21.8.2019

M&A: As Buyer Liabilities Increase, Due Diligence Must Cover New Ground

Data breaches, cartels, money laundering, bribery… In today’s world, there are a number of risks that may go unseen in a traditional due diligence review. This has led to the rise of compliance due diligence, which seeks to address these issues as part of the M&A process. In Germany, law firm Hengeler & Mueller and the Goethe-Universität of Frankfurt recently carried out a survey about compliance due diligence among German investors and corporate executives responsible for M&A. According to the results, 95% of them find that buyers are increasingly aware of compliance risks. Three quarters found that compliance due diligence was a relevant part of the M&A process, and 85% thought that it had become increasingly important in recent years.  The factors that favour carrying out compliance due diligence included previous violations by the target company, business in high-risk countries or a high number of clients in the public sector.

Liability May Arise on Grounds of Stakes Already Sold

The foreword of the survey report cites a case that illustrates the importance of compliance for buyers. The buyer in this case was a large international investment bank that had been a shareholder and the indirect parent company of a cable manufacturer, which was subsequently found to have participated in a cartel. The European Commission fined the cable manufacturer 100 million euros. Roughly a third of the total was jointly and severally payable by the company and the investment bank as its former owner. According to the Commission, the investment bank had exercised decisive influence in the cable company and could therefore be considered liable for the cartel, even though there was no evidence that the bank’s representatives had been aware of the cartel plans or had participated in the cartel’s implementation. This position was confirmed by the Court of Justice of the European Union.

Buyers Cannot Afford to Neglect Data Protection

This July, the British Information Commissioner’s Office issued a notice of its intention to impose a fine of 110 million euros on a major accommodation group for breaches of data protection law. The group had suffered a cyber attack that could be traced back to a corporate acquisition made in 2016: the target company’s information systems had become vulnerable well before the merger. The ICO found that the buyer had not carried out sufficient due diligence upon the acquisition. In a statement, Information Officer Elizabeth Denham said:

‘The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition,  and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.’

‘Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset.  If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.’

The ICO’s decision is not final, but it sends a strong message to companies considering an acquisition. Buyers must carefully inspect how the target has addressed data protection. It is possible that they will no longer be able to fulfil their duty of care with a customary desktop analysis completed with management interviews. Instead, European data protection authorities may require a thorough assessment of the technical security and adequacy of the target’s data systems. The General Data Protection Regulation has been enforceable for a bit over a year now, and authorities have taken the initiative and imposed fines for non-compliant processing of personal data in several dozens of cases.

Look Deep

Neglected compliance risks can be costly for buyers in M&A. Violations may undermine the profitability of a deal and permanently damage the buyer’s reputation. Moreover, authorities are eager to intervene in suspected breaches.

Properly addressing compliance risks in due diligence helps avoid unpleasant surprises. In addition to reviewing documents, we recommend that buyers have a separate compliance session with the compliance officers of the seller or the target. This helps grasp the target’s performance and identify operations that warrant a further review.

Latest references

We advised WithSecure Oyj in the sale of its open source data collection product and business to Patria Oyj. The divested business combining software and services falls outside WithSecure’s current strategy. Through the sale, WithSecure sharpens its focus on the Elements portfolio. WithSecure is a global cyber security company (listed on NASDAQ OMX Helsinki) with more than 35 years of industry experience. WithSecure offers partners flexible commercial models, ensuring mutual success across the dynamic cyber security landscape. Patria is an international company in the defence and security industry offering defence, security and aviation life cycle support services and technology solutions. As a result of the transaction, Patria will open a new office in Oulu and 10 WithSecure experts currently working in the business area will join Patria. 
Case published 30.9.2024
We are acting as the lead counsel to Fortum in a cross-border transaction in which Fortum is selling its recycling and waste business. The business is sold to thematic impact investing firm Summa Equity through its portfolio company NG Group. The debt-free purchase price is approximately EUR 800 million. The transaction is subject to authority approval and customary closing conditions. Fortum’s recycling and waste business to be sold comprises municipal and industrial waste management and end-to-end plastics, metals, ash, slag and hazardous waste treatment and recycling services. These businesses are located in Finland, Sweden, Denmark and Norway and currently employ approximately 900 employees.
Case published 18.7.2024
We advised Andritz Oy, a part of ANDRITZ group, with their acquisition of all the shares in Procemex Oy. The acquisition further strengthens ANDRITZ’s automation and digitalisation portfolio. Procemex is a global leader in integrated web monitoring and web inspection solutions for the pulp and paper industry. It has a team of more than 100 vision systems experts and has subsidiaries in Germany, Japan and the US. ANDRITZ offers a broad portfolio of innovative plants, equipment, systems, services and digital solutions for a wide range of industries and end markets. ANDRITZ is a global market leader in all four of its business areas – Pulp & Paper, Metals, Hydropower and Environment & Energy. The publicly listed group has around 30,000 employees and over 280 locations in more than 80 countries.
Case published 18.7.2024
We advised Exsitec Holding AB in a transaction whereby it acquired all the shares in M-flow Finland Oy. M-flow Finland Oy is a Finnish company engaged in reselling Medius B2B standard S2P software-as-a-service solutions in Finland. Exsitec Holding AB is a Swedish company part of the Nordic Exsitec group, which has over 20 offices in the Nordics. Exsitec delivers digital solutions to improve its customers’ businesses.
Case published 4.7.2024