South African M&A: The impact of data protection laws
Key data-protection takeaways for due diligence:
- Only upload personal data in the virtual data room that is necessary for the purpose of the transaction.
- Where possible, anonymize personal data in a manner that it cannot be re-identified.
- Avoid uploading special personal data unless consent of the data subject is obtained.
- Implement appropriate security safeguards.
- Ensure that individuals who have access to personal data are bound by appropriate confidentiality undertakings.
- Conclude a data-transfer agreement to regulate the trans-border flow of personal data to recipients in foreign countries that do not have adequate data protection laws.
- Consider whether regulatory approval is required before processing personal data.
The EU General Data Protection Regulation (GDPR)1 came into force on May 25, 2018, and regulates the protection of EU data subjects' personal data. South Africa's Protection of Personal Information Act 4 of 2013 (POPIA), expected to be fully in force in the near future, contains similar provisions to GDPR. Prudent South African businesses are, where applicable, ensuring compliance with GDPR – preparation that will ensure a smooth transition to their future obligations under POPIA.
For corporate lawyers, data protection laws are important in M&A, as there are significant risks of data and privacy breaches during due diligence. In this phase of the transaction, the seller will upload documents to the virtual data room relating to the target to be acquired.
These documents usually contain personal data of the natural persons who are shareholders, directors, employees or contractors with whom the target has contact. When due diligence is conducted on an urgent basis, mistakes often occur. This article sets out the impact data protection laws will have on the corporate landscape, with specific reference to due diligence process.
Application of GDPR
The protection of personal data is seen by the EU as a fundamental right and, under GDPR, data subjects have been granted more autonomy over their personal information. GDPR has a wide reach, and non-compliance can result in severe consequences.
Multinational companies established in the EEA, or with dealings or monitoring of the behavior of data subjects located in the EEA, are advised to comply with GDPR to protect against any risks.
GDPR applies not only to EU entities that process personal data within the region, but also to:
- Entities established in the EU that process personal data outside of the region
- Entities established outside of the EU whose processing activities relate to the offering of goods or services to persons in the EU, irrespective of whether a payment to or by those persons is required
- The monitoring of the behavior of persons, insofar as their behavior takes place in the EU
Data processing under GDPR
Under GDPR, "personal data" covers any information relating to an identified or identifiable natural person, who is defined as the data subject. This includes the person's name, identification number, location, or any factor relating to their physical, physiological, genetic, mental, economic or cultural identity.
Sensitive data is any data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data; and data concerning health or a natural person's sex life or sexual orientation. The process of sensitive data is generally prohibited in the absence of the explicit consent of the data subject.
"Processing" means any operations that are performed on the personal data, such as collection, recording, organizing, structuring, consultation, use, disclosure, or dissemination, or any form of making available, aligning or destroying the data.
Before disclosure of personal data within a virtual data room takes place, one of the grounds of justification must be met. The first ground is the consent of the data subject, which will permit the disclosure without redaction. The consent may be granted by employees to employers in terms of their contracts of employment, but may be withdrawn at any time at the sole discretion of the data subject.
The second ground is the legitimate interest test, which requires three elements to be satisfied: (1) there needs to be a legitimate interest, (2) it must be necessary to process the personal data in order to achieve the interest, and (3) a balancing exercise must be done, comparing the individual's interests, rights and freedoms and the legitimate interest being sought. The legitimate interests can be interests of the purchaser, third parties, commercial interests, or broader benefits to society.
Regardless of whether consent is obtained, the data subject must be informed in advance of the processing of their data, and the purpose for which it is being processed.
The other grounds of justification are where the disclosure forms part of a legal obligation, either in law or in the performance of a contract; where the disclosure would be in furtherance of a public service mission; or where the disclosure is necessary to protect the vital interests of the data subject or another natural person.
Data processing under South African legislation
South Africa has attempted to bring its data protection law in line with European legislation through POPIA, which seeks to give effect to the right to privacy contained in the country's Bill of Rights, and is widely regarded as being a codification of the common-law position regarding the processing of personal data. Only some provisions of POPIA are in force, but the remainder are expected to come into effect in the near future. Most South African businesses are taking measures now to ensure that they comply with POPIA.
POPIA uses the term "personal information" to refer to the information relating to an identifiable natural person and existing juristic persons. For purposes of this article, the term "personal data" will be used for both POPIA and GDPR.
Currently, the sections of POPIA in force are those relating to establishing the office of the Information Regulator (the regulatory authority), the powers to make regulations to give effect to POPIA, and the definitions sections. The Information Regulator has also published draft regulations to POPIA.
Under POPIA, the processing of personal information is permissible only in circumstances where there is a recognized justification. One of the justifications is the voluntary, informed consent of the data subject. Other justifications are where the processing is necessary for the conclusion or performance of a contract to which the data subject is a party; where the processing complies with an obligation imposed by law; or where it is necessary for the proper performance of a public law duty by a public body.
Personal information may also be processed where it is necessary to protect the legitimate interests of the data subject, or where it is necessary for pursuing the legitimate interests of the responsible party or a third party to whom it is disclosed.
Importantly, data subjects may object on reasonable grounds to the processing of their personal information on the basis that it is necessary for protecting or pursuing legitimate interests.
As regards special personal information (religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, criminal behavior, or biometric information), the consent of the data subject to the processing of such information is generally required, save for certain limited exceptions.
Compliance during due diligence
When undertaking a due diligence process, compliance is crucial at two stages. First, the upload of the documents to the virtual data room may fall within the ambit of processing under POPIA or GDPR. Second, when evaluating the target asset's compliance with POPIA and GDPR in respect of the personal data it holds. When processing personal data, the entity must be seen to have received consent or be relying on another lawful justification.
In the context of due diligence, the seller could probably rely on the justification that the processing of the personal information of its employees, directors or shareholders is necessary for pursuing its legitimate interests or those of the potential purchaser. The data subjects should, however, be informed of this. The consent of the employees, directors or shareholders would generally be required when uploading special personal information under POPIA. Another option would be to de-identify the information in such a manner that it cannot be re-identified.
For the seller to ensure compliance with GDPR, it should enter a data-processing agreement with the operator of the virtual data room, and all persons with access to the virtual data room should be bound by a confidentiality agreement that includes standard data protection obligations and provisions, including the obligation to implement and maintain appropriate security safeguards and notify the seller of any data breaches.
When the seller is uploading documents, it should evaluate the document with reference to:
- Whether the personal data is necessary to achieve the purpose of the due diligence
- Whether the personal data can be redacted from the document before uploading it
- Whether a model template can be used in the circumstances
- Whether consent for the disclosure of personal information has been obtained by the data subject and, if not, whether there will be justification for disclosure without consent
- To whom the personal data relates, and whether they have been informed of the disclosure in the due diligence.
In the spirit of data minimization, the seller should assess all documents containing personal data and ensure that any document being uploaded is absolutely required by the purchaser to evaluate the target assets and operations. It is paramount that no sensitive/special personal data that reveals a person's racial or ethnic origin, political opinions, religious or philosophical beliefs, health or sex life, trade union membership, biometric information or criminal behavior is included in the virtual data room unless consent of the data subject is obtained, and unless such information is necessary for carrying out the due diligence.
In an employment due diligence, it may sometimes be necessary to consider health information in relation to occupational injuries or to consider the number of employees who are members of a trade union. Where possible, the names of the individuals should be redacted, failing which the individuals' consent would be required.
Under GDPR, where the seller establishes appropriate technical and organizational measures (TOMS), the scope for disclosure of personal data increases, as the seller’s legitimate interest test is reinforced and simultaneously data subjects' interests in secrecy are safeguarded. One way of achieving this is through setting up specific teams of people to deal with the personal data, so that if there is a breach, it can be rectified immediately; these are known as "clean teams."
When a purchaser is assessing, in due diligence, the assets and regulatory compliance of the seller, it must include the purchaser's data protection compliance status. Any potential compliance liabilities can be identified, and the purchaser can be advised on how best to amend the seller's practices and operations to comply, post-completion, with data protection laws.
If an entity is GDPR-compliant, it will generally also be compliant with POPIA, which is less rigorous. There are, however, certain distinctions between them. For example, POPIA applies to juristic persons as well as natural persons, and there are certain instances in which prior authorization from the Information Regulator is required before processing personal information.
Transfer of personal data
GDPR restricts the transfer of personal data outside of the EU and EEA, but the data subject may consent to the transfer of their data to a specific country. Further, a transfer outside of the EU/EEA is permitted to certain countries that enjoy the benefit of an "adequacy decision" made by the European Commission, whereby a country's data protections laws are considered to be sufficiently in line with the purpose of GDPR.
The US does not offer similar data protection rights, and so US entities must have assented to the EU-US Privacy Shield regime in order to receive and transfer personal data. Some virtual data rooms are hosted in the US, and so it is important to confirm that such operators have assented to the regime before transferring any personal data.
On July 5, 2018, the European Parliament adopted a resolution on the adequacy of the protection afforded by the EU-US Privacy Shield and decided that, unless the US is fully compliant with GDPR by September 1, 2018, the European Commission must suspend the Privacy Shield until the US authorities comply with its terms.
GDPR states that, in the absence of a determination by the European Commission that a country provides adequate data protection, personal data may be transferred to a third country or an international organization if measures are taken to ensure appropriate safeguards are implemented, and that there are effective legal remedies for data subjects.
South Africa has not been subject to an adequacy decision. Where there is a transfer of personal data to a country that does not have adequate data protection laws, both GDPR and POPIA require one of the following:
- An agreement in place with the group entity that includes standard contract clauses to provide adequate protection
- The entities to subscribe to binding corporate rules that are established to ensure that any transfer of personal data and subsequent processing of the data in that country is carried out with a satisfactory level of protection
The personal data may also be transferred with the consent of the data subject. Under POPIA, special personal information may not be transferred to locations that do not have adequate data protection laws without the prior authorization of the Information Regulator.
Consequences of non-compliance
Non-compliance during a due diligence will occur if personal data is uploaded to the virtual data room without there being a justification for the processing – for example, in the absence of the necessary consents or legitimate interests. Non-compliance may also arise where mass personal data is uploaded without using the principle of minimization. As such, personal data should be uploaded only where it is necessary and relevant.
It is imperative to evaluate a target's data protection status, as there are major risks for the purchaser if the target is found to be in breach of GDPR. Violations of data protection laws within the EU and EEA are subject to fines of up to €20 million or up to 4 percent of total annual worldwide turnover. Under POPIA, non-compliance penalties include administrative fines of up to ZAR10 million and up to ten years in jail.
To the extent that it is not possible to eliminate all data protection risks in the due diligence process, there should be adequate data protection warranties in place in the transaction agreements between the seller and purchaser. Such warranties should be accepted only if a sufficient level of data protection compliance measures are in place within the target, at a level that may be verified in the due diligence process. These measures include the use of appropriate TOMS and confidentiality undertakings, which would reduce the risk of a data protection breach.