The Effects of the Invalidation of the EU-U.S. Privacy Shield Framework on ongoing M&A Transactions

Date 5 Aug. 2020

On 16 July 2020, the European Court of Justice declared the EU-U.S. Privacy Shield framework invalid in the Schrems II decision. This means that companies that have until now been using the Privacy Shield framework as the legal basis for the transfer of personal data from the EU to the US must as soon as possible find another legal basis for making such transfers in compliance with the General Data Protection Regulation (“GDPR”).


The decision will impact ongoing M&A transactions, as companies may have followed a certain practice and declared compliance in good faith, which has now been found to be incorrect. Some of the issues to which the decision has given rise from an M&A perspective are explained below.


What was the EU-U.S. Privacy Shield Framework?

The Privacy Shield framework was a legal basis for the transfer of personal data from companies in the EU to companies in the US in compliance with the requirements for processing of personal data under the GDPR. According to this framework, US companies could until recently become certified under the Privacy Shield framework by declaring that the company followed certain specific data protection requirements. The EU Commission had assessed that the framework followed the requirements set out in the GDPR. Thereby transfer of personal data from companies in the EU to companies certified under the Privacy Shield framework in the US could be done safely and without violating the regulation on transfer of data under the GDPR.


With the Schrems II decision, the European Court of Justice has invalidated the Privacy Shield framework without implementing any period of grace. Therefore, the decision requires prompt action from companies transferring data from the EU to the US, or companies in the US importing data from companies in the EU, if such transfer is based on the Privacy Shield framework.


During Due Diligence Process

If an M&A transaction is still in the due diligence process, it must be confirmed which legal basis the transfer of personal data is based on. As a consequence of the decision, transfer of personal data from the EU to the US is only legal if the transfer is legally based on either (i) consent from registered persons, or (ii) an agreement on transfer of personal data based on the standard contractual clauses of the EU Commission (“SCC”).


If the company subject to the M&A transaction (“Target”) is transferring or has been transferring personal data to the US based on the EU-U.S. Privacy Shield framework, it is necessary to examine whether the Target has taken any measures to change the legal basis of any such transfer of data to the US.


If the Target has previously transferred personal data to the US based on the Privacy Shield framework, this would in principle be a breach of the GDPR. However, as the Privacy Shield framework was implemented by the European Commission, we expect that the risk of fines being imposed by the data protection agencies in this regard will be low, considering that the companies have acted in good faith.


If the Target is still transferring personal data based on the Privacy Shield framework, this should be duly handled either before closing or through the representations and warranties, as such transfer constitutes a breach of the GDPR. Contrary to the above, we expect that the risk of fines being imposed on the company is significantly higher considering the lack of any grace period implemented in the decision made by the European Court of Justice.


If the Target transfers data to the US based on the European Commission’s SCCs, it should be examined further whether the Target has implemented sufficient security measures in addition to the SCCs in order to secure compliance with the GDPR, as this requirement was another conclusion from the Schrems II decision.


Deals that have already been signed

The Schrems II decision will also affect transactions that have been signed.


In most transactions the Target warrants that it has not been and is not processing personal data in violation of the GDPR.


Based on the Schrems II decision, the Target transferring data based on the Privacy Shield framework cannot guarantee or warrant that it is only processing data in compliance with the GDPR.


As regards guarantees already given by the Target, this means that these guarantees cannot be reconfirmed or verified. This must be handled by the parties as part of the transaction.


Where W&I insurance has been taken out, and where signing has been completed but closing remains to be completed, the W&I insurance will not cover breaches of guarantees which occur between signing and closing, unless a separate insurance for “New Breach Cover” has been taken out.


In transactions where closing has been completed, we expect insurance coverage to be unchanged, as the insurance coverage will only lapse if the breach has occurred due to a change in the law.



If you have questions or require further information about the above, please contact Partner Pernille Nørkær (pno@mwblaw.dk), Partner Tobias Bonde Frost (tbf@mwblaw.dk), or Junior Associate Sarah Veje Rasmussen (svr@mwblaw.dk).

 

The above does not constitute legal counselling and Moalem Weitemeyer Bendtsen does not warrant the accuracy of the information. With the above text, Moalem Weitemeyer Bendtsen has not assumed responsibility of any kind as a consequence of any reader’s use of the above as a basis for decision or considerations.