Linking Data Privacy to Antitrust Regulations Will Drive Increased Workloads for Legal Practitioners

Aug 9, 2022

Even before our most recent national election, candidate Joe Biden signaled a tougher regulatory climate on data privacy would be on the way should he prevail. But just as quickly as Biden was elected, hopes for a federal privacy law faded, no doubt in recognition of the daunting task of ushering privacy legislation through Congress. However, in an attempt to revive an initiative already on life support, the administration issued an executive order in July, cleverly linking data privacy with requirements to more closely scrutinize M&A activity.

The executive order implicitly recognizes that, in business, data is the most precious of assets. Corporations rely on consumer data for marketing, sales, and new product development. At the same time, recent European and U.S. state legislation indicate protecting personal information is a topic of widespread concern. Biden’s executive order acknowledges both the inherent value of consumer data and the importance of data privacy compliance requirements during mergers and acquisitions.

Beyond the usual scrutiny for anti-competitive market concentration, the new executive order specifically calls for strict oversight of M&A activity among big tech, expressing concern about“…the rise of the dominant Internet platforms, especially as they stem from serial mergers, the acquisition of nascent competitors…[and] the aggregation of data….”

Antitrust Inquiry + Data Privacy = Game Changed

U.S. federal laws still allow companies wide latitude when dealing with consumer data. We don’t address consumer data protection and privacy with the same rigor as many other countries. The EU has taken the lead in data privacy with the General Data Protection Regulation (GDPR), containing specific and wide-ranging protections for all European citizens. Similar protections have been enacted in some individual U.S. states, but federal legislation has stalled and appears to lack the support necessary to move forward any time soon.

The administration’s decision to take the regulatory route in lieu of legislation to address data privacy is a creative and strategic approach that has not been widely appreciated. Federal agencies, operating independently and executing administrative regulations promulgated by the administration, are much more likely to have success enforcing protection of consumer data, and will do so faster and with virtually no judicial oversight—and all without the messy process of federal legislation.

So far, the changes introduced in the executive order have not deterred businesses from forging ahead with M&A activity, albeit with greater scrutiny and increased workload for corporate legal teams and their advisors in pre-merger due diligence. It’s also likely that responding to second requests will become commensurately more demanding and complex.

Resource planning

Even before Biden’s executive order, the production burden for second requests in large M&A cases was massive. Reviews can involve tens of millions of documents from hundreds of custodians. Precise production candidacy guidelines must be strictly followed. Timelines can be aggressive and non-negotiable. Legal teams must ensure compliance with intricate international data transfer and production regulations, and U.S./EU cases must navigate differing requirements from both jurisdictions, simultaneously.

Compliance will now be even more burdensome. Regulators will likely ask for more information on every M&A proposal of substance and there will be significantly more data to be reviewed.

So how can legal teams brace themselves for these new challenges?

Double down on preparation, well before deciding to press “go” on a major transaction. Key areas to consider include:

First, there’s staffing.: The labor market is tight and demand is particularly high for tech-savvy legal talent. Legal teams must manage staffing levels to retain a deep bench of qualified attorneys and ensure that data experts are ready to meet the increasing demands of M&A scrutiny.

Next, technology will become even more critical to perform M&A due diligence accurately, on time, and on budget. Advanced analytics tools reduce the need for manual, linear review of documents and help manage increasing data volumes.

Thirdly, external resources must be assessed at an early stage. Few organizations have the bandwidth to complete the huge amount of pre-M&A activity using in-house resources alone. New regulations will lead to a substantial uptick in demand for outside help. Any outside provider should be equipped to handle higher workloads and greater data volumes. There will be increased competition for the services of better firms. Forge those relationships now. Finally, keep abreast of evolving policies. Although organizations planning M&A activity are already bracing for more intense regulatory scrutiny, there remains uncertainty about how exactly that will play out. In the meantime, companies can help themselves by closely monitoring the activity of the Federal Trade Commission and the Department of Justice in new acquisitions. Additionally, organizations should be aware of subtle and evolving differences in data privacy and compliance rules among various regions and states, and be ready to proactively remediate or update their data-handling practices, from management and retention policies to security and compliance.

In summary, we should expect changes to M&A due diligence and enforcement of data privacy compliance to evolve quickly. Rather than waiting for stalled legislation to pass, the administration is relying on regulatory bodies to implement stricter data privacy and consumer rights protection. While this is arguably good news for those interested in preserving consumer data privacy, it will increase the burden on legal teams in advance of any M&A activity. As the situation unfolds, these teams will need skilled specialists to turn around discovery and responses to second requests within regulators’ deadlines.

Companies looking toward a merger or acquisition should be preparing now to update data governance practices and retention policies, assess staffing levels, check technology security capabilities, and determine the right mix of internal and external resources to meet the challenge of intensified regulatory scrutiny.

Close Modal

Our Framework

Understand.

During this phase, we work to step away from any assumptions and guesses about what our customers needs, and let our research findings inform our decision-making. We learn more about our customers, their problems, wants, and needs, and the environment or context in which they will use the solution we offer.

Our Framework

Define.

During the Define phase, we analyze our research findings from the Understand phase and determine what is the most important problem to solve — and why. This step defines the goal. Then we can give a clear problem statement, describing what our customers’ needs are that we are trying to solve, making sure that we heard and defined their problem correctly.

Our Framework

Solve.

This phase is an important part of the discipline in our process. People often settle for the first solution, but the most obvious solution is often not the right one. During the Solve phase, we brainstorm collaboratively with multiple stakeholders to generate many unique solutions. We then analyze our potential solutions and make choices about which are the best to pursue based on learnings in the Understand phase.

Our Framework

Build & Test.

This phase is critical in developing the right solution to our customers’ problem. An organized approach to testing can help avoid rework and create exceptional outcomes. Starting small and testing the solution, we iterate quickly, before deploying solutions across the entire project.

Our Framework

Act.

During this phase, the hard work of prior phases comes to life in our customers’ best solution. The research, collaboration, and testing performed prior to project kick-off ensure optimal results.

Our Framework

Feedback.

At the project completion, we convene all stakeholders to discuss what went well, what could have been better, and how we might improve going forward. We call these meetings “Retrospectives,” and we perform them internally as a project team, and with our external customers. The Retrospective is one of the most powerful, meaningful tools in our framework.

Next