Data issues to consider in M&A transactions

November 17, 2021
4 minutes

A panel of Ropes & Gray lawyers - Ed Black (Partner in Technology, Media & Telecommunications), Kate Withers (Partner in Private Equity) and Robert Lister (Senior Associate in Data, Privacy & Cybersecurity) - discussed “The Consideration of Data Issues in Transactions” at Ropes & Gray’s recent digital conference, “The Future of Global Data Protection”.  

The panel covered seven critical issues, summarised below:

Migration of data from a liability to asset class

Traditionally considered a potential liability on the balance sheet, data is now a recognised separate asset class on the asset side of the balance sheet due to:

  • the massive uptick of computational power and Artificial Intelligence, which has made data more valuable;
  • the increased availability of data, as everything we do in life has transitioned to digital platforms;
  • the existence of standalone data licensing transactions that can produce discrete revenue streams; and
  • the ability of specialists to make standalone valuations attributable to data.

The separate valuation of data

If standalone valuations on data can be made, data can (i) increase the enterprise value reflected in the equity of a company, (ii) be used as collateral, or (iii) be bought and sold. The importance of data in transactions is evidenced by the increase in the number of:

  • data licensing transactions;
  • collateralisation of debt transactions;
  • entity formation and business plans devoted specifically to data; and
  • data reorganisations.

When investing in data-heavy businesses, key client concerns revolve around the data rights, the type of data involved and the manner of data collection.

In situations where valuable data is buried in subsidiaries within the group structure, companies must now consider the impact on credit agreements under which the data is collateralised, the existence of minority investors that may claim breach of fiduciary duties for unlawful transfers out of the entity controlling the data or the procurement of sufficient rights to transfer the data out of such entity.

Tax issues

Most taxable events are triggered by an actual event of transfer. In order to minimise such tax liabilities, the focus should be on providing access to the data, rather than transferring it. As a result, there has been a noticeable growth rate of data tax regulation, such as in California or France.

Is privacy solely an issue for the seller in an M&A transaction?

No, both the seller and prospective purchasers would need to take steps to comply with GDPR. The parties to the transaction should keep this in mind at all times throughout each stage of the transaction: from entering into an NDA; through due diligence; up to and from completion.

Share sale v asset sale

Different considerations apply depending on whether the transaction is a share or asset sale. Although due diligence is undoubtedly a critical phase, the parties need to ensure that the actual deal process itself doesn’t breach the GDPR. Otherwise in the share purchase scenario, a purchaser could end up with latent breaches in the target; or in an asset purchase scenario, the purchaser could end up with large volumes of personal data that it can’t process lawfully.

Disclosing personal data…

In a transaction process, the seller will have to ensure that the sharing of personal data with prospective purchasers – e.g. personal data relating to its employees, its customers and other third parties – is carried out lawfully in compliance with the GDPR. In practice, this means sellers should establish a legal basis for the sharing of personal data (typically their legitimate interests) and minimise the volume personal data disclosed as much as possible, possibly involving the redaction of documents and staggering the disclosure of personal data. 

In an auction process, this could mean limiting the amount of personal data disclosed about senior management and providing a higher volume of personal data as the transaction continues, with the highest volume and sensitivity of data not being disclosed until final bidder is chosen or exclusivity arrangements are entered into.


The post-completion changes need careful consideration well in advance. In a stock purchase scenario, the issue is slightly more straightforward as the identity of the ultimate controller doesn’t change. This means there is generally no need to update privacy notices or other public-facing documents unless, for example, the purchaser intends to implement changes within the target, involving the use of personal data for new or different purposes.

In those circumstances, this issue should be considered well in advance, as significant changes to processing activities may require updated privacy notices, as well as affirmative opt-in consents – this may be the case regarding any changes that data subjects wouldn’t reasonably expect or that are otherwise inconsistent with what they’ve been told previously. Requirements under the GDPR mean that consents have to be freely given and must also be revocable – this means that data subjects could easily withhold or later revoke their consents, which may potentially reduce the value in their data if the new activities were a key part of planned changes and forecasted revenue streams.

If you would like to access a  recording of the session, please visit our blog, RopesDataPhiles.