Written by Pratyanik Chakraborty. The author is a law student pursuing BBA.LLB at the Indian Institute of Management Rohtak.
Introduction
Significant mergers and acquisitions (hereafter "M&A") deals took place in India in 2022. Noteworthy examples include L&T Infotech and Mindtree, the Adani cement merger, and the notable PVR-Inox merger. Given several factors, such as the Insolvency and Bankruptcy Code and, hopefully, an increase in PE/VC transactions, the M&A market (if we consider it as one) will continue to flourish in the twenty-third year of this century as well.
Personal data is frequently disclosed or transferred from a seller to a buyer during M&A deals. This often comprises all personal information connected to the acquired target (or assets), including information on employees, clients, users, contractors, suppliers, and business partners. Although most personal information is transferred at closing, occasional disclosures may be made before or after signing. In light of this, it is pertinent that we discuss the intersection of data privacy and M&A. Further, the (in)famous digital personal data protection legislation, pending since ‘time immemorial’, makes this a perfect time to discuss the topic. In this piece, we shall look at various case studies and at the risks that may arise in an M&A deal if data privacy is not considered properly.
1. Risk of Consumer Data Breach in an M&A Transaction
As already pointed out, consumer data is one of the components shared in an M&A transaction. Growing global attention to data privacy, particularly in the case of consumers, has brought it to the forefront of every transaction. For example, the Consumer Protection Act 2019 labels “disclosing to other person any personal information given in confidence by the consumer unless such disclosure is made in accordance with the provisions of any law for the time being in force” as an unfair trade practice under section 2(47)(ix). What might be the implications when the target company delivers the consumer's personal data to the acquiring party before the deal is finalised? Another legal challenge is the implication of data transfer from the target company to the acquiring company in the case of a slump sale (where data will be purchased along with other assets).
2. RadioShack-General Wireless
RadioShack, an American retailer, filed for Chapter 11 bankruptcy in 2015 for asset reorganization and restructuring. RadioShack decided to sell General Wireless its brand name and a number of other assets, including its customer database, for 26.2 million US dollars after an auction.
At that point, the Federal Trade Commission (FTC) and a coalition of the attorneys general of more than 30 states, headed by Texas, intervened. RadioShack had said in its privacy policy that it would not sell personal information about its consumers to any other parties. However, RadioShack was attempting to do the contrary.
3. Possible impact of the DPDP Bill 2022 on M&As
In its privacy policy, RadioShack stated that it would not be sharing data, but India is hoping to get a statutory restriction on arbitrarily sharing collected data. Section 9(9) of the much talked about Digital Personal Data Protection Bill, 2022 (hereinafter “Data Protection bill”) says:
“The Data Fiduciary may, where consent of the Data Principal has been obtained, share, transfer or transmit the personal data to any Data Fiduciary, or engage, appoint, use or involve a Data Processor to process personal data on its behalf, only under a valid contract. Such Data Processor may, if permitted under its contract with the Data Fiduciary, further engage, appoint, use, or involve another Data Processor in processing personal data only under a valid contract.”
Let’s take the example of e-commerce, where data is collected in huge quantities. The two leading e-commerce platforms in India, Flipkart and Amazon, mention in their privacy policies that they use click or browse-wrap agreements, and that consumers consent to the processing of the collected data, including its sharing or transfer, among other things.
But will this be sufficient to comply with the requirement that section 9(9) of the Data Protection bill tries to lay down? The problem with click or browse-wrap agreements is that they raise a question about the validity of acceptance in digital contracts under the Data Protection bill. The same bill defines consent under the much-talked-about section 7. Section 7 notably mentions that consent should, inter alia, be ‘informed’. The informed consent conundrum of digital agreements becomes the main problem in mitigating the risks mentioned in this piece through privacy policies.
4. Marriott-Starwood: a story of post-deal acquirer risk
One of the largest hotel chains in the world, Marriott International, acquired Starwood Hotels & Resorts Worldwide (hereinafter “Starwood”) in 2016 in a 13 billion US dollar deal. In 2018, after the deal was closed and Marriott International was declared the world’s largest hotel chain, a data breach of Starwood’s guest database dating from 2014 was found, and the Information Commissioner’s Office in the United Kingdom fined Marriott International 18.4 million British pounds.
5. Verizon-Yahoo: deal data distress!
In August 2016, "Peace" attempted to sell data from Yahoo accounts compromised in 2014. Yahoo confirmed the hacking of 500 million accounts. At that time, it was the largest public data leak. An acquisition deal of Yahoo by the telecom giant Verizon for 4.8 billion dollars was under negotiation in 2017. As per the record, the deal ended between 250 million and 300 million US dollars after the data leak.
Recommendations
a. A Brave New World for M&A Due Diligence
Given the threats of numerous data and cyber security elements highlighted in this piece, it is essential to include data and privacy due diligence in M&A transactions. A blueprint for such due diligence might consider the following:
Data: Due diligence in such cases should start by tracing how the data was collected, specifically the agreement used to collect it and how the covenants on transferring or sharing the data, or any related covenants, are drafted, in order to mitigate risks like RadioShack's. The data need not only be consumer data but may also include employee data, supplier data, etc. In the case of consumer data, it is advised not to have a slump sale in light of section 2(47)(ix) of the Consumer Protection Act, 2019. Even if the Data Protection bill is not turning into an act right now, consumer data collected through digital agreements should be transferred only after a deal is closed.
Cyber Security: Cyber security due diligence may not be carried out by a legal counsel alone. A due diligence exercise carried out by an engineer (or any other professional having expertise in computers) working closely with a legal counsel should be implemented as part of M&A deals. Yahoo and Marriott teach that this kind of due diligence can reduce post-closure risks.
b. Data and Cybersecurity Conundrum
The importance of cybersecurity due diligence for the buyer side has already been highlighted in this piece. But it creates a conundrum in light of section 2(47)(ix) of the Consumer Protection Act, 2019 and section 9(9) of the Data Protection Bill.
Suppose the buyer side has to conduct cybersecurity due diligence on the target company. In that case, the target company has to give the buyer side access to the said data and information before closing the deal, making it an act of sharing data with a third party.
This situation would be a blatant violation of section 9(9) of the Data Protection Bill because, before the deal is closed and the transaction successfully ended, the buyer conducting due diligence shall be a third party as per the above-mentioned section of the Data Protection Bill. If the data in question is consumer data, then the same logic applies to section 2(47)(ix) of the Consumer Protection Act 2019.
c. M&A Insurance to the Rescue!
M&A insurance, more popularly known as “reps and warranties insurance”, can rescue both the buyer and seller sides. Reps and warranties insurance covers buyers and sellers for violations of representations and warranties in the sale and purchase agreement, a common aspect of M&A agreements. According to a 2017 AIG report, claims were filed under around one in four policies issued for transactions totalling more than US$1 billion, increasing the overall frequency of claims from 14% to 18% between 2011 and 2015. It is not unreasonable to conclude that, each year, there must be a sizable number of M&A issues resolved pre-action or when procedures are in motion, because these data only reflect AIG's (mainly) breach of warranty claims experience. Thus, it can be concluded that properly drafted indemnity and insurance covenants can rescue deals and, while not making these problems disappear, at least soften them to an extent.
Conclusion
On the strength of the aforementioned arguments, data privacy and M&A transactions have an uncanny cohabiting relationship. Personal data is frequently disclosed or transferred from a seller to a buyer during M&A deals, making it essential to consider data privacy in such transactions. The risks of consumer data breaches, post-deal acquirer risk, and deal data distress are examples of what might happen if data privacy is not considered appropriately in M&A deals. The upcoming Digital Personal Data Protection Bill, 2022, proposes statutory restrictions on arbitrarily sharing collected data, which could impact M&A transactions in India. Companies must take proactive measures to ensure compliance with data protection laws and implement robust data privacy policies to mitigate potential risks. As M&A deals continue to flourish, it is crucial to recognize the importance of data privacy and ensure that it is taken into account during all stages of the transaction process.