Key words: How does GDPR affect D&O liability exposure? What is the impact on insuring M&A transactions?
Thailand does not have a single law governing data privacy and data protection. A Personal Data Protection Bill ("PDPB") is currently being considered by the Council of State after receiving Cabinet approval in May 2018.
GDPR will apply to Thai companies with operations in the EU, where personal data is processed in relation to the company's operations. Thai companies without an EU establishment will also be subject to GDPR if they process the personal data of EU nationals.
Although the PDPB, if enacted in its current form, would represent a significant improvement in Thai data privacy and protection, it is unlikely to achieve the same levels of protection and privacy as the GDPR.
If the PDPB becomes law, Thai companies will be required to ensure that their data processing, storage, use and protection systems and procedures comply with the PDPB. Thai companies may nevertheless also be required to comply with GDPR as a precondition to further business dealings with EU customers, suppliers and partners.
D&O Insurance issues
Thai law requires directors to act in the best interests of the company and not to cause the company to suffer harm. It also holds directors of Thai companies personally liable for damages if their acts are not within the scope of their authority. Companies and shareholders can pursue claims against directors for compensation for harm caused to the company.
Prosecution of breaches of GDPR and the PDPB could result in claims against directors and management for failing to ensure that the company had compliant systems, procedures and policies, where this failure is the cause of the harm suffered by the company. There is also the risk of such claims where business is lost as a result of a failure to comply with GDPR, even where there is no legal obligation to comply.
If a company is fined under GDPR, the resulting financial burden will increase the pressure on the company's directors and management to explain the breaches and address the financial consequences of the fines with their shareholders. Directors and management would then be at greater risk of claims by the company and shareholders arising out of harm suffered by the company as a result of such breaches. Although companies can hire IT and security professionals and delegate implementation and compliance to such employees, this does not reduce or exclude the responsibility of directors and management to their shareholders for breaches.
If the PDPB is enacted as currently drafted, it is likely to lead to a higher level of investigation of data protection, resulting from a greater awareness of personal data privacy and the consequences of a breach of the PDPB. This will increase the pressure on directors and management to ensure that they have implemented policies and procedures to ensure compliance with the PDPB and to deal effectively, promptly and appropriately with breaches.
Many companies rely on D&O policies to protect their directors and management from such claims and to fund the defence of claims and prosecutions. GDPR and the PDPB may prompt a greater interest in D&O insurance in Thailand. A critical factor will be the first wave of prosecutions and convictions and the way in which D&O policies respond, particularly the extent to which D&O policies will cover the costs of defending criminal prosecutions, regulatory investigation and criminal sanctions against directors and management.
An equally important issue is the extent to which D&O policies will respond to the less direct consequences of a breach or a failure to implement compliant procedures and policies, such as loss of reputation. Directors and management should also consider the extent to which they can be held accountable for losses and harm suffered by the company for such indirect consequences and the extent to which D&O Cover will respond on their behalf.
This may require companies to thoroughly and carefully review all their insurance cover and to ensure that existing cover addresses any potential liabilities and claims, or that additional cover is obtained. A failure to do so may create a separate potential liability for directors and management.
Companies will need to assess the need for cyber risk insurance or to ensure that an existing cyber risk policy is updated and provides cover commensurate with the increased compliance requirements and consequences of a breach. It may also be necessary to consider the extent to which D&O and cyber risk policies interact and where neither policy may provide insurance cover for certain types of claims. In view of the increasing role and importance of the internet in business and the rise of blockchain systems, this interaction may be a key and ever more critical aspect of coverage disputes.
The impact of GDPR, PDPB on M&A transactions
The implementation of GDPR and the PDPB will increase the regulatory and compliance issues which the parties must address in an M&A transaction. When coupled with the increasing volume and level of detail of the data exchanged in M&A transactions, this presents both challenges and opportunities for insurers.
Although neither the GDPR nor the PDPB has any direct impact on the contents or operation of an NDA, their impact should be addressed in its terms and scope. Companies and their directors and management will need to assess the extent to which the disclosure of the data falls within the permitted categories under GDPR and/or the PDPB and how to deal appropriately with data which fall outside these permitted categories for disclosure.
This is likely to make due diligence ("DD") a more time-consuming and complex task and could result in further potential liability for directors and management. Directors and management will be accountable to the company and shareholders for the consequences if the transaction does not proceed because the disclosure is seen by the counterparty/counterparties as inadequate, or if the disclosure breaches GDPR and/or the PDPB and results in a fine or criminal prosecution and/or an end to the transaction.
Negotiating the Sale and Purchase Agreement ("SPA")
The impact of the GDPR and PDPB should also be considered in the context of negotiating the terms of the SPA. Buyers should consider the extent to which the purchase price should reflect breaches of GDPR and/or PDPB and whether the purchase price should be divided into instalments to mitigate the risk of fines and penalties imposed after completion arising from a pre-completion breach of GDPR and/or PDPB by the target company. Responsibility for assessing this will ultimately fall to the directors and management of the buyer(s).
The directors and management of the target bear responsibility for ensuring that only data which meet the tests of legitimate interest and/or give effect to a contract are disclosed. The time to obtain consent, where necessary, and the consequences of a refusal must be factored into the transaction timeline. The timing of the disclosure in the transaction is also a key factor and consideration should be given to disclosing data as late in the process as possible.
For DD after the SPA is signed, the target company should ensure that it can demonstrate to the buyer that it complies with GDPR and/or PDPB. The target company should also be prepared to disclose details of its data protection procedures and protocols, including potentially details of cyber risk insurance. Buyers will need to undertake their own investigations into compliance with GDPR and/or PDPB by the target and satisfy themselves as to the level of compliance by the target.
Companies will need to ensure that they have appropriate insurance to deal with resulting claims by shareholders, primarily against the directors and management. A key issue will be the extent to which D&O policies respond to such claims and whether insurers will provide new forms of cover to address this potential liability exposure.
Representations and warranties
Negotiating representations and warranties will now need to address compliance with GDPR and/or the PDPB.
Buyers should require representations and warranties by the target in relation to compliance with GDPR and/or PDPB and address any identified and/or disclosed shortcomings of the data processing, protection and transmission systems and procedures of the target. Any requirement for suitable and appropriate rectification as a condition precedent to completion should be set out as clearly as possible in the SPA.
Indemnities by the target of the buyers to rectify any deficiencies in GDPR and/or PDPB compliance or breaches of GDPR and/or PDPB and in respect of fines and penalties must also be assessed carefully.
This may make warranty and indemnity insurance ("W&I Insurance") more attractive and provide a level of comfort and protection. Although W&I Insurance has not been as widely accepted or used in transactions in Thailand, the impact of the consequences of a breach of a representation or warranty in relation to GDPR and/or PDPB compliance may prompt a greater interest.
The requirements of the insurer, including its assessment of the transaction and the risks of a breach of the representations and warranties, will need to be accommodated. This additional layer of scrutiny may no longer be seen as unwelcome by Thai companies and may moderate their reluctance to consider W&I Insurance.
The availability and cost of W&I Insurance may have an effect on the nature and extent of the representations and warranties. Insurers offering W&I Insurance should consider the extent to which W&I Insurance is available, excluded or restricted for representations and warranties in relation to GDPR and/or the PDPB, particularly in relation to breaches known to the target and/or disclosed in the DD.