The European Data Protection Board released a statement last month on the privacy implications of mergers.
The European Data Protection Board has expressed concern over the privacy implications of mergers upon becoming aware of the intention of Google LLC to acquire Fitbit Inc. The board is primarily concerned that this may put a major tech company in the position to acquire even more sensitive personal data about people in Europe, and this could cause a high level of risk to the fundamental rights to privacy and the protection of personal data. The EDPB has stated before that it is imperative that we assess the longer-term implications of significant mergers like this for consumer rights and data protection. In the statement, the EDPB reminds the parties to this proposed merger to assess and mitigate any possible risks of the merger to the rights to privacy and data protection before notifying the European Commission of the proposed merger.
“The EDPB therefore reminds the parties to the proposed merger, in accordance with the principle of accountability, of their obligations under the GDPR and to conduct in a transparent way a full assessment of the data protection requirements and privacy implications of the merger.” The board will itself consider the implications that this merger may have for the protection of personal data in the European Economic Area and, while remaining vigilant on this and similar cases in the future, stands ready to contribute its advice on the proposed merger to the Commission if so requested.
In a 2018 statement, considering the acquisition of Shazam by Apple, the EDPB warned that increased concentration in digital markets could potentially threaten the level of data protection and freedom enjoyed by digital consumers, and advised that independent data protection authorities may aid in the assessment of such an impact on the consumer or society. They also added that “This assessment, as well as the identification of conditions or remedies for mitigating negative impacts on privacy and other freedoms, may be separate to and independent from, or integrated into, the analysis carried out by competition authorities during their assessment under competition law.”
When it comes to sharing customers’ data in this context, mergers might be the suitable way to go, because they imply that the controller entity does not change. All other ways would need to be extremely transparent and give the involved users a chance to object. However, if the controller becomes part of a corporate group, the data could be shared within the group subject to a legitimate interest assessment (LIA). This should be done on a case-by-case basis anyway, as the LIA might not always pass the proportionality test.
According to Cristina Contero Almagro, Aphaia’s Partner, “the assessment of the data protection requirements and privacy implications of the merger should cover, as one of its main elements, a full evaluation of the security measures that are in place in the other company, not only the current ones, but also those implemented during the previous years. The data breach suffered by Marriott last year is a good example that shows the relevance of properly checking and monitoring the security measures before going ahead with an acquisition or a merger”.
Do you have questions about how a merger or an acquisition may impact data protection in your company? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.