Data privacy considerations in telecommunications M&A: do you know your risk?

Global M&A activity among telecommunications (telco) companies reflects the ongoing transformation impacting the sector in response to increasing competitive intensity, evolving consumer behaviors and disruption from so-called “over-the-top” (OTT) players, which deliver audio, video or other media over the internet without the involvement of a multiple system operator in the control or distribution of the content.

Within this context, M&A transactions (whether buyer or seller focused) among telco companies, irrespective of where the transaction occurs or what countries are impacted, will likely be subject to data privacy laws, requirements and obligations.

Efforts to update regulations regarding privacy and personal data protection are underway in several countries and regions, most notably the European Union (EU), which has introduced the General Data Protection Regulation (GDPR) package.

Compliance requirements for operators are in flux, particularly as regulators seek to strike a balance between consumer protection and national security needs. In this light, keeping pace with the different policy initiatives at a national and international level is more important than ever for operators.

In addition, telco companies face critical challenges around existing contracts with customers and third parties for the storage and delivery of information that in many cases may not be in accordance with the new EU legislation. In such cases, telco companies will need to closely examine the details and challenges within existing contractual arrangements (e.g., location of, and access to, the data) to further determine the degree of potential exposure and measures that may be required to mitigate a potential breach of the legislation.

EU General Data Protection Regulation

The EU, as the unofficial global leader in data privacy protection, recently approved the General Data Protection Regulation, which will generally impose stricter data privacy controls with respect to the personal data of EU citizens, effective May 2018. In general, the GDPR covers the following areas:

  • Penalties for breach of the new data protection rules: possible fine of up to the greater of €20 million or 4% of the global annual turnover
  • Principle of accountability: policies and procedures
  • Information technology (IT) and cybersecurity
  • Privacy impact assessments
  • Privacy by design and default
  • Mandatory data breach notification
  • Specifics on big data and profiling
  • Restrictions and requirements on exporting data outside Europe
  • Right to be forgotten and erasure of data

The GDPR will have far wider coverage than current EU data privacy law and, once it becomes effective in May 2018, will result in even fewer, if any, data privacy “free zones” remaining in the world.

Legal interception and data retention regulation

Legal interception (LI) and data retention (DR) are usually highly regulated in most countries. Mandatory processes and technical measures should be in place in order to deal with court warrants and law enforcement agency directives. Failure to be in compliance with the legal requirements could result in, depending on the country, significant fines; even the operator license could be at risk. In an M&A context, the buyer should be confident that the acquired company is free of risk with regard to the LI and DR topics. On the other hand, a telco operator that is not highly scrupulous in managing the secrecy of its own clients’ communications could face reputational damage due to improper management of the interception functionalities of their networks.

NIS directive

The Directive on Security of Network and Information Systems (NIS Directive) is closely linked to privacy regulation, especially around security incident management and coordination. Although the directive is still to be transposed into the national laws, telecommunication services will be identified as essential services and therefore under the scope of the directive.

Introduction to data privacy in telco sector M&A transactions

Most M&A transactions in the telco sector require parties to exchange at least some personally identifiable information or personal information (PI), whether it is the seller’s employees’ PI or its customers’ PI, and privacy / data protection and information security (data privacy) are now global issues regulated in most countries.

Addressing data privacy compliance is therefore important for most telco sector M&A transactions in most countries impacted by such transactions. Addressing data privacy at the early stage of an M&A transaction will allow sufficient time for any necessary remedial steps, in terms of both the transactions and the target’s compliance, without unduly delaying the transaction.

While data privacy concerns and compliance are often overlooked (at least until after the transaction has concluded), the new or significantly revamped data privacy environment of most countries will likely be brought into play by the transaction. In addition, the very real prospect of fines for breaches, possible breaches of directors’ duties, class or representative complaints, or legal actions (and the damages and compensation arising from such issues), along with a potential loss of reputation, places greater importance on data privacy compliance in terms of both the (i) transfer and collection of PI as part of the due diligence review or the transaction; and (ii) target’s compliance with the relevant data privacy laws in all relevant countries in which business is conducted.

What data privacy laws are applicable?

Before considering the general data privacy “dos and don’ts” and some country-specific data privacy issues, telco companies should remember that the data privacy laws of most countries usually cover and regulate the collection, use and disclosure of PI. In most jurisdictions, PI is usually defined to include any data or information (whether factor opinion) relating to an identified or reasonably identifiable individual. The contact information for an individual business contact at a seller’s customer are, for example, often considered PI together with the more obvious information held on individuals generally.

In many jurisdictions, sensitive information is a subset of PI and is defined as PI that relates or refers to an individual’s health, sexual orientation or practices, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, social security, tax file or national identity number, criminal record or genetic or biometric information and, occasionally, financial information, including account numbers and passwords (to name a few). In many jurisdictions, sensitive information is treated differently from general PI, often requiring consent to be collected, used or disclosed and attracting a higher level of obligations (e.g., around securing the information).

The collection and use of PI in most countries requires at least prior notice of (if not consent to) certain mandatory matters and, for sensitive information, often requires the unambiguous and informed prior consent of the relevant individual to the proposed collection, use or disclosure of such information (if allowed at all).

In addition, the transfer of PI outside of the relevant local country often requires that certain obligations must first be met by the transferee, and in many cases, the transferee will continue to have some responsibility (if not liability) for the PI it sends outside that country, including for the actions of the offshore recipient that, if conducted onshore by the transferee company, would have been a breach of that country’s data privacy laws.

Read the full report here.

EY Legal Services Contacts:


Fabrice Naftalski – Global Data Privacy Law Leader




Alec Christie – Asia Pacific Digital Law Leader & Telecommunications Partner



Richard Norbruis – Global Transaction Law Leader