton LLP. This post is based on a Cleary Gottlieb publication by Mr. Ilan, Jane Rosen, Emmanuel Ronco, and Natascha Gerlach. This post relates to a recent Cleary Gottlieb publication, Privacy in M&A Transactions: Pre Closing Liabilities, available on the Forum here.

One aspect of mergers and acquisitions that is receiving growing attention is the relevance of privacy issues [1] under U.S. and European Union (“EU”) laws as well as the laws of a growing number of other jurisdictions. [2] This two-part blog post discusses the principal M&A-related privacy risks and highlights certain “traps” that are often overlooked. In Part 1, we discussed risks associated with a target’s pre-closing privacy-related liabilities and considered ways to mitigate these risks through adequate diligence and privacy-related representations in M&A agreements. In this Part 2, we discuss the risks associated with transferring or disclosing personally-identifiable information (“personal data”) of an M&A target (or a seller) to a purchaser (or prospective purchaser) and those associated with the purchaser’s post-acquisition use of such personal data.

Risks Associated with Transferring or Disclosing Target’s (or Seller’s) Personal Data to Purchaser

M&A transactions often involve the disclosure or transfer of personal data from a seller to a purchaser. This normally includes personal data associated with the acquired target (or acquired assets), such as data relating to employees, customers, users, contractors, suppliers and business partners. While most personal data is transferred at closing, some disclosures may also occur between signing and closing.

Risks Associated with Disclosure Between Signing and Closing

M&A lawyers are not always aware of the risks associated with disclosure of personal data between signing and closing (when signing and closing are not simultaneous). In particular, M&A agreements often contain a clause providing for access to books and records between signing and closing, enabling the purchaser to request certain types of data it reasonably needs, including for purposes of integration planning. But it is a mistake to assume that because a deal is signed, personal data relating to the target business may be shared freely between the purchaser and the seller. While some M&A agreements state that the seller need not provide access to information prior to closing if providing such access would be in violation of applicable law, such a carve out is not necessarily applied in practice and, in any case, understanding whether a particular disclosure is in violation of privacy laws may be difficult.

i) Under U.S. law, the pre-closing disclosure of personal data must be in compliance with all relevant state laws, contractual restrictions and any promises made about the treatment of personal data in the target’s published privacy policy. As discussed in Part 1 of our blog post, the Federal Trade Commission (“FTC”) has made clear that it views failure to comply with published privacy policies as a violation of Section 5 of the FTC Act, which bars unfair or deceptive acts or practices. Relevant state laws include the California Online Privacy Protection Act of 2003, which requires all operators of commercial websites and online services that collect California residents’ personal data through a website to identify categories of third-party persons or entities with whom the operator may share the personal data.

Ideally, the target’s privacy policy will contain a clear statement that a transfer or disclosure of personal data may occur in connection with an M&A transaction, including prior to consummation of the transaction (it may not suffice to state that personal data may be shared “upon” or “following” a merger or sale of the company or its businesses, given that prior to closing, the transaction is not consummated). In addition, it will be important to ensure the purchaser safeguards the information to the extent required by applicable law, [3] does not further disclose the personal data and does not use it in any way that violates the applicable privacy policy (including any usage that is not necessary for integration planning or consummation of the M&A transaction). It may therefore be advisable for the seller to enter into a “data protection agreement” with the purchaser with respect to such obligations. A data protection agreement can also include requirements to abide by any restrictions contained in the seller’s/target’s contracts with third parties, to the extent related to the personal data shared prior to closing.

ii) Under EU law, the disclosure of data relating to identified or identifiable individuals (“data subjects”) must comply with the laws implementing EU Directive 95/46/EC of October 24, 1995 (the “Directive”) in each of the EU member states (“Member States”). [4] Generally, for the “processing” of personal data (a broad concept that includes transfer or disclosure) to be permitted it must be based on one of the grounds enumerated in the Directive, among which the most relevant to a pre-closing M&A-related disclosure are:

  • Legitimate interest of the data controller or the data recipient, provided this is not incompatible with the interests or the fundamental rights and liberties of the data subject. The so-called “legitimate interest” ground is frequently relied on in M&A transactions since it is open-ended, making it possible to argue that it is in the legitimate interest of the purchaser to receive the data (i.e., to prepare for the acquisition). However, certain data subjects may claim to have an interest in keeping their data confidential, at least until the transaction is close to completion. In practice, it is therefore often advisable to try to wait until all or most of the conditions to closing of the transaction have been satisfied before transferring personal data based on this ground.
  • Consent of the data subject. In an M&A context, it is often impractical to rely on the consent of the data subjects. The “consent” ground is therefore only used in practice when just a few individuals are concerned and such individuals have reason to be aware of the contemplated transaction (e.g., major customers whose approval is required in order to assign the customer contracts to the purchaser). Note that the data subject’s consent to the transfer may be required in certain circumstances, including when “sensitive data” are involved (e.g., where health, religion or union membership appear in, or can be deduced from, employee records). [5]
  • Performance of a contract with the data subject. This ground is typically used in the M&A context when the assets sold include contracts and personal data must be transferred for these contracts to continue to be performed.

In addition to the existence of one of the foregoing grounds for pre-closing disclosure, compliance with EU law would generally also require that the personal data transferred to the purchaser prior to closing is not inadequate or excessive. In other words, the only data fields that should be transferred before closing are those necessary for the new employer to prepare for completion of the transaction (such as, in the case of data obtained for HR-related purposes, positions and salaries but potentially not home addresses or bank account details).

Finally, certain additional steps may be required in the EU, particularly notice, inclusion of the European Commission’s standard contractual clauses (the “Model Clauses”) and potential Data Protection Authorities (“DPAs”) filings; since these steps are generally similar whether the disclosure/transfer occurs prior to or at closing, we discuss them below under Section B.

  • Trap: It is a mistake to assume that sharing personal data is allowed once an M&A deal is signed and before it is consummated. In the U.S., language in privacy policies may not be broad enough to fully address this situation and purchaser’s use of such data must be strictly circumscribed in light of state law and contractual obligations. In the EU, several steps must be taken before transferring personal data and, as a general rule, because the disclosure of data is considered more legitimate as the deal progresses and closing becomes more certain, access to data should be tailored to what is necessary for each phase of the deal.

Risks Associated with Transfers at Closing

At closing, the purchaser will expect to receive all of the personal data related to the acquired business. Depending on the nature of the transaction (e.g., a spin-off of a stand-alone subsidiary) the transferred personal data may in fact remain hosted on the target’s systems that are sold as part of the transaction.

i) Under U.S. law, it will again be important to consider both state law and the FTC Act, as well as any contractual commitments made by the target/seller in agreements involving collection of personal data. In a sale out of bankruptcy, the Bankruptcy Code will also be implicated. In all cases, a decisive factor in analyzing the legality of a transfer of personal data will be the promises contained in the target’s published privacy policy.

Asset purchases vs. mergers or share purchases. Arguably, whenever a third-party entity gains access to personal data as a result of an M&A transaction, there is a “transfer” of such personal data that could be in violation of privacy laws. In other words, a “transfer” may technically occur even in a share purchase of a target company pursuant to which all of the company’s operations remain unchanged (other than its ultimate control) but following which the purchaser and its affiliates have access to such company’s data. However, enforcement activity thus far has not focused on “transfers” that occur in mergers or share purchases and instead has focused only on the eventual uses of such data by the purchaser (as discussed in Section 2 below). By contrast, in the context of asset sales, even the data transfer itself has been subject to scrutiny by the FTC, state regulators and (as applicable) bankruptcy courts. The fact pattern of notable cases has involved a company’s privacy policy that promised not to sell or transfer personal data to third parties (without any exceptions for sales in a restructuring, asset sale, insolvency or bankruptcy) and a desire by such company to then sell personal data as a stand-alone asset or in the context of a broader asset sale transaction (such as a sale of a business).

FTC vs. state regulators vs. bankruptcy courts. As described below, the FTC, state regulators and bankruptcy courts have taken slightly different approaches to such asset sales.

  • FTC approach—Either (A) opt-in consent to the data transfer or (B) purchaser must be in the same line of business as target, must comply with target’s existing privacy policy and must obtain opt-in consent to any material policy changes. The FTC often cites a settlement it reached with internet retailer Toysmart in 2000 (the “Toysmart Settlement”) which allowed Toysmart, after it ceased operations, to transfer customer personal data to a third party in spite of its privacy policy stating that such personal data would “never be shared with a third party.” The FTC had sued to block Toysmart’s sale of its customer database, alleging a violation of Section 5 of the FTC Act. Under the Toysmart Settlement, Toysmart was able to sell the customer data, but: (i) not as a stand-alone asset; (ii) only to a purchaser engaged in substantially the same lines of business as Toysmart; and (iii) only to a purchaser who agreed to be bound by and adhere to the terms of Toysmart’s privacy policy and to obtain affirmative (opt-in) consent from consumers for any material changes to the policy that affect information collected under the Toysmart policy (hereinafter, the “Toysmart Principles”). [6] As an alternative to the Toysmart Principles, the FTC proposed (in the RadioShack and Borders cases, discussed below) requiring the target to obtain affirmative (opt-in) consent of the data subjects to the transfer of the data to the purchaser and to purge the data of those who did not consent. [7]
  • State regulators approach in RadioShack—Toysmart Principle “iii”, plus notice of the data transfer and right to opt-out. In 2015, Attorneys General in 38 states challenged the bankruptcy sale by RadioShack of its personal data (RadioShack’s privacy policy said: “We will not sell or rent your personally identifiable information to anyone at any time”). The states reached a settlement with RadioShack which limited the type of information to be transferred (e.g., only customer e-mail addresses that were active within the two-year period prior to the petition date; only specific data fields, such as store number, price and SKU number for a transaction collected in the five-year period preceding the petition). In addition, the settlement required the purchaser to (a) accept clause “iii” of the FTC’s Toysmart Principles (being bound by RadioShack’s privacy policies and requiring opt-in consent for any material changes that would affect the transferred data) and (b) provide notice and opt-out opportunities to RadioShack customers to enable them to exclude their personal data from the sale. [8]
  • Bankruptcy court—RadioShack (opt-in to material policy changes) vs. Borders (opt-out of material policy changes). While in 2015 the bankruptcy court for the District of Delaware endorsed the above settlement reached between the states and RadioShack, four years earlier, in 2011, the bankruptcy court for the Southern District of New York reached a somewhat different conclusion in the Borders case. [9] The FTC raised concerns when Borders planned to sell personal data of approximately 45 million customers to Barnes & Noble in a bankruptcy auction. Borders’ privacy policy had changed over time, initially stating “we do not rent or sell your information to third parties….” and later stating that customer information may be transferred if Borders engages in an M&A transaction. The Borders bankruptcy court declined to accept the FTC’s approach described above and instead required Barnes & Noble to (i) adopt a privacy policy similar to the Borders’ policy and provide existing customers an ability to opt out of any material changes to the policy and (ii) provide notice and a data transfer opt-out mechanism as in RadioShack. The court also required Barnes & Noble to honor prior requests by consumers (made to Borders) to opt out of receiving marketing messages (unless such consumers were also Barnes & Noble customers who had not opted out of marketing messages).

In each of the above cases, there was no express provision in the applicable privacy policy allowing for the sale of personal data in the event of a restructuring, asset sale or bankruptcy (or even in the event of a merger or acquisition). The inclusion of such a provision is advisable, not only in privacy policies but also in contracts containing commitments with respect to treatment of personal data.

  • Trap: While “transfers” of personal data in connection with mergers or share purchases have not been criticized by regulators to date, asset sales involving transfer of personal data have been subject to close scrutiny in the U.S. and certain steps may be required when planning such transfers in order to prevent exposure to potential liability.

ii) In the EU, a transfer of personal data at closing as part of an M&A transaction requires that at least one of the grounds for transfer discussed in Section A above (“legitimate interest,” consent or necessity for performance of a contract) be established. This should be easier than in the case of a pre-closing disclosure given that once the transaction has been completed, the purchaser should have a “legitimate interest” in processing the acquired personal data. In addition, the following steps should be considered:

  • The data subjects should be informed of the transfer. The seller should give the data subjects certain information about the transfer of their data to a third party no later than at the time of the transfer, unless such disclosure would “involve a disproportionate effort.” Such information does not necessarily need to be given to each data subject individually (a posting on a website may suffice depending on the circumstances). A right to opt out of the transfer may need to be granted. [10]
  • Additional steps may have to be taken in the case of transfers of data outside the European Economic Area (“EEA”). EU law imposes stringent regulatory constraints on the transfer of personal data outside the EEA to a country that is not deemed to have an adequate level of data protection, [11] which includes the United States, unless the transfer is to a company having self-certified under the EU-U.S. Privacy Shield. [12] Consent of the data subjects will render the transfer lawful under EU law, but is often also difficult or very burdensome to obtain. In the absence of Privacy Shield certification or individual consent from the data subjects, an M&A-related transfer should therefore be made only after a personal data transfer agreement, which incorporates the Model Clauses, has been entered into between the parties. The Model Clauses place recipients of personal data under contractual obligations similar to those required in the EU. Note, however, that as discussed below, in certain EU countries (e.g., France) the data transfer agreement (containing the Model Clause) would need to be approved by the local DPA, which could take up to a few months and could render the Model Clause option inappropriate in some cases.
    • Trap: The decisive factor for determining whether a transfer of personal data outside the EEA occurs (which may require usage of Model Clauses or self-certification under the EU-U.S. Privacy Shield) is not whether the seller/target is an EU corporation while the purchaser is not; it is whether personal data stored within the EEA is transferred (physically or electronically) to locations outside the EEA by an entity that is subject to EU jurisdiction.

  • Verify whether filings with Data Protection Authorities must be made. Depending on the national law applicable to the seller, the target or the purchaser, the transfer of personal data may have to be notified to or authorized by one or several DPAs. [13] Filing requirements vary among Member States and should be reviewed on a case-by-case basis. Planning ahead is important, as a DPA approval, if needed, may take a long time. By preparing for this in advance, a purchaser can ensure minimum disruption to the target’s personal data processing activities.

Risks Associated with Post-Acquisition Integration of Personal Data

Immediately after closing, the purchaser must consider how to integrate the target’s personal data and the target’s IT systems into its own data and systems. Problems arise if either the target’s practices do not comply with the purchaser’s privacy policies (or contractual obligations) or if the purchaser’s practices do not comply with the target’s privacy policies (or contractual obligations that survived the sale, including those assumed by the purchaser).

Target’s Practices & Policies More Robust than Purchaser’s

Even where the consummation of an M&A transaction and the correlating “transfer” of personal data to the purchaser does not violate privacy laws, problems arise when the purchaser’s practices are below the standard the target committed to in its pre-acquisition privacy policy. For example, the target’s policy may state that certain types of information are not collected, or that personal data is used only for certain purposes, shared only with certain third parties, stored only in certain geographic regions or is de-identified or encrypted. However, the purchaser may have different privacy policies and practices, which may conflict with these statements.

Facebook is currently under scrutiny worldwide as it grapples with the aforementioned risks resulting from its acquisition of WhatsApp in 2014. Although at the time of the acquisition WhatsApp’s privacy policy contained an express provision stating that it reserved the right to transfer users’ personal data to a third party in the event of a merger or acquisition, the FTC took the position that post-acquisition, WhatsApp must continue to abide by its original privacy policy (which promised not to share personal data with third-party companies for commercial or marketing use, except with users’ consent or as part of programs or features to which users would be able to opt in or opt out of). At the time the sale was announced, both Facebook and WhatsApp promised consumers that after the acquisition, WhatsApp would continue to operate autonomously and that nothing would change for its users. However, in August 2016, WhatsApp changed its privacy policy to allow it to share customers’ personal data (including pre-acquisition data) with Facebook, unless customers opt out of such sharing within 30 days. Consumer privacy watchdog groups and other organizations filed a formal complaint with the FTC and urged the FTC to investigate WhatsApp and Facebook.

Guidance on how the FTC views this issue in the context of M&A is found in the FTC’s “business blog” post published in March 2015 (the “FTC Blog”), which was prompted at least in part by Facebook’s acquisition of WhatsApp. [14] The FTC Blog set forth several important principles:

  • The target’s pre-acquisition policies continue to govern with respect to personal data collected by the target. As the FTC stated: “One company’s purchase of another doesn’t nullify the privacy promises made when the data was first collected.”
  • With respect to data collected by the target prior to the acquisition, the purchaser may either comply with the target’s pre-existing policies or allow opt-in. The purchaser can simply abide by the target’s pre-acquisition promises, i.e., handle the data as promised when the target collected it from consumers. Alternatively, if it wishes to materially change how the data is processed, it must obtain affirmative (opt-in) consent from the individuals to whom the data pertains.
  • With respect to data collected by the acquired business or target (if it survives) post-acquisition, the purchaser must provide notice & opt-out. If the purchaser desires to change its practices going forward with respect to newly-collected personal data, it will need to provide sufficient notice of the change and an opportunity for users to opt out. Per the FTC Blog: “Simply revising the language in a privacy policy or user agreement isn’t sufficient because existing customers may have viewed the original policy and may reasonably assume it’s still in effect. Although it may not be necessary to provide affirmative express consent, the notice and choice must be sufficiently prominent and robust to ensure that existing customers can see the notice and easily exercise their choices.”
  • With respect to any data of an individual who does not opt in (for pre-acquisition data) or who exercises the right to opt out (for post-acquisition data), the purchaser will have to comply with the applicable pre-acquisition privacy policy of the target.

Thus, where a target’s privacy policy and data privacy practices are more robust than the purchaser’s, if the purchaser wishes to integrate the target’s personal data into its systems or otherwise use the data collected by the target before the acquisition, the purchaser may need to bring its own data privacy practices into compliance with the target’s applicable privacy policy. If updating the purchaser’s practices and systems is not feasible or desirable, the purchaser will need to segregate the data.

Finally, the target may collect certain personal data that is subject to additional regulation (such as health care data subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the personal data of children younger than 13 subject to the Children’s Online Privacy Protection Rule). If the purchaser wishes to integrate such personal data and use it, the purchaser will need to ensure compliance with all relevant regulations.

We note that the above discussion relates to U.S. law, where most of the focus is on the target’s and purchaser’s privacy policies and promises. In the EU, the focus in review of post-acquisition practices (assuming the transfer of the data itself is lawful as discussed in Section A above) is on the purposes for which the data was initially collected. The use of the data by the purchaser must be in a manner consistent with the specified (and legitimate) purposes for which it was obtained by the target in the first place. As an illustration, in the case of data obtained for HR-related purposes such as payroll and administrative management, the data should continue being used for these same purposes by the purchaser.

  • Trap: As a purchaser, it is not enough to establish that the target’s practices are compliant with your privacy policies. You may be violating the law if your use of data collected by the target does not comply with the target’s policy (or, in the EU, if your use of such data is in a manner inconsistent with the specified purposes for which it was collected by the target).

Target’s Practices & Policies Less Robust than Purchaser’s

Another set of problems arises if a target’s data privacy practices are less protective of privacy than the purchaser’s and are therefore incompatible with the purchaser’s privacy policies (e.g., the personal data collected by the target may contain credit card information or other data fields that the purchaser promises not to collect or store, or the target may use third-party service providers under terms that are inconsistent with statements in the purchaser’s privacy policy). While the purchaser’s privacy policies may be amended to remove promises that are incompatible with the practices of the target, the amended policy will be effective only for newly-collected personal data (collected after the date the amended policy is made effective) and, consistent with the FTC Blog, customers must receive notice of the change and an opportunity to exercise an opt-out choice. In addition, the purchaser may suffer a reputational hit from lowering the protections in its privacy policy. Furthermore, the purchaser will need opt-in consent for any changes that will affect customers’ previously-collected data.

The most reasonable approach will likely be for the purchaser to either (1) maintain the target as a separate entity/division that does not use purchaser’s data or (2) bring the target’s practices into compliance with purchaser’s previous promises (though this could involve significant costs).

  • Trap: Even where the “transfer” of personal data to the purchaser resulting from an M&A transaction is lawful, post-closing processing of personal data, either by the purchaser (of target’s data) or the surviving target (of purchaser’s data), that conflicts with privacy policies applicable when such data was collected can lead to liability.


In this two-part blog post, we have outlined some of the complex privacy issues that arise at each stage of an M&A transaction. Prior to signing, a purchaser’s due diligence will involve multiple areas of inquiry to determine all potential risks associated with the target’s existing privacy-related liabilities and for greatest protection, privacy-specific representations in M&A agreements may be warranted. Between signing and closing, both sellers and purchasers should remain cautious in the disclosure of personal data and seek counsel both with respect to the content of any disclosures and the disclosure process. After closing of the transaction, the purchaser will need to consider carefully what steps must be taken to enable its use of the acquired data and to ensure such use complies with all applicable laws. Given the rapidly evolving nature of privacy laws, it is advisable to consult with privacy counsel at each stage of a transaction to most effectively mitigate these and other associated risks.


[1] Throughout this blog post, we use the term “privacy” (or “privacy issues” or “privacy laws”) broadly as including cybersecurity, data protection and data security as related to personal data (and related issues and laws).

[2] This post focuses on U.S. and EU law, but we note that several other jurisdictions have passed or are adopting strict privacy laws. Among those are countries recognized by the European Commission as having an “adequate level” of protection for all or certain types of personal data processing (i.e., as of the date of this post, Andorra, Argentina, Switzerland, the Faeroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, and Uruguay; see [link not available]) as well as other states such as Brazil, Singapore and South Korea. In any cross-border transaction, the laws of all relevant jurisdictions should be examined.

[3] For example, Massachusetts General Law Chapter 93H and its regulations 201 CMR 17.00 impose requirements on all companies who receive, store, maintain, process or otherwise have access to personal data of the state’s residents to develop, implement and maintain a comprehensive information security program that contains administrative, technical and physical safeguards to protect the data.

[4] While the Directive provides a harmonized regulatory data protection framework that is applicable throughout the EU, there are a few areas where national law differs in each Member State. Starting on May 25, 2018, the Directive and the national laws implementing it will largely be replaced by the General Data Protection Regulation (the “GDPR”), which will enhance existing legal requirements, create new rules and set out significant fines for organizations failing to comply. For further information on the key changes to be anticipated under the GDPR regime, please refer to our May 13, 2016 Alert Memorandum ([link not available]).

[5] Sensitive personal data may be transferred only where the data subject has provided his or her explicit and fully informed consent, or where a legal obligation exists in the context of employment which makes the transfer necessary. The advice of local counsel should be sought before relying on the “legal obligation” ground in connection with the transfer of sensitive employee data.

[6] For the Stipulation and Order Establishing Conditions on Sale of Customer Information, see [link not available].

[7] See FTC letter to the court-appointed Consumer Privacy Ombudsman in RadioShack, dated May 16, 2015, available here.

[8] See In re RadioShack Corporation, et al., No. 15-10197 (BLS) (Bankr. D. Del.).

[9] See In re Borders Group, Inc., et al., No. 11-10614 MG, 2011 WL 5520261 (Bankr. S.D.N.Y. Sept. 27, 2011).

[10] In 2001, the French DPA declared (in the context of a merger of three companies) that personal data files may only be assigned or made available to a third party on the condition that data subjects be given advance notice as well as the right to object to such transfer. In Germany, it is necessary to provide notice of the transfer in the context of the transaction with a deadline to object where the transferred data goes beyond so-called “list data” (name and postal address). The Bavaria DPA issued fines to a buyer and target in an asset deal in 2015 where customer data was transferred without the parties providing the customers with a deadline to object to the transfer prior to the transaction.

[11] See footnote 2 above.

[12] Commission Implementing Decision of 12.07.2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (the “EU-U.S. Privacy Shield”). For further information on the EU-U.S. Privacy Shield and the invalidation of its predecessor (the EU-U.S. Safe Harbor), please refer to our August 2, 2016 Alert Memorandum ([link not available]).

[13] The GDPR provides for a “one-stop-shop” mechanism under which data controllers established in the EU will be able to register with one DPA only (in their country of “main establishment”).

[14] See [link not available].
