Yes to Privacy, No to Exits

 

A new directive by the Privacy Protection Authority may lay a deathblow on exits, mainly by companies selling to consumers

 

The New Directive

Most data held by commercial companies with respect to their customers is subject to the Israeli Privacy Law. Such statute focuses on the duty to register data bases with the Data Bases Registrar.

Recently, the Privacy Protection Authority published a draft of a directive regarding the transfer of such data bases in the framework of mergers and acquisitions of companies. The principle guiding the PDA is that the customers (and not the company holding the data bases) are the owners of the data in the data bases.

Allegedly, the draft sets the following rule: upon the sale of the company, the requirement shall be only notice to the customers in the data base. However, the draft further states that in the event that the transfer of the data as part of the company’s sale is to a company of different character or the objective of the data’s use changes due to the sale, the positive consent of the customers shall be due. One of the examples of cases where consent shall be required is sale to a foreign entity. Practically, this is a very broad exception to the rule.

The Issue – Privacy v. Exits

Companies selling to customers usually hold data bases that are important to their business. The consent requirement may wreck sale transaction thereby. First, obtaining consents from most customers may be impossible, since those receiving the consent request will delete or disregard it, their interest therein being limited.  Secondly, as part of the procedure for the sale of a company, usually it is impossible to publicly notify of the transaction prior to its closing; such disclosure may cause the acquiring and selling companies grave damages.

Therefore, at least with respect to technology companies referring to consumers, which are often directed to sale to foreign entities, the directive may be a disaster. Note that as it is such companies are deprived in Israel, for example with respect to their financing opportunities. It also worth mentioning the place of the Hitech industry in Israel’s economy and its dependency on exists.

Further, the scope of the directive’s application is not clear. For example, will it also apply in cases where the company is acquired without changing the legal entity holding the data base?

In addition, the derivative seems to be based on the duty of report changes in the data base registered details, including the holder thereof. The PDA interprets a technical authority thereof to impose on the selling and acquiring entities a duty to obtain consents from all customers in the data base. That may have major implications. Thus, such matter should be subject to formal regulation promulgation procedures, not just as a directive.

 

What do you think of in this tension between the right to privacy and the interest to have exits? How would you resolve this issue?

 

Hebrew version published with News1 today