Iqbal Khan, Partner at Shardul Amarchand Mangaldas, and Paavni Anand, Associate at Shardul Amarchand Mangaldas
A year after the introduction of the draft Data Protection Bill in India in 2018, a new Data Protection Bill was introduced in the Indian House of the People (i.e., the Lok Sabha) in December, 2019 (the Bill). With the introduction of the new Bill, India is one step closer to enacting a comprehensive data protection legislation.
The Bill is largely modelled on the European Union General Data Protection Regulation (the GDPR), and goes far beyond its predecessor, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the SPDI Rules), by enacting a legislation that enshrines the fundamental principles of privacy.
The Bill has been referred to a joint parliamentary committee of both houses of the Indian Parliament, and the committee is expected to submit its report before April, 2020.
The enactment of the Bill has several implications for strategic and financial investment activity in India (M&A and majority investments on the one hand, minority investments on the other), particularly for potential investments in data intensive targets, such as those in the software, artificial intelligence, pharmaceutical, hospital, e-wallet and financial sectors.
Data localization and commercialization of data:
Over the past few years, data has become one of the key assets that potential investors of data intensive targets are looking to acquire. Investors are not only seeking to process this data for their own businesses, but also to commercialize this data for sale.
Much to the dismay of potential investors, the Bill proposes to introduce certain data localization restrictions. 'Sensitive personal data,' which, amongst others, includes financial, health, biometric and genetic data, must continue to be stored in India and can only be transferred outside India with the explicit consent of the data principal and under conditions (such as approved contracts or intra-group schemes) sanctioned by the new Data Protection Authority or the Central Government. Also, the Bill empowers the Central Government to determine what will be classified as 'critical personal data,' and provides that critical personal data may only be processed in India, subject to narrow exceptions. This may be crucial for certain types of cross border M&A transactions, and limits the avenues for commercialization of data.
The introduction of data localization restrictions on payment system operators in 2018 received a lot of resistance from global giants, such as Apple, Google and Amazon, who saw great potential for their e-wallet businesses in the Indian market. However, the Indian government refused to take a step back. The new Bill now extends these restrictions to a much broader category of data.
In order to incentivize companies to store data in India, and to allow India to reap benefits of huge revenues from the potential data center market, the Union Budget 2020-21 encourages private players to set up data center parks in India.
However, without a detailed policy in place at this stage, which addresses concerns relating to real estate and infrastructural support to set up these data centers, it is too early to tell whether companies will be willing to invest in the Indian data center market. Also, building data center hubs in India may simplify compliance with the data localization requirements, but does not take away any of the difficulties that investors may face in commercializing data at a global level.
Classification as 'data fiduciaries':
Potential investors will need to carefully consider and analyze further (see below) whether they are willing to be classified as 'data fiduciaries,' and be bound by the obligations attached to such a classification. Whereas the present SPDI Rules limit such obligations to the person who 'collects' the data from the data principal, the Bill broadens the scope, and defines a data fiduciary to mean any person who 'determines the purpose and means of processing the personal data.'
As an example, 'A' is an online pharmacy and 'B' is a biomedical data aggregator looking to invest in 'A.' If 'A' transfers data collected from its patients to 'B,' will 'B' also become a data fiduciary, and be required to comply with all the obligations applicable to a 'data fiduciary,' because 'B' determines the purpose and means of processing this data on its own?
What if 'A' and 'B' enter into a contract, which allows 'B' to only analyze data on behalf of 'A'? In such a scenario, 'B' does not determine the 'purpose' but only determines the 'means' of processing by choosing the best algorithms to achieve this purpose. Will 'B' become a data fiduciary?
Amongst other obligations, data fiduciaries are required to provide a detailed notice to the person to whom the data relates (i.e., the 'data principals') at the time of collection of such data, setting out, amongst other things, the purpose of collection, the details of the data fiduciaries, the basis for processing and the details of data processors. Additionally, the notice should contain information regarding any 'cross border transfers.' These notice requirements are much more extensive than those provided in the present SPDI Rules and the GDPR.
For example, even if an Indian target sets up an overseas office to conduct its operations, if data will be transferred to the overseas office, then details of this office need to be provided to the data principal.
Investors will also need to consider whether simply acquiring control, or majority or minority voting rights, in a target makes them the person who determines the 'purpose and means of processing' of the data collected by the target. This could follow from the veto and governance rights that typically accompany such an acquisition, such as control of the board, or veto rights over changes to the business plan, operational matters or the entry into new material contracts. If so, the investor may be classified as a 'data fiduciary.' In such a scenario, will the investor need to issue fresh notices to all data principals?
Also, the Bill requires that consent of the data principal be obtained 'at the commencement of processing.' This consent must be free, informed, specific, clear and capable of being withdrawn. Although the present SPDI Rules require that the prior permission of the data principal be sought before any information is shared with a third party, the SPDI Rules do not set any standards for obtaining this permission. These standards are also higher than those set out in the GDPR, which treats consent as one of several lawful bases for processing and, where consent is relied on, does not specify that it must be obtained 'at the commencement of processing.'
The Bill does not provide any clarity on how this would practically work. For instance, does consent need to be obtained every time a new data processor commences processing? Does consent need to be obtained every time a data processor commences processing for a new purpose? Or can omnibus approvals be obtained?
The Bill empowers the Data Protection Authority to specify codes of practice for data governance, and such codes can include the manner of issuing notices to, and obtaining valid consent from, data principals. Perhaps these codes of practice will provide further clarity on how notices are to be issued and consents are to be obtained.
Classification as 'significant data fiduciaries':
If the investor or the target is a 'data fiduciary,' it may also be classified as a 'significant data fiduciary' based on certain criteria, which include its turnover and the volume and sensitivity of the data it processes. Significant data fiduciaries need to obtain registration, are subject to independent audits and need to comply with reporting requirements.
Also, commencement of any processing that involves new technologies, large scale profiling or use of sensitive personal data is subject to the significant data fiduciary conducting a data protection impact assessment. Based on the impact assessment, if the Data Protection Authority finds that such processing is likely to cause harm to the data principal, the Data Protection Authority can direct the data fiduciary to modify the processing or even to cease processing altogether.
This requirement may hinder innovation and discourage investment in certain sectors, such as the AI and pharmaceutical R&D sectors. Also, we will need to wait and see whether the regulations enacted by the Data Protection Authority for this purpose grandfather processing that has already been taking place prior to the enactment of the Bill and notification of such regulations.
Due diligence, acquisition and integration:
Many Indian companies are already GDPR compliant. However, once the Bill is enacted, Indian companies will also need to ensure compliance with the incremental requirements set out under Indian law. This will also impact cross border transactions, as the investor and the target will need to ensure compliance with data protection laws across multiple applicable jurisdictions.
Apart from conducting legal, financial and tax due diligence, investors in data intensive sectors in India should now also consider conducting data protection due diligence, in order to ensure that the relevant targets are compliant with data protection laws, and have adequate systems in place to ensure that requisite standards of privacy and data protection are maintained. This is because investors not only need to protect themselves from monetary liabilities set out under the Bill, but also from any potential reputational harm that such investors may be exposed to. For this reason, during the documentation process, investors should protect themselves by seeking adequate representations and warranties, backed by indemnities, regarding the target's compliance with data protection laws.
Also, given that non-compliances with data protection laws may adversely impact the business of the target, if the due diligence uncovers any such non-compliances, investors must seek to re-evaluate investment hypotheses (and valuation), to ascertain whether future compatibility with the new Indian regulations is commercially and legally viable.
Investors will also need to ensure that the due diligence and acquisition process itself does not flout any data protection restrictions, such as notice and consent requirements. Investors should also consider entering into confidentiality agreements with requisite provisions, to ensure adequate protection of any data processed by the investor or its advisors.
As part of integration planning, the acquirer and the target should ensure that adequate IT infrastructure and cyber security measures are in place for takeover, integration and / or expansion of the target's business in a compliant manner.
Relaxations to encourage innovation and for M&A:
The Bill also empowers the Data Protection Authority to, by notifying regulations, create a 'sandbox' for encouraging innovation. Entities undertaking businesses involving AI, machine learning and 'any other emerging technologies in public interest,' can apply for certain relaxations as to the applicability of some of the data protection obligations. Once approved, this 'sandbox' will be available to these entities for a maximum of 36 months.
We will need to wait and see how these regulations define the scope of 'emerging technologies.' For instance, can the entity be engaged in multiple businesses, out of which only one falls within the scope of the sandbox? Can the entity be engaged in a business with purely commercial purposes, or will the sandbox only apply to entities engaged in a business with 'public purpose'? At what stage does a business cease to be classified as an 'emerging technology'?
Also, the Bill allows the new Data Protection Authority to notify regulations to set out exceptions to the applicability of some of the data protection obligations for 'reasonable purposes.' As per the Bill, one of these 'reasonable purposes' can be M&A.
Will this exemption only apply to the data processed as part of the investment process (such as for the purpose of due diligence and documentation), or does this mean that potential investors may not need to seek fresh consents once they acquire management rights or control over their target? Will this exemption extend to both strategic and financial investors? Will the Data Protection Authority legislate for any special requirements in case of a foreign investor or majority / minority / buyout transactions?
While the Bill lays the foundation for a new privacy regime in India, the Bill leaves a lot of questions unanswered. The devil lies in the details of the regulations to be notified by the new Data Protection Authority, which will hopefully provide clarity on how the Bill is to be enforced from a practical perspective.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.