Prosus Senior Advisory Counsel Marcin Czarnecki, CIPP/E, has his finger on the pulse of privacy programs for some of the most recognized digital brands in Europe. His work entails advising high-profile web brands within the portfolio of Prosus, a global technology investor.
Czarnecki is a member of the IAPP Publications Advisory Board and co-chairs Poland’s KnowledgeNet Chapter. Last year, he co-authored “Privacy in M&A transactions: The playbook” with Naspers/Prosus Global Head of Privacy Justin Weiss, CIPP/A, CIPP/E, CIPP/US, CIPM, FIP.
In this Member Spotlight, Czarnecki, based in Warsaw, Poland, spoke with IAPP Staff Writer Alex LaCasse to reflect on how he saw privacy regulations evolve throughout Europe prior to the implementation of the EU General Data Protection Regulation, his focus on privacy in the technology, media and telecommunications sectors, as well as mergers and acquisitions. He also discussed his work at Prosus, where he helps the firm’s clients develop their privacy programs and advises clients on privacy aspects of M&A transactions, integrations and divestments.
(Editor's note: This conversation has been edited for clarity and length.)
The Privacy Advisor: Let’s talk about your start in privacy: What interested you most about the field?
Czarnecki: My beginning with privacy was when I was working in private practice (about 10 years ago), and that was the time when nobody knew a lot about privacy. I was one of two team members dealing with new technologies. The topic was so interconnected, as a junior lawyer, I suddenly saw an agreement regarding privacy that landed on my desk, and that's how the journey started. Privacy already seemed so important but undervalued because the regulations weren’t comprehensive, and there was not enough enforcement action. Then, the discussions about the GDPR started, and the impact of the privacy regulations in Europe started to grow rapidly.
The Privacy Advisor: In the first part of your career, your law firm focused on M&As in the technology, media and telecommunications sector. What was it like to see the conversation around privacy evolve on somewhat of a business-by-business scale as privacy became more prioritized by EU policymakers?
Czarnecki: In the first transactions that I (handled), nobody ever asked about privacy or data protection. Then, privacy started to be one of the topics deliberately being asked about, and I was asking myself these same questions while working on other transactions just years later. Still though, because of the fact enforcement wasn't that huge at the time yet, it wasn't a key area of focus. It was rather an additional field that we always wanted to highlight, but then the significance of data and the fact that a lot of transactions started being driven by data made privacy impossible to disregard.
The Privacy Advisor: When did you notice your clients were beginning to prioritize their privacy programs more?
Czarnecki: So in M&A, acquiring businesses with huge databases of clients started to upscale the significance of privacy reviews and data privacy. That more or less correlates with what I remember when the GDPR emerged, at least from the perspective that 4% of a company's global turnover could be penalized; that was a turning point and when everybody suddenly started seeing privacy as something significant. Primarily, because of the possible risk of fines, for sure.
The Privacy Advisor: You came to Prosus in 2017, so each of its different properties must have been brought into the portfolio at varying stages of compliance with the GDPR. Was it a challenge for you to help clients attain compliance? In terms of M&As, was it difficult to align the privacy programs across merging companies?
Czarnecki: Whether companies are in similar stages of compliance or not, privacy programs can vary. I think it’s always a project to combine those. Sometimes it might be even easier to step in and (help) the company that doesn't have the specific elements of a privacy program because you can apply the solutions that you already have; sometimes combining various solutions might be a bigger challenge. So, I see it as part of the M&A journey. Frequently, M&A is looked at as a stage from when somebody decides to sell a business until the sale agreement is closed. But then a whole new journey starts with integration and that one is frequently much more interesting than the main part of the transaction for me.
The Privacy Advisor: In general, what are the core guiding principles a privacy professional who focuses on M&A work should keep in mind?
Czarnecki: We're finding that more and more in M&A, it's not only the fines themselves that are the main driver for focusing on privacy, but now companies also see privacy as a responsibility in how they see the targets, how they manage the data, how the data can or cannot be used after the transaction. So, in a nutshell, it’s not only the fines that are driving the privacy focus, but also making sure that privacy is treated appropriately and data is protected.
It's why I want to highlight the M&A Playbook I co-authored. I hope that it will help a lot of privacy professionals and M&A specialists in the market to understand the nature of privacy, the challenges of M&A and to better address privacy as part of that.