Data Protection and Mergers & Acquisitions: Legal issues

The due diligence period of any merger and acquisition includes an analysis of risks of a potential merger or acquisition for both parties. The analysis focuses on legal, business and other issues that the acquiring party would have to deal with.

This article gives an overview of data protection legal issues arising in the due diligence.


1.    The cross-border transfer of data

Would the merger or acquisition lead to the cross-border transfer of personal data? Would data cross the border of European union or would it be only within European union? Since the majority of non-EU legislation is less strict about the transfer of data, the crucial issue is the processing of personal data of EU nationals and resulting obligations in case of their transfer outside of EU.


2.    The terms of use and privacy policy

Another part of the due diligence process is an analysis of existing terms of use and privacy policy of the other party. The acquiring party must understand, what are its goals with personal data of the users of the other party. Accordingly, it would have to determine the best strategy how to meet them. It might lead to serious problems (see No. 3).


3.    The analysis of other party´s customers

The analysis of terms of use or privacy policy of the other party should not cover only legal issues, but also an analysis of a customer. In her brilliant study Privacy in the Age of Social Media Mergers and Acquisitions, Amy A. Hinkler analyzed the acquisition of Instagram by Facebook. She described Instagram as having „a vast and faithful member base and an untainted privacy reputation (…) Instagrammers were on high alert for any changes to their terms, given Facebook’s track record for privacy violations.

Some time after the acquisition, Facebook revised privacy policy. It included provisions, declaring that photos uploaded by users could be used by Facebook/Instagram, allowing sharing user information with third parties, granting licensing rights or changes in paid advertising. The only way how to opt out of these terms was to delete the account. The users of Instagram were furious about the revisions.

Although many of these changes were not introduced, the example shows that the lack of an analysis of potential customers and their attitude towards data protection can have significant business consequences. That’s why, it should also be a part of proper due diligence.


4.    Finding a best solution

According to Hinkler, if there is a term in privacy policy that is critical to acquiring firm’s ability to operate according to its business model, the firm should negotiate the term with users. If the term is not necessary, it can be discarded or altered accordingly.

However, it does not mean that the firm changes the language of the privacy policy. The firm should try to find a compromise, which enables the firm to develop its business plan, but leaves certain level of control to a user (the possibility to delete, asking for consent, etc.).

Moreover, as a best practice, Hinkler suggests to create a pro-user oriented terms of use. The users are often confused by the number of privacy policies and their length. For some users, big complexity of terms represents a red flag. Therefore, if the customer base of the other party is sensitive towards a certain level of privacy, the acquiring party might benefit from modifying the length of the terms of use.


5.    The time period of a due diligence

In the same article, Hinkler focuses on another typical characteristic of mergers & acquisitions, especially in the area of technology. These mergers are usually very quick. According to Hinkler, the Facebook-Instagram deal took 2-3 days to complete. However, there is a reason why due diligence should last longer. Quick due diligence might result in problems similar to those described earlier. Otherwise, the word „due“ has no real meaning.


6.    Notification of the changes in Terms of use

The firms should notify users about the changes in the Terms of use. Hinkler argues that it must be absolutely clear to third parties, in particular the courts, that users were notified of any terms and changes to terms.



The article gave an overview of issues, specific to the personal data protection. Many of these issues are significant for mergers and acquisitions in the technology industry. However, the expectations are that the user awareness of personal data protection will rise. Therefore, personal data issues would become even more important in due diligence process.

What kind of problems have you experienced with personal data in mergers and acquisitions? Do you have any comments? Feel free to contact us and share your experience or comments.


Note: This article is intended as a summary of issues. Its purpose is not to provide legal advice or create an attorney-client relationship between you and the author of this article.


Leave a Reply

Your email address will not be published. Required fields are marked *