Written by Arham Jain,
Intern-Lex Lumen Research Journal,
June 2025
Introduction
As we are aware of the fact that the issue of data privacy arose around a decade ago only. The main cause of this issue is the increase or the development of Information Technology and with the coming of AI tools this practice has taken a wide turn and targeting various big players of the market to establish their supremacy among them. Also concept of Mergers and Acquisition [1]first arose in India after the introduction of the Liberalization, Privatization and Globalization [2]in 1991. But it gained significance around a decade ago when the economy faced the peak of its globalization as the companies from almost all the developed nations came in India for trade and collaborations. There was a key issue at the time when it gained significance that in a country like India where the economy is still developing, laws are keep on evolving specially the data privacy laws, it became very difficult hence a tough task for the law makers to ensure the compliance of data privacy in the Mergers and Acquisitions for the smooth functioning of the India’s corporate world. Hence in this research we’ll discuss about the various compliance mechanism which are essential and plays an important role in addressing the data privacy concerns in the matters of Mergers and Acquisitions in India specifically.
Frameworks for the Data Privacy and Protection in India and challenges faced during M&A
While discussing about the statutory legal frameworks for Data Privacy in India, so it is divided majorly into three phase. The first phase includes The Information Technology Act (IT Act) 2000[3], this act was the first step legislation which discusses the data protection and curbing of the breach of the same. Then the second phase includes the extension of the IT Act only as in 2011 (Privacy Rules), the legislation came up with The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules[4]. The last phase includes the introduction of the separate act for the same i.e. Digital Personal Data Protection Act, 2023[5], commonly known as the DPDP Act. These legislations contain the provisions to Merger and Acquisition transaction for example, the personal data must only be collected or used after the permission of the person or the company concerned, the collecting of the necessary and specific data is allowed which is necessary for the that particular transaction, also the implementation of security safeguards and ensuring the accountability of data processed by the data fiduciaries, even in cases of cross border transactions specific conditions are to be require and in case of highly confidential transactions the prior approval of the central government is needed. If we look over the judicial precedents so in one of the landmark case of supreme court Justice K.S.Puttaswamy(Retd) v. Union of India 2018[6], the supreme court held that right to privacy is an integral part of the fundamental rights hence enshrined in the Article 21 of the Indian constitution, also the court directed that it is the duty of all whether government or the judiciary to protect the breach of data and safeguard the citizens from such abuse.
Mergers & Acquisitions highly include the exchange of transfer and sharing of high volume of personal data, business information and the highly sensitive personal data of both the buyer and seller which increases the risk of breach of privacy and sometimes even cybercrimes. There are cases of misuse of the information so it leads to the deteriorating relationship between the parties and breach of trust. In cases of lack of precautions or due to negligence if there is any breach so it can lead to financial crisis, legal liabilities and even the reputational damage also.
M&A Transaction’s [7]Compliance Mechanism
As stated above that in this modern world with the increase of technology there is increasing the high risks of personal data breach specially in the fields from where they can be accessed easily with minimal risk. But also with the development of the globalization and increase of the corporate world there are huge Mergers & Acquisition transactions, which can’t be avoided or neglected because of the data breach. In order to curb this practice some approaches are adopted or it can be referred to as the compliance mechanism in M&A transaction.
- Sector specific mechanism
An economy is divided into 3 major sectors namely, primary, secondary and tertiary, among which the service sector i.e. the tertiary sector is growing at a large pace mainly because of the increasing globalization but we need to understand the concept that there are few specific sectors under this which require special care as these sectors hold the very basic personal data of the person or the organizations, breaching of which may led to the irrecoverable damage. Some of these sectors are e-commerce and financial or banking sector, for the instance healthcare and education sector can also be taken into consideration.
- Contracting mechanism
This mechanism is highly important for safeguarding the interest of the buyer and the seller in M&A. Under this mechanism the contracting party add clauses in their contract with respect to the violation of data breach, if occurred. Also the parties sign the confidentiality or non- disclosure agreement to preserve and protect the rights and data of both the parties and also discuss the legal liabilities in cases of the breach and the process of indemnifying the loss or damages incurred, if any.
- Data Privacy mechanism
Under this mechanism the parties adhere to the data protection rules and legislations, if any (in case of India, DPDP Act 2023 and IT Act Privacy Rules 2011 before the former). They evaluate the past incidents and the pattern of the breach so that they could take precautions to avoid that in their case. In cases of any third party involvement, the data protection clause to be signed by that person to protect the interest of the other two.
- Post Transaction Mechanism
This mechanism deals this the precautions taken even after the M&A transaction. Even though the transaction is completed the interest of the party need to be protected and maintained under the safe head is the responsibility of all no matter whether the purpose of the transaction is fulfilled or not. Even after the completion of the process the person or organization need to adhere to the data protection rules, also the employees are to given the proper training in order to avoid any human error. Also proper monitoring and audit is maintained under this mechanism and the report of which is duly verified and submitted before the parties for a cross check.
All the above stated compliance mechanism led to the long term healthy relationship between the parties. Also this protects the parties from the undue negatives or disadvantages of the data breach during the M&A transactions.
Consequences of the Non- Compliance
There is a very famous saying that every coin has two side, similarly every situation has two sides negative and positive or advantages and disadvantages. Therefore, there are few problems that arose due to the non-compliance. The issue of noncompliance usually arises either due to the negligence or with the ill intention. Both the cases led to the data breach in M&A transactions which harms the parties. Few of them consequences are as follows:
- Legal liabilities- sometimes the damage is so large and unrecoverable that it led to the legal actions to protect from further breach or damage.
- Reputational harm- this is one of the most grievous harm one can get as everyone work on the basis of the respect they earn and with the breach or violation of personal data that reputation get infringed leading to the bad impact in the market.
- Financial Penalties- the legislations prescribed for various kinds of relief given to the victim and one of them is fines or compensation.
- Deteriorate relationship- the non-compliance may have led to the worsening relations between the parties.
Conclusion
Data privacy is a crucial element in M&A Transactions as it contains the personal information of the parties which if violated or misused so it may lead to the reputational harm and deteriorating inter personal relationship. There are many ways through which this can be prevented or for the matter of fact can be used as some precautions. For example, hiring of the expert, the one having knowledge in this field and is aware of the data protection policies and legislations, a regular monitoring regulation can be set up to ensure that there is no misuse of the data and many others. By following the above stated compliance, like contractual obligations, digital privacy, post transaction mechanism, the risk of violation of data breach can be prohibited or can be reduced to some extent. Hence the data protection laws must go in compliance with the M&A transactions but as it is quoted that it takes two to tango that means the precautions need to be taken care of from both the sides. The companies also during M&A transactions must comply with the rules and regulations to avoid the data violation. In a data-driven economy, this not only protects legal and financial interests but also builds confidence and trust among stakeholders, opening the door for long-term prosperity.
Bibliography
- The Indian Income Tax Act, 1961.
- Foreign Exchange Management Act, 1999.
- The SEBI (Substantial Acquisition of Shares and Takeovers) Regulations, 2011.
- Insolvency and Bankruptcy Code, 2016.
- The Indian Stamp Act, 1899.
[1] Companies Act 2013 (India).
[2] Majumdar, R, ‘Manmohan Singh and Reformation: Liberalization, Privatization, and Globalization’ in Concise History of Indian Economy (2023) 183, 198.
[3] The Information Technology Act 2000 (India).
[4] The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (India) https://www.indiacode.nic.in/handle/123456789/1362/simple-search?query=The%20Information%20Technology%20(Reasonable%20Security%20Practices%20and%20Procedures%20and%20Sensitive%20Personal%20Data%20or%20Information)%20Rules,%202011.&searchradio=rules accessed 10 January 2025.
[5] The Digital Personal Data Protection Act 2023 (India).
[6] Justice KS Puttaswamy (Retd) v Union of India (2018) AIR SC 1841 (India).
[7] The Competition Act 2002 (India).