Increasing GDPR Concerns Cause M&A Transactions to Stall or Collapse Entirely

On May 25, 2018, the European Union (EU) began the enforcement of the General Data Protection Regulation (GDPR) with the aim of protecting all citizens residing within the EU from privacy and data breaches. (GDPR Key Changes, GDPR.org). Approximately 40% of acquiring companies that engage in merger and acquisition transactions discover cybersecurity issues in their newly-acquired entities, and companies are starting to become warier of acquisition transactions due to the expensive repercussions of non-compliance with GDPR rules. (Harroch, Forbes). Approximately $1.3 trillion of deals have failed with 900 transactions being terminated or withdrawn due to GDPR concerns, despite 2018 being a notable year overall for mergers and acquisitions. (Thomson, Bloomberg Law).

Regulatory Landscape of the GDPR

The GDPR applies to all companies that handle the personal information of data subjects living within the EU, notwithstanding the location of the company’s headquarters. (GDPR Key Changes, GDPR.org). A data subject is any person whose personal data is being collected, held or processed by companies that handle such personal data. (Kersten, KirkpatrickPrice). In order to ensure compliance with the GDPR, companies must satisfy numerous requirements that tend to act as inconvenient and costly hurdles for companies that collect the personal information of their customers. These requirements include: obtaining customer consent; appointing a Data Protection Officer (DPO) as a point person to ensure compliance; performing a Data Protection Impact Assessment (DPIA) for each transaction that involves personal data; notifying local data protection authorities in the event of a breach; and respecting a consumer’s request to have their personal data be forgotten. (Grenacher, Forbes). Non-compliance with GDPR rules incurs penalties of up to $23 million or 4% of annual revenue, whichever is higher, which leads acquiring companies to back out of deals rather than risk purchasing a company that has breached or is in danger of breaching GDPR regulations. (Thomson, Bloomberg Law).

Current Example of GDPR Stalling M&A Transactions

An example of the GDPR affecting a potential acquisition is the almost spoiled acquisition of Yahoo! by Verizon. (Harroch, Forbes). After initially agreeing to execute an acquisition agreement, Verizon discovered a previous data breach, which eventually led to Yahoo! paying a $35 million penalty for securities fraud violations and $80 million to settle securities lawsuits brought by unhappy Yahoo! investors. (Id.). This previous data breach caused Verizon to question the entire deal due to the underlying worry that the company it was about to purchase was incapable of complying with GDPR rules. (Id.). The acquisition eventually went through, albeit for $350 million less than originally agreed upon. (Id.).

Ultimately, the highest concern for acquiring companies is that the Federal Trade Commission (FTC) as well as EU Data Protection Authorities that enforce the GDPR will hold acquiring companies responsible for the data breaches of target companies once the acquisition is completed. (Jodka, Dickinson Wright). In many cases, target companies have intangible assets that are substantially made up of personal information that is protected by the GDPR. These intangible assets include: customer lists, personal identifying information, private health information of clients and employees, and more. (Id.). The appropriate usage of personal consumer data can be a driving instrument in the ultimate success of a company’s business plan; thus, parties are increasingly considering whether acquiring new companies is a viable option given the new GDPR requirements. (Parker, Lexology).

Future Implications of GDPR Regulations on M&A

While it does seem unlikely that U.S. jurisdictions will adopt anything as broad and unified as the GDPR, American companies that do business with EU citizens are still largely susceptible to GDPR penalties, as GDPR penalties can apply to any corporation that handles personal data of citizens that reside within the EU. (Hawkins, Washington Post). Companies will have no choice but to elevate their capabilities to comply with the GDPR, with artificial intelligence and predictive analytics technology being the anticipated path towards effective compliance efforts according to a survey of M&A professionals conducted by Merrill Corporation. (M&A Transactions, Help Net Security). A key benefit of such technology would be limiting the time it takes for effective due diligence when trying to establish that a target company is capable of complying with GDPR standards. (Id.). Hopefully, the implementation of technology that is equipped to understand the intricacies of GDPR rules will help speed up due diligence and provide acquiring companies the peace of mind to follow through with potential deals in the future.