The Relationship between
Data Protection & Mergers & Acquisitions
INDEX
01 Introduction
02 Emerging Issues of Data Protection in Mergers and Acquisitions
03 The Current Regulatory Regime for Data Protection in India
04 The Status Quo of the Personal Data Protection Bill, 2019
05 Reconciling Data Protection with M&A in India: Where to Start
06 Mitigating the Risk of Data Protection & Cyber Security Issues in a Merger or Acquisition Transaction
07 RCIC’s Expertise Over M&A and Data Protection
08 Conclusion
www.rcic.in.
Introduction
The past few years have seen the interplay of mergers and acquisitions (M&A) law with several other laws, for example, the implications of M&A for competition concerns, tax aspects etc. One of the most recent of such issues is the implication of data protection laws for M&A transactions. Since the emergence of data protection laws, compliance with them has become one of the primary regulatory concerns for an entity. Therefore, when an acquirer in an M&A transaction discovers after the deal that the target is in serious violation of data protection norms, it not only leads to a serious conflict between the immediate parties, but also instills a sense of apprehension in entities looking to engage in a similar M&A transaction in future. In this article, therefore, we deal with some such cases which have occurred in the past, the lessons to be learnt from them, the current status quo in India and the steps to be taken in future.
Emerging Issues of Data Protection in Mergers and Acquisitions
Of late, several examples have come to light from across the globe where entities have been distressed in an M&A transaction due to data protection and cyber security concerns. One of the most infamous cases is that of the data breach at ‘Yahoo!’ discovered by its parent company Verizon after it acquired the former company. Verizon said that senior officials were aware of the data breach yet managed to hide it while the acquisition was taking place. As a result, Verizon had to face a class litigation suit for the breaches committed by Yahoo! prior to the acquisition.
Similarly, Marriott International was held responsible by the Information Commissioner’s Office (ICO) in the U.K. for a violation of the General Data Protection Regulation (GDPR) committed by Starwood Hotels in 2014. Subsequently, Marriott International acquired Starwood Hotels in 2016, and therefore had to pay the fine of £99,200,396 imposed by the ICO for the breach.
These two cases alerted the international community with respect to data protection and cyber security issues in an M&A transaction and consequently parties started investing heavily in order to prevent such a situation. For example, during Sysco’s proposed acquisition of U.S. Foods, it was reported that Sysco spent $53 million just on data-related integration and “allowing the two companies’ computer systems to talk to each other.” Though India is yet to witness such a situation, the global precedents are incentives enough for Indian entities to better prepare themselves for a like situation in future.
The Current Regulatory Regime for Data Protection in India
Mergers and acquisitions in India are primarily governed by the Companies Act, 2013 and the regulations made thereunder. While the Competition Act, 2002 has sufficient safeguards to prevent any M&A transaction which could potentially threaten fair competition, there is currently no statutory provision which provides a safeguard against M&A transactions with potential data privacy and cyber security threats. However, there exist separate laws and regulations which independently regulate data protection in India. Moreover, privacy has been declared by the Supreme Court to be a fundamental right guaranteed under Article 21 in the case of K.S. Puttaswamy v. Union of India.
While the Personal Data Protection Bill, 2019 is yet to be enacted, the current law in force in India governing data protection is the Information Technology Act, 2000. The Act imposes both civil as well as criminal liability on entities that violate its provisions. Section 43A of the Act provides that whenever a body corporate possesses or deals with any sensitive data or information, and is negligent in maintaining reasonable security to protect such data or information, thereby causing wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages to the person(s) so affected. Under the Act, the Ministry of Electronics and Information Technology has enacted the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. These rules are applicable to both bodies corporate and individuals. They incorporate the basic tenets of an ideal data protection regime, for example, formulation of a privacy policy, taking consent of consumers prior to using their data, disclosing the purpose for use of data, retaining the data for only so long as it is necessary to fulfill the purpose etc.
Apart from this, there are sectoral regulations governing data protection. For example, entities engaged in the payments sector are obliged under the RBI’s Framework for Storage of Payments Systems Data to store data of consumers locally, and in case they are required to transfer data abroad, they can only do it for a period of 24 hours and must also audit the operations of the foreign entity to which the transaction is so outsourced. Similarly, the E-Commerce Rules, 2020 prohibit taking of consent from consumers in the form of pre-ticked checkboxes.
As far as cyber security issues are concerned, the Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 ("Cert-In Rules") impose mandatory notification requirements on service providers, intermediaries, data centers and corporate entities, upon the occurrence of certain cybersecurity incidents.
The Status Quo of the Personal Data Protection Bill, 2019
The Personal Data Protection Bill, 2019, a draft of which was released by the Parliament in December 2019, is awaiting the report of the Standing Committee and it won’t be long before it is finally brought in force as a law in India. Modelled along the lines of the European Union’s General Data Protection Regulation, the PDP Bill, 2019 has stringent provisions for ensuring companies with access to individuals’ data are restrained from exploiting it in any manner without first taking the consent of the individual.
Given the number of obligations sought to be imposed on Data Fiduciaries (entities with access to individuals’ data and having the discretion to decide the purpose for which to use the data), complying with the standards of data protection is a time-consuming task. It requires an entity to take consent of its consumers, maintain confidentiality of the database, appoint a data protection officer to look into cases of data breach, and put in place a comprehensive privacy policy.
While that remains the status quo, a lot of Indian companies have already begun bringing about changes in their mode of operations so as to be prepared well in advance of the implementation of the data protection law. This is more so because while the earlier draft of the Personal Data Protection Bill, 2018 provided for the provisions to be implemented in a staggered manner, the Bill of 2019 proposes no such scheme. This implies that all provisions shall become applicable immediately upon its enactment. Entities have therefore begun to comply with the same: for example, most Indian entities have already put in place a nuanced privacy policy on their websites, and businesses which operate via the e-commerce route do take the necessary consents of their subscribers. This is definitely a step in the right direction and the need of the hour considering the dynamicity with which data protection regimes are influencing business operations the world over.
Reconciling Data Protection with M&A in India: Where to Start
Unlike other nations, India does not yet have a law to deal exclusively with issues of data privacy and cyber security. The provisions of the Information Technology Act, 2000 come nowhere close to the gravity of the obligations sought to be imposed under the Personal Data Protection Act. Entities must use the time being taken by the Parliament to enact the Personal Data Protection Act to fall in line with its compliance requirements. This is especially true for entities which are looking to enter into a merger transaction. While this might be easier for domestic mergers, entities looking forward to a cross-border merger might be required to go a step further. An Indian entity looking to acquire a foreign entity must ensure that its data protection policy is in tune with the data protection laws in the country of the target. On the other hand, an Indian entity wishing to sell its stake to a foreign entity must also safeguard its operations against possible data breaches so that any lacuna in that regard does not pose a hurdle to the deal.
The cases in Europe and the United States are also a wake-up call for the legislature in India which must now actively work toward introducing a framework which secures data protection in a merger or acquisition.
Mitigating the Risk of Data Protection & Cyber Security Issues in a Merger or Acquisition Transaction
Some of the concrete steps that can be taken by entities involved in an M&A transaction and apprehensive of possible data breaches are as under:
1. Thorough Due Diligence: This is the first and the foremost step that would be required on behalf of the purchaser to mitigate risks of data breaches. More importantly, this doesn’t require any obligation on the part of the target and hence the efficiency of an acquirer’s due diligence depends solely on its ability to do fact-finding regarding the target’s privacy policies, records of data breaches in the past etc.
2. Cyber-Insurance: This is a kind of insurance wherein the entity insures itself against third-party cyber-attacks, data hacks, phishing and the resultant losses incurred therefrom. Though still a developing area, it is bound to become one of the most sought-after types of insurance in the near future.
3. Warranties respecting Data Protection and Cyber-Security: During the negotiation stages of a deal, the acquirer must push to include warranties from the target which oblige the latter to indemnify the former in case of unforeseeable data breaches and cyber-security issues. In case the acquirer has a dominating influence, it could also attempt to include a clause which makes violation of data protection norms a material breach and allows it to repudiate the contract on this ground.
Ricky Chopra International Counsels’ Expertise over M&A and Data Protection
Being a full-service corporate law firm, Ricky Chopra International Counsels has two separate teams dedicated for both, Mergers & Acquisitions as well as Data Protection. Our prior experience of advising clients on the EU’s GDPR coupled with decades of experience in M&A gives us an edge over others. Our robust team makes sure that all nitty-gritties of an M&A transaction are taken care of, including data privacy and cyber security aspects. This has made us a preferred choice for our clients who rely on our assistance on every stage of their transaction, be it negotiation, drafting, regulatory filings and compliance etc.
Conclusion
If the recent changes in regulations are anything to go by, it can be safely concluded that regulations are no longer applicable in isolation. Data protection laws, the law on mergers and acquisitions, competition and anti-trust law are all pervasive and tend to simultaneously govern different aspects of an organization’s functioning. Therefore, any organisation which intends to be a going concern in the long run must first ensure compliance with these inter-related laws.
Offices
Chandigarh, New York, Gurugram, New Delhi