New Consent for Processing Sensitive Data Not Needed After Change of Data Controller : Data Protection Thoughts and M&A Tips

By Luca Gambini and Elisa Stefanini

1. Introduction

For the first time in Italy, a court has affirmed that when a data controller changes, there is no need to acquire new consent from the participants of a research project involving the processing of sensitive data, should the research purposes not change.

Such an innovative principle is particularly relevant in the case of a merger and acquisition (M&A) deal involving a change of ownership of a database containing sensitive data such as a biobank (e.g. through an asset deal, a merger, etc.) since in such a case the buyer, as the new data controller, will not be required to obtain new consent from the individuals to whom the sensitive data refers, provided the buyer uses the database for the same scientific and statistical purposes directly linked to those originally communicated to the above mentioned individuals.

As we will further discuss in this contribution, this principle may have a material impact on the interests of the parties to a M&A deal and it would be consequently advisable to address it properly from a contractual standpoint in order to avoid the Data Protection Authority blocking the use of the acquired sensitive data-base requiring the buyer to obtain new consents for the use of such data, a requirement extremely time-consuming and expensive, and almost impossible to achieve in practical terms (e.g. in case of biobank containing genetic data relating to thousands of individuals).

2. Background

The ruling at hand was issued by the Court of Cagliari (the Court) in the context of a litigation relating to the interim block imposed by the Italian Data Protection Authority to any processing of sensitive and genetics data contained in a biobank acquired in the context of an asset deal.

The petitioner was Tiziana Life Sciences PLC, an English biotechnology company focused on developing innovative treatments for cancers and autoimmune disease. Specifically, Tiziana Life Sciences bought a biorepository from Shar. DNA, an Italian company declared bankrupt in 2012. The biorepository includes 230,000 pieces of genetics data, and biological samples from 11,700 individuals from a small community located in Ogliastra, Sardinia. This community has been isolated from the rest of the world for years, developing a unique genetic homogeneity and providing data records that trace their genealogy back to 1600, and it has the second highest longevity in the world. For such unique characteristics, the biobank represents a sort of holy grail for scientific researchers in novel molecules that impact serious human diseases in the area of oncology and immunology.

However, following the acquisition of the biobank the Italian Data Protection Authority imposed an interim block to any further processing of data relating to the Shar. DNA’s biobank alleged violations of the Italian Data Protection legislation.

The Court reversed this decision and voided the Data Protection Authority’s provision. Specifically, the Court ascertained that there is no need to request consent any time the data controller changes but only if the purposes of the processes actually change. Making the obligation to get new consent dependent only on the formal circumstance of the data controller’s change may lead to contradictory consequences. In fact, it may be the case that, following a M&A transaction that does not entail a formal change of the data controller (e.g., a share deal), the buyer intends to change the purposes of sensitive data processing and, in such case, new consent would not be required.

Tiziana Life Sciences, as the new data controller, demonstrated that the processing it intended to perform on the sensitive data has the same aims as the first project, to which the interested subjects had originally consented. Therefore, in this circumstance, the Data Protection Authority, imposing on Tiziana Life Sciences a measure beyond the actual need to protect the interested subjects’ rights, had not properly balanced the parties’ interests.

3. Tips on how to address this matter in a M&A deal

In the case of an asset deal where the acquisition of a data base containing sensitive personal data such as a biobank is material for the buyer, it would be a priority for the buyer to protect itself from any risk that the Data Protection Authority may block the use of the data base or may apply fines for the use of the data base in breach of the data protection regulation post-closing.

In order to reduce risks related to this matter, we list below a few precautions and remedies that it would be advisable to adopt from a contractual standpoint in the light of the ruling of the Court of Cagliari:

• to clarify in the recitals of the acquisition agreement that the buyer’s main driver to acquire the seller’s going concern is the acquisition of the biobank which represents a material part of the going concern without which the buyer would have not acquired it; if the Data Protection Authority blocks the use of the data base before closing because the target company has used the sensitive data for scientific purposes other than those relating to purpose for which the original consents have been obtained, the above mentioned recital to the agreement would provide grounds to affirm that the block of the data base is an event having a material adverse effect on the business, results of operations, assets, or the condition of the target company’s acquired going concern, triggering the MAE closing condition and providing the buyer with the right to walk away and not to close the transaction;

• to add a specific R&W according to which the seller(s) warrants that “(i) the Target Company holds and processes the Sensitive Data in compliance with the applicable Data Protection Regulation and the Target Company is the only Data Controller of the Sensitive Data in compliance with the applicable Data Protection Regulation; (ii) the Target Company is not using the Sensitive Data for purposes other than those indicated in the Disclosure Schedule and communicated to the individuals to which the Sensitive Data belongs to; (iii) no event has occurred which allows revocation or termination thereof or otherwise result in any other impairment on the rights of the Target Company as data controller to hold and process the Sensitive Data or the Biobank; (iv) the Seller(s) or the Target Company have not received any warning letters, notices of adverse findings, or similar documents that assert a lack of compliance with any applicable regulatory requirements that have not been fully resolved in all material respects to the satisfaction of the Data Protection Authority with respect to the Business or the Biobank, and there is no pending or threatened material regulatory or enforcement Action of any sort against the Seller(s) or any Target Company, relating to the Biobank (vi) none of the Seller(s) nor the Target Company (in each case, in respect of the Business), nor any of their respective Representatives, has taken any action with respect to the Business or the Biobank which would cause the Target Company with respect to the Biobank to be in violation of the applicable Data Protection Regulation”; an extensive R&W of this kind is even more important in case of acquisition of a biobank considering that it is unlikely that the buyer with its consultants would be able or intend to verify the collection of all the consents of the individuals whose genetic data are contained in the purchased data base in compliance with the data protection regulation and the continuous use of the biobank in compliance with the data protection law for the same scientific purposes directly linked to those originally communicated to the interested subjects; in case of a data base such as a biobank containing thousands of pieces genetic data, the due diligence activities on this matter would most likely be partial since it would be carried out on a sample-basis and/or by reviewing the standard form of the consent letter, interviewing the management and selected officers, etc., leaving room for a certain degree of uncertainty;

• to bring down the R&Ws as closing conditions so that in case of a material breach of the R&W relating to the data protection compliance of the processing and use of the sensitive data and the biobank, the Buyer would have the right to walk away;

• to add an interim “conduct of the business” covenant according to which the seller(s) and the target company shall not process and use the sensitive data for scientific and statistic purposes other than those indicated in the Disclosure Schedule.

In a M&A deal, the buyer is the party that usually has the main interest in the correct use and processing of sensitive data contained in a purchased biobank, although similar interests may arise for the seller should a portion of the purchase price be subject to the achievement of certain milestones in case of an earn-out structure. In such a case, a misuse of the sensitive data by the buyer in breach of the data protection regulation post-closing may impair the achievement of the earn-out by the seller (by way of example, the missed achievement of certain results of a clinical trial or research that entails the use of the biobank), and it would be advisable for the seller to spell out in the acquisition agreement detailed diligent requirements and activities to be carried out by the buyer with regard to the use and processing of the sensitive data and the biobank.

4. Final remarks

The principle stated in the Court of Cagliari’s ruling opens new perspectives for the valorization of biobanks and databases collecting personally sensitive data. In fact, should this principle not be amended by any appeal court, a prospective buyer would not need to get a new consent from the data subjects if it intends to keep the same purposes of the processing declared by the seller. This would allow an easier circulation of these databases and biobanks, that would also have positive effects on the enhancement of scientific research.