The Indian Personal Data Protection Bill, 2019 (Bill), referred to a Joint Parliamentary Committee in December 2019, is likely to be tabled in the Parliament during the Budget session next year. Inspired by the European Union’s GDPR, the Bill, once enacted into law (Data Regulations), will regulate the processing of personal data, including its collection, storage, use, and disclosure, establish the procedure for cross-border transfer of sensitive personal data, and set up the Data Protection Authority (Authority) as the Indian data regulator.
There exists significant literature on how the Data Regulations will increase compliance costs for global companies operating in India and for Indian companies and start-ups that process personal data. However, as the experience with GDPR has shown, a more significant impact of the Data Regulations will be on M&A transactions in India. Given that the Data Regulations would apply to all organizations that collect or use personal data (i.e., data of “natural persons”), most Indian companies would, by handling information on suppliers, customers, or employees, need to comply with the Data Regulations. The significant penalties associated with non-compliance with the Data Regulations would require an acquirer to evaluate the risks associated with acquiring a target company and to consider deal structuring, risk allocation, and the post-closing and integration aspects more seriously.
Deal structuring – share sale or business transfers?
At the preliminary stage, an acquirer needs to evaluate the requirement for fresh consents of data principals while structuring a transaction as a share sale or business/asset sale. Per the Bill, any transaction involving the transfer of sensitive personal data outside India would require the consent of data principals and the Authority. Given the time and costs associated with seeking fresh permissions from data principals and the Authority for the transfer of sensitive personal data outside of India, a significant commercial consideration in deal structuring would be adopting a transaction structure that avoids the approvals mentioned above.
One expects the Data Regulations and its rules also to clarify whether the consent of data principals would be required upon an indirect change in control of a data fiduciary (for example, by transferring shares of the holding company of a data fiduciary) or a significant change in the management of data fiduciaries, or upon transfer of sensitive personal data from an Indian-owned and controlled company to an FOCC (foreign-owned or controlled company). These issues would have a significant bearing on deal structuring.
Impact on Valuation
Acquirers would also need to carefully evaluate the valuation of a target company engaged in processing personal data. A target’s valuation would be reduced to account for remedial actions required for historical non-compliance with the Data Regulations. Further, the “purpose limitation” in processing personal data would necessitate the affirmative consent of data principals before the target or its acquirer could use any personal data for a purpose beyond what is permitted explicitly by data principals. The cost and time required for obtaining new approval from data principals may affect the feasibility and overall valuation of a transaction. Acquirers may also seek an expanded definition of material adverse effect to walk away from a signed transaction upon a target’s failure to obtain the consent of data principals for new/expanded usage of personal data.
Approach to diligence
The significant monetary and reputational implications of non-compliance with the Data Regulations, as was recently witnessed in the Cambridge Analytica data scandal case, will trigger more stringent and meticulous diligence on a target company. Acquirers and their advisors will not limit the due diligence to the usual check-the-box approach and will probe the target’s management to evaluate the overall strength of the target’s data protection practices. There would be increased scrutiny of a target’s internal data protection policies, data processing agreements, notifications to, and consents obtained from, individuals for data use, and the legal safeguards in place for preventing unauthorized data access.
Companies that would engage virtual data rooms to host personal data for diligence would also need to ensure that the data rooms do not compromise the target’s obligations to data principals under the Data Regulations. Among others, this would include time-bound communications on data breaches, and cooperation with the target on specific requests of data principals while hosting their personal data electronically, for example, for making corrections to incomplete or inaccurate personal data, or requests for erasure of personal data, or attending to a data principal’s right to data portability.
Given the risks in sharing personal data with third-party service providers, target companies may even prefer to seek upfront consent of data principals for sharing their personal data with service providers, to anonymize personal data before sharing it with an acquirer and/or the virtual data rooms, or to host personal data through their internal data sites rather than through third-party data rooms. Besides adopting technical controls on downloading and/or printing rights for personal data, market practices may even require undertaking due diligence in phases to ensure that the personal data is shared only with a select group of final bidders (in an auction process) or with the acquirer at the end of the diligence process or as a condition precedent.
Negotiating deal terms
The Data Regulations will affect representations and warranties (R&Ws) sought by an acquirer while investing in or acquiring a target and/or its business. While R&Ws would depend on the exact business operations of the target and whether the transaction is a share sale or a business/asset sale, acquirers would expect a broader range of R&Ws and indemnities to cover unknown areas of business risks, for example, seeking R&Ws on there being no likelihood of data leaks even absent any non-compliance by the target with the Data Regulations. Conversely, a target company may be reluctant to provide specific indemnities against the business’s general risks. The limitations to indemnity claims, including the caps, the sunset period for R&Ws, and the knowledge qualifiers, would also be subject to heightened negotiations between the transacting parties.
There would be detailed negotiations in defining excluded and assumed liabilities in business transfers and whether the personal data processed by a target company would fall within the category of excluded or assumed liabilities. Transitional services agreements, if executed, will also become burdened with obligations if the seller controls the processing of personal data during the transitional period. These risks may also propel transacting parties to seek warranty insurance to ward off unknown risks and liabilities.
Conclusion – The road ahead
Absent a central Indian law to govern data processing and privacy, data protection issues have hitherto been predominantly relegated to insignificant aspects of deal-making or attended to on a case-by-case basis. However, post commencement of the Data Regulations, privacy and data protection aspects are likely to receive increased attention in Indian M&A transactions. Given that the Bill prescribes no transitional provisions (a position that may be retained in the Data Regulations), Indian and global companies would need to be aware of the Indian data protection landscape and prepare for its implementation.
This article represents the personal views of the author and is for general information only. It is not intended to constitute or be relied upon as legal advice.