Even before our most recent national election, candidate Joe Biden signaled a tougher regulatory climate on data privacy would be on the way should he prevail. But just as quickly as Biden was elected, hopes for a federal privacy law faded, no doubt in recognition of the daunting task of ushering privacy legislation through Congress. However, in an attempt to revive an initiative already on life support, the administration issued an executive order in July, cleverly linking data privacy with requirements to more closely scrutinize M&A activity.
The executive order implicitly recognizes that, in business, data is the most precious of assets. Corporations rely on consumer data for marketing, sales, and new product development. At the same time, recent European and U.S. state legislation indicate protecting personal information is a topic of widespread concern. Biden’s executive order acknowledges both the inherent value of consumer data and the importance of data privacy compliance requirements during mergers and acquisitions.
Beyond the usual scrutiny for anti-competitive market concentration, the new executive order specifically calls for strict oversight of M&A activity among big tech, expressing concern about“…the rise of the dominant Internet platforms, especially as they stem from serial mergers, the acquisition of nascent competitors…[and] the aggregation of data….”
Antitrust Inquiry + Data Privacy = Game Changed
U.S. federal laws still allow companies wide latitude when dealing with consumer data. We don’t address consumer data protection and privacy with the same rigor as many other countries. The EU has taken the lead in data privacy with the General Data Protection Regulation (GDPR), containing specific and wide-ranging protections for all European citizens. Similar protections have been enacted in some individual U.S. states, but federal legislation has stalled and appears to lack the support necessary to move forward any time soon.
The administration’s decision to take the regulatory route in lieu of legislation to address data privacy is a creative and strategic approach that has not been widely appreciated. Federal agencies, operating independently and executing administrative regulations promulgated by the administration, are much more likely to have success enforcing protection of consumer data, and will do so faster and with virtually no judicial oversight—and all without the messy process of federal legislation.
So far, the changes introduced in the executive order have not deterred businesses from forging ahead with M&A activity, albeit with greater scrutiny and increased workload for corporate legal teams and their advisors in pre-merger due diligence. It’s also likely that responding to second requests will become commensurately more demanding and complex.
Even before Biden’s executive order, the production burden for second requests in large M&A cases was massive. Reviews can involve tens of millions of documents from hundreds of custodians. Precise production candidacy guidelines must be strictly followed. Timelines can be aggressive and non-negotiable. Legal teams must ensure compliance with intricate international data transfer and production regulations, and U.S./EU cases must navigate differing requirements from both jurisdictions, simultaneously.
Compliance will now be even more burdensome. Regulators will likely ask for more information on every M&A proposal of substance and there will be significantly more data to be reviewed.
So how can legal teams brace themselves for these new challenges?
Double down on preparation, well before deciding to press “go” on a major transaction. Key areas to consider include:
- First, there’s staffing.: The labor market is tight and demand is particularly high for tech-savvy legal talent. Legal teams must manage staffing levels to retain a deep bench of qualified attorneys and ensure that data experts are ready to meet the increasing demands of M&A scrutiny.
- Next, technology will become even more critical to perform M&A due diligence accurately, on time, and on budget. Advanced analytics tools reduce the need for manual, linear review of documents and help manage increasing data volumes.
- Thirdly, external resources must be assessed at an early stage. Few organizations have the bandwidth to complete the huge amount of pre-M&A activity using in-house resources alone. New regulations will lead to a substantial uptick in demand for outside help. Any outside provider should be equipped to handle higher workloads and greater data volumes. There will be increased competition for the services of better firms. Forge those relationships now.
- Finally, keep abreast of evolving policies. Although organizations planning M&A activity are already bracing for more intense regulatory scrutiny, there remains uncertainty about how exactly that will play out. In the meantime, companies can help themselves by closely monitoring the activity of the Federal Trade Commission and the Department of Justice in new acquisitions. Additionally, organizations should be aware of subtle and evolving differences in data privacy and compliance rules among various regions and states, and be ready to proactively remediate or update their data-handling practices, from management and retention policies to security and compliance.
In summary, we should expect changes to M&A due diligence and enforcement of data privacy compliance to evolve quickly. Rather than waiting for stalled legislation to pass, the administration is relying on regulatory bodies to implement stricter data privacy and consumer rights protection. While this is arguably good news for those interested in preserving consumer data privacy, it will increase the burden on legal teams in advance of any M&A activity. As the situation unfolds, these teams will need skilled specialists to turn around discovery and responses to second requests within regulators’ deadlines.
Companies looking toward a merger or acquisition should be preparing now to update data governance practices and retention policies, assess staffing levels, check technology security capabilities, and determine the right mix of internal and external resources to meet the challenge of intensified regulatory scrutiny.