In continuation to our previous blog Legal Framework Governing Data Protection and M&A Transactions in India, in this blog, we shall discuss the impact of the Personal Data Protection Bill, 2019 on M&A transactions.
The Personal Data Protection Bill, 2019 (the Bill) is largely based on the European Union’s (EU) General Data Protection Regulation (GDPR), and goes far beyond its predecessor which is the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (IT Rules), in enacting legislation that enshrines the fundamental principles of privacy. Within the territory of India, the Bill covers the collection, storage, and use of personal data by the Government, domestic as well as international companies. It is premised on the underlying principle that personal information should only be obtained and processed with the consent of the individual to whom such information pertains.
The Bill has introduced certain new restrictions on the transfer of data that will impact the Mergers and Acquisition (M&A) transactions. The features are discussed hereunder:
Data Localization
Data Localization refers to a set of policies that limit data flows by confining physical data storage and processing within a jurisdiction’s boundaries. The Bill introduces Data Localization restrictions in particular to regulate the flow of ‘Sensitive Personal Data’, which includes financial, health, biometric and genetic data.
Sensitive Personal Data can be transferred outside India only with the prior approval of the Data Protection Authority (DPA). Furthermore, the Bill also gives the Central Government the authority to define what constitutes ‘Critical Personal Data’, and prohibits any processing of such Critical Personal Data outside the territory of India. This move could prove to be of crucial importance for some types of cross-border M&A transactions/deals, while also limiting data commercialization opportunities. The main objectives behind the Indian Government’s adoption of Data Localization are:
- National security and law enforcement
- Increasing economic growth
- Limiting foreign surveillance
- Implementing data protection laws more effectively
Data Fiduciary
Earlier, only the entity which collected data was considered a Data Fiduciary. Upon the enactment of the Bill, the scope of the term would be broadened to also include persons who determine ‘the purpose and means of processing data’. However, the status of the Data Fiduciary will still remain ambiguous in cases where an entity only has the means to access data but does not determine the purpose for which the data is used.
Significant Data Fiduciary
The Bill does not define ‘Significant Data Fiduciaries’, but instead directs the DPA to notify Data Fiduciaries or classes of Data Fiduciaries as such, provided they meet criteria based on factors like the volume and sensitivity of personal data processed, the risks to Data Principal(s), the organization’s revenue, and the use of innovative technologies.
A ‘Significant Data Fiduciary’ will be made to comply with additional requirements such as obtaining registration, conducting independent audits and carrying out impact assessments of processing involving Sensitive Personal Data.
Furthermore, if the DPA, after thorough examination of the impact assessment, determines that the processing might adversely affect the Data Principal(s), the DPA can instruct the Data Fiduciary to alter or even stop the processing. These additional requirements are also expected to affect investment and discourage innovation to some extent.
Sandbox: Relaxation to Encourage Innovation and M&A Transactions
The Bill also allows the DPA to create a “Sandbox” for the purpose of promoting innovation by notifying Regulations to that effect. Businesses that use Artificial Intelligence (AI), Machine Learning (ML), or ‘any other developing technology in the public interest’ can ask for exemptions from some of the obligations under the Bill. Furthermore, the Bill allows the DPA to notify exemptions from the applicability of obligations for ‘reasonable purposes’ as well. The Bill sets out certain activities which can come under the ambit of ‘reasonable purposes’, and M&A is one of them.
PENALTIES AND COMPENSATION
Penalties and compensations are divided into two categories:
a) Failure of the Data Fiduciary to meet its duties and obligations with respect to Data Protection and Privacy may result in a penalty of up to Rs. 5 Crores or 2% of its total worldwide turnover for the previous financial year, whichever is higher;
b) Processing data in violation of the provisions of the Bill is punishable with a fine of Rs. 15 Crores or 4% of the annual turnover of the Data Fiduciary, whichever is higher.
RECOMMENDATIONS FOR M&A TRANSACTIONS: THE WAY AHEAD
1. Due Diligence
The Acquirer must be aware of the personal information held by the Target Firm as well as the procedures in place to ensure data privacy, security, confidentiality, and integrity. It therefore becomes important for the Acquirer to scrutinize the existing Privacy Policies of the Target Firm and ensure their compliance not only with all current Data Protection laws and regulations but also with prospective ones on the horizon, such as the Bill.
Furthermore, due diligence becomes even more important for the Acquirer because it must protect itself not only from monetary liabilities, but also from any potential reputational harm it may face in the event of a failed deal. As a result, Acquirers should obtain proper representations and warranties, backed by indemnities, on the Target Firm’s compliance with the prevailing Data Protection laws.
2. Virtual Data Room Considerations
Virtual Data Rooms (VDRs) are document repositories to which the Target Firm can quickly upload its documents, making them accessible from anywhere in the world. The Target Firm must ensure that the organization hosting the Data Room, acting as a processor, has put in place adequate safety and security controls so that the data is properly safeguarded.
The Data Minimization Principle must also be followed: the Target Firm should only upload such personal data as is strictly relevant and necessary for evaluating the Target Firm and/or its assets, and any superfluous data should not be included. Furthermore, the Target Firm must ensure that Sensitive Personal Data is subjected to greater controls, with extra measures put in place such as limiting such data to specific folders with stricter access control.
3. Data Retention
Personal information should not be retained after a transaction by either the Target Firm or the Acquirer merely because keeping it is easier and less expensive than deleting it, where the contract does not provide for such retention. There may be a legal obligation on either party to retain it, but if the transaction is exceptionally data-heavy, a risk-based appraisal of the value of retaining each data category will be required.
4. Warranties & Indemnities With Respect To Data Protection
The Acquirer must strive for warranties and indemnities from the Target Firm throughout the negotiating stages of the M&A transaction/deal, requiring the latter to compensate the former in the event of unanticipated data breaches and cyber-security lapses. If the Acquirer has significant bargaining power, it may try to include a clause that deems violations of Data Protection laws a substantial and/or fundamental breach of the contract/agreement signed between the parties.
5. Transparency In The Use Of Personal data
Both the Acquirer and the Target Firm should take due account of the large volume of personal data that is processed and transferred throughout an M&A transaction and of the data privacy measures to be incorporated at each stage.
Due to the lack of a data protection law in India, there will always be a risk in M&A transactions pertaining to the proper enforcement of data protection measures and the confidentiality of Data Subjects. Hence, as of now, every decision in such transactions is a risk-based decision for the parties. Besides, it should also be ensured that databases and systems are duly safeguarded in order to avoid any potential data breach.
However, once the Bill is enacted, corporate entities will need to modify their data protection measures in order to comply with the law.
– Team AMLEGALS assisted by Ms. Shereen Samant and Ms. Shwetna Jain (Interns)