In the past several years, consumer data privacy laws have increasingly taken center stage. With the European Union (“EU”) having passed the General Data Protection Regulation (“GDPR”) and now with at least five U.S. states having comprehensive state privacy laws on the books, data privacy considerations have become more important than ever before for businesses looking to strike a mergers & acquisitions (“M&A”) deal. M&A transactions consist of multiple steps, and the disclosure or transfer of personal data between the seller and the buyer oftentimes becomes part of the process. Specifically, disclosure of personal data associated with an acquired target (or acquired assets) typically consists of a whole host of information regarding employees, customers, and third parties. While most disclosures of personal data occur at closing, businesses should take care to conduct adequate diligence and leverage experienced privacy law professionals to mitigate pre-closing, privacy-related risks and liabilities.
This blog post summarizes the key privacy law and contractual considerations that businesses should be mindful of with respect to the disclosure of employee data during an M&A transaction.
Employee or personnel data can provide insight into a business’s inner workings. Aside from revealing personal information about employees, employee data can also expose key performance indicators through benefits and salary information as well as productivity levels. As a result, a variety of categories of data are typically disclosed throughout the due diligence period of an M&A transaction. However, businesses should carefully evaluate the privacy risks associated with the sharing of employee data, especially during these early phases of negotiations. Moreover, businesses should assess the target’s pre-closing, privacy-related liabilities and consider ways to mitigate these risks through adequate due diligence and privacy-related representations. The disclosure of such employee data may present legal and confidentiality implications, and in light of that, businesses should be aware of any legal or contractual risks related to the sharing of employee data.
Employee Data Transfers - Legal Obligations in the U.S. and EU
There are various U.S. labor and privacy laws governing the use of employee data at both the federal and state level.
For example, the California Privacy Rights Act (“CPRA”) includes protections for the personal information of employees in California. While employee data has been previously exempted from California’s privacy obligations, Octillo is closely monitoring the status of that exemption. As it currently stands, this exemption may end when CPRA becomes fully effective on January 1, 2023. Octillo recently published a detailed analysis of the CPRA employee data requirements; for more information, please read our blog here.
Furthermore, personal information of EU residents is governed by the GDPR. The GDPR applies specifically to any information that can be directly or indirectly linked to an individual. GDPR Art. 4(i). This includes employee data. If your business operates in the EU, it may have certain obligations under the GDPR that govern the disclosure of employee data.
Additionally, employers may have confidentiality obligations to their employees when the employer provides contracts or policies indicating how the employer will use or disclose the employee’s data through, for example, an Employee Privacy Notice.
Some considerations to keep in mind include:
- Examine your business’ Employee Privacy Notice as well as the circumstances under which employees have consented to sharing their data with third parties (notably, whether employee data may be shared in the context of a business transfer or M&A transaction);
- Check if your business has a corporate confidentiality agreement (if so, the key question is whether the agreement only governs the data collection practices of your clients or whether employees are included);
- Review your business’ policies and procedures, including the employee handbook and data protection policy, as applicable (such as reviewing for any language limiting the situations in which data could be shared, the types of data that could be disclosed, the purposes for which data could be shared, and the third parties to which data could be revealed).
Conclusion and Key Takeaways
Data is now a crucial business asset that should be afforded considerable attention throughout the course of the M&A process. There have been instances in which companies have faced significant hurdles in M&A transactions when unknown or undisclosed privacy or cybersecurity issues later came to light. Regulators are also paying attention to what happens to data privacy and cybersecurity protections as businesses undergo M&A transactions.
This is also true for employee data. It is likely that businesses have internal employment policies and procedures that could give rise to confidentiality obligations and impact how a buyer or a seller would disclose data during an M&A transaction. Businesses should also be aware of the applicable laws and regulations that provide protections for employee data.
Octillo’s experienced team of privacy professionals routinely works with companies on both sides of M&A transactions evaluating data privacy concerns that may emerge as part of the due diligence phase or as part of the transaction. If you have any questions or concerns regarding the privacy implications of various disclosures in M&A transactions, please contact a member of our team.