[By Aditi Kundu & Prithviraj Chatterjee]
The authors are students of Hidayatullah National Law University, Raipur.
Introduction
Passed on 11th August 2023, the Digital Personal Data Protection Act of 2023 (‘the Act’) seeks to regulate the processing of digital personal data. Once enforced, the Act aims to recognise the rights of individuals in their personal data while ensuring that entities which process personal data carry out their operations lawfully. Apart from adhering to their obligations under the Act, such entities will also have to oversee compliance with it during Mergers and Acquisitions (‘M&A’) transactions. While navigating the contours of the Act, the Authors will also analyse its multi-fold implications for M&A transactions from the perspective of the Buyer Company, the Seller Company and Legal Advisors. Finally, a sectoral study of M&A transactions in the Financial Sector will give a clearer picture of these implications.
Overview of the DPDP Act, 2023
The main focus of the Act is the protection of Digital Personal Data, that is, any piece of information in a digital medium that identifies or relates to an individual. The data stored by an entity is susceptible to mishandling and breaches of privacy during the various formalities and processes involved in M&A transactions, which calls for greater liability on such entities in order to hold them accountable. Once enforced, the DPDP Act would govern digital personal data, while non-digital personal data would still fall under the Information Technology Act, 2000 (‘IT Act’) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘SPDI Rules’).
Breakdown of the Act
The Act recognises three central stakeholders: the Data Fiduciary, the Data Principal and the Data Processor. Firstly, the Data Fiduciary determines the purpose for which personal data will be processed. Secondly, the Data Principal is the individual whose data is in question. Lastly, Data Processors are those who process the data on behalf of the Data Fiduciary.
Obligations of Data Fiduciary
The obligations of a Data Fiduciary can be categorised into (i) consent-specific obligations and (ii) general obligations.
Data fiduciaries can process personal data only for lawful purposes, and such processing can be justified on two grounds: firstly, the informed consent of the data principals, and secondly, certain legitimate uses recognised under Section 7 of the Act. Such consent has to be explicit and is obtained by way of a notice which must meet certain parameters, such as conveying what personal data will be collected and the purpose for which it is collected.
A major respite for the Data Fiduciary comes in the form of an exemption from its obligations in certain cases, such as a scheme of arrangement, merger, amalgamation, demerger and any reconstruction or transfer of undertaking. However, such exemption is available only once a court, tribunal or other competent authority has approved the transaction. In doing so, Section 17(1)(e) of the Act naturally draws a distinction between transactions that require approval, such as a scheme of arrangement or a merger, and those that do not, such as acquisitions or share purchase transactions. The former are therefore exempted, while the latter will still need to comply with the provisions of the Act.
Implications for Various Parties in an M&A Transaction
In an M&A transaction, both the seller and the buyer company are obligated as data fiduciaries to comply with the Act, since they determine how data will be processed throughout the transaction, while entities like legal advisors are data processors acting on behalf of those data fiduciaries.
Seller Company
Most privacy policies currently follow the trend of using crafty, broad and vague consent language, such as permitting the sharing of data with an intermediary, vendors or service providers. The Act will require all sellers to overhaul their current privacy policies and obtain specific consent that accommodates any future merger or restructuring process. This is a viable precautionary measure for sellers to avoid messy litigation while they are engaged in a major transaction. Additionally, the compliance burden on the selling company is enhanced with respect to serving the consent notice, which must elicit an affirmative and clear action from the data principals and will therefore require the seller company to put in place an effective consent mechanism. Further, Section 8(6) of the Act compels the data fiduciary to inform the Board and each Data Principal in the event of a personal data breach, which could lead to a negative market perception and thereby affect the seller’s valuation during an ongoing transaction. In the absence of a minimum threshold, even a minor breach can have huge implications owing to the spread of misinformation in the market.
Buyer Company
The major obligation for the Buyer Company would be the broadening of its due diligence exercise. The expanded horizon of due diligence would entail checking the status of the seller company’s compliance with data privacy laws, including any sector-specific guidelines; ensuring that the seller company’s privacy policies are in accordance with the law; and running through the contractual obligations of the seller company. For example, where the seller company is a service provider, its privacy obligations under third-party contracts will have to be checked. In an M&A transaction, buyer companies have a level of protection against seller companies by way of the Representations & Warranties (‘R&W’) given by the latter as to their legal compliance. Considering the wide ambit of privacy laws, it would be beneficial for buyer companies to negotiate privacy-specific R&W; this would maximise their protection against the hefty fines and penalties under the Act in case of any unanticipated breach.
Legal Advisors
Given that the sole responsibility for any breach lies on the data fiduciary, it is very likely that data fiduciaries will seek to be indemnified by the law firms that process each transaction for any breach caused by the latter. It is therefore pertinent for law firms to negotiate such indemnity clauses while dealing with buyer or seller companies. Moreover, law firms will need to provide an equivalent standard of protection to ensure that their own interests are secured. Furthermore, it is the law firm’s responsibility to carry out the intensive due diligence tasks necessitated by the comprehensive obligations imposed on the data fiduciary.
Financial Sector Analysis
The Financial Sector, including banks and financial institutions, collects vast amounts of personal data about its customers, such as account details, credit information, transaction details, customer service details and details of any financial products purchased. Putting the spotlight on the HDFC Limited and HDFC Bank Merger (‘the Merger’), which was concluded on July 1st, 2023, we will analyse how the Merger would have unfolded differently in respect of data privacy compliance had it occurred after the implementation of the Act.
The Merger in question was a stock swap merger that made HDFC Bank (‘the Bank’) the 7th largest bank in terms of market capitalisation. Combing through the privacy policy of the merged HDFC Bank, it is quite clear that the Bank has defined its purposes for personal data collection loosely, sidestepping specific events such as M&A transactions and restructuring processes under the guise of sharing data with third parties in pursuit of the Bank’s legitimate interests. Moreover, the Merger’s Scheme of Arrangement included the transfer of Undertakings, which encompassed customer credit information, customer contracts, borrower information and customer pricing information, thereby effecting a transfer of personal data. Had the Merger transpired after the Act was enforced, the Bank’s privacy policy would have breached its obligation to obtain ‘informed consent’. The Bank would therefore have had to revamp its privacy policy to outline the specific use and transfer of personal data during a restructuring transaction. Informed and explicit consent tailored for M&A purposes, obtained during the initial interaction between the Bank and its customers, would reduce additional M&A costs for future transactions. Further, the Bank would have had to provide in the scheme of arrangement that the merged entity would manage the personal data in compliance with the Act, including the security safeguards to be adopted by the resultant entity while processing the data.
A Plausible Way Forward
To mitigate the additional obligations imposed by the Act, companies can strengthen their legal cushion against the added costs of any restructuring activity. Firstly, through a more comprehensive due diligence process, the buyer company can identify the flaws in the seller company’s privacy policy in order to arrive at a more appropriate purchase price by accounting for the additional compliance costs to be borne by the merged entity post-transaction. Secondly, there exist financial products such as Cyber Security Insurance, which provide financial coverage to companies against losses, breaches and third-party claims. Although an M&A transaction carries indemnity obligations whereby the buyer company is indemnified by the seller company in respect of the latter’s legal compliance, Cyber Security Insurance can provide an additional layer of protection. Such insurance provides extra coverage whereby the buyer company is protected beyond the meagre indemnity provided by the seller, and the seller can limit its losses while carrying out its indemnity obligations. Lastly, effective compartmentalisation and segregation of high-risk personal data, such as account details, addresses and phone numbers, from generic data would ensure safer data management and transfer. A seller company can get rid of redundant data prior to a transaction, thereby reducing its obligations and devoting more attention to the transfer of high-risk data. Attention can also be given to a more stage-wise transfer of personal data, which would allow the transfers to be better mapped while reducing the risks associated with them, thereby leaving room for damage control in case of a breach. For instance, at the due diligence stage, employee data can be restricted to the positions held by them rather than sharing account details, salary structures, individual health concerns, etc.
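The segregation of high-risk personal data and the stage-wise transfer described above can be enforced mechanically before anything leaves the seller’s systems. The following Python script is an added example, not code from the article or from any company mentioned in it: it applies a per-stage field allowlist to a set of employee records, flags which high-risk fields a stage would release, and reports what was withheld so the transfer can be mapped and audited. The stage names, field names, the high-risk classification and the sample records are all constructed assumptions for illustration.

```python
"""Stage-wise minimisation of personal data before it is shared in an M&A transaction.

Added example (not from the article). Field names, stages, the high-risk
classification and the sample records below are constructed assumptions.
"""
from dataclasses import dataclass, field

# Assumed classification: the kinds of fields the article calls high-risk,
# kept separate from generic fields such as position or department.
HIGH_RISK_FIELDS = {"account_number", "address", "phone", "salary", "health_notes"}

# Assumed allowlist per transaction stage. A field not listed for a stage is
# withheld at that stage; "health_notes" is never listed, so it never leaves.
STAGE_ALLOWLIST = {
    "due_diligence": {"employee_id", "position", "department"},
    "signing": {"employee_id", "position", "department", "salary"},
    "post_closing": {"employee_id", "position", "department", "salary",
                     "address", "phone", "account_number"},
}

# Constructed sample records (not real people or accounts).
SAMPLE_EMPLOYEES = [
    {"employee_id": "E001", "position": "Branch Manager", "department": "Retail",
     "salary": 1500000, "address": "12 Example Road", "phone": "0000000001",
     "account_number": "ACCT-0001", "health_notes": "constructed"},
    {"employee_id": "E002", "position": "Relationship Officer", "department": "Retail",
     "salary": 700000, "address": "34 Sample Street", "phone": "0000000002",
     "account_number": "ACCT-0002", "health_notes": "constructed"},
]


@dataclass
class TransferReport:
    """What a stage would release, plus an audit trail of what was withheld."""
    stage: str
    records: list = field(default_factory=list)
    withheld_fields: dict = field(default_factory=dict)   # field name -> count withheld
    high_risk_released: set = field(default_factory=set)  # high-risk fields that leave


def high_risk_allowed(stage):
    """Return the high-risk fields a stage's allowlist would release.

    Reviewing this before a transfer catches an over-broad allowlist; for the
    due-diligence stage the expected answer is the empty set.
    """
    if stage not in STAGE_ALLOWLIST:
        raise ValueError(f"unknown transfer stage: {stage!r}")
    return STAGE_ALLOWLIST[stage] & HIGH_RISK_FIELDS


def minimise_for_stage(records, stage):
    """Strip every field not allowlisted for the stage and record what was withheld."""
    if stage not in STAGE_ALLOWLIST:
        raise ValueError(f"unknown transfer stage: {stage!r}")
    allowed = STAGE_ALLOWLIST[stage]
    report = TransferReport(stage=stage)
    for record in records:
        kept = {}
        for key, value in record.items():
            if key in allowed:
                kept[key] = value
                if key in HIGH_RISK_FIELDS:
                    report.high_risk_released.add(key)
            else:
                report.withheld_fields[key] = report.withheld_fields.get(key, 0) + 1
        report.records.append(kept)
    return report


if __name__ == "__main__":
    for stage_name in STAGE_ALLOWLIST:
        result = minimise_for_stage(SAMPLE_EMPLOYEES, stage_name)
        print(f"[{stage_name}] high-risk fields released: {sorted(result.high_risk_released) or 'none'}")
        print(f"[{stage_name}] withheld field counts: {result.withheld_fields}")
        for row in result.records:
            print("   ", row)
```

Running the script prints, for each stage, the records as they would be disclosed and the count of withheld values per field. The allowlist is deliberately separate from the high-risk classification so that `high_risk_allowed` can be run as an independent check on the allowlist itself: if the due-diligence stage ever lists a high-risk field, the check surfaces it before any record is filtered.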
Conclusion
The new personal data protection regime comes with heavy fines and penalties, making compliance a necessary measure for companies. In this light, it is important that companies undergoing an M&A transaction, or likely to undertake any restructuring process, ensure that their personal data management and transfer structures are legally sound. Since the major implication of the Act for any restructuring would be considerably increased costs, corporates must, apart from complying, also secure cost-mitigating measures to provide against any unforeseeable direct or indirect breaches. The Act, in its current form, needs to be supplemented by the government’s guidance on aspects such as effective consent collection and the extent of the legitimate uses of personal data; with more clarity, the gravity of its implications can be better understood.