The Technology M&A Review: United Kingdom
A review of UK M&A transactions in the technology sector across 2019 elicits a paradox in the market: uncertainty around Brexit, increased regulatory scrutiny and indications that the government may (in keeping with global protectionist tendencies) follow more interventionist policies, have not as yet tempered appetite for dealmaking among private investors. A key driver for this trend is the often-cited deep pools of capital raised by asset managers focused on private markets, although a meaningful volume of strategic M&A shows that this is by no means the only force in play. Perhaps more significant is the capital raising by funds exclusively focused on the technology sector, the successful performance of assets in the sector relative to other sectors and the increased market perception that the technology sector provides some countercyclical ballast to downward trending market dynamics.
Despite widespread expectations of a downturn in the near term, the above trends have bolstered (or at least prolonged) the long run of the sellers' market. This was exacerbated following the first two quarters of 2020 as the impact of the covid-19 pandemic saw many sellers retreat from the market, resulting in a scarcity of desirable assets. Targets with resilient or countercyclical business models have become more prized than ever, and deep-pocketed investors are having to compete harder to acquire them.
Year in review
Technology companies in the UK attracted over £10.1 billion of investment in 2019, up 44 per cent on 2018, more than any other European country.2 Valuations remain buoyant, with eight companies attaining unicorn status (i.e., private companies with a valuation exceeding US$1 billion) in 2019. In terms of volume, just fewer than 300 M&A transactions in the technology sector were exchanged in the UK in 2019.3
One of the key levers for high valuations is the sheer amount of capital allocated to M&A, specifically in the technology sector, of which the UK market is one beneficiary among many. In the private capital sphere, the continued growth of global funds that are exclusively focused on technology has increased competition for assets across Europe. Ten years ago, none of the 10 largest buyout funds (by reference to capital raised) explicitly focused on any particular segment of the market, whereas by 2019, two of the top 10 focus exclusively on the technology sector. There are reasons to believe that this trend will continue: funds focused on technology generated internal rates of return that were 6 percentage points higher than sector agnostic funds in the past decade, and early indications are that assets in the technology sector are more resilient to the impact of covid-19 than those in other sectors.
Many of the most significant transactions concluded by financial sponsors across 2019 in the UK concerned technology assets, including:
- the partial divestment of Advanced from Vista Equity Partners to BC Partners;
- the take private of Sophos plc by Thoma Bravo;
- Summit Partners' sale of UK fleet telematics company, Masternaut, to Michelin; and
- Montagu's acquisition of Jane's Information Group from IHS Markit.
Take-private transactions, in particular, have proved strategically attractive to US dollar-denominated funds, owing to the comparative weakness of sterling since the UK Brexit referendum in 2016. Devaluation of the British currency has exacerbated a longer-set trend in the market: half of the companies taken private in the UK since 2009 have been technology stocks. One reason is pricing: across all sectors, publicly listed targets in the UK fetched EV4 to EBITDA5 multiples of 9.2x, compared to 14.2x for their private counterparts,6 as public assets are not as prone to having their prices inflated by bidding wars at auction. As a result, over the past few years, several assets in the technology sector have been listed by their private equity owners and subsequently taken private by another financial sponsor within a short space of time. Examples include Sophos, Inmarsat, BDA Marketplace, WorldPay and Paysafe (the latter two delisted within 12 months of coming to market).
The above trends have not been driven exclusively by financial investors. Several of the largest global corporates have unprecedented financial firepower to fuel strategic acquisitions. (Microsoft, Alphabet, Apple, Amazon and Facebook currently have aggregated cash reserves amounting to US$471 billion.7) While not as prolific in terms of volume as financial sponsors, transactions involving corporates across 2019 were marked by acquisitions by US buyers, including:
- Microsoft's acquisition of jClarity;
- HP's acquisition of OneFlow Systems;
- Broadcom's acquisition of Argon Design;
- Keysight Technologies, Inc's acquisition of Eggplant from The Carlyle Group;
- Nvidia's acquisition of Arm (yet to close); and
- Amazon's minority investment in Deliveroo.
As competition for technology assets in the UK remains intense, sellers (especially financial sponsors in the context of a secondary sale) have sought to maximise the value of their portfolio companies by divestment via competitive auction. While such processes were generally put on hold following the impact of covid-19 in Q2 2020, many were reignited in Q3. Bidders at such auctions have been prepared to pay hefty multiples for desirable assets with countercyclical business models, particularly on account of the dearth of availability of quality assets across all asset classes following the impact of covid-19. As such, a seller-friendly market that was widely perceived as 'frothy' has become more so as far as desirable assets are concerned, acknowledging that, in the current conditions, many sellers have not sought to bring assets to market if the sector has been adversely impacted by covid-19.
Legal and regulatory framework
i Merger control
EU merger control
Although the UK formally left the European Union on 31 January 2020, under the UK–EU Withdrawal Agreement, the UK will continue to be subject to EU law until the end of the transition period on 31 December 2020. As such, acquisitions involving companies in the UK that meet the merger control thresholds set out in the European Merger Regulation continue to be subject the European Commission's jurisdiction until the end of the transition period. From 1 January 2021, major transactions will be subject to review by both the European Commission and the UK's Competition and Markets Authority (CMA). This was not possible before that date under the EU's one-stop shop principle of merger control jurisdiction (EU jurisdiction excludes Member State jurisdiction).
The European Commission has taken a progressively more conservative approach to merger regulation over the past five years, an attitude that has also been replicated among certain national regulators across the EU. The direction of antitrust policy at both the EU and national level speaks to a cross-fertilisation of ideas between regulators globally and common approaches to handling market developments.
Rethinking digital markets
Several regulators have commissioned reports into market behaviours in the digital economy as they wrestle with whether long-held tests that underpin their jurisdiction (including market share) remain appropriate as the economy develops. A particular focus is whether merger control needs to be rethought to take account of access to sensitive data. A recent example of such nervousness is the European Commission's referral of Google's proposed acquisition of Fitbit to Phase II. Fitbit collects a significant amount of data on its customers: Google would not only acquire the data sets as part of the transaction, but also the technology to develop databases used by Fitbit, which may lead to a strengthening of its position in the digital advertising market (in which the European Commission preliminarily considers it to be dominant or at least to have a strong market position). It will be for Google to offer a remedy that addresses the European Commission's concerns without diminishing the inherent value of the transaction.
The European Commission published a report by three academics considering how antitrust policy might change to promote consumer innovation in digital markets.8 Similarly, the CMA commissioned the Furman Review to focus on online platforms and digital advertising (see further below).
Focusing on smaller transactions
As well as re-examining market share tests, regulators are also looking at whether existing notification thresholds are appropriate for M&A, specifically within the technology sector. Margarethe Vestager, the EU's Commissioner responsible for competition, highlighted 'killer acquisitions' (involving circumstances where a large digital business may block innovation by purchasing a technology startup to kill off its market offering) as a particular cause for concern, and whether such acquisitions that do not meet merger control thresholds should be reviewed. Certain regulators have already responded to this issue: Austria and Germany have adopted a transaction value threshold test that requires certain transactions to be notified where a target business does not meet the usual thresholds based on worldwide and domestic revenues but still has some business presence in the country concerned. On the other side of the Atlantic, the Federal Trade Commission announced that it plans to examine past acquisitions made by the largest technology corporates to re-examine purchases dating back to the beginning of 2010 that did not undergo scrutiny from the federal government under the Hart-Scott-Rodino Act.
The question remains as to whether the European Commission will introduce new rules to avail itself of more extensive powers to control the behaviour of large technology enterprises (particularly, those that may exploit collation of personal data), or reinterpret existing regulations to fit the digital economy. Ms Vestager, in her capacity as Executive Vice-President of the European Commission for a Europe Fit for the Digital Age and responsible for the European Commission's competition portfolio, has indicated that the European Commission will pursue a bolder agenda over the next five years, including with regard to merger control of technology businesses.
UK merger control
As mentioned above, until the end of the transition period, the UK merger control regime will only apply to transactions where the European Commission does not have jurisdiction. It remains to be seen how the CMA and European Commission will manage transactions bridging the transition period. For example, it is unclear whether the CMA would take jurisdiction over a transaction that was notifiable to the European Commission but has not been closed before the end of the transition period on 31 December 2020. As noted above, for new transactions, after 31 December 2020, both the European Commission and the CMA may potentially have concurrent jurisdiction over a transaction, depending on whether their respective thresholds have been met.
In March 2018, the government published a report on a reform of the competition rules and regulation in the digital sector known as the Furman Review, to examine whether the existing antitrust regulations are inadequate for protecting consumers in the UK from the harmful effects that digital mergers may have on future competition.
The report suggested four main reforms, which are yet to be implemented:
- creation of a Digital Markets Unit with powers to more effectively regulate the conduct of powerful digital enterprises;
- adapting merger control rules to give the CMA more expansive powers to prevent digital mergers and killer transactions;
- strengthening of the CMA's enforcement powers; and
- launching a market study into the digital advertising market.
Following the publication of the Furman Review, the CMA conducted a Phase II investigation of Paypal's proposed US$2.2 billion acquisition of iZettle amid concerns that the transaction may have been conceived as a killer transaction. The Phase II review comprised a survey of over 6,000 customers, and a detailed analysis of internal documents relating to PayPal's motives for the acquisition. Although the transaction was ultimately cleared, the referral itself is evidence that reforms proposed by the Furman Review are being seriously considered for the regulation of digital markets.
In 2016, the government proposed a new regime to scrutinise foreign investment into the UK on grounds of national security. In July 2018, the Department for Business, Energy and Industrial Strategy published a white paper setting out proposals for a new national security and investment control regime which will give the government much broader powers to scrutinise M&A transactions on grounds of national security.
Under the proposed legislation, parties to a transaction falling within its scope will be required to notify the government of any trigger events, which will capture a broad range of investments into UK companies that might give rise to security concerns. This will allow the government to intervene in a wide range of transactions. At the forefront of the government's concerns are businesses that are involved in the production of military or dual-use technology, artificial intelligence, machine learning, cryptographic technology, nuclear technology or core infrastructure services. Transactions that are not notified to the government may nonetheless be called in for scrutiny if the government has grounds to suspect that they may have an impact on national security.
The new national security regime is expected to be enacted by Parliament in Q4 2020, following which the government expects to be notified of up to 200 transactions per year, with up to 50 anticipated to require some form of intervention from the CMA.
Similar to developments in antitrust regulation, the changes proposed by the white paper represent a level of common thinking between regulators, and the central concerns are similar to recent reforms implemented by the Committee on Foreign Investment in the United States in the US and regulators in Germany. An increasingly interventionist approach (albeit under the current regime) was signalled in 2018, when the Secretary of State issued a public interest notification in respect of the take private of Inmarsat plc by a consortium of financial sponsors. The transaction was ultimately cleared on the condition of undertakings offered to the Secretary of State by the consortium.
Key transactional issues
i Company structures
Acquisitions are almost without exception executed by limited companies, regardless of the operational sector of a target business.
ii Deal structures
Acquisitions of non-listed targets are invariably structured by way of a share sale, unless the assets of a target business are not housed within a discrete corporate wrapper. In the latter case, an asset purchase agreement or a share and asset purchase agreement would be used to memorialise the legal terms.
Public takeovers in the UK may be implemented either by way of a contractual offer or a court-sanctioned scheme of arrangement. The key difference is the acceptance criteria to attain control of the target:
- for an offer, a bidder must secure acceptances from shareholders holding more than 50 per cent of the voting rights in the target in order for the offer to become unconditional. If the bidder also wishes to acquire shares held by non-accepting shareholders, it must have acquired or unconditionally agreed to acquire 90 per cent of the shares and 90 per cent of the voting rights in the target to which the offer relates (and so excluding any shares a bidder already owns) in order to take advantage of the squeeze-out regime under the Companies Act 2006; and
- in the case of a scheme of arrangement, once the bidder has secured approval of 75 per cent of each class of shares in the target (and a majority by number of shareholders), other shareholders will be compelled to sell their shares under the scheme, provided it is approved by the court.
Approximately 65 per cent of successful takeovers in 2019 were implemented by way of a scheme of arrangement, which represents a continuation of a preference for that structure among bidders over the previous five years.
iii Acquisition agreement terms
Consideration and pricing structure
Private acquisitions in the European market have increasingly been structured by way of a locked box pricing mechanism over the past 10 years, as opposed to the post-completion true-up mechanic that is preferred in the US. The central tenets of a locked box structure are:
- pricing is negotiated by reference to a historic (usually unaudited) balance sheet prepared by the seller (the locked box accounts). It is usual for the locked box accounts to pre-date an exchange by a few months (no more than six);
- a 'ticker' accrues on the equity value of the target business between the locked box accounts date and completion, which is intended to reflect the cash generation of the business in that period (and could therefore theoretically be positive or negative);
- the key buyer protection is an indemnity given by the seller or sellers for any extraction of value from the target business between the locked box accounts date to completion, referred to as a 'leakage' covenant; and
- certain items (for example, payment of vendor due diligence costs by the target) will be carved out of the leakage covenant as permitted leakage. It is customary for buyers to quantify such items and deduct them from the enterprise value as debt-like items.
Market practice in the UK has developed such that only mandatory regulatory clearances are accepted as conditions to closing. Unlike in the US, the risk of financial deterioration in a target business effectively passes to the buyer at exchange; material adverse change provisions (or similar) are incredibly rare. This norm has not been affected by the advent of covid-19, notwithstanding possible uncertainty around the future performance of targets.
The risk of satisfying any antitrust or foreign direct investment conditions customarily sits with buyers. It is common for buyers to be held to a hell or high water standard for satisfaction of such conditions in a sale contract. This requires buyers to take any and all steps to satisfy any conditions, including offering or accepting any remedies necessary to obtain approval (which, significantly, requires accepting the divestment of other assets in their portfolio).
Break fees, which are triggered by a failure to satisfy conditions to closing, are used more sparingly than in the US market, with UK sellers preferring to satisfy themselves as to execution certainty by conducting due diligence of the buyer's regulatory analysis and incorporating a hell or high water standard in the sale contract. Where they are included, care is required in drafting to ensure that the break fee would not be classified as a penalty clause, which would be unenforceable under English law to the extent that they are not proportionate to protect the legitimate interests of the beneficiary (in this case, the seller).9 It is therefore not uncommon, on private acquisitions, for sellers to prefer an indemnity for deal costs if conditions are not satisfied.
In the context of public M&A, break fees are classified as an offer-related arrangement under the Takeover Code and are prohibited as between a bidder and a target without the consent of the Panel (the regulatory body) on the basis that they may deter other bidders from making an offer. Panel consent, in practice, is rarely (if ever) given.
The UK market has developed such that financial sponsors do not provide warranty protection other than in respect of fundamental warranties (capacity and title). Operational warranties and any tax indemnity are usually provided by a target's management team, with recourse fully or partially supported by a warranties and indemnity (W&I) policy. Strategic sellers usually agree to stand behind operational warranties and a tax covenant, although the use of W&I is becoming more prevalent on competitive disposals by corporates.
Operational warranties are usually subject to a host of contractual limitations, most significantly:
- time limitations on claims (between 12 and 24 months post completion);
- financial limitations on claims, including:
- an exclusion of any claim below a de minimis amount (often equal to 0.1 per cent EV); and
- no liability for the warrantor until claims not excluded under the de minimis limitation reach a threshold (often equal to 1 per cent EV), although the buyer is usually entitled to recover from £1 once the threshold is exceeded;
- a maximum financial cap for the warrantor; and
- the exclusion of any claim to the extent the matters or facts giving rise to the claim are disclosed in a disclosure letter or data room, subject to meeting a fair disclosure standard, which can either be circumscribed contractually or by reference to the common law position.
Fundamental warranties are not subject to such limitations, other than (possibly) a time limitation on claims and a financial cap not exceeding the consideration payable to the warrantor.
The W&I market in the UK has grown over the past 10 years to the extent that operational warranties are almost invariably supported by a buy-side W&I policy on an auction sale. Underwriting is a granular process, with insurers seeking comfort in the quality and scope of diligence conducted by a buyer. As a matter of principle, identified risks are excluded from coverage (unless specialist insurance is sought), and underwriters also customarily exclude certain other baskets of claims (including transfer pricing, secondary tax liabilities, environmental issues and consequential loss). In the context of a target in the technology sector, it is essential that the buyer's due diligence is appropriately focused on issues that customarily arise in respect of such businesses (see Section VII).
Sellers in private M&A transactions across Europe (both in competitive and proprietary transactions) usually require evidence of certain funds at exchange. This requirement originated in public M&A transactions (as a requirement of the Takeover Code), but has since been applied to private transactions as well. In the context of equity financing, financial sponsors structured as funds usually provide an equity commitment letter undertaking to fund the purchaser vehicle on completion. Sellers will either have direct or third-party rights to enforce obligations given by the funds in that letter. To the extent it is using debt financing, a buyer will need to ensure that the financial institutions providing the financing are committed to do so at exchange, with any conditions precedent limited to matters that are within the buyer's control. This has allowed buyers to avoid having to ask for a financing condition in their purchase agreement, and means that they can equate their certain funds cash-funding position as being on a par with that of competitive offers that are financed by only equity.
Debt financing providers will typically require security as a condition to the credit facilities and covenants to ensure that the assets material to the target business are not divested. The negotiation of a security package will be deal-specific; however, where the target business is a technology asset that has intellectual property (IP) material to its business, lenders will typically require security over such IP. Over the past few years, as inexpensive credit has become widely available as a result of low interest rates, there have been a series of high-profile examples of borrowers taking advantage of certain flexibilities in their credit agreements to dispose of their valuable intangible assets (such as IP) or to use such assets as collateral for new borrowings, or both. Towards the end of 2019, as credit markets tightened and moved away from such borrower-friendly norms, lenders became increasingly focused on including restrictions on the transfer or disposal of material IP outside of the restricted security group.10
v Tax and accounting
The government has introduced a new digital services tax (DST) that applies to revenue earned from 1 April 2020. Broadly, the DST will impose tax on businesses that exceed the annual thresholds at a rate of 2 per cent in respect of revenue that is attributable to UK users and arises in connection with certain in-scope digital activities.
A group will be liable to DST when its annual worldwide revenue from digital services activities exceeds £500 million and more than £25 million of such revenue is attributable to UK users. Broadly, the in-scope digital activities are social media services, internet search engines and online marketplaces.
The policy intention behind the new legislation is to address changes to the way that businesses are operating. Many of the targeted businesses that operate in the digital economy derive value from their interaction and engagement with a user base, and there is a misalignment between the place where profits are taxed and the place where value is created. The government believes that the most sustainable long-term solution is the reform of the international corporate tax rules. It intends to repeal the DST once an appropriate global solution is in place. However, achieving global consensus in relation to a tax that has been the subject matter of international criticism and debate, especially in the current political and economic climate, will no doubt be a difficult and drawn-out task. As such, it is critical that businesses become familiar with the DST, as despite its supposed temporary nature, it might be in place for longer than expected.
The DST only applies to revenue that is attributable to UK users. A UK user is defined as any user (an individual or legal person) that it is reasonable to assume is normally located or established in the UK. However, a provider of a digital service activity, any member of the same group as that provider and any employee of that group (provided they are acting in a professional capacity) are excluded from being considered a UK user.
Businesses that are potentially affected by the DST should undertake a review of their activities and determine whether they are within the scope of the DST. In addition, it is up to businesses themselves to make a judgement as to whether a user is a UK user. The legislation does not specify what is an acceptable source of evidence. However, the most commonly collated information comprises the following: a user's IP address, payment details and delivery details. Businesses should also continue to be aware of their GDPR responsibilities. The DST does not require businesses to collect additional personal data from their customers, and the obligation to ensure that personal data is being collected and processed in a lawful manner continues to rest on businesses themselves.
From a compliance perspective, although a DST liability is calculated on a group-wide basis, primary liability falls on the individual members of the group. As such, the group revenue will need to be allocated to each individual group member in relation to their proportion of the UK digital services-generated revenue. A group must designate an entity to be its responsible member, and it is such entity who will, going forward, be responsible for carrying out reporting and other obligations.
vi Management incentivisation
Incentivisation of a management team post-acquisition remains a key issue in M&A, especially in competitive auction processes where a substantial rollover by management is anticipated. Financial sponsors customarily grant senior managers 'sweet equity' in the acquired business, which has limited value on day one (and can therefore be subscribed for at a low valuation) but will participate economically in an exit if the business continues to grow. Participation is usually by reference to a ratchet mechanism or hurdle that is linked to the financial performance of an asset. Corporates tend to offer less bespoke schemes that are linked to the performance of an overall business, not just the asset acquired. They are sometimes also able to offer publicly listed equity as part of executive compensation, which is likely to result in a more immediate realisation of value for the participant when compared to illiquid equity in a privately held vehicle.
IP is self-evidently a critical area of focus in M&A transactions in the technology sector. UK IP law is formed of national legislation, European legislation and international conventions and treaties, such as the WIPO Copyright Treaty and, subject to the foregoing, will remain largely unaffected by Brexit. Prior to the end of the transition period, an application could be made to register, for example, an EU trademark whereby the registrant would select Member States (including the UK) for protection. Following the end of the transition period, this will no longer cover the UK (as it ceases to be a Member State) and instead, to ensure protection both in the EU and the UK, separate registrations will be required. However, the UK Intellectual Property Office (UK IPO) has confirmed that it will convert all existing EU trademarks and designs to comparable UK rights at the end of the transition period.11
It is common that several forms of IP are relevant to some degree in technology-related transactions. In comparison to targets in other sectors, it is likely that IP rights will be of greater integral value to the business, and it is therefore prudent for buyers to undertake a more thorough due diligence exercise that focuses on whether the relevant rights vest in the target business, or whether it otherwise has valid rights to use such IP. Fundamentally, this involves confirming:
- the scope of the target's IP based on its business function;
- proprietary ownership of such IP or the right to use the relevant IP for the purpose required; and
- an absence of disputes and infringements relating to core IP.
A key distinction in UK IP law is between registrable rights and unregistered rights. While unregistered rights are capable of vesting in their owner absolutely, proving title to such IP rights, for example as part of any enforcement proceeding or a due diligence process, can be more challenging in comparison to registered rights. Significantly, and as discussed in the context of several high profile transactions in the software subsector, copyright in source code to proprietary software is not registrable. For such businesses, it is crucial that buyers satisfy themselves that such IP is owned by the target and avail themselves of sufficient contractual protections to elicit disclosure of any issues with respect to the creation and ownership of such rights.
Another issue that has become increasingly important in software acquisitions is open source software or open source code (OSS), particularly where the products or services of a target business incorporate OSS. Where the target uses OSS, certain areas of diligence should be considered as a matter of course, namely:
- identifying the OSS used, the licences governing the use of the OSS and how the OSS is exploited by the target;
- whether the use of the OSS is in accordance with the OSS licence; and
- whether the OSS licence and the use of the OSS poses any risks to the operation of the technology, or may do so in the future, with copyleft licence issues being the prime example in this instance.
Without a specialist with expertise in the relevant technology, such an analysis of OSS, particularly with respect to how it is actually used in practice, can prove challenging, so it is essential that appropriate contractual protections with respect to OSS usage and compliance with OSS licences are included in the transaction documents.
Another area that rose to greater prominence during 2019 is artificial intelligence (AI). Significantly, the nature of the IP rights that arise in respect of AI is heavily debated. For example, it is currently unclear whether AI as a concept is patentable. According the European Patent Office, and followed by the UK IPO, AI computational models and algorithms are excluded from patentability unless they amount to a computer program having a further technical effect, which is said to be an effect going beyond the normal physical interactions between the program and the computer on which it is run.12 This is arguably a high threshold to meet. IP protection of AI is also debated on the basis AI is in a constant state of evolution, which leads to the question of whether the AI can in fact be protected at all given that it is continually changing. While copyright may subsist in the source code underlying the algorithm used in the AI, the majority of businesses would likely prefer to file for patent protection, if possible, on account of being able to attain public registration of their rights.
The data protection regime in the UK is governed primarily by the European General Data Protection Regulation (GDPR).13 The GDPR was implemented to regulate the now-apparent mass processing of personal data being undertaken globally. While the GDPR applies to all industries, it is commonly regarded as targeting the technology sector, and therefore compliance is usually a key consideration during diligence. In the UK, the GDPR is supplemented by the Data Protection Act 2018, which operates as the implementing legislation enacting and, where permitted, amending the GDPR to comply with UK national laws.
The GDPR has extraterritorial effect, applying both to businesses in the EU and UK processing personal data of individuals (located either within or outside the EU and UK), and to businesses outside the EU and UK if they satisfy certain conditions, namely that they either offer goods or services to EU or UK data subjects or they monitor EU or UK data subjects.14 An online retailer selling goods to individuals in the EU and UK is a common example of a business located outside the EU and UK that is subject to the GDPR.
Personal data is information that identifies an individual, such as a name, email address, photo or location. From a transactional perspective, the most common categories of individuals whose data is processed are employees, business-to-consumer (B2C) customers (e.g., a user of a mobile app) and individuals whose data is provided by a business-to-business (B2B) customer to the target business to perform the target business's service (e.g. a B2B customer provides its employee personal data to a cloud storage provider for storage). The GDPR does not differentiate with respect to volumes of personal data processed or the size of the relevant business, meaning it applies equally to global tech giants processing millions of pieces of data daily and to small to medium-sized enterprises processing only employee data. Therefore, the GDPR captures a broad array of businesses globally, not least the larger US technology corporates.
The GDPR is an EU regulation, meaning it has direct effect in all EU Member States; therefore, following the end of the transition period, the GDPR will no longer be applicable in the UK. The UK's data protection regulator, the Information Commissioner's Office, has confirmed however that an almost identical version of the GDPR will be enacted in the UK, meaning the existing obligations on businesses operating in the UK with respect to personal data will largely remain unchanged.15 However, any business operating both within the EU and UK, or otherwise processing data in both the EU and UK (for example, an EU-based entity using a service provider in the UK) will be affected by Brexit, and therefore the implementation of Brexit planning has been a key consideration in transactions over recent years.
The most significant effect of Brexit from a data protection perspective is in respect of international data transfers (discussed further below). In short, the GDPR does not permit transfers of personal data to countries outside the EU (known as third countries) unless the receiving country is subject to an adequacy decision or certain measures are put in place. Following Brexit, the UK will be considered a third country, meaning personal data cannot be transferred from the EU to the UK without complying with the international transfer obligations of the GDPR. By their very nature, technology businesses are known for having substantial global data flows, and therefore must take into account the effects of Brexit on international data transfers. Other areas of the GDPR affected by Brexit include the UK currently being the lead supervisory authority, the group data protection officer being appointed in UK, and for those businesses based in the UK but operating in the EU, the EU representative requirements. As noted above, the effects of Brexit on the application of the GDPR, and particularly how any mitigating actions have been implemented, has been a key consideration in tech transactions in recent years.
Generally speaking, more personal data is processed by technology companies, and therefore compliance with data protection laws is of greater concern. This is particularly the case when a business is B2C, such as an app, or if not B2C, where the product or service of a business otherwise involves the processing of high volumes of personal data, such as a data analytics service provider. Several considerations are key to technology-related transactions, including:
- the proficiency of data protection impact assessments undertaken by a business with respect to its data processing activities;16
- the sufficiency and appropriateness of the lawful grounds relied upon by the business to undertake its processing activities;17
- consideration of any personal data breaches suffered (as discussed further below); and
- compliance with data protection by design and default principles, particularly with respect to products or services that involve high-risk or high-volume processing of personal data.18
Personal data is processed in the context of almost any transaction, particularly during the due diligence stage where information, including personal data, is shared between a seller and purchaser: the names of employees in senior roles, for example, or the name of an ex-employee currently party to litigation with the target. Since the implementation of the GDPR, whether such personal data should be shared has been debated, with some taking an extremely conservative approach that could result in no personal data being shared, even if it is arguably critical to a transaction. Several provisions of the GDPR are applicable here and, applied pragmatically, allow for the sharing of personal data to the extent required for transactional due diligence, for example Article 6, which states that to process any personal data, including sharing it, a business must have a lawful basis to do so.19 There are specific lawful bases provided that could be considered on a transaction-to-transaction basis in this respect.
i International transfers
As noted above, transfers of personal data to third countries are not permitted unless the receiving country is subject to an adequacy decision by the European Commission or certain measures are put in place. The GDPR provides an exhaustive list of such measures, which include entry into standard contractual clauses and the approval of binding corporate rules.20 On 16 July 2020, the Court of Justice of the European Union (CJEU) published a decision21 that has had a significant impact on the transfer of personal data to third countries. Following a complaint to the Irish Data Protection Authority which led to litigation at the Irish High Court, a preliminary ruling was referred to the CJEU that, in summary, asked the CJEU to confirm whether each of the EU–US Privacy Shield22 and the standard contractual clauses for the transfer of personal data to processors established in third countries (SCCs) were valid. The CJEU declared the SCCs valid but Privacy Shield invalid. In this first instance, this has a huge impact on businesses and any transfers of personal data to the US that were relying on the Privacy Shield: since the date of the decision, businesses doing so were no longer compliant with the GDPR with respect to international transfers, and were required to implement one of the prescribed measures as an alternative.
To further complicate the matter, while the SCCs were declared valid, the CJEU stated that to rely on the SCCs, the exporting business must ensure there is an adequate level of protection for personal data in the importing jurisdiction. The CJEU noted that the exporting organisation could implement additional safeguards to ensure this level of protection, but did not detail what the safeguards could be. Therefore, organisations relying on the SCCs, or those wishing to do so, need to undertake an analysis as to whether there is an adequate level of protection for personal data in the importing jurisdiction.
Currently, there are significant outstanding questions with respect to applying the decision. Regulators and relevant bodies such as the European Data Protection Board and the Department of Commerce are in the process of considering the decision in order to guide and advise companies on how to transfer personal data lawfully. It is expected that new SCCs will be released during the course of 2020: the preparation of such has been known for some time, as the existing SCCs pre-date the GDPR. There is also discussion of potentially a new form of Privacy Shield being agreed, but this has not been confirmed.
As noted above, tech businesses generally have a substantial global data flow system, meaning many will be affected by this decision. From a transactional perspective, it will be important to analyse steps taken to address the decision.
Confirming IP ownership of the relevant technology is arguably one of the most important actions required in the acquisition of a technology business. IP can be registered or unregistered, with the former being simpler to identify and confirm ownership of related rights, in most cases, particularly where the relevant registration is accessible via a public register. Unregistered IP is however more difficult to identify and confirm proprietary ownership of. A business can attain ownership of IP through several means, including: creation by an employee or third party developer, or through a merger with or acquisition of an entity which owns the IP. In the context of copyright to source code underlying proprietary software, the default position under English law is that copyright developed by an employee during the course of his or her employment automatically vests in the employer. However, given that this analysis does not apply to all IP rights, it is prudent for employers to include an assignment of all IP developed by the employee to the employer. This is even more essential in the context of a third party developer, otherwise the IP will not vest in the contractor. The existence and drafting of such assignment provisions are invariably a key point to confirm in due diligence. With respect to acquired IP, the acquisition documents are a key source, for example the relevant share purchase agreement and any assignment agreements.
In technology-related transactions, IP licensing is a greater concern, and therefore thorough due diligence is required into all third parties, including customers and service providers, that are granted licences or rights, or both, to use the tech IP. A key issue that can arise in IP licensing is when the licence granted is not suitable, whether this be, for example, because it is too wide. The drafting of the scope of a licence should align with the services provided to the end user, and should not permit the user to exploit the IP beyond that permission. Another issue that regularly arises in this context is when there is disparity in the licences granted, usually if customer contracts are negotiated, meaning monitoring and regulating customer usage can become extremely difficult.
Market practice in the UK has developed such that parties to an M&A transaction submit to the jurisdiction of the English courts rather than arbitration. The English courts generally recognise and permit the enforcement of foreign judgments, but the procedure for enforcement varies depending on whether the source of a judgment is from an EU or European Free Trade Association country, a Commonwealth country or a Hague Convention country, or from a country not included in the foregoing (under the common law regime).
As noted above, the onset of covid-19 in 2020 led to many sellers retreating from the M&A market, especially in sectors that have been adversely affected by the pandemic. Technology remains an attractive sector for investors as it is widely perceived as countercyclical and resilient to the market turmoil caused by covid-19. For this reason, competition for technology assets will remain intense for the foreseeable future, and valuations for desirable assets will remain high. In terms of the key legal developments:
- regulatory scrutiny of technology transactions will intensify as conservative governments pursue more conservative agendas. The scope of transactions that will require notification will only broaden, and bidders will need to factor further approvals into their bid timetable and assessment of execution certainty;
- scrutiny will focus intently on technology assets as authorities grapple with how to effectively regulate the digital economy, particularly the processing of valuable data;
- as technology businesses retain the spotlight for their economic success, governments will continue to assess whether they are being regulated effectively, particularly with regard to corporate taxation; and
- IP protections will progressively be challenged to move forward in response to the continuously altering nature of rights that require protection (particularly in comparison to other property classes).
1 Anu Balasubramanian and Sarah Pearce are partners and Jamie Holdoway and Ashley Webber are associates at Paul Hastings LLP.
2 Tech Nation Report 2020.
3 According to data provided by The Deal LLC.
4 Enterprise value.
5 Earnings before interest, taxes, depreciation and amortisation.
6 Source: PitchBook.
7 S&P Capital IQ, May 2020.
8 Competition Policy for the Digital Era, a report by Jacques Crémer, Yves-Alexandre de Montjoye and Heike Schweitzer.
9 As most recently determined in Cavendish v. Makdessi; ParkingEye v. Beavis  UKSC 67.
10 See, for example, Covenant Review: Revisiting the Trapdoor: Five Lessons Learned from J Crew, 27 February 2019.
13 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
14 GDPR Article 3(2).
16 GDPR Article 35.
17 GDPR Article 6.
18 GDPR Article 25.
19 GDPR Article 6.
20 GDPR Article 46.
21 Case C-311/18 Data Protection Commissioner v. Facebook Ireland and Maximillian Schrem.
22 The Privacy Shield is a form of adequacy decision whereby personal data can be transferred to organisations in the US that are certified compliant with the Privacy Shield principles.