This article is written by Nikunj Arora pursuing Diploma in M&A, Institutional Finance and Investment Laws from LawSikho.
According to a report by Datasite, Artificial Intelligence (“AI”) will transform the process of mergers and acquisitions (“M&A”) by decreasing the time it takes to perform the due diligence exercise, i.e., from three (03) to six (06) months to less than a month. AI is becoming more and more critical for M&A due to the complexity of trying to unify two separate entities’ technology systems. AI can significantly help in improving the process from start to end and the use of AI in M&A transactions has increased exponentially over the last five (05) years and will continue to increase in the future as technology is improved on and its potential is recognized.
The capabilities of AI and M&A transactions are endless, as it is used to automate frequent and high-volume tasks so that mundane procedures are nearly eliminated for some professionals. AI can provide a deeper analysis of big data to vastly improve the value of the data to organizations because it can be used to make better-informed business decisions and can also increase the accuracy of its vast neural networks by exploring data in much more detail than is humanly possible. AI can continuously adjust using its learning algorithms for optimal performance. Thus, all of these considerations allow this technology to further develop its intellectual capabilities and answer questions that were unanswerable before AI. When discussing AI, it is hard not to talk about the General Data Protection Regulation (“GDPR”) at the same time. This article talks about how and why GDPR compliance is important in AI-driven M&A transactions.
Artificial intelligence and M&A
According to Sashi Narahari, CEO of HighRadius, a Fintech enterprise Software-as-a-Service Company, AI-driven automation plays an escalating and more imperative role on the modern-day entities and the repetitive tasks which are executed by one person or one department, are now increasingly left to machines.
He further added and said that through AI-drive processes, the companies can rely less on undocumented processes and institutional knowledge that is unexpectedly lost sometimes in the staffing disruption that can happen after a merger or an acquisition.
AI has a significant impact on M&A transactions such as the preliminary application of AI assists several entities and financial analysts with gathering and processing information that can be used to make a wide range of M&A-related decisions. While humans do perform the mentioned tasks, AI-supported machines usually carry out such activities much faster than human beings and can have a better recollection of search results.
Benefits of using AI in M&A transactions
The following are the benefits of using AI in M&A transactions:
Impact on M&A transactions
Market & Sector data extraction
Compliance / Due Diligence
Risks of using AI in M&A transactions
Apart from the above-mentioned benefits, there are certainly some risks to consider while using AI and the most significant risk associated with AI is privacy and security.
Privacy and security
Cybersecurity can be threatened by the malicious use of AI as hackers can hack into AI software and then program the use of AI for what is not needed, thereby compromising personal data.
According to the survey conducted by Datasite, data security and privacy are still seen as barriers to getting the M&A deals done. The survey showed that thirty-five per cent (35%) of the dealmakers believed that the due diligence exercise can be accelerated through AI. However, the ability to provide Environmental, Social, and Corporate Governance (“ESG”) data credentials and complying with the data privacy regulations by the target company can affect whether a deal succeeds or not. The following are the key findings of the report:
- Seventy-eight per cent (78%) of the dealmakers said that they have worked on deals where the target company’s ESG credentials hindered the progress of the deal.
- Forty per cent (40%) of the dealmakers said that the data privacy issues while dealing with AI can be a concern to the deal.
- Thirty-six per cent (36%) of the dealmakers said that the data privacy or cybersecurity concerns by the malicious use of AI has been the most common issue in the process of the due diligence, thereby, leading to the withdrawal of the deals.
- More than two-thirds (2/3) of them believed that ESG factors and data privacy regulations can be considered as the most important factors in M&A due diligence by 2025.
In 2016, a UK-based telecom provider acquired a customer database and he was heavily fined when they said that the customer database was hacked. Again, in 2017, the price of the acquisition of Yahoo by Verizon was reduced to three-fifty million dollars ($350 m) after Yahoo disclosed three massive data breaches compromising more than one billion customer accounts.
Impact of GDPR on AI-driven M&A deals
What is GDPR?
The European General Data Protection Regulation (GDPR) was adopted by the European Parliament in April 2016 and came into effect on May 25, 2018, which was intended to harmonize privacy and data protection laws across the European Union (“EU”). Hence, regardless of where the business is located, if the business collects, stores, or utilizes data from citizens of the EU, then such company/business is subject to these legal requirements.
The purpose of this legislation is to create consistent and enforceable requirements to protect the right of any EU citizen to the privacy and security of their data.
GDPR applies to any business located in the EU or outside the EU if the company or anyone has any data on EU citizens or collects the data such as subscriber data, or records organizes or stores any of that data and performs any operations on that data.
AI and GDPR
Though AI is not specifically mentioned in the GDPR, several provisions in the GDPR are relevant to AI. The deployment of AI and big data entails the collection and processing of quantities of data that are related to several individuals and their social relations.
The study conducted by the European Parliamentary Research Service made the following conclusion on AI and the processing of personal data:
- Generally, GDPR provides meaningful indications for data protection concerning AI applications.
- The interpretation and application of the GDPR could be in such a way that it does not hinder the application of AI to personal data. It does not put the European companies in a difficult spot by examination with the non-European competitors.
- Several AI-related data protection issues do not have an explicit answer in the provisions of GDPR, thereby, leading to uncertainties.
- The guidance should be provided to the companies on how AI can be applied to personal data consistently with the provisions of GDPR. Such guidance can lead to the prevention of costs linked with legal uncertainties.
- Guidance should be also provided by the Data protection authorities and the Data Protection Board to the companies on several issues to which precise answers cannot be found in GDPR.
- The content of the obligation of the companies to provide information of an AI system needs to be specified concerning the different technologies with appropriate and relevant examples.
Why does GDPR matter in AI-driven M&A deals?
The GDPR is a framework for the regulation of the data and all the EU companies and non-EU companies (which collect, store data of the EU citizens) have to comply with these new rules. In regards to the M&A transactions/deals are concerned, the GDPR has the most impact on the AI-driven due diligence process. In the M&A process, it is important to consider the data protection requirements as soon as possible and ensure that the relevant documents are in place to exclude the risk of liability.
As seen above, AI can provide a detailed and extensive analysis along with sophisticated models of due diligence for the companies, the acquirer company has to be more alert while performing the due diligence exercise on the target company through AI and vice versa.
Any company, either the acquirer company or the target company, will have to evaluate the other company’s AI system as to how it collects, stores and uses and transfers the personal data of its customers, thereby ensuring that the other company complies with the GDPR rules.
The enforcement directorate has imposed heavy penalties for non-compliance to GDPR to ensure the strict enforcement of the regulation. Article 83 of the GDPR Regulation imposes fines and penalties, hence, if any company violates the data provisions of GDPR, then the penalties for infringement of data protection rules include:
- Up to EUR ten million (10 m) or two per cent (2%) of the company’s global annual turnover of the previous financial year, whichever is higher, and
- Up to EUR twenty million (20 m) or four per cent (4%) of the company’s global annual turnover of the previous financial year, whichever is higher.
Several M&A transactions may be interrupted because of concerns over GDPR compliance. The implementation of GDPR can be processed as a major hurdle for M&A deals and many acquirers believed that the compliance and the data protection employed by the target company was the reason a deal did not progress. The GDPR Regulation has increased and will continue to increase the acquirer’s scrutiny of the data protection policies and processes of the target companies. However, the most important part of an M&A deal where the GDPR affects the most is the ‘due diligence as the due diligence plays a significant role in determining the success of not only AI-driven M&A deals but all the M&A transactions of whatsoever nature.
GDPR and due-diligence
The provisions of the GDPR have added several layers of complexity to the AI-driven due diligence process in M&A transactions. The most common difficulty in the AI-driven due diligence process is that most of the entities believe that they are GDPR compliant when they are not.
Most target companies have triggered the potential GDPR exposure for the acquiring companies under handling information on suppliers, customers or employees. Therefore, data security has become the topmost priority of the due diligence exercise and several experts have predicted that over the next five years (05) years the impact of GDPR on M&A due diligence can cause great scrutiny of data protection policies and processes of target companies by potential acquirers.
A survey of more than five hundred (500) M&A practitioners was conducted across Europe, the Middle East and Africa (“EMEA”) region showed that fifty-five per cent (55%) of respondents had worked on M&A deals that didn’t become successful because of concerns about a target company’s data protection and compliance with GDPR. The same survey was conducted in Germany, the Nordics, and in the UK where seventy (70%), sixty-five per cent (65%), and more than sixty per cent (60%) of the respondents respectively felt the same.
During the due diligence process, the acquirer shall have the opportunity to disclose whether the company is compliant with the provisions of GDPR, including all the details related to any known data breaches.
The traditional due diligence process has always been complex and time-consuming and hence, AI-driven due diligence processes come into play for the companies. However, the companies (EU companies and companies outside the EU storing data of EU citizens) shall perform this exercise keeping in mind all GDPR-related things to avoid negative surprises later on. If there is no appropriate recognition of the risks and sufficient protective measures being put in place associated with the AI due diligence process, then the result would be lengthy deals and expensive exposure and consequent litigation.
This report gives the following recommendations that can be adopted by the companies to comply with GDPR while performing the due diligence:
- Companies can enhance their productivity and speed with technology that supports the digitized (AI-driven) due diligence process.
- Companies can maintain confidentiality and ensure compliance. They can ensure security by redacting sensitive data at the word, phrase and image level.
- Generation of advanced analytics and insights through secure, flexible and algorithm-based reports and dashboards.
- The companies need to make sure that the application which is used for the due diligence is fully compliant with the international and local regulations, as well as the country where the data of such a company is hosted.
The impact of GDPR in an M&A transaction
The following range of areas can have the impact of GDPR in an M&A transaction:
The viability and structuring
Personal data is exploited for a wide range of purposes in M&A transactions. It may be a key enabler for the target company or may offer potential value to the acquirer company. These parties to the transaction consider to what extent data considerations may impact the viability of the proposed transaction or whether such proposed transaction should adopt a particular structure to enable the exploitation of data.
Preparation of sale
From a data protection perspective, the seller gives the most consideration to whether the business is fit for the sale or not. This analysis in some situations leads to the identification of several measures that can be taken in advance to avoid any data-related risks involved.
Non-Disclosure Agreements (NDAs)
In any M&A deal, the NDAs entered by the potential parties include the data protection clauses. In some situations, the sellers may also request the buyers to enter into data transfer agreements which can be used to facilitate international transfers of personal data.
Virtual Data Rooms (VDRs)
The sellers (and to some extent buyers) consider what personal data is shared in data rooms and apply additional control measures so that the personal data is protected.
The purchaser or the acquiring companies are increasingly inquiring questions related to the due diligence process as GDPR has introduced several requirements to implement compliance measures. This can include:
- A written record of processing,
- Data protection impact assessments,
- Record of data breaches,
- Appointment of data protection officer, etc.
The terms of the deal
The terms which form part of the deal include specific warranties regarding data protection compliance and these warranties are requested by the buyers which can become lengthy and specific due to GDPR. The introduction of certain requirements under GDPR allows the buyers to request specific warranties for compliance and non-compliance.
Completion and post-completion
On completion of any M&A transaction, the personal data is transferred leading to a change in the “controller” of such data. In the cases of transfer of marketing databases, a specific pattern of rules may be outlined for any future activities of the purchaser.
Apart from the above-mentioned areas, the following factors should be concerned:
- Companies that acquire or merge with a target company must be in GDPR compliance status.
- There should be a designation of data protection officer if core activities deal with special categories of data.
- Existence of record of processing activities of the target company.
- Data Protection Impact Assessment.
- Obligations of the controller addressed to the data subject.
- Reviewing general terms and conditions in the light of GDPR when assessing the target company.
- The buyer or the acquirer company may negotiate specific indemnity clauses.
“We understand the implications of GDPR, especially when it comes to due diligence. Our tools, like Integrated Redaction for DatasiteOne, help minimize risks and breaches, which is of utmost concern for everyone involved in the M&A process. We are the most trusted and GDPR-compliant application for due diligence for M&A professionals across EMEA.” Merlin Piscitelli, Chief Revenue Officer, EMEA Merrill Corporation.
Regardless of whether to go about as an acquirer or target, organizations ought to know about the sheer volume of individual information dealt with all through an M&A exchange and the applicable data protection issues at each stage. The personal data covers a tremendous scope of information types, from representative CVs put away in a VDR to IP addresses obtained by the target. Even in clear ‘brick and mortar’ exchanges where personal data isn’t central to the seller’s business, data/information caught and prepared is probably going to incorporate employment contracts, information about disputes and key agreements with providers.
Nevertheless, GDPR is having an impact on not only AI-driven M&A deals but also all M&A in general.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: