Insight,

Share purchase agreements: Lessons for Sellers

Triumph Controls UK Limited & others v Primus International Holding Company & others [2019]

This case covers the typical arguments which arise in SPA disputes in circumstances where a target does not perform as well as expected.  In March 2019, the UK's High Court handed down its judgment on, amongst others, three key areas which corporate lawyers, buyers and sellers should be mindful of, being:

(1) notification of warranty claims;

(2) fair disclosure; and 

(3) forward looking projections. 

The High Court's ruling provides the following important takeaways:

  • sellers need to be mindful of the standard test of disclosure set by UK case law in order to ensure that sufficient detail is included in any disclosure to be considered "fair".  Whilst disclosing the contents of a virtual data room is a generally acceptable approach in a UK transaction, it is best practice to append the data room index to the disclosure letter and provide the buyer with a USB/CD containing the data room documents.  To seek to avoid uncertainty around "fair disclosure", the data room should be properly structured, with key sections specifically referred to within the disclosure letter.

  • both buyers and sellers (alongside their lawyers) each need to be careful when drafting and negotiating share purchase agreements and disclosure letters.  Whilst a seller in most cases is not required to warrant the accuracy of forward-looking projections, there is still danger in warranting any type of future projection or performance.  

  • If projections are provided and a buyer wants comfort as to the standard of care applied when forward-looking projections have been prepared, a seller could accept the wording "careful enquiry with management"; or alternatively a warranty could have been qualified by a specific accounting standard.  

This case helpfully outlines to sellers what careful preparation of such projections could involve in order to meet the requisite standard.  By way of example, in this instance, taking into account key operational and financial assumptions, the building of buffer stock, reducing arrears, increases in costs and delays were all noted as important when modelling forward-looking projections (albeit this is not an exhaustive list and will of course be dependent on the facts). 

Facts

Triumph Controls UK Limited, a multinational aerospace and defence manufacturer (the claimant) ("Triumph"), bought the entire issued share capital of three subsidiaries specialising in the manufacturing of composite components for the aerospace industry (the "Targets") from Primus International Holding Company & others, a multinational manufacturer of complex aircraft components (the defendant) ("Primus") pursuant to the terms of a share purchase agreement dated 27 March 2013 ("SPA"). 

The value in the Targets was derived from their future profitability, which was partly dependent on the transfer of operations from the UK to Thailand.  Due to delays in such transfers and the UK subsidiary losing its "NADCAP" industry accreditation, the Targets suffered a significant shortfall in revenue resulting in Triumph bringing a claim for damages of approximately $63.5m against Primus in which a number of warranty breaches were alleged. 

Judgment

Valid notice of warranty claims

The SPA contained standard language obligating Triumph to notify Primus of any claim for breach of warranty, in this instance, within 18 months of completion of the acquisition.  The SPA required Triumph to provide unambiguous notice with sufficient details to enable Primus to investigate the claim and make financial provision for such claim.  Primus argued that valid notification of the alleged breaches of warranties had not been provided under the terms of the SPA as Triumph had included additional and/or different complaints when launching legal proceedings to those allegations contained in the notification.  Primus believed that such additional and/or different claims could not form part of Triumph's claim.  

However, the High Court felt otherwise.  It found that a summary of the claims contained in the notification, whilst not amounting to full particulars of a claim (as required in formal legal proceedings), did make Primus aware of the substance of the claims being made. 

Triumph also claimed that Primus had failed to provide adequate notice of the breaches of warranty at closing, breaching the notice clause of the SPA, which meant the liability cap for breach of the SPA was $63m rather than the $15m cap for claims.  Triumph argued that notice of a breach of warranty was an "other obligation", not a breach of warranty.  In this instance, the High Court agreed with Triumph as this would defeat the purpose of the $15m cap for claims. 

Fair disclosure against warranties 

Triumph argued that the documents disclosed by Primus, and subsequently referred to in the disclosure letter, did not clearly disclose the true and full extent of the operational situation of the Targets.  Eurocopy v Teesdale [1992] and Infiniteland v Artisan [2005] set the UK precedent in respect of disclosure whereby a claim for breach of warranty cannot be brought by a buyer if it knew about the breach when entering into the transaction, although Infiniteland meant it may be possible to modify the contract. 

The High Court ruled in favour of Primus, finding that they had clearly and fairly disclosed the significant delivery and quality issues with the Targets to Triumph, and as such were not liable for this particular warranty claim. 

Forward looking projections

Triumph argued a number of breaches of warranties, including that the forward-looking projections relating to the Targets were not "honestly and carefully prepared".  Triumph failed to establish any other breach of warranty.  The projections did not take various matters into account including the loss of the NADCAP accreditation, the significantly reduced rate of both the transfer of work to Thailand and production in Thailand.  Primus argued that whilst they had prepared the projections honestly and carefully and based the projections on due and careful enquiry, they had not warranted to their accuracy. 

Whilst "carefully prepared" was not a defined term in the SPA nor a recognised accounting term, the High Court found, taking an objective approach based on what a professional in that field would consider reasonable, that the projections should have included various adjustments which would illustrate the potential delay in profitability for the Targets.  This included, for example, challenges relating to training and delays and more importantly, the recent operational difficulties the subsidiaries had experienced.  

Consequently, the High Court held that the projections had not been carefully prepared.  Primus were ordered to pay the difference between the price Triumph paid and the price it would have paid had the projections been properly adjusted (subject to a contractual cap on liability of $15m).


LATEST THINKING
Insight
This article was written by Mark Schaub and Atticus Zhao

08 November 2021

Publication
The growth of the digital economy has led governments around the world to seek to regulate cybersecurity and privacy of individuals. The digital economy has eroded national boundaries, accentuated possible risks to infrastructure and allows for personal information to be collected on a scale undreamt of and to be used in ways few understand. China's authorities tackled cybersecurity with the PRC Cybersecurity Law (Cybersecurity Law) which came into effect on 1 June 2017. This law also touched upon privacy concerns and marked that regulating of the digital economy and cyberspace was a serious objective. On 1 September 2021, China Data Security Law came effect. The focus of this law is the protection and security of critical data in relation to national security and the public interest. China's new Personal Information Protection Law (PIPL) which comes into effect on 1st November 2021 deals in a much more comprehensive manner with individual data. The Cybersecurity Law, the Data Security Law, PIPL and a plethora of other regulations need to be considered as a whole when international companies operate in or with China. However, as we explain in this article PIPL will likely cause much more concern for international businesses as 1) it is coming soon; 2) it applies much more broadly; 3) it establishes very legitimate rights for individuals vis a vis their personal data but such rights will need to be reflected in business processes; 4) the penalties have real teeth; and 5) one can expect very active enforcement due to a mix of motivated regulators and concerned individuals being empowered to take action. In this article we seek to provide an overview as to how PIPL will hold companies accountable and also what measures we believe need to be taken.

15 September 2021

Insight
The growth of the digital economy has led governments around the world to seek to regulate cybersecurity and privacy of individuals. The digital economy has eroded national boundaries, accentuated possible risks to infrastructure and allows for personal information to be collected on a scale undreamt of and to be used in ways few understand. China's authorities tackled cybersecurity with the PRC Cybersecurity Law (Cybersecurity Law) which came into effect on 1 June 2017. This law also touched upon privacy concerns and marked that regulating of the digital economy and cyberspace was a serious objective. On 1 September 2021, China Data Security Law came effect. The focus of this law is the protection and security of critical data in relation to national security and the public interest. China's new Personal Information Protection Law (PIPL) which comes into effect on 1st November 2021 deals in a much more comprehensive manner with individual data. The Cybersecurity Law, the Data Security Law, PIPL and a plethora of other regulations need to be considered as a whole when international companies operate in or with China. However, as we explain in this article PIPL will likely cause much more concern for international businesses as 1) it is coming soon; 2) it applies much more broadly; 3) it establishes very legitimate rights for individuals vis a vis their personal data but such rights will need to be reflected in business processes; 4) the penalties have real teeth; and 5) one can expect very active enforcement due to a mix of motivated regulators and concerned individuals being empowered to take action. In this article we seek to provide an overview as to how PIPL will hold companies accountable and also what measures we believe need to be taken. What You Need to Know 1. The Big Issues Time is of the Essence - On 1 November 2021, China's new Personal Information Protection Law (PIPL) comes into effect. Companies will therefore only have 2 months to analyze and comply with the new regime. Who is in Charge of Enforcing PIPL? Will it be Enforced? The key regulator in charge of PIPL and its roll out is the Cyberspace Administration of China (CAC – also known as the State Internet Information Department). CAC which was only established in 2014 has been increasingly active in setting and enforcing PRC government policy in respect of data and cybersecurity. CAC has been very active in cracking down on tech companies that fail to follow data security regulations and often teaming up with SAMR (China's competition watchdog). In addition to having a proactive and hands-on regulator in charge, PIPL implementation will also be buoyed by self-regulation on the part of China's big tech that wishes at all costs to avoid the ire of CAC (in particular consumer facing e-comm and sharing economy companies). It is worth noting that (Article 58) PIPL singles out the important internet platforms for several obligations including an obligation to stop providing services to products or service providers that are in serious breach. To ensure such gatekeepers have sound internal compliance system, the PIPL requires important internet platforms establish independent agency mainly composed of external members to supervise personal information protection. However, perhaps the biggest issue for consumer facing companies is that the PIPL gives the right for the user to seek redress before the court if a data handler refuses to comply with a legitimate request. The power of the Chinese consumer should not be underestimated. In recent years, there are already cases brought by Chinese consumers before courts due to the services or products providers' harming of consumers' personal data. Chinese consumers are very keen to draw attention to corporate misbehavior to the courts, media or authorities. Price of Non-Compliance is High – The PIPL has real teeth –serious breaches can result in fines of up to RMB 50 million or revenue confiscation of up to 5% of annual revenue and in most serious cases your business operations could be suspended or your company closed down. If your business relies upon APPs then such APPs may be taken down or suspended from digital platforms. 2. What does PIPL Change? The main changes made by PIPL are: Individuals will have more rights over the use of their data – including right to access, correct, restrict or have their data deleted. In addition, where consent is used as the legal basis for collecting and using personal data, individuals will have the right to withdraw their consent at any time. The bar for obtaining valid consent is set very high under PIPL (similar to current GDPR standard) as consent has to be informed, freely given (i.e. completely voluntary with no coercion) and explicit (i.e. the individual has to take an affirmative action to indicate their consent). . Data sharing/transfer – individuals will be provided far more detail as to who has access to their information, what they are doing with the data and which other parties are gaining access to such data. Management Systems & Controls – Western companies that have grappled with GDPR roll out will be familiar with the requirements for putting privacy management systems in place. Companies will need to put systems in place to protect personal information in their custody. Data localization – PIPL builds on the data localization requirements set out under the Cybersecurity Law for operators of critical information infrastructure (CIIO) and further requires personal data involving a large number of data subjects as specified by CAC to be located onshore and requires approvals to transfer offshore. 3. Questions to Consider Question 1: Will PIPL Effect My Company? If you are doing business in or with China then it is highly likely to be yes. It is also clear that the timeline to bring your businesses into compliance is ambitious. Despite the 1st November 2021 deadline it is likely that work will be needed for many months thereafter. Even in Europe with its 2 year transition deadline (not 2 months as for PIPL) few companies are likely to be fully compliant with their GDPR obligations – it may not even be possible. However, if your China business is already GDPR compliant then some adjustment would be required but most of the heavy lifting would already have been done. If no personal data management is in place in your China operations then a lot more work awaits. In our opinion the companies that are most likely to be scrutinized under PIPL are: China's tech giants – these are companies that manage and access enormous amounts of personal data. Recent events show that the Chinese authorities are keen to ensure these companies manage personal data responsibly. Foreign Companies Reliant on China's Tech Giant – if you are reliant on the tech giants (i.e. ecomm sales; SaaS; gaming) then expect the tech giants to be the gate keepers – your non-compliance will be their non-compliance. And they really do not want to be non-compliant so vigorous vetting is expected. This may be an unexpected issue for foreign companies that have been operating offshore beyond the application of Chinese regulations. PIPL applies extraterritorially. Consumer Facing Companies – China's consumers are increasingly active in holding companies to account. The growth in social media, use of internet and consumer protection laws means consumer complaints and lawsuits is an increasingly expensive and risky aspect of doing business in China for consumer brands. Foreign companies Handling Mass Personal Data – if you have a sizeable China consumer facing business you may well face barriers to transfer personal data overseas. This may affect companies such as brands that analyze consumer information overseas for their loyalty programs or the like. Foreign companies Handling Sensitive Personal Data – even if you are not dealing with mass levels of data you will face additional requirements if you are dealing with sensitive personal information. This could impact 1) education – if you are collecting personal information of minors under age of 14; 2) healthcare – if you are collecting or transferring health data or biometric data; 3) fintech – if you deal with financial data; 4) location tracking – this may be the one that leads to the most unforeseen problems as it could be problematic for many tech companies that rely on geo-mapping ranging from digital marketing; mapping; autonomous cars; ride hailing apps etc. Using Biometric Personal Data – in addition a sensitive area is if you use or collect facial recognition, fingerprints, voiceprints or other biometric data from consumers or employees. This is a sensitive area for the government and individuals alike. As more and more APPs rely on biometrics it will be important to ensure individuals have a choice how to authenticate who they are and also how the collected data will be used. Question 2: Will Chinese individuals have greater rights over their data? Will I need to change IT systems to accommodate? Is this fair? Yes. PIPL will greatly enhance the rights of Chinese individuals over their personal information. These rights include the right to know and make decisions relating to their personal information; right to restrict or prohibit processing of their personal information; right to have copies of their personal information; right to the portability of their personal information; right to correct and delete their personal information; right to request organizations handling their personal data to explain their processing rules and right to withdraw consent. In addition, Chinese consumers will be better protected from potential manipulation by big tech information pushing and digital marketing. In particular, consumers will have the right to refuse decisions being made automatically by algorithms based on collected data. In addition, personal information handlers will not be able to use data mining to differentiate offers between consumers (i.e. mostly charging different prices). What does this mean for companies dealing with personal information from/in China? IT systems will need to be able to do the following: Where Consent is relied upon, obtain Informed and On-going Consent: handlers will need to inform consumers about who will be handling their data, purposes and methods, and their rights. In addition, specific consent will be required for sensitive personal information (i.e. including information such as on biometric identifiers, religious faith, medical data, financial status, and location tracking, as well as the personal information of minors under the age of 14) and for images (i.e. facial recognition, CCTV etc.). These requirements will give individuals greater control how their personal data is or is not used. It will also make it more difficult for covert data-mining being used for targeted marketing. Handlers dealing with sensitive personal information (most commonly this will be biometric data) will likely need pop up windows to ensure that explicit consent can be clearly shown. Companies will need to have privacy policies in place with individuals. Make it convenient to withdraw consent: many have found that it is easy to click "OK" but challenging to find a way to say "Not OK" or "no longer OK". PIPL requires handlers to make it convenient and easy to let users withdraw consent. In addition, the handler cannot punish such a user by refusing to provide products or services unless the data was necessary to their provision. The Ministry of Industry and Information Technology (MIIT) has been very active in taking action in this respect against APPs. This is to stop covert data mining as APPs require access to personal information or microphone which is not relevant to their product or service. Treat data sets differently: systems will need to differentiate between individuals that wish to exclude automated decision-making algorithms and those who find it convenient or do not care. Also IT systems will need to make it convenient for individuals to opt out of such algorithm based decision making (i.e. not just to use of their data). As PIPL requires information to only be used as required it may be wise to ensure systems have data segregation or masking options – this will allow personal information only to be viewed by those that need to. Manage Data for Individuals:– Systems should facilitate access by individuals, allow for editing or deletion of personal information and provide copies upon request. Also as data should generally only be retained for the shortest time necessary the IT system should automatically delete data once the declared purpose has been achieved. There is precedent for this in that China's E-commerce Law (Article 24) grants users the right to deregister and delete their accounts and all information held by e-commerce operators, and also request copies of their personal information. Allows for Data Portability: Individuals will be allowed to obtain, reuse and move their personal data for their own purposes. Transfers of data will need to comply with CAC requirements. Question 3: Do I Really Need to Put Anything Real in Place? Companies that Handle Personal Data will need to Build a Privacy Management System PIPL will require companies to do more than just theoretically comply with the law. PIPL does place an obligation on personal information handlers to put controls in place to avoid data leaks or hacks including: • Internal security management systems and operating procedures; • Implement categorical management of personal information; • Use technical security measures such as encryption and de-identification; • Determine reasonable operational authority for people handling personal information, periodic security education and training for relevant employees; • Formulate and organize implementation of emergency plans for personal information security incidents; • Regular security audits. Personal information handlers will also need to make considered assessments of their personal information protection measures and make a record of how the data was handled when 1) handling sensitive personal information; 2) when using personal information for automated decision-making; 3) entrusting personal information to third parties or disclosing personal information; 4) providing personal information abroad; or 5) other personal information handling activities that will have a major impact on individuals' rights and interests. In addition, companies handling personal information that meets the threshold that is to be specified by CAC will need to designate a person in charge of personal information (Article 52). Companies await with great interest what threshold CAC will specify with guesses ranging from 100,000 data sets or people (based on mobile date regulations) to 1,000,000 based on this being the CAC's requirement that would trigger a cybersecurity review of a Chinese centric company seeking an overseas listing. If your company is based overseas then you will need to find a designated representative or establish an organization within China – this may be a WFOE, rep office or other trusted individual. This is similar to the requirement for overseas cosmetics companies appointing a local representative. This has been a headache for those who do not have on the ground Chinese operations. Given the potential liability under PIPL it is difficult to imagine that law firms or accounting firms will be lining up to act in this regard. Companies will need to consider how they deal with Employee Data Most of the focus by Western companies will be on how to deal with consumer personal data (and in some cases suppliers or partners). The other group which will very likely affect every foreign invested enterprise (FIE) in China is how to deal with employee personal data. The main challenges in respect for employee data will be as follows: Data exports – many FIEs will collect sensitive personal data from their China based employees (e.g. HR and payroll data such as name, address, email address, salary, nationality, ethnicity, gender, etc.) and then transfer such data overseas. It will be necessary to obtain explicit consents from employees and follow the cross-border transfer requirements.

15 September 2021