UK ICO issues major fines and criticises lack of data protection due diligence in corporate acquisitions

The UK Information Commissioner's Office announced more than £280 million of fines last week, in connection with data protection breaches. It singled out the perceived failure of buyers to conduct proper data protection due diligence in corporate acquisitions as a major factor in enforcement proceedings.

Enforcement of the General Data Protection Regulation ("GDPR") began more than a year ago, and Data Protection Authorities ("DPAs") across the EU are now beginning to issue significant fines for non-compliance. Failure to comply with the GDPR can result in regulatory investigations, fines, and damages claims, all of which could undermine trust and confidence among consumers and investors. DPAs have the power to issue fines of up to €20 million or 4% of annual global turnover (whichever is greater) for each breach of the GDPR. It is now clear that European DPAs are willing to make use of this power to impose significant financial penalties.

The UK DPA, the Information Commissioner's Office ("ICO"), issued two notices last week, setting out its intention to issue fines of £99 million and £183 million to companies in the leisure and transport industries for alleged GDPR non-compliance. The ICO's enforcement actions come a few months after the French DPA issued a similarly significant €50 million fine against a technology company, also for alleged breaches of the GDPR.

The ICO has singled out data protection due diligence as a core area in which companies need to take greater responsibility. In its most recent statement relating to these fines, the ICO said:

"The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition... Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn't happen, we will not hesitate to take strong action when necessary to protect the rights of the public."

In any corporate acquisition, the buyer almost always inherits any unlawful data processing activities in which the target is engaged – irrespective of whether the acquisition is a share purchase or an asset purchase. This is because unlawful data processing activities (e.g., processing personal data without the proper security; transferring personal data without valid transfer mechanisms; etc.) are almost always part of the business activities of the target. While the transaction structure may protect the buyer against unlawful processing that took place prior to closing, it is unlikely to protect the buyer against unlawful processing that continues after the buyer takes ownership of the target. If the target is processing personal data unlawfully, then the buyer needs to identify that unlawful processing in due diligence, and ensure that it is rectified – ideally by the seller before completion or, if that is not possible, as part of the buyer's post-completion work. Since almost every target processes personal data of one sort or another (even if only in relation to its own employees) buyers need to at least consider this issue in almost every corporate acquisition.

If proper data protection due diligence is not carried out, and unlawful processing goes undetected as a result, then both the target and the buyer are at risk of enforcement. Importantly, Article 83 of the GDPR is open-ended as to exactly which entities can receive a fine in the event of unlawful processing. However, Article 83 allows the court to calculate the quantum of any such fine on the basis of the turnover of the relevant "undertaking" – a term that has its roots in EU competition law, and can potentially include an entire corporate group. As a result, it is more important than ever for buyers to be aware of the risk of inheriting the unlawful data processing activities of targets in corporate acquisitions, and ensure that thorough data protection due diligence is conducted, in order to avoid the financial and reputational damage that can result from GDPR enforcement actions.


This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2019 White & Case LLP