In its Schrems II judgement of 16 July 2020, the Court of Justice of the European Union (CJEU) invalidated the European Commission’s adequacy decision on the EU-U.S. Privacy Shield. The EU-U.S. Privacy Shield was a data transfer mechanism allowing the transfer of personal data from the European Union (EU)/European Economic Area (EEA) to the United States (a so-called third country) in compliance with data protection requirements. The CJEU confirmed that standard contractual clauses (SCCs) remain valid, but subject to certain conditions.
How does Schrems II impact M&A transactions?
Data, including personal data, have become an important asset, but also a risk factor, in M&A transactions. M&A transactions very often entail the cross-border transfer of personal data (whether employee, customer or supplier data). For example, the disclosure to the potential purchaser may be cross-border, or the provider of the data room may be located in a third country. The Schrems II judgement, which affects international data transfer mechanisms, also impacts most M&A transactions. Structuring a sell-side auction process and setting up/populating a data room entails various pitfalls that can conflict with data protection laws, possibly triggering liabilities on the side of the parties involved in the transaction. In case of a breach of the GDPR, sanctions and reputational damage could affect the parties to the transaction but also the advisors.
How can such cross-border transfers take place?
SCCs will often be the appropriate transfer tool in the transactional lifecycle. The CJEU concluded that the SCCs remain valid, but data exporters may need to supplement the SCCs with additional measures to ensure compliance with the level of protection required under EU law in a particular third country.
As a result of the judgement, data exporters relying on SCCs are required to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data in the third country, if the law of the third country ensures a level of protection of the personal data transferred that is essentially equivalent to that guaranteed in the EU/EEA.
The CJEU also set out the possibility for exporters to add supplementary measures to the SCCs to ensure effective compliance with that level of protection where this appears required. The nature and scope of such supplementary measures were, however, unclear.
How best to address this (in M&A transactions)?
On November 11, 2020, the European Data Protection Board (EDPB) published its recommendations on supplementary measures. The EDPB sets out a six-step plan that organizations should follow before transferring personal data from the EU/EEA to a third country.
The recommendations contain a roadmap of the steps data exporters must take to find out if they need to put in place supplementary measures to be able to transfer data outside the EU/EEA, and help them identify those that could be effective. To assist data exporters, the recommendations also contain a non-exhaustive list of examples of supplementary measures and some of the conditions they would require to be effective.
- Technical measures: E.g. encryption, pseudonymisation and split processing.
- Contractual measures: E.g. requiring the importer to use specific technical safeguarding measures, providing transparency reports, enhanced audit rights or commitments to notify the exporter continually that it has not received a government access request.
- Organisational measures: E.g. governance policies for transfers with clearly defined responsibilities.
In those cases where no supplementary measure appears suitable to bring the level of protection of the data transferred to a level essentially equivalent to that in the EU/EEA, the data exporter must avoid, suspend or terminate the transfer to avoid compromising the level of protection of the personal data.
Parties to an M&A transaction that implies cross-border data transfers will, therefore, have to carefully assess and ensure, where necessary by implementing supplementary measures to the SCCs, that personal data transferred as part of the transaction remain subject to a level of protection essentially equivalent to that in the EU/EEA. Unfortunately, the recommendations of the EDPB remain somewhat theoretical. This only demonstrates the high complexity of cross-border transfers, including in the M&A context, and that there is no one-size-fits-all solution. Solutions based on case-by-case assessments are required, which is not always compatible with the typically fast-paced environment of M&A transactions.