
Data Privacy Considerations in M&A Transactions in Hong Kong



Mar 23, 2023

In recent years, data privacy issues have become increasingly prominent in M&A deals due to growing public vigilance over personal data and new international data privacy regulations. However, such issues are sometimes overlooked, resulting in complications or delays when transactions are underway. Hence, companies need to pay greater attention to data privacy considerations when conducting M&A deals, ensuring that proper measures are taken to safeguard personal data in compliance with the data privacy regulations to which they are subject.

In this article, we discuss some common data privacy issues in M&A transactions in Hong Kong, and how these issues can be addressed or prevented by buyers and sellers in M&A transactions to minimise legal and transaction risks. 

 

Data user

Under the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO), a person, who either alone or jointly or in common with other persons, controls the collection, holding, processing or use of personal data in or from Hong Kong would be regarded as a data user, regardless of the materiality and volume of the personal data collected, held, processed or used by the data user, and would be subject to the PDPO’s requirements. 

Therefore, a company which collects any personal data from its customers, clients, employees, users or any other natural persons (e.g., their names or residential addresses) should comply with the PDPO and its data protection principles. 

 

Common PDPO-related issues in M&A transactions

Legal due diligence in M&A deals often entails a review of the use and collection of personal data by the target company so that the buyer can assess whether the target company has complied with the applicable requirements under the PDPO. With growing concerns about data protection, it is becoming more important for a potential buyer to assess the target company’s data privacy compliance at an early stage in the due diligence process.

Based on our experience, the following data privacy issues often occur in Hong Kong companies:

Inadequate policies or procedures on data protection and failure to inform data subjects

Under section 4 of the PDPO, a data user is required to comply with the data protection principles set out in Schedule 1 to the PDPO. Data protection principle 1 requires a data user to take all practicable steps to inform a data subject (i.e. a person from whom personal data is or is to be collected) of the following on or before collection of personal data:

(i) the purposes for which a data subject’s personal data is to be used;
(ii) the classes of persons to whom a data subject’s personal data may be transferred; 
(iii) a data subject’s rights to request access to his or her personal data and to request the correction of his or her personal data; and
(iv) the particulars of the individual responsible for handling the abovementioned data access or data correction requests made by a data subject.  

We have observed that a considerable number of Hong Kong companies were in breach of data protection principle 1. For instance, some companies had no privacy policy or statement at all, or no steps were taken to inform data subjects of the privacy policy or statement, or the policy or statement did not cover all of the information required under data protection principle 1.

Therefore, it is advisable for sellers and companies involved in a transaction to review their privacy policy and practice in advance where practicable, and identify and rectify any data privacy issue prior to conducting an M&A transaction. 

Transfer of the collected personal data without consent from a data subject 

Data protection principle 3 restricts the use of personal data for a new purpose unless the prescribed consent of a data subject is obtained. The “prescribed consent” of a data subject means the express consent of a data subject given voluntarily and which has not been withdrawn: section 2(3) of the PDPO. 

We have observed that a number of companies did not implement appropriate mechanisms to ensure that personal data is used in accordance with data protection principle 3. For instance, we encountered a case where a company obtained personal data from another company and subsequently transferred the personal data to a third company without any consent of the data subjects, resulting in the possible breach of data protection principle 3 by all three companies. 

Failure to comply with the requirements under the PDPO may result in a company being liable for civil damages, criminal prosecution, or other enforcement actions by the Privacy Commissioner for Personal Data (PCPD). Whilst a breach of a data protection principle per se is not a criminal offence, the PCPD may, pursuant to section 50 of the PDPO, serve an enforcement notice on a person directing a remedy of the relevant breach if the PCPD considers that the person has contravened any data protection principle. Any person who fails to comply with such an enforcement notice will be liable to a fine of HK$100,000 and imprisonment for 2 years.

 

Negotiating a sale and purchase agreement

In drafting a sale and purchase agreement, a buyer may wish to seek warranties relating to the target company’s data privacy practices, such as: 

(i) the target company’s compliance with the PDPO and any other applicable data privacy laws and regulations; 
(ii) no notice or allegation being received by the target company from any competent authority or individuals alleging a target company’s non-compliance with any applicable data protection laws including the PDPO; and 
(iii) the target company’s compliance with applicable data protection guidelines, regulations, industry standards, codes of practice or conduct, recommendations or other documents approved or issued by any government authority in relation to the PDPO. 

In case of any non-compliance or breach, buyers may factor in their due diligence findings in drafting and negotiating the transaction documents. For instance, a buyer may seek an indemnity from the seller in respect of the breach or negotiate an adjustment to the consideration.

 

Post-closing 

An M&A transaction may involve transfer and integration of personal data after completion. A buyer may wish to review and update the privacy policies of the target companies post-closing so that, for instance, suitable policies and measures are put in place to permit transfer of personal data within the relevant group entities and to safeguard personal data. 

Companies could also implement and strengthen security measures for transfer of personal data to ensure that they do not contravene the PDPO’s requirements. In case of cross-border transfer of personal data, it is worth noting that section 33 of the PDPO prohibits the transfer of personal data out of Hong Kong except in specified circumstances, but such provision has yet to come into effect. Nevertheless, the PCPD has issued guidance on recommended model contractual clauses for cross-border transfer of personal data. Any data user who intends to transfer personal data out of Hong Kong may consider adopting such model clauses.

 

Conclusion

In M&A transactions, data privacy compliance should be considered a material part of legal due diligence. Comprehensive legal due diligence could help buyers ensure that target companies are compliant with the PDPO and other applicable data privacy laws, and understand the risks associated with transfer of personal data. On the other hand, sellers should assess the impact of any potential data privacy issues on an M&A transaction so that they can conduct and conclude an M&A transaction swiftly.

In drafting a sale and purchase agreement, warranty clauses relating to target companies’ data privacy practices may be required to allocate and manage risk exposures. After closing, suitable PDPO-compliant policies may be put in place to permit transfer of personal data within relevant group entities as part of the post-closing business integration process. Such steps would help buyers and sellers avoid potential data privacy issues that could complicate or derail M&A transactions.

 

Pan Tsang and Min Sung

 

For specific advice on data privacy laws and related matters in Hong Kong, please contact:-
Pan Tsang | pan_tsang@robertsonshk.com | +852 2861 8487

Disclaimer: This publication is general in nature and is not intended to constitute legal advice. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.
