Data Privacy in Transactions
Potential data breaches lurking within target companies are a big issue and the consequences of this can be both expensive and also damaging to business reputation.
The role of data and GDPR (General Data Protection Regulation) compliance in M&A transactions has grown significantly since the GDPR’s arrival in 2018. The expanded obligations and liabilities (with administrative fines of up to 4% of annual global turnover or €20 million whichever is the greater) and the heightened risk environment means that data issues can be a “deal blocker” if they are not dealt with in a timely and effective way. Data protection authorities are willing to issue substantial fines, e.g. £18.4m against Marriott (UK), €50m against Google (France) and €33m against H&M (Germany). Further, the prospect of “class actions” by affected individuals is on the rise in the UK, with claimant classes being built against British Airways and others.
In addition to this, when dealing with insolvent sellers challenging data issues often arise from the transfer of customer lists and databases, which are often a significant asset for the buyer. European e-commerce and the squeeze on Big Tech.
Big Tech and e-commerce are fully under the microscope of the EU Commission (and at Member State level and globally) at the moment and this will have trickle-down implications for other businesses. A legislative proposal for the EU’s Digital Services Act is expected to be published by the end of this year or early 2021 for comments and feedback. This is the first big proposed overhaul of European internet regulation for twenty years. It will introduce a regulatory-focussed regime around matters such as misinformation, illegal trade and transparency.
In tandem with this, the EU’s Digital Markets Act is expected to be a more competition-focussed regime that will contain the Platform/Gatekeeper code. It will contain do’s/don’ts for large online platforms - or those who are indispensable for other companies to reach consumers online - to curb what it sees as anti-competitive behaviour. It will also contain the “New Competition Tool” designed to give the EU and EU Member State competition agencies enhanced market investigation powers in the digital space including remedial powers as well (similar to the UK regime). The Commission expects to consult on the legislative proposal in early 2021. This was originally meant to apply to a wide range of sectors including financial services and agri-food but will now be targeted mainly at tech companies.
The regulatory scrutiny on e-commerce and tech also extends to the merger control arena. The EU Commission and national competition agencies worldwide are concerned that they are missing so-called “killer acquisitions” whereby Big Tech acquires nascent tech start-ups with little or no revenue, thus falling below the existing filing thresholds. This perceived “enforcement gap” has resulted in varying new thresholds (Germany, Austria), procedures (EU) and proposals (France, Korea) to catch such deals by extending jurisdictional powers. In addition, the EU and other agencies including the UK’s CMA are revising and enhancing their substantive assessment tools to better equip them to handle and if necessary challenge digital, big data and e-commerce deals.
Smart Buildings and the technological spread
Technology dominates the design and configuration of modern office buildings, as digital solutions are applied to everything from access and occupancy, booking rooms and hot desks, locating colleagues, to controlling heating, lighting and ventilation. Increasingly this is also being applied to added services such as food ordering, medical services, personal deliveries, child care, parking, bike storage, showers and so on. All of this produces data, which in turn gives rise to inevitable issues with GDPR and cyber-security.
Another dimension to this is the need to obtain and store data on visitors to buildings for the purposes of anti-pandemic track-and-trace programmes. Projecting into the possible near future, this could be further complicated by any roll out of vaccination certificates or medical immunity certificates containing or linking to sensitive personal or medical data and which might be used to facilitate access to buildings or transport.
In addition, remote and home working means that even more of our office conversations are, or are capable of, being recorded. It is predicted that by 2025 some 75% of work conversations will be recorded and analysed (Gartner Top Strategic Technology Trends 2021). In addition to the obvious privacy and data protection issues, it also gives companies an even greater degree of practical risk exposure to what their employees are saying, writing or otherwise communicating, work-related or otherwise.
The flip side of all this is the increased difficulty with which companies can effectively monitor and regulate the communications of their employees and data storage, security and proliferation by them. We now live in a transactional environment where professional employees switch from one app or device to another, from conversation to conversation, whether it is Zoom/Webex/Teams/Bluejeans one moment, to Whatsapp/WeChat/sms the next, with documents and files stored on home laptops, ipads and other personal devices, sent over home or coffee shop wifi networks and/or printed and spread out over kitchen tables. Yet another headache for employers is the myriad of social media options and the ease with which these can quickly land the user (and often their employer as well) into hot water.
Working from home – hidden legal issues lurking
As we know, for many professions the pandemic has fundamentally changed peoples’ working and commuting patterns and longer term is likely to result in more and more remote working. For some employees, typically at the more senior end, this includes the possibility to base themselves abroad and in many ways this could end up being a lifestyle goal for many.
However, where the work is performed in a country that is different from that in which the employees are normally based and in which the relevant employer is located, this can give rise to tax issues, such as tax and social security contributions for both the employer and employee, plus the operation of any relevant double-tax treaty/reciprocal agreement requirements or exemptions. In addition there will be other legal considerations, such as whether any local law employment rights or obligations are triggered, whether there are any health & safety or other working environment obligations on the employer and also whether immigration/working visa/etc. rules must be met. For regulated industries the relevant regulatory considerations add a further aspect.
Employers will also need to consider whether an employee working abroad means the employer has a permanent establishment in the tax jurisdiction in that location and, in theory at least, this could result in the employer being liable to pay foreign corporate and employment taxes, among other tax obligations.
The data security and data privacy implications around home working are accentuated where an employee is working in a country that is outside of the EEA and not subject to GDPR and other EU data privacy laws.
With the economic fallout from the pandemic set to continue well into next year, there is an anticipated increase in the use of credit bids in insolvency-type situations by secured lenders. In certain circumstances, a secured lender can ‘bid’ its secured claim against the purchase price in a sale of the secured assets. The secured lender can compete with cash bids for the collateral, bidding up to the face value (principal and accrued unpaid interest) of its secured obligation. Rather than paying cash for the collateral, the secured lender can offset the purchase price by the value of its outstanding claim against the collateral.
Credit bids can protect value in the collateral when asset values are depressed, and avoid the secured lender from being cashed out by a third party for less. By offsetting the purchase price against the claim, the acquisition can be cash-free apart from taxes, professional costs and frictional costs. The credit bid can form part of a ‘loan-to-own’ strategy, where the secured lender wants to take ownership of the collateral.
The growth in alternative debt providers’ appetites for acquiring assets from distressed companies has seen a rise in credit bidding as a loan-to-own strategy, and many of them will have experience of credit bidding in asset sales undertaken in Chapter 11 bankruptcy processes. Loan-to-own strategies involve providing or purchasing (in the secondary market and typically at a discount) the distressed company’s secured debt. This is done with a view to enforcing the security and acquiring shares in, or assets of, the obligors, often by way of a pre-packaged administration sale. Fair market value has to be achieved, but distressed sales processes are usually undertaken at speed and there may be an implied discount for distress. Furthermore, the secured lender can bid the face value of the debt, not what they paid for it.
DAC 6 - reportable cross-border arrangements
DAC 6 is an EU Directive which requires disclosure of “reportable cross-border arrangements” to the relevant EU Tax Authority. The information disclosed will then be exchanged with all other EU Tax Authorities. Penalties for failing to comply can be heavy.
Compliance is required by anyone who is an “intermediary”. This is anyone who arranges, organises or puts together a deal – so as well as lawyers and accountants, this can also catch private equity houses, funds and so on. If there is no “intermediary”, the compliance burden falls on the taxpayer.
The UK regulations implementing DAC 6 came into force on 1 July 2020 and the first reports must be filed by 30 January 2021. The regime has a retrospective effect for cross-border arrangements where the first step was implemented on or after 25 June 2018. This is all unaffected by Brexit.
Carried interest under attack
The UK government has launched a review of capital gains tax in response to unprecedented levels of government spending during the pandemic. One of the areas under the spotlight is the favourable tax treatment given to carried interest structures and how these are taxed compared to conventional income.
In many ways it feels like we have gone full circle back to 2007 when leading private equity executives were summoned to appear before the UK Treasury Select Committee and the tabloid headlines that summer were dominated by claims that they paid less tax than their cleaner (i.e. confusing effective rates of tax with total amounts of tax paid). This is all still at the review stage and whether the UK is prepared to adopt a less favourable tax regime than its competitors remains to be seen, but watch this space.
UK National Security and Investment Bill
The UK Government have introduced to Parliament the long-awaited National Security and Investment Bill. The Bill is a transformative event for investors in UK businesses and assets, proposing sweeping new powers for Government to scrutinise and intervene in a wide range of transactions on the basis of UK national security.
Brexit’s Back, Alright!
It wouldn't be a proper horizon scan without a final word on Brexit! 2020 has been tough for the consumer and retail industry and, with the end of the Brexit transition period on the horizon, it's about to get tougher.