The Importance of Data
Companies are increasingly using modern analysis technologies and learning systems, both internally in their own companies and externally in consumer products. The information technologies used produce data and sometimes data is exchanged between different systems. For some companies, such as Google or Facebook, data is an essential part of the business model. This has created a data economy, i.e. a market for data, with the result that the value of data is increasing.
As an example, the importance of data in online marketing is worth pointing out: In contrast to analogue advertising in newspapers or on television, advertising on the internet is tailored to the viewer. The tailoring is based on data collected about the viewer’s surfing behavior. If, for example, the viewer on the Internet has once taken an interest in a certain product and has made corresponding search queries or page visits, corresponding advertisements will “follow” him.
This is technically realized with the help of cookies. Cookies are small text files that are stored locally on the viewer’s PC. By means of these, the viewer can be recognized on his journey on the Internet. Another possibility to recognize the viewer on the net is the so-called “Digital Fingerprinting”. Here the system configuration of the viewer is read out (e.g. browser, browser settings, operating system).
In this way, it is possible to find out when the viewer has called up a certain website, which sub-pages he has viewed, how long he has stayed on the individual pages and which other website he has subsequently called up. In this way a user profile can be created from which the interests of the viewer can be derived. The aim is the so-called targeting, i.e. the targeted addressing of the viewer in online marketing to maximize sales success.
Types of Data
Data can appear in different forms. For the purpose of this paper, three different types are to be distinguished in a simplified way:
Raw data includes all data resulting from counts or measurements, e.g. temperature measured by a sensor. But also personnel data and customer data are to be classified as raw data.
Information results from the use or processing of raw data. For example, measuring the temperature in a living space can be used to determine whether a person is inside. At temperatures below 10 degrees Celsius, there is a high probability that there is no person in the room, because otherwise the heating would have been switched on.
In addition to raw data and information, there are also so-called digital goods. These are particularly high-quality, refined data. Examples are software and eBooks.
Legal Protection of Data
In legal terms, data is protected in a variety of ways. The data protection law for example, which is anchored in the EU General Data Protection Regulation and the Federal Data Protection Act, must be observed. The scope of application of the data protection law is only opened up when personal data are available. Personal data is all information relating to an identified or identifiable natural person. Data protection law does not introduce data ownership, but it does specify the circumstances under which personal data may be processed.
Copyright law is particularly relevant to digital goods. Copyright law protects personal intellectual creations, such as linguistic works. Linguistic works include computer programs, since they are sequences of instructions written in a computer language. A special type of personal intellectual creation are so-called collective works. The personal intellectual creation consists of the selection or arrangement of the individual elements. Collective works also include database works, i.e. a systematic or methodical arrangement of various elements that can be accessed with the help of electronic means or by other means. Database works must be distinguished from databases. Databases are not personal intellectual creations, because, for instance, the level of creation is lacking. Nevertheless, the database is protected by copyright law because the database creator has made an investment to develop the database. Examples of a database are ratings for dentists published on a website or a collection of weather data.
Data that is not covered by copyright may constitute know-how. Know-how is protected in particular if it is a trade secret in the sense of the Trade Secret Act. A trade secret presupposes, among other things, that a certain piece of information, which is of economic value, is not generally known and is subject to appropriate secrecy measures. If a trade secret exists, the owner may assert claims for injunctive relief and damages against infringers.
Data enjoy further protection, for example under the criminal law according to sec. 202 et seq. of the German Criminal Code (StGB) and, if applicable, under contract law, provided the data is subject of an agreement under the law of obligations.
Consequences for M&A Transactions
In the due diligence it should be checked which data is stored by the company and according to which law it is protected. This is the only way to assess whether there are any risks associated with the data.
If personal data are present, the question arises whether the processing is lawful. If this is not the case, there is a risk of significant fines. It is therefore advisable to request the data processing list of the target company during the due diligence, including all other documentation relevant to data protection.
If the target company possesses copyright-protected data, it should be examined whether the company is either entitled to the comprehensive rights like an owner or whether corresponding license agreements have been concluded
Finally, the due diligence should verify whether the target company possesses know-how. If so, the question arises whether it is protected by the Trade Secret Act. If, for example, there is a lack of appropriate confidentiality measures, there is a risk that effective action cannot be taken against third parties who have spied on the know-how.
What must be taken into account in the company acquisition agreement?
When drafting the company acquisition agreement, a distinction must be made between share deal and asset deal: In a share deal, the shares in the target company are transferred to the purchaser. Therefore there is no direct transfer of the data. In order to secure the existence of the data, the purchaser should insist on appropriate guarantees in the share purchase agreement. In particular, a guarantee on existing intellectual property as well as on data and data protection is recommended. In case of findings in the course of the due diligence, indemnifications can also be considered.
In an asset deal, the individual assets of the target company are transferred to the purchaser. A distinction must be made: If personal data is involved, it can possibly not be transferred to the acquirer without further ado, as any transfer constitutes processing within the meaning of the EU General Data Protection Regulation and must therefore comply with the statutory provisions.
If the data is protected by copyright (e.g. software), a transfer is excluded because copyright is not transferable. However, under certain circumstances, a right of use granted to the target company by the creator may be transferred. This requires, however, that the creator has given his consent to the transfer of the right of use. An exception is provided for in section 34 para. 3 of the German Copyright Act only in the event of the total or partial sale of a company. In this case, the right of use can be transferred without the consent of the creator. However, the creator is entitled to a right of recall if the exercise of the right of use by the purchaser cannot be reasonably expected of him in good faith. In case of doubt, it is therefore advisable to obtain the creator’s consent.
If the data to be transferred are raw data or information, the question of transferability under property law arises. Whether data can be transferred like a physical object is not clear. In practice, this is solved by the auxiliary granting of exclusive rights of use in conjunction with protection measures and confidentiality agreements. In addition, guarantees and indemnifications in the company acquisition agreement should be considered.