Australian FlagThe previous decade saw the expansion of data privacy laws in Australia and throughout the globe in terms of their application, enforceability and scope, as well as the protections made available to individuals through primary legislation.[1] As we enter a new decade, we are beginning to see the evolution of privacy and data as a multi-regulatory compliance issue, as data protection issues start to permeate additional legal frameworks. Data privacy and protection is no longer confined to issues between a business and its customer, with a privacy regulator, such as the Office of the Australian Information Commissioner, overseeing this relationship in light of applicable laws. Instead, data privacy and protection is becoming increasingly relevant in previously unconsidered aspects of a business’ operational cycle. This article examines this trend by considering data privacy and protection developments within Australian takeovers and foreign acquisitions law.

Foreign Acquisitions Regulation

The acquisition of businesses and companies in Australia by foreign persons is regulated by the Foreign Acquisitions and Takeovers Act 1975 (Cth) (the FATA). Under the FATA, the Treasurer has the power to block foreign investment proposals that are contrary to Australia’s national interest. To this end, the acquisition of companies and businesses that hold data with national security implications has always been a focus of the Foreign Investment Review Board (FIRB, the body responsible for administering the FATA). However, this focus is expanding, with FIRB indicating changes to the treatment of foreign investment that will result in access to Australian personal data.

This new regulatory approach was highlighted by FIRB’s Chairman, David Irvine, who stated that – “the protection of sensitive data is becoming the issue du jour, and not just sensitive national security data”, in a speech to the Australia China Business Council in Sydney in August 2019. Mr. Irvine would go on further to note that –  “the development of data-security conditions – conditions on the foreign investor to protect data – continues to be a key area of focus for [FIRB]”.

While FIRB has not officially updated its regulatory approach, the Treasurer’s broad powers under the FATA to impose conditions on acquisitions which may otherwise be contrary to the national interests means there is little limitation on what conditions may be imposed. Acting within this scope, FIRB (as noted by law-firms across Australia) has recently began to impose data privacy conditions upon proposed foreign acquisitions including:

  • restrictions on storing data offshore;
  • restrictions on foreign and overseas access to Australian data by upstream investors and personnel;
  • requirements that foreign acquirers have applicable data protection certifications and safeguards in place;
  • requirements that foreign acquirers provide FIRB access to data upon request;
  • the imposition of record keeping requirements with respect to offshore access to data; and
  • the imposition of governance and physical access restrictions to support the undertakings set out above

Given it is not FIRB’s preference to prohibit foreign acquisitions where possible, we do not consider this new focus is likely to present a bar to foreign investment. However, FIRB’s data-conscious approach is likely to require a shift in focus for foreign-acquirers. Foreign companies and individuals looking to invest in Australia will need to ensure that their data protection systems are consistent with Australian best practice standards and may need to be prepared to keep data-processing operations within Australia. Meeting these conditions may result in additional costs and could lead to the promotion of domestic acquisitions if foreign acquirers are deterred by Australian-focussed data protection standards which may not align with the data protection standards of a particular foreign-acquirer or international data protection standards generally.

We consider FIRB’s new focus will require foreign-purchasers and their advisors to review investment outcomes, transaction timetables and due-diligence protocols. In this vein, foreign-purchasers targeting an Australian business holding substantial amounts of potentially sensitive data, will need to conduct additional due diligence on both the target and its own data protection practices to ensure it is in a position to comply with any condition imposed by FIRB. Additionally, foreign-purchasers will need to be aware of additional scrutiny their applications may face as data-protection issues are considered by FIRB, along with potential delays in response times.

Takeovers Regulation

In Australian takeovers law, the Competition and Consumer Act 2010 (Cth) (the CCA) prohibits mergers or acquisitions that would have the effect, or be likely to have the effect, of substantially lessening competition in a market. Recently, the Australian Competition and Consumer Commission (the ACCC, the regulatory body responsible for administering the CCA) recommended legislative amendments to include new factors it must consider when evaluating whether a merger or acquisitions will be prohibited under the CCA. These proposed new merger factors related directly to data and technology considerations, which arose as a new focus for the ACCC after its in-depth review of digital platforms within the Australian market.

Following a direction from the Australian Government for the ACCC to consider the impact of online search engines, social media and digital content aggregators (referred to as ‘digital platforms’), the ACCC published a report into its Digital Platforms Inquiry in June 2019 (the Report). Among other things, the Report examined the intersection of competition, consumer protection and data privacy regulation. Ultimately finding that competitive digital markets that require participants to comply with robust privacy standards, coupled with laws, which give actual powers to consumers, are more likely to establish a healthy ecosystem of digital services that will increase the privacy standards of digital platforms as they compete for data-conscious users.

For context, in reaching this conclusion, the Report undertook a detail analysis of Facebook, Google and other digital platforms’ market power, concluding that these digital giants’ position and influence within the market effectively insulated them from competition. The ACCC identified the acquisition of potential competitors by dominant firms and the economy of scope created via the control of data sets as two factors that can contribute to an uncompetitive digital market, as is currently seen with Facebook and Google.

These findings culminated in an official recommendation to amend Australian merger law, set out below:

                Recommendation 1: Changes to merge law

                That section 50(3) of the CCA be amended to incorporate the following additional merger factors:

(j)         the likelihood that the acquisition would result in the removal from the market of a potential competitor; and

(k)        the nature and significance of assets, including data and technology, being acquired directly or through the body corporate

Given the ACCC’s focus on digital platform giants like Facebook and Google, and their use of data to drive advertising revenue and consumer engagement in an ever-increasing cyclical flow, this recommendation appears to target inter-sectoral acquisitions of data rich entities. In short, this recommendation suggests that the ACCC considers the acquisition of a business by another where the two are not normally in competition should still be prohibited where the acquisition of data could lead to a substantial lessening of competition if sufficiently exploited by the acquirer. This recommendation, if implemented, would put data at the forefront of Australian merger law’s focus and broaden the scope of mergers and acquisitions in Australia that may be subject to ACCC review or prohibition.

However, the Australian Government released its response to the Report on 12 December 2019, leaving the majority of the ACCC’s recommendations unaddressed, including the recommendation set out above. While the Government has committed to further monitoring and reporting on competition in digital markets, the development of voluntary codes of conduct and intends to increase penalties and empower consumers in the privacy space, there are no current plans to amend Australian merger laws to implement the changes set out above.

While there are no imminent changes to law, we consider the ACCC’s stance on this issue remains relevant. Despite the fact that the factors the ACCC can take into account under section 50(3) remain unchanged, the ACCC’s focus on data may lead to data and privacy issues being highlighted by the ACCC within the current legislative merger framework. There is scope for the ACCC to apply more scrutiny to takeover proposals in data rich targets by considering how data, and the acquisition of data, may interact with current  merger factors such as barriers to entry, the likelihood of substantial profit or price increases and the nature and extent of vertical integration in a market. Accordingly, potential bidders will need to be cognisant of the ACCC’s new focus and consider addressing data-acquisition issues within the scope of notifications to the ACCC in connection with acquisitions of data-rich entities.

This evolution in regulatory focus from FIRB and the ACCC signifies an expanding awareness of data protection and individual privacy as a key area of concern for Australian regulators. Businesses and entities investing in Australia will need to ensure that they stay abreast of data protection and privacy issues within their own organisation and any target they are looking to acquire. If your company needs advice in connection with an acquisition or takeover in Australia with respect to data protection and privacy, please do not hesitate to contact us.

[1] See the Australian Privacy Act 1988, overhauled in 2014, the European General Data Protection Regulation, implemented in 2018, and the California Consumer Privacy Act, which commenced 1 January 2020.