Information obtained in the context of a merger and acquisition transaction: beware of criminal liability risks in the event of subsequent reuse

In a noteworthy published decision, the Criminal Division of the French Court of Cassation (the highest court in the French judiciary system) ruled that data obtained during pre-acquisition audits (due diligence) can be considered intangible property that may be unlawfully appropriated, potentially amounting to the criminal offence of breach of trust (abus de confiance). 

This decision calls for increased vigilance in the management, dissemination and use of data exchanged during negotiation phases of an operation for all professionals concerned. 

The Criminal Division of the French Court of Cassation (Crim., June 25, 2025, no. 24-80.903 & 21-83.384, published in the Bulletin) has offered important guidance regarding the applicability of the offence of breach of trust to data obtained during pre-acquisition audits. In this particular case, a holding company accused another company and its director of fraud and breach of trust, arguing that they had misused data obtained during pre-acquisition audits, with the aim of making bids to take over assets before the Commercial Court after the complainant company’s subsidiaries involved in the initial audit had been placed in receivership. 

In this matter, the French Court of Cassation heard appeals against two rulings by the Investigating Chamber of the Versailles Court of Appeal, which had overturned the indictments against the company and its director, on the one hand, and had upheld the dismissal of the case against them, on the other. 

On this occasion, the Criminal Division was called upon, in particular, to determine whether data gathered during a pre-acquisition audit could classify as intangible assets susceptible to misappropriation within the meaning of the offence of breach of trust.  

Intangible data are “susceptible to misappropriation”

The offence of breach of trust, as defined in Article 314-1 of the French Criminal Code, occurs when a person is entrusted with funds, securities or property on a temporary basis and misuses them in a manner contrary to the purpose agreed upon with the owner, thereby causing harm to the latter. 

In light of this definition, the question arose as to whether data obtained in the course of pre-acquisition audits could give rise to punishable misappropriation, as the Investigating Chamber of the Versailles Court of Appeal had ruled that this type of intangible information was –by its very nature– not subject to precarious transfer and could therefore not constitute a breach of trust. 

Conversely, the Court of Cassation has found that “information such as that provided during a pre-acquisition audit may constitute an intangible asset that is susceptible to misappropriation” (§ 22). 

This stance is in line with established case law, which broadens the concept of “any property” referred to in Article 314-1 of the French Criminal Code to include intangible assets or simple information (see, e.g.: Crim., March 22, 2017, no. 15-85.929, published in the Bulletin; Crim., January 8, 2020, no. 18-85.510; Crim., March 13, 2024, no. 22-83.689, published in the Bulletin). 

This decision thus further establishes the possibility of applying the offence of breach of trust to the misappropriation of data, regardless of the medium on which it is transmitted or stored. 

In this respect, the Criminal Division is adapting to the reality of the new methods of transmitting this data via dematerialized means such as electronic data rooms or shared computer files, without the delivery of any physical media. 

The loss is inferred from the misappropriation 

Another important point in this decision is that the French Court of Cassation reiterates a well-established solution according to which the victim’s loss “is inferred from the existence of the misappropriation” (§ 23) (see, e.g.: Crim., March 5, 1980, no. 79-91.966, published in the Bulletin; Crim., March 13, 2024, no. 22-83.689, published in the Bulletin). 

It is therefore not necessary to demonstrate any specific loss caused by the misuse of data: the mere fact that it has been reused for purposes other than those for which it was provided is sufficient to constitute an offence. 

Therefore, in practice, the person or entity having disclosed the data and information may argue that a criminal offence has been committed, regardless of whether the improper reuse of their data and information caused them any loss or not, as this issue only affects the existence and quantum of their right to compensation. 

Practical consequences and precautions 

For all parties involved in transactional processes (in mergers and acquisitions, but more broadly for all processes involving a pre-acquisition audit, for example in real estate), this decision calls for increased vigilance, even if, in the case at hand, the lack of evidence of any misuse of the collected information ultimately led to confirmation of the case’s dismissal. 

This caution should be demonstrated right from the initial phase of the operation onwards, through the establishment of appropriate contractual frameworks (confidentiality agreements, etc.) that clearly define the terms and conditions for the use of the data transmitted and its purpose, as well as, where applicable, determine the fate of this information depending on the outcome of the transaction process (deletion of data, etc.). 

Also –and above all–, this vigilance must be exercised in handling data that must be protected from any inappropriate reuse that could give rise to criminal liability, particularly in the event that the contemplated transaction ultimately does not proceed. 

Stakeholders who have gained access to such data must therefore exercise the utmost caution if they subsequently participate in other projects in connection with the initial process, as they could easily be accused of misusing or unlawfully leveraging the data they previously received. 

Beyond the companies and executives involved in acquisition processes, all of their advisors (lawyers, investment bankers, etc.) must exercise the same level of vigilance, as they could also face liability –especially for aiding and abetting– if they are found to have been aware of the improper reuse of data obtained during pre-acquisition audits.