By Marco Tena
Let’s imagine the following hypothetical case. A U.S. company, A, a leader in legal technology solutions, wants to expand its presence in Latin America and is interested in acquiring a Mexican company, B, which has developed artificial intelligence-based software that generates and reviews contracts. A begins its due diligence procedures, auditing B’s labor agreements and registration with the Mexican Social Security Institute, requesting a list of private properties it owns along with the respective deeds, and reviewing B’s tax records, permits and any past and current lawsuits or administrative proceedings, among others. In addition, A reviews all licenses and patents related to B’s software, confirming that such intellectual property is properly protected and complies with local intellectual property laws.
A few years ago, by following these steps, A’s due diligence for the acquisition of B would have been complete. Today, however, considering how artificial intelligence (AI) has not only transformed industries, but also added complexity to corporate transactions, A’s due diligence is far from complete. In Mexico today, as in other markets, it is essential that companies update their strategies and contracts to address the risks and benefits associated with generative AI. This article explores the critical considerations for M&A transactions in Mexico with respect to companies that incorporate AI into their processes and products.
Since large data sets are the basis of AI-based software, it is essential to identify data sources and handling protocols. Data management must comply with Mexican law, such as the Federal Law for the Protection of Personal Data in Possession of Individuals, and international law in this area, which is evolving rapidly. Even if B fully complies with Mexican data protection laws, A could still face legal liability if B’s suppliers fail to do so. For example, A could face litigation in the future if the data of an EU citizen or Californian was obtained inappropriately, given the strict data protection laws in those jurisdictions.
Given that the use of generative AI is novel, growing rapidly, faster than the pace at which legislators can legislate for it, and that public opinion can significantly influence these legislations, parties must guard against known and unknown risks. This involves taking several precautions.
First, the parties must incorporate the data audit as a non-negotiable step of the transaction due diligence. A qualified auditor can assess companies’ systems and procedures to ensure compliance, security and privacy. In our example, B should be able to provide the auditor with copies of signed consents, privacy notices, activity logs, security measures in place, and records of any past breaches. The parties must have access to this data and, consequently, assess the risks. Information about past security breaches, particularly those involving data leaks, can profoundly impact public perception, potentially affecting portfolio values.
Most importantly, the parties should seek legal advice to add contractual clauses that protect their respective interests. For example, A needs clauses that protect its business against potential breaches or privacy violations with respect to data acquired or used prior to the acquisition. Equally important are the representations and warranties with respect to AI software. These provisions document the parties’ intentions and disclosures, and protect A against unexpected problems with the software, including aspects that the vendor did not know about or did not disclose.
A lawyer can also help companies update their policies and effectively notify customers and suppliers about the transaction. This essential step helps establish trust and ensures compliance with the Ley Federal de Protección de Datos Personales en Posesión de los Particulares and other laws requiring adequate notifications when transferring data. Following these steps ensures that companies can maintain transparency, comply with their legal obligations and foster positive relationships with stakeholders.
