
This article has been written by Riya Dubey, pursuing the Diploma in M&A, Institutional Finance, and Investment Laws (PE and VC transactions) from LawSikho.


Due to COVID-19, the trend of digitalization of businesses and investment in the technology sector has accelerated. According to Mergermarket statistics, an increase of 56.8% can be seen in the TMT sector in global M&A transactions. It is expected that by 2025, the data universe will reach over 175 zettabytes. With an increase in data, the responsibility of securing against the risks related to M&A activities also increases. The problem arises when a merger or acquisition involves a data-specific technology. In this article, we discuss the legal challenges in a data-specific technology M&A and how they can be overcome.

Is it all about the data?

Data has now become a core component of an M&A valuation, and along with the data, the platforms and tools that process it also play a vital role in a data-specific technology M&A. With this come some risks that can have an impact on the core business of the acquiring company.


Issues related to the security of data, regulatory compliance, intellectual property rights, product liability, and cyber-security are prominent in a tech-specific M&A. Often, an acquiring company assumes that by acquiring a company it has also acquired all the rights related to the data. Thus, understanding the data that the company processes, where it is shared, and how it is used is of foremost importance while conducting due diligence in M&A transactions. In practice, eliminating all the risks is often not possible, and hence the risks are managed by experts.

What is due diligence in M&A?

Due diligence is an important part of an M&A transaction. It answers the questions “why should we buy, and if so, what should be the structure of the transaction and what amount should we pay?” Due diligence can be conducted from the buyer's side as well as the seller's side. If the transaction goes through due diligence, there is a higher chance of success.

A few reasons for conducting due diligence are as follows:

  • To verify the information that was provided during the deal;
  • To identify defects that may have adverse effects on the deal;
  • To collect information that can be valuable to a deal; and
  • To ensure that the investment complies with the deal criteria.

Several challenges that the acquiring company faces 

The most common challenge is defining the business objectives and understanding how data will be used to fulfil the purpose of the deal. What will be the range of potential exposures? What authorities will be required to approve the deal? Will the acquiring company have rights to the core data assets?

Due diligence is done to know whether the company has the right to collect, process, and share the data that it uses. One should know what the valuation of the company's core data is, what regulations will apply to the data, and whether the target company has taken adequate measures to secure and protect that value and to deal with the associated risks. Finally, one should look at whether the risk associated with the core sector of the target company has an impact on the acquiring company.

If the business of the target company relies on the processing of personal data and this is its core activity, then due diligence should focus on whether the target company follows all the applicable laws and whether the consent of the individuals whose data is being used has been taken.

Provisions in this regard are given in the IT Act, 2000 read with the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

For example, data collected by the company might be its trade secret or confidential information under its confidentiality and non-disclosure clauses. A dispute can arise when the data has been collected in an unauthorized manner.

Recently, Google removed nine applications from its Play Store for stealing users' Facebook passwords. These apps were PIP Photo, App Lock manager, Processing Photo, Horoscope Pi, Lockit Master, Rubbish Cleaner, App Lock Keep, In well Fitness, and Horoscope Daily.

The structure of an M&A transaction can have an impact on the rights in data if personal data is involved in the transaction. Thus, while conducting due diligence, statements and policies should be reviewed to confirm whether rights with respect to the data can be transferred or not.


1. Risks associated with the intellectual property of the target company-

Most companies with data-specific technology focus on building data analytics platforms and developing tools that are based on algorithms. When third-party data is used for this, the acquiring company should make sure that the target company has all the rights to use this data. The acquiring company should ensure that these rights were available to the target company in the past and will be available in the future.

The acquiring company should be sure about the patent rights of the target company. The most common issue with intellectual property rights in M&A transactions arises from involvement in open-source projects.

The following questions should be considered:

  • Has any claim been made for infringing intellectual property rights or any other rights of a third party?
  • What steps has the company taken to deal with the risk related to intellectual property rights?
  • Is there any claim for infringing the patent of a third party?
  • On which open-source software has the target company worked, and is it working on any at present?

2. Risk related to the cyber-security of the target company-

If the target company's data is the core of its business, then the acquiring company should focus on whether the company has faced any cyber-security threats in the past that resulted in the risk of exposure of personal and confidential information and, if it has, what steps the company took to deal with those threats.

3. To determine if the company has any current product liability and if there is any such risk how it is going to deal with it?

Concerns about product liability generally arise in relation to autonomous vehicles and other similar systems, digital health, wearables, fintech, etc. So, to mitigate the risk of product liability, the acquiring company should perform due diligence in the following areas:

  • Has the target company been sued in the past for bodily injury or property damage?
  • Is there any claim related to bodily injury or property damage that occurred due to a breach of privacy or security?
  • What will the target company do to track safety-related issues of the product?
  • Has the target company obtained indemnity against a third party for risks beyond the reasonable control of the company?
  • Has the target company properly informed its consumers of their duty towards maximizing cyber-security?
  • Review the insurance policies and general contracts that the target company has entered into for product liability.

4. What are issues related to the life cycle and risks associated with data-specific tech M&A transactions?

Before performing M&A, the acquiring company should have an understanding of how the target company manages the “life cycle” of transfer of ownership. There are various networks connected with the Internet of Things (IoT) for collecting, processing, and transmitting data to and from several devices. These networks once installed and turned on are difficult to deactivate without having an adverse impact on the consumer.


  1. Ensure that the target company has the right to process the data.
  2. Review the agreements entered into by the target company with third parties which can restrict the transfer.
  3. Determine whether the target company is following the regulatory compliances applicable to the company for collecting, processing, and sharing data.
  4. Ensure that the data that is being transferred to the acquiring company by the target company is not subject to any extra-contractual limitations.
  5. Ensure that due diligence has been performed by the experts on the key systems and processes of the target company to see if any security-related issues exist with data, network security, and other safety issues.
  6. Ensure to review if there have been any data breaches or cyber-security threats or if anything has been compromised and what steps the target company took to deal with this.
  7. Ensure that the target company is complying with all laws and regulations applicable to it.
  8. Make sure to draft the representation and warranty clause and indemnity clause if there are any past incidents related to the above-mentioned risks.
  9. Review the future plans of the target company for dealing with any cyber-security threat, if any arises.
  10. Draft “Representation and warranty clause” and “Indemnification clause” for privacy and data security.

Checklist for conducting due diligence

  1. Organizational chart
  2. Joint Venture (if any)
  3. Governing documents
  4. Authorized Jurisdiction
  5. Past transactions
  6. Related party transaction
  7. Management Bios
  8. Board Bios
  9. Capitalization table
  10. Equity issuances
  11. Options and convertible instruments
  12. Outstanding debt
  13. Pending litigation
  14. Encumbrances 
  15. All material contracts
  16. Sanctions
  17. Material regulations
  18. Compliance program
  19. Export control
  20. Regulatory violations
  21. Deeds
  22. Leases
  23. Purchase and sale agreement


M&A transactions involving data-specific technologies are increasing at a fast pace and are expanding the realm of economic activities. The chances of success of an M&A deal are higher when proper due diligence is done and protections are negotiated before entering into the transaction. The associated risk can be mitigated by taking advice from experts in the field. The most important clauses that can save an acquiring company from future compensation claims are the indemnification clause and the representation and warranty clause, which deal with any issues not disclosed to the acquiring company by the target company.


