Skip to main content

LUP Student Papers

LUND UNIVERSITY LIBRARIES

GDPR och due diligence – personuppgifternas räddare i nöden eller bolagens väg till döden? – En utredning med särskilt fokus på utvecklingen av artificiell intelligens

Sabogal Roldan, Andrea LU (2020) JURM02 20201
Department of Law
Faculty of Law
Abstract (Swedish)
Antalet företagsförvärv har ökat markant på den svenska marknaden de senaste åren. Med anledning av att företagsförvärv är förknippade med stora risker kan det leda till tvister parterna emellan. Det är därför av vikt att en due diligence görs för att kunna avgöra riskfördelningen när det gäller särskilda förutsättningar som är av betydelse för rättsförhållandet mellan det köpande och säljande bolaget. En väsentlig del av due diligence-förfarandet består av att hantera och bearbeta olika typer av dokument där personuppgifter är vanligt förekommande. Det har således varit av relevans att se till Dataskyddsförordningens (GDPR) reglering och hur denna påverkar due diligence-förfarandet. I kontexten hör till att artificiell intelligens (AI)... (More)
Antalet företagsförvärv har ökat markant på den svenska marknaden de senaste åren. Med anledning av att företagsförvärv är förknippade med stora risker kan det leda till tvister parterna emellan. Det är därför av vikt att en due diligence görs för att kunna avgöra riskfördelningen när det gäller särskilda förutsättningar som är av betydelse för rättsförhållandet mellan det köpande och säljande bolaget. En väsentlig del av due diligence-förfarandet består av att hantera och bearbeta olika typer av dokument där personuppgifter är vanligt förekommande. Det har således varit av relevans att se till Dataskyddsförordningens (GDPR) reglering och hur denna påverkar due diligence-förfarandet. I kontexten hör till att artificiell intelligens (AI) börjat etableras allt mer på affärsjuridiska byråer i Sverige. Det innebär att mycket av arbetet i en due diligence som tidigare gjorts av juniora jurister istället ersätts av AI-system. Situationen innebär både möjligheter och risker, därav bör fenomenet AI beaktas vid analysen av GDPR:s påverkan vid en due diligence.
GDPR innebär ökade krav på personuppgiftbehandling hos bolag och en rättslig grund krävs för att en personuppgiftsbehandling ska vara laglig. Utöver en rättslig grund krävs även att de kumulativa principerna i artikel 5 GDPR följs. Det har vidare visat sig vara flertalet artiklar i GDPR som aktualiseras vid en due diligence, däribland har artikel 6.1 a vilken behandlar samtycke diskuterats. Artikel 6. 1 f GDPR där en intresseavvägning av omständigheterna i det enskilda fallet ska göras torde emellertid vara mest relevant vid en due diligence. Därtill har vidtagande av lämpliga tekniska och organisatoriska säkerhetsåtgärder även förefallit vara av relevans. I de fall due diligence-förfarandet skulle ersättas av ett AI-system har det konstaterats att flertalet av reglerna i GDPR omfattas, trots att de inte nämns i artiklarnas ordalydelser. Det har vidare framgått att regleringen i GDPR utformats för att kunna möta den tekniska utvecklingen och därmed omfatta en potentiell utveckling av begreppet AI. Tack vare omfattningen och kraven på rättslig grund, uppgiftsminimeringsprincipen och övriga relevanta rättsliga ramar fångas flera av riskerna och utmaningarna som förknippas med personuppgiftsbehandling även i en due diligence trots att den görs genom algoritmer ett AI-system. Det kan följaktligen konstateras att GDPR påverkar informationshanteringen vid en due diligence. Användandet av AI väcker emellertid spörsmål som inte bara är etiska utan problematiska ur juridiskt hänseende. Det går inte heller att konkretisera specifik reglering som aktualiseras som standard, utan utfallet av valet av reglering beror på varje enskilt fall varför bolagen noga bör analysera GDPR inför ett företagsförvärv, i annat fall kan det leda till stora finansiella konsekvenser. (Less)
Abstract
In recent years the amount of corporate acquisitions has increased significantly on the Swedish market. Due to the fact that corporate acquisitions are associated with risks, conflicts between the parties can arise. Due diligence must hence be conducted in order to determine the distribution of risks regarding the legal relationship between the buying and selling company. An essential part of the due diligence consists of processing various documents where personal data commonly is found. It has thus been relevant to investigate the GDPR and its influence on the due diligence procedure. Furthermore, AI is becoming established in business law firms in Sweden. The associates work tasks are therefore being replaced by AI which results in both... (More)
In recent years the amount of corporate acquisitions has increased significantly on the Swedish market. Due to the fact that corporate acquisitions are associated with risks, conflicts between the parties can arise. Due diligence must hence be conducted in order to determine the distribution of risks regarding the legal relationship between the buying and selling company. An essential part of the due diligence consists of processing various documents where personal data commonly is found. It has thus been relevant to investigate the GDPR and its influence on the due diligence procedure. Furthermore, AI is becoming established in business law firms in Sweden. The associates work tasks are therefore being replaced by AI which results in both opportunities and risks. The phenomenon of AI should hence be taken into account when analyzing GDPR’s impact on due diligence.

GDPR implicates increased requirements for personal data processing at companies and a legal basis is required for a processing to be lawful. In addition to a legal basis, the cumulative principles of Article 5 GDPR are also required. Furthermore, several articles in the GDPR are relevant when analyzing a due diligence. This includes Article 6 (1) (a) which enacts consent. However, Article 6 (1) (f) GDPR, where a balance of interests is to be made of the circumstances, is of higher interest in this context. In addition, the adoption of appropriate technical and organizational security measures also appeared to be of relevance. In cases where the due diligence procedure would be replaced by an AI system, it has been found that most of the rules in the GDPR are covered, although they are not mentioned in the wording of the articles.

It has furthermore been stated that the regulation in GDPR is designed to meet the technical developments and thus include a potential development of the concept of AI. Attributing to the scope and requirements of legal basis, the data minimization principle and other relevant legal frameworks, several of the challenges and risks associated with personal data processing are mitigated, even in a due diligence despite it being performed through algorithms in an AI-system.

Consequently, it can be noted that GDPR affects the data process in a due diligence. However, the use of AI raises issues that are not only ethical but legal in nature. It is not possible to specify regulations that are updated by default since the outcome of the choice of regulation depends on each individual case. Therefore, companies should carefully analyze GDPR prior to a corporate acquisition. Otherwise it can lead to major financial consequences. (Less)
Please use this url to cite or link to this publication:
author
Sabogal Roldan, Andrea LU
supervisor
organization
course
JURM02 20201
year
type
H3 - Professional qualifications (4 Years - )
subject
keywords
GDPR, Due diligence, Artificiell intelligens
language
Swedish
id
9010992
date added to LUP
2020-06-18 10:10:30
date last changed
2020-06-18 10:10:30
@misc{9010992,
  abstract     = {{In recent years the amount of corporate acquisitions has increased significantly on the Swedish market. Due to the fact that corporate acquisitions are associated with risks, conflicts between the parties can arise. Due diligence must hence be conducted in order to determine the distribution of risks regarding the legal relationship between the buying and selling company. An essential part of the due diligence consists of processing various documents where personal data commonly is found. It has thus been relevant to investigate the GDPR and its influence on the due diligence procedure. Furthermore, AI is becoming established in business law firms in Sweden. The associates work tasks are therefore being replaced by AI which results in both opportunities and risks. The phenomenon of AI should hence be taken into account when analyzing GDPR’s impact on due diligence.

GDPR implicates increased requirements for personal data processing at companies and a legal basis is required for a processing to be lawful. In addition to a legal basis, the cumulative principles of Article 5 GDPR are also required. Furthermore, several articles in the GDPR are relevant when analyzing a due diligence. This includes Article 6 (1) (a) which enacts consent. However, Article 6 (1) (f) GDPR, where a balance of interests is to be made of the circumstances, is of higher interest in this context. In addition, the adoption of appropriate technical and organizational security measures also appeared to be of relevance. In cases where the due diligence procedure would be replaced by an AI system, it has been found that most of the rules in the GDPR are covered, although they are not mentioned in the wording of the articles. 

It has furthermore been stated that the regulation in GDPR is designed to meet the technical developments and thus include a potential development of the concept of AI. Attributing to the scope and requirements of legal basis, the data minimization principle and other relevant legal frameworks, several of the challenges and risks associated with personal data processing are mitigated, even in a due diligence despite it being performed through algorithms in an AI-system.

Consequently, it can be noted that GDPR affects the data process in a due diligence. However, the use of AI raises issues that are not only ethical but legal in nature. It is not possible to specify regulations that are updated by default since the outcome of the choice of regulation depends on each individual case. Therefore, companies should carefully analyze GDPR prior to a corporate acquisition. Otherwise it can lead to major financial consequences.}},
  author       = {{Sabogal Roldan, Andrea}},
  language     = {{swe}},
  note         = {{Student Paper}},
  title        = {{GDPR och due diligence – personuppgifternas räddare i nöden eller bolagens väg till döden? – En utredning med särskilt fokus på utvecklingen av artificiell intelligens}},
  year         = {{2020}},
}