Over the last year we have seen increasing interest from our global client base in investing in strategic, transformational technology transactions with European counterparties. These transactions often facilitate access to key technologies, geographies and, of course, data. In this note we set out 6 key points to keep in mind when planning, negotiating and executing these types of transactions across Europe.
While some considerations will be relevant to Europe as a whole (including, following its departure from the EU, the UK), others may be more pertinent to Member States of the EU or the EEA more broadly. Where these differences occur we have referred to “Europe” and the “EU”/“EEA” separately.
Europe is not homogenous
Across Europe, including within the EU, attitudes towards, and perception of, certain types of technology projects, including those involving cutting-edge use of data, vary and continue to evolve. While the EU rules result in a fair degree of harmonisation in many key areas of law relating to technology, such as media, telecoms, privacy and consumer law, there is divergence in how certain EU-level rules are implemented by Member States or interpreted by courts and regulators in Member States.
- Local law review. Even if a transaction is governed by U.S. law (e.g., New York or California law), contract law of the jurisdiction of the counterparty will influence attitudes and approaches to key deal terms (e.g., a European counterparty may be less willing to accept indemnities other than to shift specific risks, as opposed to providing compensation for contractual breaches, or there may be specific formalities to be observed to execute a given form of transaction). Engaging local counsel early can help in structuring deal terms, formulating negotiating strategy and flushing out any mandatory matters of local law (and there are many aspects of EU law which cannot be contracted out of).
- Risk-based diligence of the future business model. Identify principal European markets and undertake risk-based diligence in respect of any key legal and regulatory compliance considerations (with greater rigour applying to the most commercially valuable markets). Compliance areas to watch in 2021 include: (i) emerging foreign investment laws (see below), (ii) cross-border personal data transfers, particularly in respect of the UK following the UK’s departure from the EU (see directly below), and (iii) new rules in respect of the supply of digital content and remedies available to EU consumers (for further details see Covington’s blog of November 13, 2019: EU adopts New Deal for Consumers).
- UK’s departure from the EU. The UK’s departure from the EU raises new issues – one example being the diligence that may be needed with respect to personal data transfers from the EEA to the UK. Personal data transfers from the EEA to a third country are only permitted if individuals’ rights in that third country are deemed “adequately” protected. On 19 February 2021, the European Commission published a draft “adequacy” decision which, if formally adopted, would permit personal data to be exported from the EEA to the UK without further measures in place, such as the Standard Contractual Clauses.
Data: access and rights
Strategic technology deals are increasingly focused on securing access to novel sources of data to help improve products and services, or to provide the raw material to derive new insights for commercial benefit.
Here are some data-related matters we encounter in European strategic transactions:
- As in other parts of the world, if critical data sources are in-licensed or from publicly available databases, it is essential to carefully review the license terms (and consider the current and intended use of such data after completion of a transaction) – in strategic transactions common restrictions that are problematic include limits on the purpose for which data can be used, sub-licensing limits, and prohibitions on “co-mingling” datasets. These terms can be particularly tricky to interpret when determining rights to use data to train AI algorithms.
- If there are no relevant license terms, then “data” is not generally protected by EU Member State or UK intellectual property law, although in certain limited cases “database” rights and trade secrets law may protect the use of data.
- Where the data is personal data, the manner in which such data was originally collected will influence any further exploitation and use of such data. It will be important to assess relevant privacy notices and consents, as well as any relevant related terms (e.g., if a consumer-facing app, what rights exist in the end-user licence agreement).
- If data issues are identified, can they be overcome by updating privacy notices, consents and relevant agreements? This strategy will be most effective where the utility of the relevant data is tied to its currency. How, and by whom, will these changes be communicated to users and, where appropriate, regulators?
- Are there sector-specific regulatory requirements that need to be taken into account? For example, (i) healthcare data is not only subject to enhanced rules under EU and UK privacy law as “sensitive” personal data but also attracts separate medical confidentiality protections, (ii) “open data” rules apply to certain financial data designed to allow consumers to migrate their data between financial providers and these rules impose certain technical and related requirements. If contemplating a collaboration involving the use of data in a highly regulated sector, consider the expertise and capability of the counterparty to meet relevant compliance obligations relating to data (and, of course, more generally).
- Differences in consumer protection laws in Europe and the U.S. For example, in the EEA, if consumers are offered digital content such as apps for purchase they must be provided with certain clear and comprehensible information regarding the seller and the goods before the purchase becomes binding. If contemplating the exploitation of technology to consumers in Europe, then associated end user contract terms and practices used in the U.S. are likely to have to be modified.
- Sources of data. Review legal and contractual rights to all sources of data relevant to the collaboration and ensure that the data was, or can be, used for the contemplated purposes.
- Develop and execute a clear data strategy. The takeaway message is that having a clear data strategy is hugely beneficial. This will help craft consistent approaches to diligence, contract terms and public messaging (all of which need to be aligned to execute an effective data-related play).
EU anti-trust considerations: co-developed IP and merger clearance issues
EU anti-trust rules prohibit agreements, including co-development and licensing arrangements, between undertakings which have as their object or effect the restriction of competition within the EU and may affect trade between EU Member States.
These rules have extra-territorial application and apply irrespective of where the undertakings are located, or the agreement concluded, provided that the agreement or practice will have an effect in the EU (for example, if the resulting products or technology are to be sold in the EU).
There are a number of “block exemptions” that provide a “safe harbour” for certain obligations and restrictions. For example, the block exemption that applies to joint research and development agreements applies where market share thresholds are not exceeded (although parties often draw analogies to the safe harbour when market shares exceed these thresholds). The block exemption provides that:
- restrictions on competing research and development in the field of the collaboration are permitted while that research and development work is ongoing, but are not permitted in unconnected fields;
- parties should only exchange information where necessary for the collaboration; and
- if there is no joint commercialisation of the research and development, the parties must all have access to the final results of the joint research and development to carry out further research and development.
Strategic collaborations can also trigger anti-trust merger notification and clearance requirements, if the arrangements are more structural in nature (e.g., a vehicle is created to carry out the research and development). Depending on the structure, nature of the collaboration, identity of (and revenue generated by) the parties, and the geographies where it would have an effect, notifications may be required in the UK, and/or at either Member State or EU-level. In some cases, it may be that assuming de facto control of an entity or securing exclusive access to intellectual property rights is sufficient to trigger these obligations.
- Engage anti-trust analysis early. Engage anti-trust analysis early in the transaction structuring process to help mitigate potential transaction delays and to take into account the broad and extra-territorial effect of EU anti-trust rules (including in respect of agreements to co-develop IP).
Foreign direct investment
While U.S. companies will be familiar with CFIUS controls in respect of investments in U.S. technologies, European foreign direct investment laws are playing somewhat of a “catch up”. EU authorities have expressed concern about foreign direct investment and have encouraged national regulators to act to prevent a sell-off of strategic assets, across a range of activities including critical infrastructure (such as for electricity, water, health, transport or financial services) and in the technology sector, and the COVID-19 pandemic has amplified these concerns. As a result, there is increasing foreign direct investment regulation across many of the Member States of the EU and the UK also has its own proposal for a National Security and Investment law expected to come into force later in 2021 (for further details, see Covington’s Competition blog for various articles, including regarding the latest FDI developments in Germany and elsewhere in the EU, as well as the UK legislative proposals).
Foreign direct investment laws can have a significant impact on strategic and global technology transactions. Consequences of the application of these laws include:
- a “patchwork” of national laws creating complexity in navigating filing and screening requirements;
- often, acquiring a direct or indirect interest of 10% can be enough to trigger foreign direct investment rules;
- asset transactions, including collaborations and licensing, may be scrutinised depending upon local nexus tests;
- there are not necessarily any de-minimis exemptions from filing requirements; and
- deal timing can be affected by long standstill periods.
- Review and monitor foreign direct investment filing requirements. Check foreign direct investment requirements in key markets, including mandatory filing requirements. As foreign direct investment rules are evolving, keep them under review during the course of the transaction.
- Deal timeline to accommodate foreign direct investment filings. Planning for co-ordinating foreign direct investment filings early will assist in mitigating potential bottlenecks. This is particularly important now that EU Member States have implemented information sharing and coordination in respect of foreign investment reviews (although decision-making powers remain national).
Employee transfer risk
EU employment law provides certain protections for employees where there is a change in ownership in an employer or the service provision in respect of activities carried out by the employee. In essence, these rules provide a right, in certain circumstances, for an employee to transfer their employment and associated rights to a third party acquirer or service provider. For example, if an employee performs a function that is outsourced to a third party, even if the third party is outside of the EU, they may be able to transfer their employment to the outsourced provider.
A key factor in assessing the employee transfer risks is whether the relevant employees are dedicated to performing the activities to be transferred. If such activities are only incidental, then the risks will be relatively low; where employees are dedicated to such activities, the risks will be higher. Longer term strategic transactions can involve greater employee transfer risks (e.g., where employees are dedicated to achieving a particular strategic objective).
- Structure deal terms in light of employee transfer risk. Depending on the employee transfer risks, deal terms may need to include appropriate risk allocation terms and procedures to manage employee transfer risks.
Anti-corruption and anti-money laundering compliance risks
As we have recently highlighted, anti-corruption enforcement risk is increasing across Europe, as is cooperation among European and U.S. enforcement authorities. In addition to enforcement risks under anti-bribery laws, European anti-money laundering laws – which have recently been strengthened in various respects by the EU’s 6th Anti-Money Laundering Directive – create offences covering a broad range of dealings in the proceeds of crime, including merely acquiring or possessing property while knowing (or in some cases suspecting) that it was derived from criminal activity.
The increasing enforcement risk across Europe means that acquiring or engaging in a strategic partnership with a European counterpart can raise both domestic and U.S. enforcement risks. However, as the focus on anti-corruption enforcement is more recent in Europe than in the United States, in our experience European companies often have anti-corruption compliance programs that are less developed than those of U.S. companies. In many European countries, and particularly in the case of smaller companies, it is not uncommon for companies to have few or no anti-corruption compliance measures in place, which can both raise the corruption risk profile of a transaction and limit an investor’s ability to rely on compliance representations and warranties – particularly where they include knowledge qualifiers.
- Due diligence. Conduct compliance due diligence sufficient to assess the maturity of the target’s compliance program and its operational risk profile.
- Obtain appropriate warranties. Seek to limit knowledge qualifiers in backward-looking compliance representations, particularly in the case of companies that do not have meaningful compliance programs and are therefore less likely to be aware of violations. Build in remedies if problems are discovered later.
- Ongoing commitments. In the case of non-controlling investments and joint ventures, consider seeking forward-looking commitments to implement a robust compliance program.
 For example, there are EU-wide “database” rights that apply where the maker of a database is in the EEA, and there is a substantial investment in obtaining, verifying, or presenting the contents of the database. In the UK, it is also possible that copyright protection may apply to a database where the selection or arrangement of the database is the author’s intellectual creation.
 For example, there are EU/EEA-wide “trade secrets” rights that protect information which is secret, has commercial value because it is secret, and has been subject to reasonable steps for it to be kept secret.
 Personal data is defined broadly as any information that can identify an individual (including pseudonymous data). Note that personal data which has been “de-identified” in accordance with U.S. law requirements will not necessarily meet the requisite standard to be considered “anonymous” for EU or UK privacy law purposes.
 Under EU and UK privacy rules, any use of personal data requires a “lawful basis”, and it is crucial to assess whether there is a lawful basis to support the processing of personal data.
 The EU block exemption rules are complex, and these are non-exhaustive requirements.