A US-based PE firm acquires a UK software company. The UK company has EU customer data in its Salesforce instance. The integration plan calls for migrating all data to the US company’s Azure environment.
Problem: The EU customer data cannot be transferred to the US without a valid transfer mechanism. Standard Contractual Clauses (SCCs) take 3-6 months to implement properly. Binding Corporate Rules take 12-18 months to get approved.
The deal model had 90-day synergy capture. The actual timeline for data migration compliance is 180 days minimum.
This is the data sovereignty problem in cross-border M&A. It affects every acquisition where the target or the acquirer holds personal data of residents of the EU, the UK, or other regulated regions.
The Transfer Mechanisms That Actually Work in M&A
Standard Contractual Clauses (SCCs)
SCCs are the most commonly used transfer mechanism in cross-border M&A. They require:
- A data transfer agreement between the exporter (data controller or processor in the originating country) and the importer (data controller or processor in the destination country)
- A Transfer Impact Assessment (TIA) for transfers to countries without an adequacy decision (the US)
- Documentation that the SCCs provide essentially equivalent protection to EU law
In an M&A context: If the acquirer is US-based and the target has EU personal data, SCCs need to be in place with every SaaS application and cloud provider that processes EU personal data before the data can be moved to a US-based system.
Timeline to implement: 60-90 days for a well-prepared team. 120-180 days for a team that discovers the issue post-close.
UK International Data Transfer Agreements (IDTA)
Post-Brexit, the UK has its own transfer mechanisms. The IDTA replaces the EU SCCs for UK-to-EU transfers and for transfers from the UK to countries without an adequacy arrangement.
For cross-border M&A involving UK entities: the IDTA is required for any transfer of UK personal data to countries outside the UK.
Adequacy Decisions
The EU and UK have adequacy decisions covering each other’s data protection frameworks. This means EU-to-UK and UK-to-EU transfers do not require SCCs — they can happen freely.
US adequacy decision: The EU’s adequacy decision for the US (EU-US Data Privacy Framework) was adopted in July 2023. US companies that self-certify under the DPF can receive EU personal data without SCCs. This simplifies cross-border M&A between the EU and US — but only for companies that have certified.
Binding Corporate Rules (BCRs)
BCRs are the most comprehensive transfer mechanism but also the most complex and slowest to get approved (12-18 months typically). They are only relevant for large multinational enterprises doing frequent intra-group transfers.
In an M&A context: BCRs are not a practical option for a typical cross-border acquisition. By the time BCRs are approved, the integration is already complete.
The Data Sovereignty Discovery Checklist
For every cross-border M&A deal:
Step 1: Data Mapping
- Identify all personal data processed by the target company
- Identify the geographic location of the data subjects (EU? UK? Switzerland? Other?)
- Identify the geographic location of the data stores (where is the data actually held?)
Step 2: Transfer Path
- If personal data will be transferred to a new system (the acquirer’s environment), what is the transfer path?
- Does the transfer involve a country without an adequacy decision?
- If yes, what transfer mechanism will cover it?
Step 3: Vendor Compliance
- Every SaaS vendor and cloud provider that processes EU personal data needs a DPA with SCCs (or adequacy)
- Check the vendor’s current DPAs and transfer mechanisms
- Flag vendors that don’t have adequate transfer mechanisms in place
Step 4: Integration Timeline Adjustment
- If SCCs need to be negotiated with vendors, add 60-90 days to the integration timeline
- If the target’s Salesforce org has EU personal data and needs SCCs with Salesforce, the migration of that data cannot happen until SCCs are in place
The Consequences of Getting This Wrong
GDPR Article 58 violations: fines of up to 2% of global annual revenue for violations of Article 46 (transfer provisions).
The UK ICO has the power to issue fines up to £17.5M or 4% of global annual revenue, whichever is higher.
The practical consequence: After a cross-border acquisition where data sovereignty was not addressed in the integration plan, the acquirer inherits liability for the target’s GDPR violations — including violations that occurred before the acquisition.
ACQI’s SaaS discovery module identifies which SaaS applications are processing personal data and their geographic data flows. This is the data sovereignty discovery output that the legal and compliance teams need.