The President of India gave her assent to the 'Digital Personal Data Protection Act, 2023' ("Data Protection Act") on August 11, 2023. The Data Protection Act has not yet come into force. It will come into force once the Central Government issues a relevant notification. The Data Protection Act gives the Central Government the power to notify different provisions of the Data Protection Act on different dates. All indicators point to a swift notification of the law, given that it has been in the offing for several years. As organizations ramp up their internal processes and systems to be ready, one aspect that deserves careful attention is the impact of the new law on M&A and corporate restructuring.

The Data Protection Act: Key Concepts

  • The Data Protection Act is divided into 9 (nine) chapters and 44 (forty-four) sections. The Central Government has the power to prescribe rules on several aspects of the data protection framework.
  • The Data Protection Act regulates processing of personal data which is in digital form. As on date, any non-digital forms of personal data will be regulated by the Information Technology Act, 2000 ("IT Act"), and the rules framed thereunder. As far as personal data in digital form goes, the Data Protection Act repeals Section 43A of the IT Act and by implication the 'Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011'.
  • Before embarking on a discussion on the topic, certain key concepts of the Data Protection Act are discussed below:
    1. "Data Principal" means the individual to whom the personal data relates.
    2. "Data Fiduciary" means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.
    3. "Data Processor" means any person who processes personal data on behalf of a Data Fiduciary.
    4. "Personal Data" means any data about an individual who is identifiable by or in relation to such data. It is pertinent that the Data Protection Act does not make any distinction between sensitive and non-sensitive personal data.
    5. "Personal Data Breach" means any unauthorised processing of personal data that compromises the confidentiality, integrity, or availability of Personal Data.
    6. "Processing" in relation to Personal Data, means a wholly or partly automated operation or set of operations performed on Personal Data.

M&A: WHAT SHOULD ORGANIZATIONS PAY ATTENTION TO?

  • Section 17(1) of the Data Protection Act states that the provisions of Chapter II (except sub-sections (1) and (5) of section 8), Chapter III and Section 16 of the Data Protection Act ("Identified Provisions") will not apply to the processing of Personal Data of a Data Principal by a Data Fiduciary in certain situations like corporate reorganization and restructurings approved by a court or a competent authority.
  • To elaborate, Section 17(1)(e) of the Data Protection Act provides that the Identified Provisions would not apply with respect to:
    1. a scheme of compromise or arrangement or merger or amalgamation of two or more companies;
    2. reconstruction by way of demerger or otherwise of a company;
    3. transfer of undertaking of one or more company to another company;
    4. division of one or more companies;
    5. approved by a court or tribunal, or other authority competent under law. The scenarios enumerated in (i)-(iv) above will hereinafter be referred to as "Exempted M&A Scenarios".
  • Since Section 17(1)(e) of the Data Protection Act requires an approval from a court or competent authority, the exemption from the application of the Identified Provisions cannot be availed in other situations. For instance, an acquisition implemented by way of a share purchase agreement that does not require an approval as contemplated above would not fall under the Exempted M&A Scenarios. In such a case, the processing of Personal Data by a Data Processor would bear the full force of the Data Protection Act.
  • This is different from the Digital Personal Data Protection Bill, 2022 ("2022 Bill"), which stated that a Data Principal is deemed to have provided her consent to the processing of her Personal Data if such processing is necessary in the public interest, including for "mergers, acquisitions, any other similar combinations or corporate restructuring transactions in accordance with the provisions of applicable laws". The language of the 2022 Bill (superseded by the Data Protection Act) is broader and appears to accommodate all types of M&A and not just M&As approved by a court or tribunal.

Identified Provisions

As discussed above, the Exempted M&A Scenarios do not attract the provisions of the Identified Provisions. It is therefore pertinent to examine the Identified Provisions in a little more detail.

Chapter II: Obligations of a Data Fiduciary

  • Chapter II of the Data Protection Act requires a Data Fiduciary to process the Personal Data of a Data Principal only in accordance with the Data Protection Act, for a lawful purpose and (i) for which the Data Principal has given her consent; or (ii) for certain legitimate uses.
  • The key aspects of the consent framework and legitimate use are discussed below:
    1. Notice to the Data Principal for consent - A request for consent by the Data Fiduciary will be accompanied or preceded by a notice to the Data Principal. Such notice will detail the purpose for which the Personal Data is proposed to be processed.
    2. Validity of consent already obtained - If a Data Fiduciary has already obtained the consent of the Data Principal for processing Personal Data prior to the commencement of the Data Protection Act, the Data Fiduciary would be required to provide a notice to the Data Principal notifying the Data Principal about the purpose for which the same has been processed. The Data Fiduciary can continue to process such information till the Data Principal revokes her consent.
    3. Specified purpose - The Data Fiduciary is required to process the Personal Data of the Data Principal for a 'specified' purpose only. The specified purpose must be clearly defined and certain. It cannot be processed for purposes not directly relevant to the object of collecting it in the first place. The law prohibits and invalidates the use of personal data for other purposes. It provides several illustrations to make this point.
    4. Erasure - Unless retention is required by law, the Data Fiduciary should erase the Personal Data of the Data Principal upon the earlier of (a) withdrawal of consent; or (b) the specified purpose is no longer being served.
    5. Legitimate use - The Data Fiduciary can process Personal Data sans consent if the proposed use is covered as a 'legitimate use' in terms of the Data Protection Act. The Data Protection Act lists the grounds of legitimate use.
    6. Data breach - Upon occurrence of a Personal Data Breach, the Data Fiduciary is obligated to immediately notify the affected Data Principal as well as the Data Protection Board regarding such a breach.

Chapter III: Rights and duties of the Data Principal

Chapter III of the Data Protection Act enumerates the rights and duties of the Data Principal which includes:

  • the right to access information about personal data;
  • the right to seek erasure of their data;
  • the right to have their grievances settled; and
  • the right to nominate another individual to exercise their rights in case of death or incapacity.

Section 16: Processing of Personal Data outside India

The Central Government may 'blacklist' certain countries / territories for the purpose of transfer of Personal Data. Further, if any law prescribes a higher threshold of protection, or specifies any restriction on the transfer of personal data outside India, such laws and the restrictions therein would continue to be applicable and would prevail over the Data Protection Act. For example, the Reserve Bank of India's stipulations on storing payments data only in India.

Certain Sections of Chapter II that apply to Exempted M&A Scenarios

Notwithstanding the exemptions, the following provisions continue to apply to Exempted M&A Scenarios also ("Applicable Provisions") will:

  1. Obligation to comply overrides the duties of the Data Principal (Section 8(1)): A Data Fiduciary cannot waive its obligations under the Data Protection Act by claiming that there exists an agreement to such effect with the Data Principal, or that the Data Principal has failed to carry out the duties provided under the Data Protection Act. The Data Fiduciary will continue to be liable for any processing of Personal Data undertaken by it or by a Data Processor on its behalf.
  2. Reasonable security safeguards (Section 8(5)): A Data Fiduciary is required to protect Personal Data in its possession or control by taking reasonable security safeguards to prevent Personal Data Breach.

Our Analysis on what Organizations should do:

If organizations are in the middle of evaluating M&A opportunities at the time of notification of the Data Protection Act, they must evaluate how the Data Protection Act would impact their investment plans and prepare for the same. They would first need to evaluate whether the chosen M&A structure is covered under the ambit of the Exempted M&A Scenarios or not. If the M&A structure is covered, then they can simply focus their efforts on ensuring compliance with the Applicable Provisions only. If this is not the case, they will need to ensure compliance with the Data Protection Act in its entirety. Such compliance will cover the entire life cycle of an M&A deal, from due diligence to post-closing integration. Some of these aspects are explored in the ensuing section.

Personal Data of customers and vendors

  • M&A transactions typically require parties to process a lot of Personal Data relating to the target company and its business. Such information typically covers Personal Data of employees, vendors, and customers (i.e., the Data Principals). If the seller / target is required to disclose (i.e., process) the Personal Data of such Data Principals during the due diligence stage itself, the consent requirements under the Data Protection Act must be fulfilled at that stage itself.
  • Further, a transfer of business (i.e., 'slump sale' in Indian parlance) contemplates the transfer of the entire business undertaking. The undertaking typically comprises assets, liabilities and employees relating to a particular business. The processing of Personal Data relating to customers and vendors pursuant to the sale of a business undertaking would be subject to the consent framework. This would entail the seller of the business (being the Data Fiduciary) obtaining the consent of such Data Principals before processing of their Personal Data. Unless such a consent has already been obtained, the seller or target entity is required to issue the relevant notice and obtain a fresh consent for such processing.
  • Obtaining consents in M&A deals can sometimes prove cumbersome. It can also be time-consuming and this calls for a slightly practical and nuanced approach. We have detailed some options as follows:(i) Unless non-disclosure of such Personal Data is not an option, the seller / target can consider disclosing redacted data or anonymised data sets which makes it difficult to identify the Data Principal. Such disclosure falls outside the ambit of the Data Protection Act. (ii) Another approach would be to defer disclosure of such information / Personal Data till closing of the M&A transaction. To provide the buyer the necessary comfort and protection, the seller / target can offer representations and warranties, backed by requisite indemnities, on the information contained in the data sets.

Personal Data of employees

Certain transactions (like slump sale) contemplate the transfer of employees from the seller to the buyer. This would require the buyer and seller entities to exchange Personal Data relating to an employee. This would have ideally required the consent of an employee as per the consent framework envisaged in the Data Protection Act. However, the Data Protection Act provides that processing of Personal Data for employment is a 'legitimate' use. This means that the Personal Data of the employee can be processed without the employee's consent provided the Personal Data is used for:

  1. The employment of the Data Principal.
  2. Safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, and/or classified information.
  3. Provision of any service or benefit sought by a Data Principal who is an employee.

The seller can argue that the disclosure of such information is required to ensure that the buyer makes comparable offers to the employees for joining it. Since such disclosure relates to the employment of the Data Principal, it is covered under legitimate use, and hence is exempt from the consent requirements under the Data Protection Act.

Organizations must note that once enacted, the Data Protection Act has one of the stiffest penalty regimes among several commercial legislations. The Data Protection Board is empowered to levy a penalty of up to INR 250 (two hundred and fifty) Crores for Data Fiduciary's failure to taking reasonable security safeguards to prevent Personal Data Breach. Failure to report a Personal Data Breach entails a maximum penalty of INR 200 (two hundred) Crores. Given that the penalties for non-compliance of the Data Protection Act are stringent, organizations must pay careful attention to how the new law impacts M&A activity to ensure preparedness and compliance.

Information Technology Practice

JSA provides value added legal services across the whole range of innovative technologies. We advise creators, licensors, buyers, sellers and users of information and technology, on all aspects of technology law. JSA has developed an extensive technology practice in response to the global focus on the development of online systems and services. Our strong expertise and long-standing representation of leading software, telecommunications, and media companies have made us uniquely qualified to address the legal challenges associated with information and communication technology. JSA provides advice on highly sophisticated data management, data security and privacy issues. Our depth of experience gives our clients the crucial advantage of consistent and comprehensive, yet practical advice. We have carried out audit and risk assessments, customised global privacy and information management policies, helped create international data transfer strategies, structure and negotiate complex international data transfer agreements. JSA is well positioned to assist clients in managing the ever-increasing threat in cybersecurity. We routinely help clients in creating, managing and maintaining a secure cyber-presence in the face of escalating threats and legal requirements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.