Data trends 2024
Chapter 7: Data deal trends
By Rachael Annear, Richard Bird, Brock Dahl, Theresa Ehlen, Tony Gregory and Annabelle Hamelin
IN BRIEF
Acquiring valuable datasets remains a top priority for businesses worldwide. Long-standing issues relating to data—such as data ownership and compliance with privacy laws—will continue to be important in M&A deals.
However, new challenges have also emerged, such as when a buyer is seeking to acquire artificial intelligence (AI) related assets. Additionally, recent developments in international data transfers often require consideration.
To navigate legal complexities and mitigate unknown risks, buyers must address specific legal issues associated with acquiring AI assets. This involves assessing potential target liabilities and risks, with a focus on AI inputs, the relevant AI system(s), AI outputs and evolving AI regulation.
With the increased public spotlight on AI, we’re also seeing even more AI and data deals and a new focus on data risks. While for many, the GDPR has become part of standard compliance due diligence, AI and data ownership have moved to the forefront of some buyers’ risk and benefit analysis. A lot of our clients are concerned whether they can actually make use of the data and the AI model and how to protect themselves against the risks in this area. Never have regulation, IP and reputation been so closely linked as we’re now experiencing with AI.
Theresa Ehlen
Partner
Below are some examples of the related legal risks buyers should cover in due diligence and address:
AI training often involves data that is protected by copyright and/or database rights, making the navigation of intellectual property (IP) rights a central consideration for buyers. Additionally, compliance with privacy laws—such as the UK or the EU’s General Data Protection Regulation (GDPR) or relevant US state laws, such as the California Consumer Privacy Act—is essential when AI applications involve personal data. For example, developing or using AI applications in compliance with the EU’s GDPR may require complying with information obligations towards data subjects.
Privacy compliance in the US and globally is becoming increasingly complex. A dozen US states have now completed legislative processes on comprehensive consumer privacy laws. China's landmark Personal Information Protection Law (PIPL) took effect in 2021, and India’s parliament also recently passed its long-awaited privacy law.
Determining copyright protection for AI outputs hinges on human intervention. Buyers must assess whether the AI system or the human operator can be considered the ‘author’ of the content. Patentability of AI inventions, including the AI system itself, should also be examined. However, the patentability of software is generally limited, and the debate continues over whether AI systems can be considered inventors under patent law.
Organisations must also ensure that the handling of AI outputs, and any decisions or actions taken in reliance on them, comply with other applicable laws such as those relating to privacy, consumer regulation and sector-specific laws (such as in financial services).
We are likely to see certain countries liberalise their existing IP and privacy regimes in order to make their jurisdictions more attractive for AI development and use. For example, the UK government is currently seeking to change existing laws regarding automated decision-making in relation to personal data, which may create new opportunities for businesses to use automated decision-making and AI in the UK.
Businesses are likely to encounter a range of approaches to the regulation of AI in different jurisdictions. For example, the upcoming AI Act in the EU, currently expected to be finalised by the end of 2023, adopts a prescriptive approach to the use of AI including obligations on providers relating to governance, transparency, accountability and fairness. On the other hand, the UK is not currently planning to introduce AI-specific regulations but has proposed a ‘pro-innovation’ framework based on certain overarching principles to govern the development and use of AI, which it is envisaged will be applied by existing regulators. For further details, please see chapter 1.
China has introduced several laws targeting specific types or applications of AI, including its ‘Interim Measures for the Management of Generative AI Services’, which entered into force in August 2023.
There will also be other existing laws that are applicable to AI, for example in relation to privacy, IP and product liability. Buyers will therefore need to consider a patchwork of overlapping legal regimes when assessing a target’s current and planned AI use.
Regarding liability, the EU’s proposed AI Liability Directive would make it easier for individuals to seek redress for AI-related damages if companies fail to provide sufficient documentation of their AI system’s robustness. Therefore, evaluating AI documentation as part of M&A due diligence is crucial to assessing potential litigation risks.
Statutory laws have not yet established comprehensive protection for data rights. Consequently, the target company’s approach to protecting data assets is pivotal. Buyers should identify business-critical data and evaluate its protection through:
Buyers will often want to ensure they can prevent:
In particular, attention should be paid to:
While cross-border data transfers have become increasingly challenging, for transatlantic M&A, 2023 represents something of a turning point. The European Commission’s adequacy decision for the EU-US Data Privacy Framework (the DPF) in July 2023, and the agreement between the US and UK governments on a UK extension to the DPF (the UK Extension), have the potential to better facilitate personal data transfers from the EU and UK to the US. Subject to detailed requirements of the respective regimes, reliance on the DPF and the UK Extension will be possible for M&A deals if the data importer is certified under the DPF or the UK Extension, eliminating the need for additional transfer instruments or measures.
However, because of uncertainty about potential legal challenges, many companies are continuing to rely on existing mechanisms (such as Standard Contractual Clauses (SCCs) for the EU, and International Data Transfer Agreements and the UK Addendum to the EU SCCs for the UK) for now. The DPF and UK Extension unfortunately will also not simplify data transfers from the EU/UK to countries other than the US.
On the other hand, China’s strict rules on cross-border data transfer continue to create headaches at all stages of an M&A transaction. These rules require specific notification to be given, and consent obtained, for a cross-border data transfer of personal data—with the notification to include the name and contact information of the overseas recipient, a rule that is incompatible with deal confidentiality during a diligence phase. The same requirement applies on a domestic transfer.
Depending on the volumes of data held by the target and being transferred out of China, a cross-border transfer of personal data will need to be supported by a standard contract (in a mandatory form) or to undergo an onerous and time-consuming government security assessment process, with an uncertain outcome. The standard contract itself needs to be filed with the government, along with a detailed impact assessment report.
These rules are leading to more aspects of diligence processes being conducted solely onshore in China and to very close attention being paid to redaction of personal particulars in disclosed materials. An additional layer of national security-type concerns will also arise when conducting diligence in sensitive sectors of the economy that may involve the new categories of ‘important data’ or ‘core data’ that are regulated by the Data Security Law.
(Source: Allianz Risk Barometer 2023 - Cyber incidents | AGCS)
Cybersecurity continues to be a significant issue for businesses. Organisations are processing increasing volumes of data, which elevates the risk of a data breach occurring in the context of a cyber attack. Where such an attack comes to light after an M&A transaction has completed, privacy regulators are increasingly willing to investigate the due diligence and post-closing steps taken by the buyer, and take enforcement action.
Shortcomings in this area can lead to unexpected material financial exposure, including review and remediation costs, regulatory fines, and potentially mass claims, as well as reputational damage. Therefore, it is important for buyers to properly identify, assess, and remediate cyber issues during and after M&A transactions.
A first step for buyers is to assess the risk profile associated with the target, in order to properly scope cyber and data due diligence. Enhanced due diligence is more likely to be required where the target:
Buyers should look to align their due diligence with areas of regulatory focus, such as relevant technical and organisational measures identified in regulatory guidance and decisions, which include:
Depending on the findings, a buyer might require the seller to remedy security issues before closing and/or seek indemnities in respect of regulatory fines and compensation claims for disclosed incidents.
The increasing pace of technology adoption and complexity of cybersecurity risks is making cyber diligence a fundamental component of transactional diligence. It is critical for companies to have frameworks for assessing and managing the associated risks.
Brock Dahl
Partner
Regulators are also likely to review what steps were taken post-closing to identify and remediate cyber issues. For example, if in-depth cyber and data due diligence was not possible before signing (eg, where the buyer and seller are competitors), then regulators will generally expect greater due diligence to take place after closing of the transaction.
Buyers will also need to ensure that the target complies with privacy laws post-closing. For example, under the UK and EU GDPRs this may include the data security principle when integrating the target’s IT systems and data, the data minimisation principle when deciding whether to retain all acquired data, and the transparency principle if the buyer wishes to use the target’s data for new purposes.
Companies face extremely varied and complex challenges while carrying out data-related transactions. Despite those challenges, investment and transactional operations relating to data remain very numerous.
Companies should, therefore, continue to prepare as far as possible to be able to tackle all issues likely to arise at every stage. While pursuing the ‘new gold’ of data, organisations should: