On May 25, the European Union (EU) adopted the General Data Protection Regulation (GDPR), which establishes a new data privacy and protection regime. GDPR changes the privacy regime not just across the EU, but also impacts organisations conducting business within the EU and/or processing personal data of natural persons within the EU.
GDPR applies to the processing of any personal data of natural persons within the EU (EU Data Subjects) by: (i) organisations within the EU or (ii) organisations outside the EU, if they offer goods or services to, or monitor the behaviour of, EU Data Subjects within the EU. The EU is a key market for the Indian information technology (IT)/outsourcing industry.
Further, cross-border mergers & acquisitions (M&A) between Indian and European companies are also growing exponentially. Given the significant penalties and steep compliance burden, GDPR will have a significant impact on cross-border M&A deals between Indian and EU companies.
This article discusses some of the key considerations for cross-border M&A transactions between India and the EU from a GDPR perspective.
Any GDPR exposure, including past data breach incidents or inadequate privacy policies and implementation, would have a consequential impact on the valuation of target companies. In fact, in the annual filings for the financial year ending 2018, several Indian companies with a presence in the EU, and particularly Indian IT companies, have highlighted GDPR as a compliance risk that could impact their businesses.
In M&A deals, acquirers should at the outset assess whether or not the target’s activities are subject to GDPR. M&A deals often require parties to share personal data of their employees, vendors, customers, or business partners across the globe (including the EU). All such personal data is protected under GDPR. Given the potential GDPR implications, it is imperative to have in place well-negotiated and robust confidentiality agreements and non-disclosure agreements (NDAs). If personal data is shared outside of the EU pursuant to an NDA, compliance with an adequate level of protection, standard model clauses, etc. will need to be assessed. If personal data must be shared at all, parties should use a secure virtual data room with limited access and monitoring rights, and other measures to avoid any misuse of data.
Since GDPR is new and complex, most organisations are still not fully compliant with its provisions. Under GDPR, organisations will need to give data subjects control over their personal data, enable new data subject rights (such as the right to be forgotten, the right to data portability, etc.), and have adequate organisational and technical measures in place for the security of personal data. To ensure compliance with GDPR at the target level, acquirers may need to conduct thorough due diligence on a potential target. Target companies should consider sharing only redacted or anonymised data during diligence, which falls outside the applicability of GDPR. Specific details such as employee or customer details should be shared only at the transaction signing stage, or as part of the deal documents.
GDPR provides for penalties as high as 4% of annual global turnover or Euro 20 million, whichever is higher, for significant non-compliances. Deal documents would thus need robust representations and warranties on data protection practices and policies, excluded liability and specific indemnities for any past non-compliances and data breach incidents, and uncapped monetary liabilities to sufficiently cover any future revenue-linked fines under GDPR. Acquirers should also insist on uncapped cyber security insurance as part of the transaction to cover any foreseen liabilities under GDPR.
As part of transaction integration, parties will need to assess how the data protection policies and practices of the acquirer and the target can be aligned. Further, fresh consents may be required for any additional processing activities after the transaction. If data is shared among affiliates under a transition services arrangement, it will need to be subject to binding corporate rules or appropriate safeguards, including model clauses and contracts.
GDPR will impact all stages of M&A deals. Prudent sellers and buyers have already started assessing GDPR compliance levels and the potential impact on valuations. India, too, is expecting a new data privacy law. Recently, the Justice Srikrishna committee released the draft of the Personal Data Protection Bill, 2018 (Bill), which is largely inspired by the GDPR. The draft Bill is subject to comments from the Ministry of Electronics and Information Technology, and will thereafter be tabled before Parliament before it becomes law. Thus, GDPR readiness and compliance will give companies a competitive edge under the new privacy law in India once it comes into force.
Views are personal.
Rabindra Jhunjhunwala is partner and Shweta Dwivedi is principal associate at Khaitan & Co.