BY DEVINA SOMANI, FOURTH-YEAR STUDENT AT JGLS, HARYANA
Introduction
India’s Digital Personal Data Protection Act, 2023 (DPDP Act), recently implemented on 11th August, 2023, exclusively pertains to the processing of personal data, regardless of its initial form (digital or analog subsequently converted into digital format). Under the Act, ‘personal data’ is described as ‘any information relating to a recognizable individual.’
The Act introduces ‘significant data fiduciaries’ (“SDFs”) with added duties based on data scale, sensitivity and impact. SDFs appoint a Data Protection Officer (“DPO”) and face transfer restrictions. ‘Data processors’ handle data for fiduciaries, ‘data principals’ being the subjects. The ‘Consent manager,’ registered with the Data Protection Board, centralizes consent management as a Data Fiduciary (holds responsibility for processing personal data), ensuring transparent and accessible handling.
The DPDP Act does not apply to handling the personal data of individuals located offshore if processed in India based on a contract between an entity in India and one located outside it. This exclusion aims to support Indian outsourcing firms regularly managing data of individuals outside India. However, it might hinder the chances of the European Union (“EU”) and similar regions considering India as offering sufficient protection for data transferred to such firms. Therefore, under the Act, cross-border data transfers are generally allowed unless restricted by the government, benefiting IT companies by enabling uninterrupted operations. Moreover, the Act prioritizes existing restrictions on the transfer of personal data abroad, including mandates from the RBI to store payment data within India.
The Impact of the New Data Privacy and Protection laws on Mergers and Acquisitions
When it comes to Mergers & Acquisitions, evaluating the Act’s impact would primarily involve determining whether the chosen M&A structure falls within exempted M&A Scenarios, allowing a focused compliance effort on the applicable provisions. Section 17(e) of the Act states that the rules concerning the obligations of Data Fiduciaries and the rights and responsibilities of Data Principals in Chapters II and III will not be applicable in situations where data processing is essential for certain corporate actions like mergers, amalgamations, reconstructions, or transfers of undertakings between companies that are authorized and approved by a court, tribunal, or competent authority as per prevailing laws. However, any sharing or processing of personal data for M&A purposes outside the scope of a court-approved scheme must adhere to the Act’s provisions.
Should the structure not align, comprehensive compliance measures spanning the entire M&A lifecycle become necessary. This entails identifying personal data footprints through an in-depth discovery process, where records of processing are established, customer consent protocols are navigated for conflicting data, and data privacy policies for the merged entity are implemented. The buyer will have to scrutinize the type of data relevant to the target’s business and its significance in their operations. Similarly, it will need to assess whether the target company’s business model presents additional complexities or unexpected privacy vulnerabilities compared to the buyer’s current model. For instance, if specific privacy regulations apply to a particular sector of the business (such as financial institutions or insurance companies), this will likely alter the approach to how the due diligence is conducted. It becomes crucial to consider these sector-specific regulations and responsibilities when assessing the transaction’s risks and implications under the Act. Moreover, in a transaction involving a party where the primary business of the entity involves data processing (like an advertising agency or a company focused on big data and artificial intelligence), the significance of the data handled in their operations becomes even more pronounced.
Similarly, different considerations arise regarding data protection in Share sale and Asset sale transactions. For Share sales, where only the shares of a company are transferred to the buyer, the company retains control over its personal data, such as employee records and customer contact details. As this control does not shift, there is no obligation to inform data subjects about post-transfer data processing unless the nature or purpose changes. However, it is advisable for the company to notify data subjects about the change in ownership to prevent any potential confusion or distrust. Any alterations to the buyer’s data protection documents post-transfer, like privacy policies, should be communicated to data subjects if they are significant. On the other hand, during Asset sales, unlike Share sales, personal data often moves from the seller to the buyer, and it becomes necessary to inform the data subjects as the controller’s identity changes. If the buyer obtains personal data, it must furnish privacy policies or other data protection documents to the concerned data subjects. This aligns with the transparency principle followed by the General Data Protection Regulation (“GDPR”). The seller might agree to implement new policies before the sale’s completion. The specifics outlined in the privacy policy or other applicable data protection documents, especially regarding employees, are crucial.
Data Privacy Considerations in the Pre-Acquisition Phase
M&A deals involve handling extensive Personal Data of the target company, where a buyer’s due diligence will involve inquiry into information about data tied to the acquired target, like data on employees, customers, vendors, contractors, suppliers, and business partners (Data Principals). If the seller or target discloses this personal data during the due diligence, compliance with the Act’s consent requirements (Section 6 of the DPDP Act, 2023) is necessary at that stage. Additionally, in a business transfer like a ‘slump sale,’ where the entire business is transferred, processing personal data of customers and vendors requires consent. The seller, as the Data Fiduciary, must obtain consent before processing such data, issue notices and seek fresh consent if necessary. Since getting approvals during mergers and acquisitions can be challenging at times, alternative options may include Data Sharing Agreements (“DSAs”), which establish the specific terms and conditions governing data sharing, regardless of whether the data is transmitted within India or abroad.
In order to spot potential privacy risks, the buyer must initially comprehend the kinds of personal data handled by the target company. To assure and safeguard the buyer, the seller can provide assurances through Representations and Warranties. Additionally, the buyer should seek indemnification specifically concerning any repercussions resulting from identified non-compliance with data protection laws uncovered during due diligence. A prerequisite condition mandating the target to secure consent from pertinent data subjects can be incorporated into the transaction documents as conditions precedent, which might necessitate rectification of any non-compliance with relevant laws discovered during due diligence before finalization.
As an acquiring entity, it is vital to grasp the involvement of third-party processors linked to the target company and ascertain the scale of international data transfers. Significant focus should center on any cloud service providers engaged, the methods and locations of data storage, and the array of contracts and data processing agreements (“DPAs”) the company has in place.
In the course of an M&A deal, companies must restrict the handling of employee data to what is essential for the transaction’s objectives. Upholding principles like data minimization and purpose limitation safeguards employee privacy during this process. The Act specifies that processing Personal Data for employment purposes is deemed a ‘legitimate’ utilization. This implies that an employee’s Personal Data could potentially undergo processing without their explicit consent under certain conditions, namely: (1) utilization of the Data Principal’s information for their employment; (2) employing the data to shield the employer against potential loss or legal responsibility; and (3) providing any service or benefit requested by an employee who acts as a Data Principal. In a scenario where a seller might argue for the necessity of divulging such information, their rationale could be centered on ensuring that a potential buyer extends comparable offers to employees for recruitment purposes. As this disclosure directly links to the employment status of the Data Principal, it falls within the purview of legitimate use and, therefore, stands exempted from the necessity of seeking consent as outlined in the Data Protection Act.
Moreover, the legislation emphasizes the criticality of maintaining the accuracy and consistency of employee data, particularly when these data influence decisions impacting employees. Employers are further required to promptly report any breaches of personal data to the Data Protection Board (“DPB”) and affected individuals. Additionally, they must facilitate the erasure of personal data once its intended purpose is fulfilled, aligning with the overarching principles of the Act. To fulfill the transition to the Act, employers are granted the leeway to continue processing employee data until consent for such data is withdrawn. However, they are mandated to furnish employees with a comprehensive notice detailing the types of personal data being processed, the procedures to exercise their rights under the new regulations, and avenues for lodging complaints as per the guidelines under the Act.
Data Privacy-Related Risks Upon Completion of Transaction
Upon the completion of the transaction, the buyer typically expects to receive all personal data associated with the acquired business. In cases where there is a cross-border transfer of data at closing, there may be risks associated with conflict between such transfer and stricter regulations imposed by existing Indian laws on transferring personal data outside India, such as the Reserve Bank of India’s mandate for payment system data storage within the country. Section 16(2) of the Act explicitly states that it does not override current transfer restrictions set by various sector-specific laws or administrative regulations in India. Depending on the transaction’s nature, such as a spin-off of an independent subsidiary, the transferred personal data might continue to be hosted on the target’s systems sold as part of the deal.
In M&A transactions, the involvement of a third-party entity gaining access to personal data constitutes a “transfer” that could potentially breach the consent requirements under Section 6(1) of the DPDP Act. Hence, it becomes crucial to inform data subjects about such transfers. The seller should provide specific information to data subjects about the transfer of their data to a third party at the time of the transfer. After the transaction’s closure, the buyer must consider the necessary steps to utilize the acquired data while ensuring compliance with the DPDP Act, 2023.
Henceforth, it becomes crucial for the buyer to safeguard the information as mandated by the DPDP Act and refrain from further disclosing the personal data without the consent of the data principals under Section 6 of the DPDP Act. As such, the seller may establish a “Data Protection Agreement” with the buyer concerning these obligations, which can also include adherence to any restrictions in the seller’s contracts with third parties regarding the shared personal data before closing.
Conclusion
India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”) has a significant impact on Mergers and Acquisitions (M&A). Replacing earlier regulations, the DPDP Act governs data handling, emphasizing consent, legitimate use, and the role of Data Fiduciaries. In M&A, it prompts necessary consent requirements during due diligence, affecting both Share and Asset sale transactions. Employment-related data processing under the Act demands adherence to the consent framework under the Act even during transitions. Post-transaction risks emerge concerning cross-border data transfers and compliance with sector-specific Indian laws. Navigating these complexities demands proactive compliance measures to adapt to India’s ever-evolving landscape in Data Privacy Laws during such M&A transactions.

