DATA PRIVACY: M&A TRANSACTIONS IN INDIA

Introduction -

Data is the most prized possession a firm must have in the present-day economy. More importantly, preserving data and guaranteeing its security is crucial during a merger or acquisition in a field that is becoming more international with various national and international laws to consider. Due diligence is the first and most crucial stage when a privacy function participates in a Mergers & Acquisitions (M&A) transaction. Questions about the target company's data on its workers, directors, customers, clients, etc., may arise during the due diligence process. This further arouses questions about how or how much personal data may be shared, saved, or processed. While the regulatory environment in India around data protection and flows continues to develop, privacy issues in such transactions become pertinent.

How is Privacy impacting M&A Transactions? -

The compliance of a target firm with data protection regulations must be carefully evaluated in light of the wave of data legislation now in effect because it may impact the transaction's value. Significant data compromises can potentially harm business ecosystems, the global financial market, and M&A deals. In 2017, after realising that 3 billion Yahoo accounts had been compromised, Verizon reduced its offer to purchase Yahoo by USD 350 million. Another illustration is the USD 123 million GDPR punishment Marriott International received as a result of a data breach at Starwood Hotels that occurred before Marriott ever acquired them and this had a significant effect on the sale. Businesses should be aware of the enormous amount of personal data handled throughout an M&A transaction and the pertinent data protection concerns at each stage, whether they act as buyers or sellers.

Applicable Data Privacy legislations in India -

While the draft Data Protection Bill 2021, is yet to be tabled before the Parliament that lays down a comprehensive regulatory mechanism of data privacy, the Information Technology Act, 2000 (“IT Act”) is the current law in force in India. According to Section 43A of the Act, any corporate body that deals with or has access to sensitive personal data or information, and is negligent in maintaining a reasonable level of security to protect that data or information and as a result causes any person to suffer an unjustified loss or gain, will be held responsible and must compensate the person or people who were harmed.

Furthermore, another applicable enactment is the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 enacted under the IT Act. It contains the fundamental components of an ideal data protection regime, such as creating a privacy policy, obtaining consent from customers before using their data, revealing the reasons for data usage, and storing data for as long as it is required to achieve the purposes. There are also sector-specific regulations that govern data protection, such as those that apply to businesses in the payments industry. These businesses must abide by the RBI's Framework for Storage of Payments Systems Data in order to store consumer data locally. If they must transfer data abroad, they may only do so for 24 hours and must also audit the operations of the foreign company that handles the transaction's outsourcing.

Likewise, the E-Commerce Rules 2020 forbid obtaining consumer consent through pre-ticked options. Furthermore, the most recent directives under the Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2022 place strict notification obligations on service providers, intermediaries, data centres, VPN service providers and corporate entities upon the occurrence of particular cyber-security incidents.

Privacy Risks that may arise in M&A Deals -

In order to identify possible privacy risks, the buyer must first understand the categories of personal data that the target company processes. In particular, the buyer must know whether the target company processes large volumes of sensitive personal data or sensitive proprietary information, as these data types frequently call for extra security and care. Before conducting additional research, it is vital to comprehensively understand the data protection regulations that apply to the target firm. Compliance with DP rules must be assessed whether it be the GDPR, CCPA/CPRA, or another Data Protection (DP) law.

As an acquirer, it's critical to comprehend the role of outside processors working with the target company and to gauge the volume of global data transfers. Due care must be taken to any cloud service providers involved, how and where the data is stored, and whatever contracts and data processing agreements the business has signed. The most crucial parameters to consider are whether the target firm has ever experienced a data breach, how they documented and reduced the risks associated with one, and how they handled the situation generally. It is crucial to evaluate the target company's data breach event structure and determine whether it complies with the relevant DP law and the essential steps to record and describe the occurrence. In addition to prior circumstances, the vulnerability of current IT systems will be considered when determining the prospective level of risk. The information security policies and security measures implemented by the target companies to safeguard data must be examined.

Moreover, it must be determined if the target organisation regularly evaluates risks and tests its systems for vulnerabilities and penetration. Additionally, it will be examined to see if employees—particularly those who regularly deal with personal data—have received proper data privacy training. Even though the target company's paperwork may be in order, it is crucial to ensure that employees are knowledgeable about these policies and processes and successfully put them into practice in their daily tasks.

Data Transfers in Virtual Data Room -

In M&A transactions, it is typical for the parties and their advisors to communicate with each other in a virtual data room (“VDR”) while conducting due diligence on the target company. It may be necessary to submit information and documents containing personal data to this data room, such as client contracts, employment contracts, etc. This sharing of personal information would be regarded as "processing", and, as such, must adhere to the GDPR's guiding principles and any other applicable data protection legislation.

A trustworthy VDR service provider must be picked to help assure compliance with the data protection requirements. If necessary, a data protection impact assessment must be carried out with the proper organisational and technical safeguards in place. To guide the VDR service provider's operations, a suitable Data Processing Agreement must be signed. Only the minimal amount of personal data or special categories of personal data required for the particular purpose shall be uploaded and shared on the VDR platform, and all personal data that is to be uploaded and shared within the VDR shall be anonymised and fully redacted unless a valid legal basis applies. The access permissions to the VDR shall be restricted suitably to ensure the security of the data on this platform.

Conclusion-

Although it is increasingly the norm in M&A agreements and even financings, the additional due diligence on privacy could take longer and push back the closing date. Changing the purchase price could be a bargaining point based on the review results and the value of the personal data. Due diligence must be performed using a comprehensive data privacy methodology to address the concerns relating to the compliance duties for data privacy in an M&A transaction. These shall include obtaining a comprehensive knowledge of the privacy risks, mapping out data holding structure, its processing and other regulations. In any agreement, the sale of data between the companies will be void after a merger if the permission and data transfer agreements aren't in compliance with local or international data privacy rules. Both businesses will also need to make sure that customers are informed about the deal and how their data will be used by the combined company. After the purchase, both parties must connect related IT systems and move data to ensure business continuity and keep partners and workers informed about data privacy practises. Therefore, due diligence must be performed with a comprehensive data privacy strategy and taking account of the points as illustrated above, in order to address the difficulties of data privacy compliance duties in an M&A transaction.