Given many entities’ proactive compliance with the provisions of the Protection of Personal Information Act despite it not being enforceable, companies should be considering the impact of POPI (or data privacy laws with wide reach) when they carry out due diligence investigations. Depending on the nature of the transaction, the due diligence process can involve the sharing of large volumes of personal information with a prospective buyer.
To the extent that a target company shares personal information with the prospective buyer which is not necessary to carry out the prospective buyer’s due diligence investigation, the target company risks breaching individual privacy rights should a data breach occur, with consequences such as legal action brought against the company on the basis of the constitutional right to privacy. The target company also risks reputational harm should a data breach occur. Despite POPI not being in force, the Information Regulator has taken a stance on monitoring companies’ compliance with POPI, even though its office has no legal powers to enforce such compliance. In some cases, the Information Regulator has publicly criticised a company for non-compliance with POPI and general data privacy considerations. The Information Regulator also issued guidelines imploring voluntary compliance with POPI during COVID-19.
Although POPI is not yet in full force, target companies should be aware of their risk of non-compliance with all data protection laws applicable to the processing of personal information during a due diligence investigation. For example, the EU General Data Protection Regulation 2018 (GDPR) may be applicable. The GDPR empowers EU data protection regulators to impose hefty fines on companies, even those located outside the EU. Personal information under the POPI definition is any information which relates to or identifies a living individual or juristic person (called a data subject). The inclusion of juristic entities as data subjects distinguishes POPI from many other data protection laws (like the GDPR). Where POPI applies, this is a relevant consideration in the context of a due diligence investigation, since the due diligence documents may reveal personal information relating to both natural and juristic persons. Examples of data subjects in the due diligence process commonly include employees, clients, customers and suppliers.
Data minimisation is an important principle recognised under privacy laws. This means that personal information can be processed if, given the purpose for which it is processed, it is adequate, relevant and not excessive.
The type of personal information that can be disclosed ultimately depends on the transaction itself. Generally speaking, the target company should be guided by questions like whether the prospective buyer needs to know the full details of each employee (such as their individual income, employment history or trade union affiliations). If the prospective buyer does not need to know the identity of the target company’s employees, clients or customers, the personal information should be anonymised or de-identified in a way that renders it impossible to identify the particular data subject. This will then push all processing activities in respect of the due diligence documents outside the scope of POPI.
Another point to consider is whether every person in the due diligence team needs to have access to all of the personal information, or whether such access can be restricted to those people who actually have to know the information for due diligence purposes.
The following suggestions are examples of practical measures that the target company and the prospective buyer should implement in order to mitigate any reputational or commercial harm or adverse legal consequences that may arise in the event of a data breach or other compromise to personal information shared during the due diligence process:
- Data sharing agreement. The non-disclosure agreement that must be in place between the parties should also set out the lawful basis for the sharing of any personal information. The agreement should cover the types of personal information to be shared, what specific personal information is to be shared, the purpose for which the personal information is to be used, and what each party’s responsibilities are under any applicable data protection laws and to each other. It is advisable that the agreement requires a party that causes a data breach to indemnify the other party against any losses caused by the breach (for example regulator fines or third party damages claims). The agreement should also impose an obligation on each party to ensure that access to the documents is limited to only those members of each party’s due diligence team who need to know the information.
- Secure platform. Through what mechanism will the due diligence documents be shared with the prospective buyer? We commonly see due diligence documents being shared via encrypted emails or via a virtual data room (VDR) which gives password-controlled access to uploaded documents. Should the prospective buyer be responsible for the VDR, the target company must ensure that the data sharing agreement imposes watertight obligations on the prospective buyer to ensure the security and integrity of the VDR and to prevent any compromise of personal information contained in it. The target company may also consider other measures to mitigate the risk of a data breach, such as redaction. This can be a lengthy exercise, depending on the means of redaction. There are currently AI tools on the market that redact personal information, but the reliability of such tools should be interrogated by the target company before and while relying on them.
- Contractual obligations to notify data subjects. There are no specific exemptions in data privacy law for the processing of personal information for purposes relating to due diligences and corporate transactions, not even in special circumstances like business rescue transactions. This means that, to the extent that personal information relating to data subjects other than the target company (for example, its employees, clients or suppliers) is to be disclosed to the prospective buyer, the target company should consider whether it has contractual obligations to notify particular data subjects. Parties that have chosen to voluntarily comply with POPI should also take care that their privacy policies and employee policies do not restrict disclosure of personal information in these circumstances.