Revolutionising M&A:  The role of AI in streamlining transactions

The recent rise of artificial intelligence (AI) has been an incredible asset for firms and clients alike – saving countless hours for attorneys and thousands of dollars for clients. However, while AI can be used in M&A transactions at various stages to potentially optimise processes, reduce costs, and improve the quality of decisions, it is vital to consider the potential ethical and legal concerns of using AI in view of ever-tightening data protection regulations.

This article provides an overview of how AI is used by attorneys in the North American and European Union (EU) markets, and addresses some legal and ethical considerations.

1. Use of AI in the Midwest

Market trends are pushing attorneys and the law firms where they work to (i) become more efficient, (ii) reduce costs, and (iii) accelerate the speed of handling transactions. To remain competitive and meet the above demands, the use of AI powered tools is becoming a non-negotiable in transactions; however, attorneys must tread a careful line to ensure their application of these tools meets the ethical guidelines set forth by the American Bar Association’s (ABA) Model Rules of Professional Conduct.

As one example, Model Rule 1.6 requires that a lawyer make reasonable efforts to prevent the inadvertent or unauthorised disclosure of, or unauthorised access to, information relating to the representation of a client. Attorneys should be wary about using free-of-cost AI platforms to digest any private protected information (health-related or not). Instead, lawyers should look for platforms that implement strict data residency measures for data storage, offer Security Assertion Markup Language (SAML) single sign-on (SSO), audit logs, and data storage tools that ensure uploaded data and content is safeguarded.

Once in the AI database, AI can assist in contract analysis and management. By using natural language processing, AI can review and compare contract terms, ensuring compliance and highlighting any deviations from standard terms that might pose risks. This capability is particularly valuable in large transactions involving numerous contracts. Nevertheless, human oversight and control must remain.

ABA Resolution 112 (passed in August 2019) urges courts and lawyers to address the emerging ethical and legal issues related to the usage of AI in the practice of law including:

i. Bias, explainability (the ability to explain how an AI system makes decisions, predictions, or recommendations), and transparency of automated decisions made by AI;

ii. Ethical and beneficial usage of AI; and

iii. Controls and oversight of AI and the vendors that provide AI.

Users of AI should be prepared to evaluate any legal analysis or research the AI platform has compiled for them prior to circulating material for a third-party review.

The use of AI technology has many practical applications, such as assisting in routine tasks like redline summaries of deal documents. A task that could easily take a young associate hours to handle with senior level oversight and verification can now be done in the course of seconds. This invaluable tool allows the senior attorney to focus on crafting responses to clients with background on the importance of the changes, if any, and strategic responses for the next level of negotiations.

Clients directly experience the benefits of using AI over staff time hours – increased efficiency leads to a quicker and more cost-effective work product, and overall deals can be accelerated since documents can be turned back in the course of hours or days as opposed to weeks.

2. AI regulations in the EU

While the rules of professional conduct across the EU member states set forth duties of confidentiality and conscientiousness which apply also to the use of AI by attorneys, the more general EU AI Regulation and General Data Protection Regulation (GDPR) and the European Convention on Human Rights (ECHR) also provide relevant sets of rules.

From a legal perspective, the GDPR is a regulation within the meaning of Article 288 (1) Treaty on the Functioning of the European Union (TFEU). As a regulation, it has general application, and thus is binding in all its parts and applies directly in every member state of the EU.

The purpose of the GDPR is to create a reasonable and effective regulatory framework for AI systems with a risk-based approach. Its scope of application is the regulation of AI systems primarily according to the risks that can arise from automation.

Companies and law firms must ensure that AI systems used for the evaluation or processing of sensitive information comply with EU data protection requirements found within the GDPR. Firms must guarantee that the processing of data only takes place if it occurs lawfully, under AI transparency (providing a clear understanding of how the AI system functions from the data it uses to the algorithms it employs), and with clear purpose. If GDPR requirements are not met, companies face severe penalties.

Although the provisions of GDPR do not apply to legal entities, in Austria, for example, the data of companies is protected by Austrian constitutional national law. However, this protection only covers data for which there is a legitimate interest in confidentiality. This protection is furthered by the ECHR. Restrictions on the right to confidentiality are only permitted in order to protect the overriding legitimate interests of another person.

Data must only be processed for specific, legitimate purposes and AI applications should not process data beyond the original scope or purpose. As AI is a more recent tool for M&A transactions, not much experience has accumulated yet. It is therefore necessary to individually address the issues (e.g. machine learning with client data).

A recent judgement by the European Court of Justice (ECJ) declared for the first time that previously unrestricted access to the beneficial ownership register to be unconstitutional. This ruling shows how strictly data and privacy protection under the ECHR are actually to be interpreted.

The GDPR applies to the processing of personal data in the EU, and, under certain conditions, also outside the EU, while the Austrian Data Protection Act only applies to the processing of personal data in Austria, with the GDPR taking precedence for EU-wide processing. Employees, customers and suppliers are therefore comprehensively protected by data protection regulations and their sensitive data must be handled with care.

Feeding personal data to AI tools can constitute a violation of personal rights and freedoms. Particularly noteworthy are the obligation to rectify and the right to erasure (Right to be Forgotten) pursuant to Article 17 of the GDPR. Individuals have the right to request that their data be deleted. Companies using AI must ensure that personal data is deleted or anonymised when requested, in line with the GDPR’s right to erasure. The question remains: can companies and law firms guarantee that personal data will be fully deleted when in reality AI tools are an inscrutable black box that function by collecting and storing information in order to learn from it?

Another practical example for the use of AI would be the red flag report during a due diligence check. Clients ask law firms to identify and sum up only the red flags in order to get an idea of the potential obstacles to acquiring a company while saving costs for additional billing hours. The crux of the matter is that law firms are still obligated (e.g. in Austria as a professional duty of conscientiousness) to analyse and check all given facts, data, and documents in order to be able to properly draw up outlines of those red flag risks.

This is where AI can be applied and perform a preliminary analysis to highlight any issues saving substantial (non-)billable hours of a junior lawyer's time. With the ability of AI to learn and compare documents in a matter of seconds, a mundane, time-consuming task is completed efficiently. A final check of facts by an attorney, however, is still necessary from a professional and liability point of view.

Conclusion

While AI has become a practical tool for the often tedious task of analysing data for companies when sensitive company data, including personal data, is involved, the use of AI introduces a range of potential data privacy and security challenges that must be managed at the legislative level as well as at the corporate management level. Using proper AI tools is one way to combat this problem but it is not the only solution. Integrating AI into a practice enables lawyers to provide more efficient, accurate, and strategic services to their M&A clients, ultimately leading to more successful transactions. However, AI is not a replacement tool for the human mind – all should tread with caution.

---

Dr Peter Wagesreiter, LL.M. (UPenn), read law at the University of Vienna and the University of Pennsylvania. He also completed a research stay at Harvard University and is admitted to the New York Bar. Dr Peter Wagesreiter's areas of expertise include Banking & Finance, Corporate Governance & Compliance, Data Protection, Corporate Law and M&A.

Anastassia Dambrouskaya joined Sandberg Phoenix in 2018 and is a shareholder in the firm’s Business practice group. She is a member of the firm’s Corporate industry team. Anastassia specialises in mergers, acquisitions, and dental service organisation transactions. She is skilled at representing sellers partnering with DSOs and has successfully closed nearly 350 deals.