[By Rahil Arora & Vidushi Sehgal]
The authors are students of Jindal Global Law School.
Introduction
The realm of M&A transactions and investments today is dominated by parties sharing a potpourri of crucial data with one another and their advisors. This collaborative process involves the target company, the sellers, and the potential buyers sharing and disclosing vast amounts of information to undertake a meticulous assessment of the risks associated with a particular transaction. Through the course of this information sharing, Personal Data protection concerns are often overlooked, especially with the weakly enforced SPDI Rules. However, such an approach is unsustainable under the imminent Digital Personal Data Protection Act, 2023 (“DPDP Act” or “the Act”), and its rigorous penalty framework.
A Brief Overview of the Act
The DPDP Act is a comprehensive Personal Data protection legislation that finds its roots in Puttaswamy wherein the Supreme Court not only recognized the right to privacy as a fundamental right under Article 21 but also emphasized the need for such a legislation. Many of the Act’s provisions draw inspiration from the European Union’s General Data Protection Regulation (“GDPR”), albeit with certain modifications tailored to the Indian context. To simplify matters, the DPDP Act does not differentiate between different forms of Personal Data based on sensitivity. Any data in digital form about an individual who is identifiable by or in relation to such data, is classified as Personal Data.
Furthermore, the data ecosystem under the Act encompasses three primary stakeholders. First, the Data Principal or the individual to whom the data relates. Second, the Data Fiduciary, who determines the purpose and means of processing such data and is subject to various compliances, and penalties. Lastly, the Data Processor, upon whom no liability has been placed given that they are agents or service providers to the Fiduciary. “Processing” of Personal Data has been given a very wide definition under the Act and such processing by the Data Fiduciary must be for a lawful purpose and limited to the consent-notice framework or for legitimate uses as laid down under Section 4. Therefore, data processing should not only occur with the consent of the Data Principal and for specified purposes but also be accompanied or preceded by a notice in accordance with the provisions of Section 5. However, an exception may be made from this consent-notice framework when the same is for a legitimate use as specified under Section 7.
Personal Data in an M&A Transaction
Through the course of an M&A transaction, parties and their advisors such as legal representatives and financial auditors, share bucketloads of data concerning the target company. This exchange of information, generally facilitated through virtual data rooms, kickstarts the due diligence process and also involves the sharing of Personal Data such as supplier or vendor contracts, employment contracts, and personal details of employees, customers, directors, etc. All such information shared between the parties to the transaction amounts to “processing” under the scope of the Act.
What Role Does Each Party Play?
Given the processing of Personal Data that takes place through the course of the transaction, the inquiry that emerges pertains to the role assumed by each data processing party in such instances—whether they function as a Data Fiduciary or a Data Processor. Drawing this distinction is crucial as obligations are placed on Data Fiduciaries for their actions, as well as those of the Data Processors.
As the target or the seller furnishes Personal Data to the bidder or acquirer, it unmistakably operates as a Data Fiduciary. Importantly, this action also prompts the acquirer to similarly adopt the role of a Data Fiduciary. This is because it may process the Personal Data according to its purpose and means to ascertain the feasibility of the transaction. Thus, in such a case both the target and the acquirer will be responsible for compliance with the Act in their individual capacity. Nevertheless, this classification is not rigid and is contingent on the actions of the parties involved. Therefore, it is advisable for the parties to explicitly define their individual responsibilities and the purpose of data sharing in their pre-merger documentation. Moreover, advisors of either party reviewing documentation and Personal Data to offer professional opinions would be categorized as Data Processors under the Act.
The Grounds for Processing
Under the GDPR, processing of Personal Data for the “legitimate interests of the data controller” (same as a Data Fiduciary) is permissible. Thus, if parties to an M&A transaction can balance their interests against those of the Data Principal, they may process Personal Data without any external considerations or taking fresh consent. Interestingly, the 2022 Data Protection Bill also permitted processing of Personal Data for mergers, acquisitions, or other corporate restructuring transactions as a legitimate use thus, allowing for an exception to the consent-notice framework.
However, under the current iteration of the Act, Section 17(1)(e) exempts the application of certain provisions of the Act, including the grounds for processing under Section 4, only when the processing is pursuant to court or tribunal approved corporate actions like compromise, arrangement, merger, amalgamation, reconstruction, or transfer of undertaking between companies. Therefore, any other non-court-approved transaction such as a share sale or an asset sale would have to conform with the Act, including the consent and notice requirements prior to sharing Personal Data with a third party.
Actions To Consider
The DPDP Act envisages an extremely high penal regime in case of a Personal Data breach with penalties upon Data Fiduciaries reaching up to INR 250 Crores. Given the same, Data Fiduciaries must meet their obligations under the Act at all stages. The first step would involve determining whether the purpose for which the Personal Data is being processed is within the specified purpose for which consent was earlier obtained from the Data Principal. If beyond the specified purpose, fresh consent must be obtained from the Data Principals along with meeting the notice requirements before processing such data. In cases where fresh or prior consent proves difficult to obtain, the target must undertake anonymization or pseudonymization of Personal Data before sharing the same. Another question that arises while processing employee data in the course of an M&A transaction is whether the same may be categorized as legitimate use “for the purposes of employment”. Given that the scope of such a legitimate use has not yet been defined, to mitigate risks the target should nonetheless obtain appropriate consent from employees prior to any processing and legitimate use may act as a safety net.
Moreover, the target, when disclosing Personal Data, must adhere to the DPDP’s principles of data minimization and purpose limitation. This means that the processing of Personal Data should be restricted to what is essential to make an investment decision regarding the target, rather than sharing heaps of information with the acquirer. In line with these principles, the target may further opt to disclose Personal Data, particularly those concerning employees, in tranches or may defer the same till closing. The target must also ensure the completeness, accuracy, and consistency of the disclosed data. This obligation is important to comply with given that not only is it mandated under the Act, but the acquirer is also likely to seek representations and warranties in this regard.
Even though both parties act as Data Fiduciaries, they must enter into Non-Disclosure Agreements (NDAs) that are compliant with the DPDP Act to mitigate risk. NDAs must specify the grounds and terms of processing data, purpose limitation, data retention, security measures to be adopted, notification requirements, form and timelines of disclosure, and any other technical and organizational measures to be put in place. Both parties must also ensure that upon completion of the purpose or withdrawal of consent, the Personal Data is erased by them and their Data Processors. In the context of cross-border transfer of Personal Data for processing, a blacklist approach restricting transfer to certain notified jurisdictions has been adopted. Thus, targets must consider this alongside any sector-specific restrictions prior to engaging in any transfer of Personal Data. Finally, as advisors engaged by the parties qualify as Data Processors, their appointment should not only be under a valid contract, but parties should seek to contractually pass certain obligations and impose heightened compliance requirements upon them, to mitigate their liability.
Conclusion
The due diligence stage and Personal Data sharing form an essential cornerstone of an M&A transaction. The imminent implementation of the DPDP Act will significantly reshape the M&A landscape in India. It is imperative that all parties to a transaction, including advisors, acquaint themselves with their renewed obligations under the DPDP Act. Adhering to the same is crucial, given the substantial fines and potential reputational damage that may ensue in cases of non-compliance. Parties should not only reconsider their M&A policies to ensure that they are DPDP compliant but also attempt to mitigate their risks contractually. While this article delineates the initial considerations for processing Personal Data by parties through the course of an M&A transaction, policies and industry practices in this domain shall continue to be shaped through further implementation and interpretation of the Act.