For the first time in Italy, a court has affirmed that when a data controller changes, there is no need to acquire new consent from the participants of a research project involving the processing of sensitive data, should the research purposes not change.
Such an innovative principle is particularly relevant in the case of a merger and acquisition (M&A) deal involving a change of ownership of a database containing sensitive data such as a biobank (e.g. through an asset deal, a merger, etc.) since in such a case the buyer, as the new data controller, will not be required to obtain new consent from the individuals to whom the sensitive data refers, provided the buyer uses the database for the same scientific and statistical purposes directly linked to those originally communicated to the above mentioned individuals.
As we will further discuss in this contribution, this principle may have a material impact on the interests of the parties to a M&A deal and it would be consequently advisable to address it properly from a contractual standpoint in order to avoid the Data Protection Authority blocking the use of the acquired sensitive data-base requiring the buyer to obtain new consents for the use of such data, a requirement extremely time-consuming and expensive, and almost impossible to achieve in practical terms (e.g. in case of biobank containing genetic data relating to thousands of individuals).
The ruling at hand was issued by the Court of Cagliari (the Court) in the context of a litigation relating to the interim block imposed by the Italian Data Protection Authority to any processing of sensitive and genetics data contained in a biobank acquired in the context of an asset deal.
The petitioner was Tiziana Life Sciences PLC, an English biotechnology company focused on developing innovative treatments for cancers and autoimmune disease. Specifically, Tiziana Life Sciences bought a biorepository from Shar. DNA, an Italian company declared bankrupt in 2012. The biorepository includes 230,000 pieces of genetics data, and biological samples from 11,700 individuals from a small community located in Ogliastra, Sardinia. This community has been isolated from the rest of the world for years, developing a unique genetic homogeneity and providing data records that trace their genealogy back to 1600, and it has the second highest longevity in the world. For such unique characteristics, the biobank represents a sort of holy grail for scientific researchers in novel molecules that impact serious human diseases in the area of oncology and immunology.
However, following the acquisition of the biobank the Italian Data Protection Authority imposed an interim block to any further processing of data relating to the Shar. DNA’s biobank alleged violations of the Italian Data Protection legislation.
The Court reversed this decision and voided the Data Protection Authority’s provision. Specifically, the Court ascertained that there is no need to request consent any time the data controller changes but only if the purposes of the processes actually change. Making the obligation to get new consent dependent only on the formal circumstance of the data controller’s change may lead to contradictory consequences. In fact, it may be the case that, following a M&A transaction that does not entail a formal change of the data controller (e.g., a share deal), the buyer intends to change the purposes of sensitive data processing and, in such case, new consent would not be required.
Tiziana Life Sciences, as the new data controller, demonstrated that the processing it intended to perform on the sensitive data has the same aims as the first project, to which the interested subjects had originally consented. Therefore, in this circumstance, the Data Protection Authority, imposing on Tiziana Life Sciences a measure beyond the actual need to protect the interested subjects’ rights, had not properly balanced the parties’ interests.
3. Tips on how to address this matter in a M&A deal
In the case of an asset deal where the acquisition of a data base containing sensitive personal data such as a biobank is material for the buyer, it would be a priority for the buyer to protect itself from any risk that the Data Protection Authority may block the use of the data base or may apply fines for the use of the data base in breach of the data protection regulation post-closing.
In order to reduce risks related to this matter, we list below a few precautions and remedies that it would be advisable to adopt from a contractual standpoint in the light of the ruling of the Court of Cagliari:
In a M&A deal, the buyer is the party that usually has the main interest in the correct use and processing of sensitive data contained in a purchased biobank, although similar interests may arise for the seller should a portion of the purchase price be subject to the achievement of certain milestones in case of an earn-out structure. In such a case, a misuse of the sensitive data by the buyer in breach of the data protection regulation post-closing may impair the achievement of the earn-out by the seller (by way of example, the missed achievement of certain results of a clinical trial or research that entails the use of the biobank), and it would be advisable for the seller to spell out in the acquisition agreement detailed diligent requirements and activities to be carried out by the buyer with regard to the use and processing of the sensitive data and the biobank.
4. Final remarks
The principle stated in the Court of Cagliari’s ruling opens new perspectives for the valorization of biobanks and databases collecting personally sensitive data. In fact, should this principle not be amended by any appeal court, a prospective buyer would not need to get a new consent from the data subjects if it intends to keep the same purposes of the processing declared by the seller. This would allow an easier circulation of these databases and biobanks, that would also have positive effects on the enhancement of scientific research.