Data Privacy

[By Rahil Arora & Vidushi Sehgal] The authors are students of Jindal Global Law School.   Introduction The realm of M&A transactions and investments today is dominated by parties sharing a potpourri of crucial data with one another and their advisors. This collaborative process involves the target company, the sellers, and the potential buyers sharing and disclosing vast amounts of information to undertake a meticulous assessment of the risks associated with a particular transaction. Through the course of this information sharing, Personal Data protection concerns are often overlooked, especially with the weakly enforced SPDI Rules. However, such an approach is unsustainable under the imminent Digital Personal Data Protection Act, 2023 (“DPDP Act” or “the Act”), and its rigorous penalty framework.  A Brief Overview of the Act  The DPDP Act is a comprehensive Personal Data protection legislation that finds its roots in Puttaswamy wherein the Supreme Court not only recognized the right to privacy as a fundamental right under Article 21 but also emphasized the need for such a legislation. Many of the Act’s provisions draw inspiration from the European Union’s General Data Protection Regulation (“GDPR”), albeit with certain modifications tailored to the Indian context. To simplify matters, the DPDP Act does not differentiate between different forms of Personal Data based on sensitivity. Any data in digital form about an individual who is identifiable by or in relation to such data, is classified as Personal Data.  Furthermore, the data ecosystem under the Act encompasses three primary stakeholders. First, the Data Principal or the individual to whom the data relates. Second, the Data Fiduciary, who determines the purpose and means of processing such data and is subject to various compliances, and penalties. Lastly, the Data Processor, upon whom no liability has been placed given that they are agents or service providers to the Fiduciary. “Processing” of Personal Data has been given a very wide definition under the Act and such processing by the Data Fiduciary must be for a lawful purpose and limited to the consent-notice framework or for legitimate uses as laid down under Section 4. Therefore, data processing should not only occur with the consent of the Data Principal and for specified purposes but also be accompanied or preceded by a notice in accordance with the provisions of Section 5. However, an exception may be made from this consent-notice framework when the same is for a legitimate use as specified under Section 7.  Personal Data in an M&A Transaction  Through the course of an M&A transaction, parties and their advisors such as legal representatives and financial auditors, share bucketloads of data concerning the target company. This exchange of information, generally facilitated through virtual data rooms, kickstarts the due diligence process and also involves the sharing of Personal Data such as supplier or vendor contracts, employment contracts, and personal details of employees, customers, directors, etc. All such information shared between the parties to the transaction amounts to “processing” under the scope of the Act.   What Role Does Each Party Play?  Given the processing of Personal Data that takes place through the course of the transaction, the inquiry that emerges pertains to the role assumed by each data processing party in such instances—whether they function as a Data Fiduciary or a Data Processor. Drawing this distinction is crucial as obligations are placed on Data Fiduciaries for their actions, as well as those of the Data Processors.  As the target or the seller furnishes Personal Data to the bidder or acquirer, it unmistakably operates as a Data Fiduciary. Importantly, this action also prompts the acquirer to similarly adopt the role of a Data Fiduciary. This is because it may process the Personal Data according to its purpose and means to ascertain the feasibility of the transaction. Thus, in such a case both the target and the acquirer will be responsible for compliance with the Act in their individual capacity. Nevertheless, this classification is not rigid and is contingent on the actions of the parties involved. Therefore, it is advisable for the parties to explicitly define their individual responsibilities and the purpose of data sharing in their pre-merger documentation. Moreover, advisors of either party reviewing documentation and Personal Data to offer professional opinions would be categorized as Data Processors under the Act.  The Grounds for Processing  Under the GDPR, processing of Personal Data for the “legitimate interests of the data controller” (same as a Data Fiduciary) is permissible. Thus, if parties to an M&A transaction can balance their interests against those of the Data Principal, they may process Personal Data without any external considerations or taking fresh consent. Interestingly, the 2022 Data Protection Bill also permitted processing of Personal Data for mergers, acquisitions, or other corporate restructuring transactions as a legitimate use thus, allowing for an exception to the consent-notice framework.   However, under the current iteration of the Act, Section 17(1)(e) exempts the application of certain provisions of the Act, including the grounds for processing under Section 4, only when the processing is pursuant to court or tribunal approved corporate actions like compromise, arrangement, merger, amalgamation, reconstruction, or transfer of undertaking between companies. Therefore, any other non-court-approved transaction such as a share sale or an asset sale would have to conform with the Act, including the consent and notice requirements prior to sharing Personal Data with a third party.   Actions To Consider  The DPDP Act envisages an extremely high penal regime in case of a Personal Data breach with penalties upon Data Fiduciaries reaching up to INR 250 Crores. Given the same, Data Fiduciaries must meet their obligations under the Act at all stages. The first step would involve determining whether the purpose for which the Personal Data is being processed is within the specified purpose for which consent was earlier obtained from the Data Principal. If beyond the specified purpose, fresh consent must be obtained from the Data Principals along with meeting the notice requirements before processing such data. In cases where fresh or prior consent proves difficult to obtain, the target