The Technology M&A Review: United Kingdom

Overview

In-keeping with broader trends in UK M&A, following a hiatus in deal activity in Q2 2020 as sponsors and corporates consolidated their portfolio positions following the onset of the covid-19 pandemic, H2 2020 was a story of pronounced activity in the UK market as sponsors in particular drove record-breaking levels of activity. Several factors underpinned this resurgence: (1) a strong sellers' market preceding the pandemic returned after what proved to be a temporary dislocation; (2) the sheer level of capital raised by buy-out funds prompted many sellers to bring assets back to market in Q3 and drove further consolidation across Q4 as managers sought to put capital to work; (3) ultra-low interest rates, continued quantitative easing by central banks and a willingness in the debt markets to fund transactions complemented availability of proprietary capital. The role of credit funds (which were not significant participants in the debt markets during the global financial crisis) cannot be understated in this respect; and (4) a prevailing view that certain sectors would recover swiftly from the effects of the pandemic and therefore represent attractive investment opportunities.

Year in review

Activity in the technology sector kick-started the resurgence in M&A deal count across H2 2020. The sector generally demonstrated resilience to the economic effects of the pandemic and certain subsectors (particularly those connected with e-commerce and healthcare) were in fact primed to take advantage of prevailing conditions.

As a result, competition for assets has been intense and valuation multiples continue to inflate. Review of the data across the year suggests that multiples are at or near record highs. The prevailing view among advisers is that buyers at such valuation levels will need to generate more value to achieve a return that meets their investment thesis. Many market participants have tacitly accepted that multiple expansion is unlikely over the course of their hold period for assets acquired over the last 12 months. Many are therefore looking to how they can leverage revenue expansion, either organically, or through targeting bolt-on M&A. The latter is hardly a new phenomenon and there are several examples of buy-and-build strategies that have been executed successfully. However, many sponsors have taken a more sophisticated approach to execution, identifying bolt-on targets and acquiring them (or at least agreeing to acquire them) before consummating a platform acquisition. Such strategies have been perceived as a key differentiating factor by sell-side management teams at auctions and have also allowed investment committees at financial sponsors on the acquisition side to approve higher valuations on the basis that a concrete strategy for future revenue accretion has already been identified.

In terms of scale, by far the largest acquisitions of 2020 were consummated by strategic buyers, with the 'mega deals' of S&P Global's acquisition of IHS Markit and Nvidia's bid for chipmaker ARM (which is currently subject to an investigation by the Competition and Markets Authority (CMA)) standing out in terms of value. However, 2020 was also punctuated by foreign strategic buyers seeking value by purchasing smaller assets and integrating them with existing products and operations, including: (1) Microsoft's acquisition of Robotic Process Automation; (2) Civica's announced acquisition of Agylia; and (3) Cisco's acquisition of IMImobile. Private equity sponsors also continue to remain very active participants in the market and were particularly prolific in terms of deal volume, including: (1) Montagu's acquisition of Capita; (2) Francisco Partners and Sequoia Capital's sale of Metaswitch Networks to Microsoft; and (3) Levine Leichtman Capital Partners' acquisition of BigHand.

Take-private transactions, in particular, have proved strategically attractive to US dollar-denominated funds or US-based corporates, owing to the comparative weakness of sterling since the UK Brexit referendum in 2016. Devaluation of the British currency has exacerbated a longer-set trend in the market: half of the companies taken private in the UK since 2009 have been technology stocks. One reason is pricing: across all sectors, publicly listed targets in the UK fetched EV2 to EBITDA3 multiples of 9.2×, compared to 14.2× for their private counterparts,4 as public assets are not as prone to having their prices inflated by bidding wars at auction. As 2020 progressed, the number of takeover offers for UK-listed targets began to increase as sponsors perceived greater value in such transactions, including: (1) Clayton, Dubilier & Rice's acquisition of Huntsworth plc; (2) Toscafund Asset Management's bid for TalkTalk Telecom Group plc; and (3) Electronic Art Inc's takeover of Codemasters Group.

As competition for technology assets in the UK remains intense, sellers (especially financial sponsors in the context of a secondary sale) have sought to maximise the value of their portfolio companies by divestment via competitive auction. While such processes were generally put on hold following the impact of covid-19 in Q2 2020, many were reignited in Q3. Bidders at such auctions have been prepared to pay hefty multiples for desirable assets with countercyclical business models, particularly on account of the dearth of availability of quality assets across all asset classes following the impact of the pandemic. In particular, certain sub-sectors within technology have seen increased activity, with certain sponsors seeking to deploy increasingly specialist teams within their organisation. General software and cybersecurity have seen the greatest density of transactions by reference to deal count, increasing their share within the sector (currently at over 60 per cent) from 2019. As such, a seller-friendly market that was widely perceived as 'frothy' has become more so, acknowledging that, in the current conditions, many sellers have not sought to bring assets to market if the sector has been adversely impacted by the pandemic.

Legal and regulatory framework

Merger control

EU merger control

Although the UK formally left the European Union on 31 January 2020, under the UK–EU Withdrawal Agreement, the UK was subject to European Union (EU) law until the end of the transition period on 31 December 2020. From 1 January 2021, major transactions may be subject to review by both the EU Commission and the CMA. This was not possible before that date under the EU's 'one stop shop' principle of merger control jurisdiction (EU jurisdiction excludes Member State jurisdiction).

The EU Commission has taken a progressively more conservative approach to merger regulation over the past five years, an attitude that has also been replicated among certain national regulators across the EU. The direction of antitrust policy at both the EU and national level speaks to a cross-fertilisation of ideas between regulators globally and common approaches to handling market developments.

Rethinking digital markets

Several regulators have commissioned reports into market behaviours in the digital economy as they wrestle with whether long-held tests that underpin their jurisdiction (including market share) remain appropriate as the economy develops. A particular focus is whether merger control needs to be rethought to take account of access to sensitive data. A recent example of such concern was the EU Commission's referral of Google's acquisition of Fitbit to Phase II in-depth investigation. Fitbit collects a significant amount of data on its customers: Google offered remedies to address the EU Commission's concerns, and notably agreed not to use health and wellness data collected by Fitbit for Google Ads, and store Fitbit data in a sepcific 'data silo'.

The EU Commission recently published a report by three academics considering how antitrust policy might change to promote consumer innovation in digital markets.5 Similarly, the CMA commissioned the Furman Review to focus on online platforms and digital advertising.

Focusing on smaller transactions

As well as re-examining market share tests, regulators are also looking at whether existing notification thresholds are appropriate for M&A, specifically within the technology sector. Margarethe Vestager, the EU's Commissioner responsible for competition, highlighted 'killer acquisitions' (involving circumstances where a large digital business may block innovation by purchasing a technology startup to kill off its market offering) as a particular cause for concern, and whether such acquisitions that do not meet merger control thresholds should be reviewed. Certain regulators have already responded to this issue: Austria and Germany have adopted a transaction value threshold test that requires certain transactions to be notified where a target business does not meet the usual thresholds based on worldwide and domestic revenues but still has some business presence in the country concerned and the value of the transaction, worldwide, exceeds a certain threshold. In addition, the EU Commission has announced the introduction of policy changes in 2021 that allow national regulators to refer transactions to the EU Commission where national revenue thresholds are not met but the merger causes concern in the relevant market. This new approach to use legal means to control transactions that do not meet control thresholds has been introduced with particular reference to transactions in the technology and pharma sectors and has been used already, notably to refer the Facebook/Kustomer transaction to the EU Commission (review is ongoing).

The question remains as to whether the EU Commission will introduce new rules to avail itself of more extensive powers to control the behaviour of large technology enterprises (particularly those that may exploit collation of personal data), or reinterpret existing regulations to fit the digital economy. Ms Vestager, in her capacity as Executive Vice-President of the European Commission for a Europe Fit for the Digital Age and responsible for the European Commission's competition portfolio, has indicated that the European Commission will pursue a bolder agenda over the next five years, including with regard to merger control of technology businesses.

UK merger control

The CMA now has jurisdiction to review mergers alongside the EU Commission (as it will not be excluded under the 'one stop shop' principle). The CMA reviewed more than 600 transactions during the period 1 April 2020 to 31 March 2021, taking advantage of the flexibility of the 'share of supply' jurisdictional test (25 per cent of the share of supply of a good or service in the UK or substantial part thereof). Updated guidance by the CMA suggests that it may decide not to investigate transactions where remedies imposed or agreed in other jurisdictions would likely address any UK competition concerns, but it is also clear that the UK authorities envisage the CMA playing a more active role in merger control review (and have expanded its manpower for this purpose).

National security

In 2016, the government proposed a new regime to scrutinise foreign investment into the UK on grounds of national security. In July 2018, the Department for Business, Energy and Industrial Strategy published a white paper setting out proposals for a new national security and investment control regime that will give the government much broader powers to scrutinise M&A transactions on grounds of national security.

Under the proposed legislation, parties to a transaction falling within its scope may be mandatorily required to notify the government of any trigger events, which will capture a broad range of investments into UK companies that might give rise to security concerns. This will allow the government to intervene in a wide range of transactions. At the forefront of the government's concerns are businesses that are involved in the production of military or dual-use technology, artificial intelligence, machine learning, cryptographic technology, nuclear technology or core infrastructure services. Transactions that are not notified to the government may nonetheless be called in for scrutiny if the government has grounds to suspect that they may have an impact on national security.

The National Security and Investment Bill was introduced in November 2020 and confirmed that mandatory notification would be required in certain sensitive sectors, with suspensory effect. However, there were two aspects of the bill that were not anticipated and are arguably more draconian: (1) once passed into law, the new rules would apply retroactively from the date the bill was introduced, meaning that that practitioners were required to assess whether transactions were notifiable before the law (let alone any guidance) was introduced; and (2) the UK government can 'call in' transactions that were not subject to mandatory notification up to five years post-closing and have the authority to declare a transaction void.

Similar to developments in antitrust regulation, the changes proposed by the white paper represent a level of common thinking between regulators, and the central concerns are similar to recent reforms implemented by the Committee on Foreign Investment in the United States in the US and regulators in Germany. An increasingly interventionist approach (albeit under the current regime) was signalled in 2018, when the Secretary of State issued a public interest notification in respect of the take private of Inmarsat plc by a consortium of financial sponsors. The transaction was ultimately cleared on the condition of undertakings offered to the Secretary of State by the consortium.

Key transactional issues

i Company structures

Acquisitions are almost without exception executed by limited companies, regardless of the operational sector of a target business.

ii Deal structures

Private M&A

Acquisitions of non-listed targets are invariably structured by way of a share sale, unless the assets of a target business are not housed within a discrete corporate wrapper. In the latter case, an asset purchase agreement or a share and asset purchase agreement would be used to memorialise the legal terms.

Public M&A

Public takeovers in the UK may be implemented either by way of a contractual offer or a court-sanctioned scheme of arrangement. The key difference is the acceptance criteria to attain control of the target:

  1. for an offer, a bidder must secure acceptances from shareholders holding more than 50 per cent of the voting rights in the target in order for the offer to become unconditional. If the bidder also wishes to acquire shares held by non-accepting shareholders, it must have acquired or unconditionally agreed to acquire 90 per cent of the shares and 90 per cent of the voting rights in the target to which the offer relates (and so excluding any shares a bidder already owns) to take advantage of the squeeze-out regime under the Companies Act 2006; and
  2. in the case of a scheme of arrangement, once the bidder has secured approval of 75 per cent of each class of shares in the target (and a majority by number of shareholders), other shareholders will be compelled to sell their shares under the scheme, provided it is approved by the court.

Approximately 65 per cent of successful takeovers in 2019 were implemented by way of a scheme of arrangement, which represents a continuation of a preference for that structure among bidders over the previous five years.

iii Acquisition agreement terms

Consideration and pricing structure

Private acquisitions in the European market have increasingly been structured by way of a locked box pricing mechanism over the past 10 years, as opposed to the post-completion true-up mechanic that is preferred in the US. The central tenets of a locked box structure are:

  1. pricing is negotiated by reference to a historic (usually unaudited) balance sheet prepared by the seller (the locked box accounts). It is usual for the locked box accounts to pre-date an exchange by a few months (no more than six);
  2. a 'ticker' accrues on the equity value of the target business between the locked box accounts date and completion, which is intended to reflect the cash generation of the business in that period (and could therefore theoretically be positive or negative);
  3. the key buyer protection is an indemnity given by the seller or sellers for any extraction of value from the target business between the locked box accounts date to completion, referred to as a 'leakage' covenant; and
  4. certain items (for example, payment of vendor due diligence costs by the target) will be carved out of the leakage covenant as permitted leakage. It is customary for buyers to quantify such items and deduct them from the enterprise value as debt-like items.

Transaction certainty

Market practice in the UK has developed such that only mandatory regulatory clearances are accepted as conditions to closing. Unlike in the US, the risk of financial deterioration in a target business effectively passes to the buyer at exchange; material adverse change provisions (or similar) are incredibly rare. This norm has not been affected by the advent of covid-19, notwithstanding possible uncertainty around the future performance of targets.

The risk of satisfying any antitrust or foreign direct investment conditions customarily sits with buyers. It is common for buyers to be held to a 'hell or high water' standard for satisfaction of such conditions in a sale contract. This requires buyers to take any and all steps to satisfy any conditions, including offering or accepting any remedies necessary to obtain approval (which, significantly, requires accepting the divestment of other assets in their portfolio).

Break fees, which are triggered by a failure to satisfy conditions to closing, are used more sparingly than in the US market, with UK sellers preferring to satisfy themselves as to execution certainty by conducting due diligence of the buyer's regulatory analysis and incorporating a 'hell or high water' standard in the sale contract. Where they are included, care is required in drafting to ensure that the break fee would not be classified as a penalty clause, which would be unenforceable under English law to the extent that they are not proportionate to protect the legitimate interests of the beneficiary (in this case, the seller).6 It is therefore not uncommon, on private acquisitions, for sellers to prefer an indemnity for deal costs if conditions are not satisfied.

In the context of public M&A, break fees are classified as an offer-related arrangement under the Takeover Code and are prohibited as between a bidder and a target without the consent of the Panel (the regulatory body) on the basis that they may deter other bidders from making an offer. Panel consent, in practice, is rarely (if ever) given.

Warranties

The UK market has developed such that financial sponsors do not provide warranty protection other than in respect of fundamental warranties (capacity and title). Operational warranties and any tax indemnity are usually provided by a target's management team, with recourse fully or partially supported by a warranties and indemnity (W&I) policy. Strategic sellers usually agree to stand behind operational warranties and a tax covenant, although the use of W&I is becoming more prevalent on competitive disposals by corporates.

Operational warranties are usually subject to a host of contractual limitations, most significantly:

  1. time limitations on claims (between 12 and 24 months post completion);
  2. financial limitations on claims, including:
    • an exclusion of any claim below a de minimis amount (often equal to 0.1 per cent EV); and
    • no liability for the warrantor until claims not excluded under the de minimis limitation reach a threshold (often equal to 1 per cent EV), although the buyer is usually entitled to recover from £1 once the threshold is exceeded;
  3. a maximum financial cap for the warrantor; and
  4. the exclusion of any claim to the extent the matters or facts giving rise to the claim are disclosed in a disclosure letter or data room, subject to meeting a fair disclosure standard, which can either be circumscribed contractually or by reference to the common law position.

Fundamental warranties are not subject to such limitations, other than (possibly) a time limitation on claims and a financial cap not exceeding the consideration payable to the warrantor.

The W&I market in the UK has grown over the past 10 years to the extent that operational warranties are almost invariably supported by a buy-side W&I policy on an auction sale. Underwriting is a granular process, with insurers seeking comfort in the quality and scope of diligence conducted by a buyer. As a matter of principle, identified risks are excluded from coverage (unless specialist insurance is sought), and underwriters also customarily exclude certain other baskets of claims (including transfer pricing, secondary tax liabilities, environmental issues and consequential loss). In the context of a target in the technology sector, it is essential that the buyer's due diligence is appropriately focused on issues that customarily arise in respect of such businesses (see Section VII).

iv Financing

Sellers in private M&A transactions across Europe (both in competitive and proprietary transactions) usually require evidence of certain funds at exchange. This requirement originated in public M&A transactions (as a requirement of the Takeover Code) but has since been applied to private transactions as well. In the context of equity financing, financial sponsors structured as funds usually provide an equity commitment letter undertaking to fund the purchaser vehicle on completion. Sellers will either have direct or third-party rights to enforce obligations given by the funds in that letter. To the extent it is using debt financing, a buyer will need to ensure that the financial institutions providing the financing are committed to do so at exchange, with any conditions precedent limited to matters that are within the buyer's control. This has allowed buyers to avoid having to ask for a financing condition in their purchase agreement and means that they can equate their certain funds cash-funding position as being on a par with that of competitive offers that are financed by only equity.

Debt financing providers will typically require security as a condition to the credit facilities and covenants to ensure that the assets material to the target business are not divested. The negotiation of a security package will be deal-specific; however, where the target business is a technology asset that has intellectual property (IP) material to its business, lenders will typically require security over such IP. Over the past few years, as inexpensive credit has become widely available as a result of low interest rates, there have been a series of high-profile examples of borrowers taking advantage of certain flexibilities in their credit agreements to dispose of their valuable intangible assets (such as IP) or to use such assets as collateral for new borrowings, or both. Since the end of 2019, as credit markets tightened and moved away from such borrower-friendly norms, lenders became increasingly focused on including restrictions on the transfer or disposal of material IP outside of the restricted security group.7

v Tax and accounting

The UK's digital services tax (DST) applies to digital services revenue earned by certain businesses from 1 April 2020. Broadly, the DST will impose tax on businesses that exceed the annual thresholds at a rate of 2 per cent in respect of revenue that is attributable to UK users and arises in connection with certain in-scope digital activities.

A group will be liable to DST when its annual worldwide revenue from digital services activities exceeds £500 million and more than £25 million of such revenue is attributable to UK users. Broadly, the in-scope digital activities are social media services, internet search engines and online marketplaces.

The policy intention behind the new legislation is to address changes to the way that businesses are operating. Many of the targeted businesses that operate in the digital economy derive value from their interaction and engagement with a user base, and there is a misalignment between the place where profits are taxed and the place where value is created. The UK government believes that the most sustainable long-term solution is the reform of the international corporate tax rules. The UK government has stated that it intends to repeal the DST once an appropriate global solution is in place. In this regard, we note the recent developments in relation to the Organisation for Economic Co-operation and Development (OECD)'s two-pillar plan (which many jurisdictions have already committed to) to reform international tax rules. As the name suggests, the plan comprises of two 'pillars', broadly: (1) the first pillar seeks to reform tax allocation rights by shifting such rights from a business' jurisdiction of residence to the jurisdictions where a business' activities are carried out; and (2) the second pillar introduces a minimum level of taxation (15 per cent). There are certain thresholds that need to be met before the pillars can apply. Note that pillar one applies to all profits, not just profits derived from digital services revenue. Although the OECD intends for both pillars to be effective in 2023, achieving global consensus in relation to a tax that has been the subject matter of international criticism and debate, especially in the current political and economic climate, will no doubt be a difficult and drawn-out task (note that certain jurisdictions have refrained from signing up to this two-pillar plan). As such, it is critical that businesses become familiar with the DST, as despite its supposed temporary nature, it might be in place for longer than expected.

The DST only applies to revenue that is attributable to UK users. A UK user is defined as any user (an individual or legal person) that it is reasonable to assume is normally located or established in the UK. However, a provider of a digital service activity, any member of the same group as that provider and any employee of that group (provided they are acting in a professional capacity) are excluded from being considered a UK user.

Businesses that are potentially affected by the DST should undertake a review of their activities and determine whether they are within the scope of the DST. In addition, it is up to businesses themselves to make a judgement as to whether a user is a UK user. The legislation does not specify what is an acceptable source of evidence. However, the most commonly collated information comprises the following: a user's IP address, payment details and delivery details. Businesses should also continue to be aware of their GDPR responsibilities. The DST does not require businesses to collect additional personal data from their customers, and the obligation to ensure that personal data is being collected and processed in a lawful manner continues to rest on businesses themselves.

From a compliance perspective, although a DST liability is calculated on a group-wide basis, primary liability falls on the individual members of the group. As such, the group revenue will need to be allocated to each individual group member in relation to their proportion of the UK digital services-generated revenue. A group must designate an entity to be its responsible member, and it is such entity who will, going forward, be responsible for carrying out reporting and other obligations.

vi Management incentivisation

Incentivisation of a management team post-acquisition remains a key issue in M&A, especially in competitive auction processes where a substantial rollover by management is anticipated. Financial sponsors customarily grant senior managers 'sweet equity' in the acquired business, which has limited value on day one (and can therefore be subscribed for at a low valuation) but will participate economically in an exit if the business continues to grow. Participation is usually by reference to a ratchet mechanism or hurdle that is linked to the financial performance of an asset. Corporates tend to offer fewer bespoke schemes that are linked to the performance of an overall business, not just the asset acquired. They are sometimes also able to offer publicly listed equity as part of executive compensation, which is likely to result in a more immediate realisation of value for the participant when compared to illiquid equity in a privately held vehicle.

IP protection

IP is self-evidently a critical area of focus in M&A transactions in the technology sector. UK IP law is formed of national legislation and international conventions and treaties, such as the WIPO Copyright Treaty. Prior to the end of the Brexit transition period, an application could be made to register, for example, an EU trademark whereby the registrant would select Member States (including the UK) for protection. Following the end of the transition period, this no longer covers the UK (as it ceased to be a Member State) and instead, to ensure protection both in the EU and the UK, separate registrations are required. However, the UK Intellectual Property Office (UK IPO) did convert all EU trademarks and designs that were existing at the end of the Brexit transition period to comparable UK rights at the end of the transition period.8

It is common that several forms of IP are relevant to some degree in technology-related transactions. In comparison to targets in other sectors, it is likely that IP rights will be of greater integral value to the business, and it is therefore prudent for buyers to undertake a more thorough due diligence exercise that focuses on whether the relevant rights vest in the target business, or whether it otherwise has valid rights to use such IP. Fundamentally, this involves confirming:

  1. the scope of the target's IP based on its business function;
  2. proprietary ownership of such IP or the right to use the relevant IP for the purpose required; and
  3. an absence of disputes and infringements relating to core IP.

A key distinction in UK IP law is between registrable rights and unregistered rights. While unregistered rights are capable of vesting in their owner absolutely, proving title to such IP rights, for example as part of any enforcement proceeding or a due diligence process, can be more challenging in comparison to registered rights. Significantly, and as discussed in the context of several high-profile transactions in the software subsector, copyright in source code to proprietary software is not registrable. For such businesses, it is crucial that buyers satisfy themselves that such IP is owned by the target and avail themselves of sufficient contractual protections to elicit disclosure of any issues with respect to the creation and ownership of such rights.

Another issue that has become increasingly important in software acquisitions is open source software or open source code (OSS), particularly where the products or services of a target business incorporate OSS. Where the target uses OSS, certain areas of diligence should be considered as a matter of course, namely:

  1. identifying the OSS used, the licences governing the use of the OSS and how the OSS is exploited by the target;
  2. whether the use of the OSS is in accordance with the OSS licence; and
  3. whether the OSS licence and the use of the OSS poses any risks to the operation of the technology, or may do so in the future, with copyleft licence issues being the prime example in this instance.

Without a specialist with expertise in the relevant technology, such an analysis of OSS, particularly with respect to how it is actually used in practice, can prove challenging, so it is essential that appropriate contractual protections with respect to OSS usage and compliance with OSS licences are included in the transaction documents.

Another area that continues to rise to greater prominence is artificial intelligence (AI). Significantly, the nature of the IP rights that arise in respect of AI is heavily debated. For example, it is currently unclear whether AI as a concept is patentable. According to the European Patent Office, and followed by the UK IPO, AI computational models and algorithms are excluded from patentability unless they amount to a computer program having a further technical effect, which is said to be an effect going beyond the normal physical interactions between the program and the computer on which it is run.9 This is arguably a high threshold to meet. IP protection of AI is also debated on the basis AI is in a constant state of evolution, which leads to the question of whether the AI can in fact be protected at all given that it is continually changing. While copyright may subsist in the source code underlying the algorithm used in the AI, the majority of businesses would likely prefer to file for patent protection, if possible, on account of being able to attain public registration of their rights.

Data protection

Until Brexit, the data protection regime in the UK was governed primarily by the European General Data Protection Regulation (GDPR).10 The GDPR was implemented to regulate the now-apparent mass processing of personal data being undertaken globally. While the GDPR applies to all industries, it is commonly regarded as targeting the technology sector, and therefore compliance is usually a key consideration during diligence. Following Brexit, the GDPR ceased to apply in the UK as the GDPR (subject to the extra-territorial effect discussed below). To ensure personal data processed in the UK continues to be subject to the same high standards as provided for under the GDPR, the 'UK GDPR' was enacted. The UK GDPR is an almost identical version of the GDPR, subject to amendments where necessary from a UK perspective, meaning the obligations on businesses operating in the UK from the GDPR largely remained unchanged. The UK GDPR is supplemented by the Data Protection Act 2018, which contains a variety of provisions including exceptions to compliance with the UK GDPR.

The GDPR has extraterritorial effect, applying both to businesses in the EU processing personal data of individuals (located either within or outside the EU), and to businesses outside the EU, including the UK, if they satisfy certain conditions, namely that they either offer goods or services to EU data subjects or they monitor EU data subjects.11 An online retailer selling goods to individuals in the EU is a common example of a business located outside the EU that is subject to the GDPR.

Personal data is information that identifies an individual, such as a name, email address, photo or location. From a transactional perspective, the most common categories of individuals whose data is processed are employees, business-to-consumer (B2C) customers (e.g., a user of a mobile app) and individuals whose data is provided by a business-to-business (B2B) customer to the target business to perform the target business's service (e.g., a B2B customer provides its employee personal data to a cloud storage provider for storage). Neither the GDPR nor the UK GDPR differentiates with respect to volumes of personal data processed or the size of the relevant business, meaning it applies equally to global tech giants processing millions of pieces of data daily and to small to medium-sized enterprises processing only employee data. Therefore, the GDPR and the UK GDPR each capture a broad array of businesses globally, not least the larger US technology corporates.

Generally speaking, more personal data is processed by technology companies, and therefore compliance with data protection laws is of greater concern. This is particularly the case when a business is B2C, such as an app, or if not B2C, where the product or service of a business otherwise involves the processing of high volumes of personal data, such as a data analytics service provider. Several considerations are key to technology-related transactions, including:

  1. the proficiency of data protection impact assessments undertaken by a business with respect to its data processing activities;12
  2. the sufficiency and appropriateness of the lawful grounds relied upon by the business to undertake its processing activities;13
  3. consideration of any personal data breaches suffered (as discussed further below); and
  4. compliance with data protection by design and default principles, particularly with respect to products or services that involve high-risk or high-volume processing of personal data.14

Personal data is processed in the context of almost any transaction, particularly during the due diligence stage where information, including personal data, is shared between a seller and purchaser: the names of employees in senior roles, for example, or the name of an ex-employee currently party to litigation with the target. Since the implementation of the GDPR, whether such personal data should be shared has been debated, with some taking an extremely conservative approach that could result in no personal data being shared, even if it is arguably critical to a transaction. Several provisions of the GDPR are applicable here and, applied pragmatically, allow for the sharing of personal data to the extent required for transactional due diligence; for example, Article 6, which states that to process any personal data, including sharing it, a business must have a lawful basis to do so.15 There are specific lawful bases provided that could be considered on a transaction-to-transaction basis in this respect. This discussion also applies to transactions where the UK GDPR is applicable.

International transfers

An area of data protection that has seen significant changes throughout 2020 and 2021 is international data transfers. The GDPR does not permit transfers of personal data to countries outside the EU (known as third countries) unless the receiving country is subject to an adequacy decision or certain measures are put in place. The GDPR provides an exhaustive list of such measures, which include entry into standard contractual clauses and the approval of binding corporate rules.16 The UK GDPR follows the same approach with all countries outside the EU and the UK being considered 'third countries'. Following a decision of the European Commission in July 2021, the UK has officially been deemed adequate for data transfer purposes, meaning no additional measures need to be implemented to transfer personal data from the EU to the UK. Before this decision was adopted, there were significant concerns from organisations that a lack of adequacy decision would have had a seriously detrimental impact on the flow of data between the EU and the UK.

On 16 July 2020, the Court of Justice of the European Union (CJEU) published a decision17 that has had a significant impact on the transfer of personal data to third countries (known as Schrems II). Note that while this decision did not relate specifically to the UK GDPR, given the nature of the UK GDPR, Schrems II should also be complied with in the UK to the extent applicable. By way of background, following a complaint to the Irish Data Protection Authority which led to litigation at the Irish High Court, a preliminary ruling was referred to the CJEU that, in summary, asked the CJEU to confirm whether each of the EU–US Privacy Shield18 and the standard contractual clauses for the transfer of personal data to processors established in third countries (SCCs) were valid. The CJEU declared the SCCs valid but Privacy Shield invalid. In this first instance, this had a huge impact on businesses and any transfers of personal data to the United States that were relying on the Privacy Shield: since the date of the decision, businesses doing so were no longer compliant with the GDPR with respect to international transfers, and were required to implement one of the prescribed measures as an alternative.

To further complicate the matter, while the SCCs were declared valid, the CJEU stated that to rely on the SCCs, the exporting business must ensure there is an adequate level of protection for personal data in the importing jurisdiction. The CJEU noted that the exporting organisation could implement additional safeguards to ensure the data was subject to an essentially equivalent level of protection as to that provided in the EU but did not detail what the safeguards could be. Therefore, organisations relying on the SCCs, or those wishing to do so, need to undertake an analysis as to whether there is an adequate level of protection for personal data in the importing jurisdiction. The European Data Protection Board released version 2 of its Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (the Recommendations). The Recommendations were adopted in June 2021 in response to Schrems II (version 1 was adopted in November 2020) and provide for a six-step process that exporters and imports should undertake to ensure the personal data is provided with essentially equivalent protection in the importing country. The Recommendations are clear in confirming that if the personal data cannot be subject to such protection, the personal data should not be transferred. As noted above, tech businesses generally have a substantial global data flow system, meaning many will be affected by this decision. From a transactional perspective, it will be important to analyse steps taken to address Schrems II and the Recommendations. Furthermore, it is also crucial that the guidance from, and regulatory action taken by, any relevant local data protection authorities are considered when undertaking due diligence as certain authorities take a stricter approach than others to international data transfers.

In June 2021, there was a further shift in the international data transfer landscape; the new and long-awaited SCCs were adopted. Unlike the old SCCs (as discussed above and by the court in Schrems II), the new SCCs seek to combine all four possible transfers into one set of SCCs using a 'modular approach'. This means that only specific clauses apply depending on the nature of the transfer; that is, whether it is: (1) controller to controller; (2) controller to processor; (3) processor to processor; or (4) processor to controller. The new SCCs will replace old SCCs; the old SCCs are due to be repealed in September 2021 meaning they cannot be executed after this point. However, the European Commission gave a grace period for replacing those old SCCs currently executed and being relied upon. Such organisations have until the end of 2022 to replace the old SCCs in operation with the new SCCs. While the principles of Schrems II have impacted the drafting of the new SCCs, the requirement to analyse the transfer as mandated in Schrems II must still be complied with, along with the Recommendations. From a transactional perspective, the progress of a company in replacing its old SCCs with the new SCCs and its general approach towards international transfers following such significant changes over recent years will be of much interest and scrutiny.

The most important distinction to note for the UK specifically is that the new SCCs do not apply to the UK at this date, although the Information Commissioner's Office, the UK's data protection authority, has confirmed that it is working on its own set of SCCs that could be used for transfers of data from the UK. These are due to be published for public consultation during summer 2021. Until the new UK SCCs are finalised, the old SCCs can still be utilised for transfers of data from the UK to third countries.

Due diligence

Confirming IP ownership of the relevant technology is arguably one of the most important actions required in the acquisition of a technology business. IP can be registered or unregistered, with the former being simpler to identify and confirm ownership of related rights, in most cases, particularly where the relevant registration is accessible via a public register. Unregistered IP is, however, more difficult to identify and confirm proprietary ownership of. A business can attain ownership of IP through several means, including: creation by an employee or third party developer, or through a merger with or acquisition of an entity which owns the IP. In the context of copyright to source code underlying proprietary software, the default position under English law is that copyright developed by an employee during the course of his or her employment automatically vests in the employer. However, given that this analysis does not apply to all IP rights, it is prudent for employers to include an assignment of all IP developed by the employee to the employer. This is even more essential in the context of a third-party developer, otherwise the IP will not vest in the contractor. The existence and drafting of such assignment provisions are invariably a key point to confirm in due diligence. With respect to acquired IP, the acquisition documents are a key source; for example, the relevant share purchase agreement and any assignment agreements.

In technology-related transactions, IP licensing is a greater concern, and therefore thorough due diligence is required into all third parties, including customers and service providers, that are granted licences or rights, or both, to use the tech IP. A key issue that can arise in IP licensing is when the licence granted is not suitable, whether this be, for example, because it is too wide. The drafting of the scope of a licence should align with the services provided to the end user and should not permit the user to exploit the IP beyond that permission. Another issue that regularly arises in this context is when there is disparity in the licences granted, usually if customer contracts are negotiated, meaning monitoring and regulating customer usage can become extremely difficult.

Dispute resolution

Market practice in the UK has developed such that parties to an M&A transaction submit to the jurisdiction of the English courts rather than arbitration. The English courts generally recognise and permit the enforcement of foreign judgments, but the procedure for enforcement varies depending on whether the source of a judgment is from an EU or European Free Trade Association country, a Commonwealth country or a Hague Convention country, or from a country not included in the foregoing (under the common law regime).

Outlook

Data from across 2020 suggest that technology will remain the most attractive sector for private equity investment in the immediate term: it topped the charts for both deal volume and deal value. Following such a hot streak in H2 2020, valuation inflation has led some sponsors to seek value by originating transactions in sectors that have been less prolific (and that have specifically been adversely affected by the pandemic). It remains to be seen whether such a refocusing of investment thesis has an effect in deal count in the sector. Given the number of sector-specific funds and the appetite for consolidation among highly valued corporates, the editors' view is that such effect is unlikely to be pronounced in the short term.

In terms of the key legal developments:

  1. regulatory scrutiny of technology transactions will intensify as governments pursue more conservative agendas. The scope of transactions that will require notification will only broaden, and bidders will need to factor additional approvals and a greater level of scrutiny into their bid timetable and assessment of execution certainty;
  2. scrutiny will focus intently on technology assets as authorities grapple with how to effectively regulate the digital economy, particularly the processing of valuable data;
  3. as technology businesses retain the spotlight for their economic success, governments will continue to assess whether they are being regulated effectively, particularly with regard to antitrust and corporate taxation;
  4. IP protections will progressively be challenged to move forward in response to the continuously altering nature of rights that require protection (particularly in comparison to other property classes); and
  5. environmental, social and governance (ESG) concerns will become more significant for sponsors and corporates alike, as institutional stakeholders increase pressure on investors to take them into account as part of their acquisitions. Such concerns will progressively become a more material aspect of due diligence.

Footnotes

1 Anu Balasubramanian and Sarah Pearce are partners and Jamie Holdoway and Ashley Webber are associates at Paul Hastings LLP.

2 Enterprise value.

3 Earnings before interest, taxes, depreciation and amortisation.

4 Source: PitchBook.

5 Competition Policy for the Digital Era, a report by Jacques Crémer, Yves-Alexandre de Montjoye and Heike Schweitzer.

6 As most recently determined in Cavendish v. Makdessi; ParkingEye v. Beavis [2015] UKSC 67.

7 See, for example, Covenant Review: Revisiting the Trapdoor: Five Lessons Learned from J Crew, 27 February 2019.

10 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

11 GDPR Article 3(2).

12 GDPR Article 35.

13 GDPR Article 6.

14 GDPR Article 25.

15 GDPR Article 6.

16 GDPR Article 46.

17 Case C-311/18 Data Protection Commissioner v. Facebook Ireland and Maximillian Schrem.

18 The Privacy Shield is a form of adequacy decision whereby personal data can be transferred to organisations in the United States that are certified compliant with the Privacy Shield principles.

The Law Reviews content