Global merger and acquisition activity broke records in 2018. And with technology and intellectual property continuing to be central to many of these deals, IP diligence is a critical component in every M&A transaction involving software or other technologies.

For disrupters and technology innovators, novel IP issues frequently surface during IP diligence, often long before courts and lawmakers have resolved ambiguities or gaps in IP laws presented by these technologies. The EU’s 2018 General Data Protection Regulation appears to have been only the first of many paradigm-shifting privacy laws. The California Consumer Privacy Act is next, while data rights and other novel IP issues will continue to impact the IP diligence process.

Developing Strategies

Forward-looking technology companies anticipating an acquisition or capital raise this year can avoid costly delays or negative impacts on their valuation by developing a strategy to address issues likely to arise during IP diligence.

In carrying out IP diligence, buyers typically seek detailed information and schedules of the IP rights and agreements within the scope of a transaction, and they want representations and warranties about the IP assets. Acquirers and investors engage counsel to evaluate the relevant IP portfolio; review licenses and other IP-related agreements; conduct independent searches to confirm chain of title; review privacy and data policies and practices; and negotiate IP-related covenants, representations and warranties.

Key to these technology deal negotiations is which party will bear the risks identified in the IP diligence process. Indemnities, “holdbacks,” liability caps and, in recent years, representation and warranty insurance have all been used to allocate these risks. In many instances, companies can minimize transaction risks by developing strategies to address issues that are likely to surface during the IP diligence process.

‘Proprietary’ Data

As companies continue leveraging their access to data to provide services and analytics, tech companies continue to mine aggregated data sets for new and innovative purposes. Companies typically place substantial value on their proprietary data, but investors may find that much of these data have limitations or contractual obligations that constrain the apparent value or may expose an acquirer to liabilities. Data-related IP diligence is increasing in importance, and there are a number of issues that should not be ignored.

While some jurisdictions like the EU have created sui generis database protections, in the U.S., data is generally only protectable as IP as a trade secret or as a compilation under copyright laws. Protecting data as a trade secret requires significant efforts to maintain the information’s secrecy, and sharing data without sufficient contractual restrictions on use or disclosure—or failing to police or enforce those restrictions—can jeopardize its trade secret status.

Although the underlying facts represented by raw data are generally not eligible for copyright protection, a dataset can be protected as a compilation if the dataset meets the required minimum level of originality. In either case, the proprietary nature of data derived from third-party sources and contractual limitations imposed on data use by their sources require careful review.

Privacy laws, including the GDPR and CCPA, often give consumers the right to require deletion of their protected personal information or opt out of its sale to third parties, further complicating whether companies own the IP rights for datasets that include protected information.

Protecting AI-Generated Works

Although artificial intelligence only recently made the leap from sci-fi to the real word, companies have rapidly adopted AI tools to improve business processes. The legal system, however, has not evolved as quickly, and protecting

IP rights for AI technologies presents challenges. Since the U.S. Supreme Court’s 2014 decision in Alice Corp. v. CLS Bank International, securing patent protection for software requires meeting strict requirements for eligibility formulated by the court. While some AI software inventions may meet these high standards, notable uncertainties remain about the patentability of software.

While the code powering AI software may be protected under U.S. copyright laws, that protection will not extend to the functionality of AI software tools, such as the algorithms that often make these AI tools valuable. The output of AI tools not generated by humans may be ineligible for copyright protection as well. Following a series of disputes over the copyright status of selfies taken by monkeys, the U.S. Copyright Office recently clarified that works of authorship “must be created by a human being” to be protected. These limitations make trade secret laws critical for protecting AI-generated works.

The WHOIS Blackout

While confirming ownership of domain names was previously a relatively straightforward part of the IP diligence process, changes driven by GDPR compliance have limited access to information that was once publicly available. For years, domain name registrars have been contractually obligated by the Internet Corporation for Assigned Names and Numbers to make registration details publicly available through WHOIS databases. But when the GDPR took effect, ICANN permitted registrars to comply with the GDPR by removing information from public WHOIS databases globally. This information blackout has extended beyond individual EU data subjects, and many registrars declined to separate GDPR-protected records from those not covered by the EU regulation, making records unavailable for domain names owned by legal entities and natural person registrants. Going forward, the burden will fall to sellers to produce documentation verifying domain name ownership.


Jonathan Gordon is a partner in Alston & Bird’s Technology & Privacy Group. Jesse Welsh-Keyser is an associate in the group.