In the current market conditions, carve-out transactions are becoming increasingly common as companies look to divest noncore businesses and assets in order to restructure and focus on their core operations. This is due to many factors, including the need to improve profitability, reduce debt and focus on innovation. In these transactions, a portion of a company is sold to a buyer while the remaining portion continues to be held by the seller.
One of the key considerations in carve-out transactions is data sharing. In many cases, the carved-out business will need to continue to have access to data that the seller currently holds. This data could include sensitive customer information, financial data or intellectual property.
The sharing of data in a carve-out transaction can pose a number of risks, including:
- Data security risks: Buyers must ensure that any data received is secure and will not be misused. This includes taking steps to protect the data from unauthorized access, disclosure, modification or destruction.
- Compliance risks: Buyers must ensure compliance with all applicable data privacy and security laws and regulations. This includes laws and regulations in the countries where the data is located as well as laws and regulations in the countries where the buyer and seller are located.¹ This also includes an analysis of the seller’s own data privacy policies, including whether the seller reserved the right to disclose data in the event of the sale or transfer of a business.
- Litigation risks: Buyers may be exposed to liability if the data they receive is used in a way that violates the rights of third parties. This could include using the data to commit fraud, to violate the privacy of individuals or to receive the data in a manner that does not comply with contracts or other licensing agreements.
- Business disruption risks: If the data-sharing process is not properly managed and the data necessary to operate the carved-out business is not transferred or made available, it could disrupt the operations of both the seller and the buyer. This could impact the transaction and lead to lost revenue, increased costs and damage to the reputation of both companies.
In Stradley Ronon’s experience handling carve-out transactions, we have developed a list of factors for parties to carefully consider in order to mitigate risk as a transaction progresses:
- The nature of the data that will be shared, including where it resides, the infrastructure it operates on and how it may be associated with other bundled information (such as user accounts).
- The purpose(s) for which the data will be used.
- The contracts and licensing agreements that apply to the data.
- The security measures that will be put in place to protect the data.
- The applicable data privacy and security laws and regulations.
- The potential risks of litigation.
- The impact on the operations of both the seller and the buyer.
In previous carve-out transactions, we have also found it particularly important to carefully negotiate the terms of the data-sharing agreement, which should include provisions addressing the following issues:
- The scope of the data that will be shared.
- The scope of the data that will no longer be maintained by the seller.
- The purpose(s) for which the data can be used.
- The security measures that must be put in place to protect the data.
- The duration of the data-sharing agreement.
- The termination provisions.
- The dispute resolution process.
The number of carve-out transactions is expected to continue to increase in the near term. As a result, it is important for businesses to be aware of the risks of data sharing in these transactions and to take steps to mitigate those risks.
In addition to the factors mentioned above, there are several other considerations that should be taken into account in carve-out transactions involving data sharing. These include:
- The shared assets, systems and employees that may be used by the carved-out business. In some cases, the carved-out business may need to rely upon assets, systems and employees shared with the seller. This could pose a security risk, as the buyer may not have the same level of control over these aspects of the business, and post-closing transfer of data between buyer and seller may increase the likelihood of an inadvertent data breach. It is important to carefully consider the risks and benefits of such an arrangement before entering into an agreement.
- The tax implications of a data-sharing transaction. The data-sharing transaction could have tax implications for both the seller and the buyer. For example, the buyer may be required to pay taxes on the data it receives, or the seller may be required to withhold taxes on the data it shares. It is important to consult with a tax adviser to understand the tax implications of the transaction.
- The impact of data sharing on the competitive landscape. Data sharing could give the buyer an unfair advantage over its competitors. For example, if the buyer receives customer data from the seller, it could use this data to target its marketing campaigns more effectively. It is important to consider the impact of potential data sharing on the competitive landscape before agreeing to it.
Over and above these points, it is also important to consider the specific circumstances of the transaction. Ultimately, the factors that are most important will vary depending on the nature of the data that is being shared, the purpose for which the data is being shared and the laws and regulations that apply. By approaching each carve-out transaction carefully, considering the risks of data sharing and taking steps to mitigate those risks, parties to a carve-out transaction can protect their interests and ensure a smooth and successful transaction.
¹ Of particular note, the European Union’s (EU) General Data Protection Regulation (GDPR) applies to any entity that processes the personal data of EU citizens or residents or offers services to people who are EU citizens or residents. The GDPR applies even if the entity is not located within the EU and may impose significant fines for noncompliance. In the United States, the California Consumer Privacy Act and California Privacy Rights Act are the most likely to apply; however, there are nine other states with comprehensive privacy laws that are either in effect now or will go into effect over the next few years.
Meet the Authors
Peter Bogdasarian is a partner and Chair of the firm’s E-Discovery Team. He focuses his practice on general litigation matters and is a member of the firm’s securities litigation and enforcement and white-collar defense practice groups.
Evan Poulgrain concentrates his practice on corporate law, advising public and private and private companies in various corporate transactions, including mergers and acquisitions, divestitures, entity formation and corporate governance issues.