At the European level, the European Data Protection Board (EDPB) has released a statement on the processing of personal data in the context of the COVID-19 outbreak, and the European Commission has issued guidance on apps supporting the fight against the COVID-19 pandemic, to which the EDPB responded by letter. More guidance is expected in the near future. A number of takeaways from the guidance issued by these authorities are relevant to data protection due diligence in M&A projects:
- Processing of health data
The GDPR restricts the processing of health data, which is a special category of personal data (Article 9 GDPR) and may only be processed where one of the exceptions listed there applies. For example, a Dutch company may not, as a general rule, keep internal records of infected employees or perform medical checks on its employees or other persons, and should instead follow the guidelines of the National Institute for Public Health and the Environment (RIVM).
- Working from home: information security requirements
It should be determined whether the target’s teleworking arrangements ensure a level of security appropriate to the risk, as required by Article 32 GDPR (for example, access controls, encryption of data in transit and on portable devices, and rules on the use of private devices and consumer apps for company data). In addition, the target should perform sufficient diligence on external IT suppliers and ensure that adequate data processing agreements (Article 28 GDPR) are in place, as well as an international data transfer instrument if the supplier is located outside the European Economic Area. Furthermore, it is advisable to determine whether the target company has taken sufficient measures to prevent personal data breaches, and to detect any such breaches and notify them to the supervisory authority (within 72 hours of becoming aware of the breach, Article 33 GDPR) and, where the breach is likely to result in a high risk to them, to the data subjects (the persons whose personal data are involved) without undue delay (Article 34 GDPR). The DDPA’s overview of the privacy aspects of popular apps for video calls could be useful if the target company uses one of these apps.
- Coronavirus apps
The Dutch government is currently looking into the possibility of launching two coronavirus apps to help combat the spread of COVID-19. Such apps must comply with privacy requirements, including transparency, voluntary use (unless use is prescribed by law) and adequate security. The importance and necessity of these requirements are emphasised in the guidance published by the DDPA, the European Commission and the EDPB (as well as by the European Data Protection Supervisor, which advocates a pan-European approach to the COVID-19 pandemic). The DDPA will assess the privacy and security aspects of any apps proposed by the Dutch government. With respect to the seven apps on the government’s shortlist, the DDPA has issued a report stating that it had not yet received enough information to determine whether the data protection safeguards were adequate. Further guidance from the authorities is expected and developments should be followed closely. This issue could be particularly relevant in an M&A project that relates, for example, to a telecommunications company or an app developer, or if there are any indications that the target company is involved with coronavirus apps (e.g. in the testing or distribution phase).
- Ongoing investigations
It is also important to determine whether the DDPA has requested information from, or put questions to, the target company, e.g. in the course of an investigation, and whether a deadline is approaching. This last point may not be a major issue, however, as the DDPA has announced that it will extend deadlines where appropriate because of the coronavirus crisis.
If a company is not (fully) compliant with the applicable data protection legislation (such as the GDPR), it runs the risk of enforcement measures by the competent supervisory authorities. The DDPA can impose administrative fines of up to (i) EUR 20,000,000 or (ii) 4% of the total annual worldwide turnover (of the company’s group), whichever is greater, but under its current policy rules on fines (boetebeleidsregels) the amounts actually imposed will generally be lower. For instance, the unlawful processing of health data qualifies as a category IV breach of the GDPR under the policy rules. Category IV covers the most intrusive breaches and carries a fine ranging from EUR 450,000 to EUR 1,000,000, with the base fine set at EUR 725,000; depending on the circumstances, a higher fine may be imposed. Other risks of non-compliance with data protection laws include negative publicity, other administrative enforcement measures (such as an order subject to a penalty payment) and civil claims relating to data protection. These risks should be taken into account when drafting an SPA, in particular the warranties and indemnities sections.
The importance of proper data protection due diligence is underlined by a statement issued by the UK data protection authority (the Information Commissioner’s Office) announcing its intention to impose an administrative fine of GBP 99 million on Marriott International, Inc. following an investigation which revealed a failure to carry out sufficient data protection due diligence. The likelihood of the abovementioned risks materialising in the Netherlands could be limited given the more lenient approach adopted by the DDPA during the present crisis. At the same time, the DDPA has indicated that the coronavirus crisis should not be used as an excuse to throw privacy completely overboard and should not lead to a ‘big brother society’. Its chairman, Aleid Wolfsen, has expressed the view that ‘Privacy is very important. But during this crisis, fighting the virus and saving lives is the top priority’.