Norton Rose Fulbright - Data Protection Report blog

With the growth of the high-tech industry worldwide, it is no surprise that more and more transactions involve the transfer of rights to access or control data and derivative data. In our previous update we discussed protecting business data in a commercial context. In the M&A context, this valuable information is either the driving force of the deal or a significant area of risk requiring special consideration, from due diligence to the drafting of substantive provisions of a purchase agreement.

Due diligence concerns

As data has become a larger component of transactions and business, regulators have imposed requirements to address privacy concerns and protect the ownership of personal data. Non-compliance with these restrictions can result in significant unexpected costs in a transaction. At the outset, it is important to get a sense of the following in relation to data and derivative data in a prospective deal:

  • Get a sense of the amount of data under consideration.
  • Identify who owns the data, who has rights to access or use the data, and who might retain access or use of the data post-transaction. Data may have been generated by a vendor’s employee or contractor, or provided by a third party who might retain rights. Of course, it is critical to ensure the vendor actually has the right to sell or grant rights to the data in question.
    • If others have access or ownership rights, determine if exclusivity is required for the transaction or whether a lack thereof might affect valuation.
    • Review any contracts with relevant third parties to identify whether there are any data-specific change-of-control provisions or other third-party consents that may be required prior to closing.
    • If the vendor does not wholly own the data, determine whether the target data may have been co-mingled with other data, or otherwise modified from the original version.
    • Determine if the data bears any risk of infringing third-party IP rights or was obtained unlawfully, or whether any such claims have been brought in the past.
  • Determine if the data was derived from a separate, original dataset. If so, it is important to establish whether the data was generated in accordance with any contractual or statutory requirements.
    • Determine whether rights to the original dataset were properly obtained, and whether the creation of derivative data was permitted.
    • Consider whether the deal requires rights or ownership to the original dataset, or just to the derivative data.
    • Confirm whether there were any requirements to de-identify or aggregate the original dataset or to limit use to certain purposes and if so, whether those requirements were followed.
    • Keep in mind that the creation of derivative data may have created new IP rights as well. For a refresher on the application of IP law to data, refer to our first update in this series.
  • Determine whether any of the data is confidential or personally identifiable; this kind of information may be strictly regulated under legislation.
    • Confirm whether the vendor complied with any applicable regulatory requirements. In some cases, data must be properly de-identified or aggregated for anonymized use at scale.
    • Review the vendor’s security protocols for compliance with industry standards, as well as the vendor’s records for any data breaches connected to the dataset in question.
    • Make note of the vendor’s physical data storage location and any third-party facility ownership, as well as any related contracts. Data stored in certain countries may be accessible by government agencies under anti-terrorism legislation. Certain data must also be kept within Canada, unless additional steps are taken.
  • Ensure you will be able to access and use the data after closing. Determine if the dataset is in an open-source or proprietary format, and whether any additional software or licenses are required to access or use the data. Consider requiring the vendor to export the data in a more accessible format.
  • Consider whether you may need expert advice in the case of AI-generated data. Ownership and use can be particularly complex in these cases. For more information, we invite you to review our previous articles on this topic here and here.

Representations and warranties

The results of the due diligence process will inform the key representations and warranties of the deal. Many of the data-specific representations and warranties parallel aspects of due diligence. As such, consider including assurances as to the following:

  • rights of ownership, use and potentially exclusivity and/or licensing;
  • the proper generation of derivative data, including:
    • whether any aggregation or de-identification has been performed properly;
    • whether the data has been utilized according to any restrictions;
  • the vendor’s compliance with any particular data security protocols;
  • the format and accessibility of the data being sold;
  • any relevant insurance policies that may continue to apply;
  • non-infringement of third-party IP rights, and a lack of history thereof;
  • a lack of breach of confidentiality obligations; and
  • compliance with regulatory restrictions on personal data and maintenance of confidentiality.

Vendor counsel should look to include a disclaimer as to data being provided “as is” and/or “with all faults,” and seek to have the purchaser waive any implied warranty of merchantability, fitness, accuracy or completeness.


Data-specific provisions can and should extend to the indemnities section, where they can protect parties from some of the most dangerous and costly risks present in IP and/or data-centric transactions. Given the weight of this section, vendors and purchasers both have important vested interests and should come to an agreement on the following suggested items:

  • Actions by third parties alleging that the data infringes intellectual property rights.
  • Claims by third parties for breach of privacy or information security.
  • Customer complaints for lost or damaged data, particularly as a result of a transfer between firms.
  • If an exclusive license is granted, indemnification or other further assurance to allow pursuit or estoppel of other parties from utilizing the data if necessary or relevant.

Data in M&A transactions going forward

As more and more corporations engage with big data and the internet of things, the relevance of data and its derivative sets continues to spread beyond the tech sector and into everything from consumer goods to personal services. With every new transaction we encounter more novel ways in which data is collected and sold. Accordingly, we expect these kinds of considerations to be relevant in not only data-specific transactions but a majority of commercial deals in the future.

Experience in drafting agreements and negotiating these terms can help you better manage these new, blended transactions.

The authors wish to thank Sol Kauffman, articling student, for his help in preparing this publication.