In continuation to our previous blog Role of Data Privacy in M&A Transactions- Part I, in this blog we shall discuss the legal framework pertaining to Data Protection vis-a-vis M&A transactions in India.
INFORMATION TECHNOLOGY ACT, 2020
The Information Technology Act, 2000 (IT Act) imposes liabilities, both civil as well as criminal, on the parties acting in violations of the provisions of the Act. Under Section 43A of the IT Act, if the body corporate possessing, dealing and/or handling any ‘sensitive personal data’ or information, does so negligently or fails to maintain reasonable security practices, thereby resulting in wrongful loss or wrongful gain to any person, then such body corporate may be held liable to pay damages to the person so affected.
INFORMATION TECHNOLOGY (REASONABLE SECURITY PRACTICES AND PROCEDURES AND SENSITIVE PERSONAL DATA OR INFORMATION) RULES, 2011
Under the IT Act, the Ministry of Electronics and Information Technology (MeitY) has enacted the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the Rules).
These Rules are applicable on both, body corporate as well as individuals. They assimilate the precepts of ideal Data Protection regimes, such as formulation of a privacy policy, obtaining consumer consent before using their data, and storing and/or processing the data only until the time it is of necessity and, thereafter, discarding it upon completion of usage.
COMPETITION ACT, 2002
Although the Competition Act, 2002 incorporates sufficient safeguards to prevent any threat to fair competition in the process of Mergers & Acquisitions (M&A) transactions, it currently has no statutory provision providing safeguards against M&A transactions with the risk of potential data privacy and cyber security threats.
However, the Competition Act, 2002 read with the Competition Commission of India (Procedure in Regard to Transaction of Business Relating to Combinations) Regulations, 2011 (CCI Rules, 2011) governs M&A transactions which are likely to cause appreciable adverse effects on competition in India and also regulates ‘combinations.’
COMPANIES ACT, 2013
In India, M&A transactions are governed by the Companies Act, 2013 (the Act) and the regulations made thereunder. In general, the Act governs all companies incorporated in India. It provides that all corporate transactions, such as mergers, primary or secondary acquisitions, etc. shall be in accordance with the provisions of the Act, read with the Rules framed thereunder and provisions amended from time to time.
PERSONAL DATA PROTECTION BILL,2019
A year after the introduction of the draft Data Protection Bill in India in 2018, the new Personal Data Protection Bill (the Bill) had been introduced in the Lok Sabha in December, 2019. As the Bill was introduced, India moved a step closer to the enactment of a comprehensive data protection legislation and framework. However, since then, there has been a delay in the enactment of the legislation.
Largely based on the European Union’s General Data Protection Regulation (GDPR), the Bill goes beyond the scope of its predecessor, i.e., the IT Act and the Rules, 2011, and emphasizes on implementing a legislation to consolidate the fundamental principles of Data Privacy. The Bill is expected to have far-reaching implications on the strategic and financial investment activities, in particular M&A transactions. It will also have a major impact on other minority/majority investments, respectively within the country, and particularly in reference to potential investments in data intensive targets – for example, those in the software, artificial intelligence, financial sectors etc.
FRAMEWORK FOR STORAGE OF PAYMENTS SYSTEMS DATA, RESERVE BANK OF INDIA
Apart from the legal framework mentioned above, there also exist Sectoral Regulations that govern Data Protection in India. To quote an example, entities which are engaged in the Payments Sector have been compelled under the Reserve Bank of India’s (RBI) Framework for Storage of Payments Systems Data to store data of their consumers locally, and in case there is a requirement to transfer such data abroad, the concerned entity can only do so for a period of 24 hours and must also audit the operations of the foreign entity to which the transaction has been outsourced.
INFORMATION TECHNOLOGY (THE INDIAN COMPUTER EMERGENCY RESPONSE TEAM AND MANNER OF PERFORMING FUNCTIONS AND DUTIES) RULES, 2013
Where Cyber Security issues are concerned, the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (Cert-In Rules) impose a mandatory notification requirement on service providers, corporate entities, intermediaries and data centers upon the occurrence of certain cyber-security incidents.
HARMONIZING DATA PRIVACY AND M&A TRANSACTIONS IN INDIA: LOOPHOLES
To begin with, a Data Protection law has the potential to provide a clear legal basis for our ancillary rights and entitlements that can be reasonably expected to arise from the Fundamental Right to Privacy – defining what is permissible and what is not, clarifying the scope of our Fundamental Right to Privacy, and explaining what Data Fiduciaries who collect our personal data can and cannot do with it.
Having said that, India – unlike several other major legal regimes – does not have any specific law, at present, that pertains to and governs Data Privacy and Cyber Security. However, in the landmark judgement of K S Puttaswamy v. Union of India, (2017) 10 SCC 1, the Nine-Judge Bench of the Hon’ble Supreme Court of India (the SC) unanimously upheld and recognised the Right to Privacy under Article 21 of the Constitution.
Although this ‘Fundamental’ Right to Privacy has been read into Article 21 of the Constitution, what exactly would fall under the purview of this right has not been laid down and would have to be decided by the Courts on a case-to-case basis. And since there is no specific Data Protection Regulation in place, it is hard to juxtapose this Fundamental Right to Privacy in order to be able to tell what rights we do have, thereby rendering any constitutional protection to privacy practically meaningless at this point.
Furthermore, Data Protection laws enable effective judicial redressal and prohibit data fiduciaries from collection personal data unlawfully. Currently, the Indian Constitution allows a limited remedy for the infringement of the Right to Privacy. Writ petitions cannot be filed against purely private bodies as they do not come under the ambit of ‘State’ defined under Article 12 of the Indian Constitution. This means that if in an M&A transaction any data that is either used by the Data Fiduciary who initially collected it or the purchaser of the company who gets the data in possession of the Data Principal during the deal, and thereafter misuses the data, the Data Principal has limited recourses available.
Currently, the recourse that is available with the Data Principal is under Section 43A of the Information Technology Act, 2000 (“IT Act”) read with Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Privacy Rules”). Data Principal(s) can claim compensation from the ‘body corporate’ that did not adopt appropriate security practices to protect the data.
The Privacy Rules, with regards to the prior consent of the data principal, retention of collected data and grievance redressal mechanism, are only applicable when it comes to ‘Sensitive Personal Data’ and not on Personal Data per se. Sensitive Personal Data includes passwords, health data, financial data or biometrics, whereas personal data includes home address, phone numbers, political opinion, etc. However, presently, there are very few cases on privacy infringement that are filed by data principals.
The major loophole in the current regulatory regime on Data Privacy is that injury to privacy is not considered to be an ‘actual damage’. The IT Act only provides for compensation for actual loss and not damages which are inherently punitive in nature. Thus, the Data Principal, owing to the limited redressal mechanism, finds it non-feasible to file a case each time their privacy is infringed.
Furthermore, the current regulatory regime does not classify ‘Data Fiduciary’ in a manner that determines the purpose and means of processing personal data. The Data Fiduciary is the entity or individual who simply collects information. As an example, A collects biomedical data of its patients and B later acquires A and all the data which A collected is transferred to B. According to the present Privacy Rules, B will not be considered as Data Fiduciary as he did not initially collect the data. He/It would, thus, not be under any obligation to protect the transferred data and ask for the consent of the Data Principal(s) before releasing the data or transferring it to any other body corporate.
AMLEGALS REMARKS
With the rise in the digital economy, safeguarding personal and sensitive data of the Data Subjects has become the need of the hour. Due to the lack of concrete and specific legislation, Data Privacy issues are often overlooked. In the backdrop of the same, the corporate entities collecting data during M&A transactions should lay out the basic details pertaining to data collection such as what data is being collected, how such data is being processed, the regulations governing the processing of data, if any, etc.
It is important to obtain consent from the Data Subjects before commencing the data collection procedure and the corporate entities involved in the M&A transaction should ensure that the Data Subjects have a clear idea about the transaction and how the data will be used after the M&A.
– Team AMLEGALS assisted by Ms. Shereen Samant and Ms. Shwetna Jain (Interns)
For any query or feedback, please feel free to get in touch with vineeta.tekwani@amlegals.com or mridusha.guha@amlegals.com.
Leave a Reply