Microsoft’s blockbuster acquisition of LinkedIn earlier this month—a deal where concerns for privacy and data security loomed large—provides a glimpse into the growing trend of including separate privacy and data security representations in merger and acquisition agreements.  Because the trend is so recent, there is no consensus or standard practice at this point for drafting these representations.  The LinkedIn privacy and data security representation is a good example of the evolving nature of these representations.

The publicly released merger agreement from the Microsoft-LinkedIn deal includes the following representation:

Privacy and Data Security.  [LinkedIn Corp. (the “Company”)] (i) has adopted and published from time to time privacy policies (each, the “Company Privacy Policy”); and (ii)  is in compliance in all material respects with (A) each Company Privacy Policy and (B) all applicable Laws and regulations and material contractual requirements pertaining to personally identifiable information of its customers and users of its products and services (“User PII”). The Company and its Subsidiaries have taken commercially reasonable steps to protect the User PII from unauthorized access and use.  Neither the Company nor its Subsidiaries have suffered any security breach with respect to any User PII that would reasonably be expected to result in a material liability to the Company or its Subsidiaries, taken as a whole.

The LinkedIn representation is fairly simple, but covers the same general ground as most public and private M&A agreements that include seller privacy and data security representations.  In general, this includes:  (i) compliance with internal privacy policies; (ii) compliance with privacy, data security and data protection laws and regulations; (iii) compliance with the sellers’ contractual requirements; (iv) reasonable privacy and data security practices; and (iv) the absence of data breach incidents or privacy violations. In any deal, these representations are subject to a range of knowledge and materiality qualifiers that vary based on the circumstances of the transaction, including any industry-specific or country-specific considerations.

LinkedIn’s representation has no knowledge qualifier (that is, it is not limited to information known to LinkedIn).  The compliance and breach provisions are subject to a basic materiality standard, rather than being triggered only, for example, by a material adverse condition (or “MAC”).  That LinkedIn and Microsoft settled on these particular knowledge and materiality qualifiers may be indicative of the context of the deal—a prospective $26.2 billion public company merger with a significant premium over the target company’s share price—although the details of the parties’ negotiations are not public.

The trend to include separate privacy and data security representations in M&A agreements reflects increased scrutiny of these issues not only by the parties to transactions, but also by regulators overseeing the privacy landscape.  For example, when Facebook acquired WhatsApp in 2014, the Federal Trade Commission specifically notified both parties that any failure to abide by WhatsApp’s privacy obligations would be deemed a “deceptive act” under Section 5 of the FTC Act.  While representations such as the one made by LinkedIn are not the only way for parties in an M&A transaction to allocate the (growing) risks associated with privacy and data security, they are increasingly common.  This is particularly true given the complexity and costs of conducting privacy and data security due diligence prior to a transaction and the recent increase in regulatory attention to this issue.