Decoding The Impact Of Digital Personal Data Protection Act, 2023 On Transaction Documents
After what seemed like an eternity, India has finally got its personal data privacy legislation in the form of the Digital Personal Data Protection Act, 2023 (“Act”). The Act is nothing short of a seismic shift in India’s approach to safeguarding personal data in the digital age.
This article aims to delve into the rather uncharted waters of the Act’s influence on transaction documents such as the shareholders’ agreement. Investors have been increasingly focusing on data security and privacy aspects when investing in a company, and the Act complements these concerns. In this context, we have set out below several key aspects that investors must give due consideration to when investing in a company, especially if such company collects, stores, transfers or processes large volumes of personal data.
1. Due Diligence
An enhanced data protection due diligence (“Data DD”) on the target should, at a minimum, cover the following:
- mapping of the personal data collected and processed by the company;
- assessment of cross-border data transfers to ensure that personal data is transferred only to jurisdictions permitted under the Act;
- review of the consent mechanism adopted by the company (and, in the case of children’s data, the mechanism for verifiable parental consent, for instance in the case of Edtech companies);
- investigation of instances where users have exercised their rights under the Act and the company’s responses in such cases;
- examination of past instances of data breaches and the company’s response to such breaches;
- cyber security insurance, if any, taken by the company.
The above enhanced Data DD should enable the investor to assess the data protection risk associated with the company and identify any liability that may impact valuation or require a specific representation or indemnity.
2. Information and Inspection rights
Once the Act comes into effect, the investor or any other party, as the case may be, should ensure that it has information and inspection rights through which it can effectively verify that the company is duly meeting all the compliance obligations emanating from the Act. The ongoing compliance obligations and the hefty penalties prescribed under the Act make it all the more necessary to place emphasis on the consistent availability of information and inspection rights.
2.1 Information Rights
The investor/incoming shareholder may consider incorporating provisions obligating the company to make available to them all information necessary to demonstrate compliance with the obligations laid down under the Act. Such information may include:
- Data audit reports and periodic assessments of the measures adopted to deal with data protection issues.
- Information regarding the appointment or replacement of any data processor, including the purpose, the terms and the resulting data processing agreement.
- Details of the data protection officer and data auditor appointed by the company.
- Notification of any change of the data protection officer or data auditor.
- Any intimation, information or notice regarding any dispute, impending scrutiny, request for erasure or correction of data, etc.
- Any complaints or incidents in relation to the personal data of data principals.
Considering that issues arising out of personal data tend to be time sensitive, it will be imperative to incorporate provisions dealing with the timeframe within which such information must be shared and the format in which it shall be shared. Separately, information rights may also extend to any cyber security incident/breach that the company is required to report to the Indian Computer Emergency Response Team (CERT-In) pursuant to its direction dated April 28, 2022 (which requires such incidents to be reported to CERT-In within six hours of their being noticed); the investor should expect to be notified on a comparable timeline.
2.2 Inspection Rights
To ensure that the company is compliant with the provisions of the Act, the investor / incoming shareholder should also seek inspection rights. Such clauses will typically set out the procedure for data audits and inspections, who bears the costs, the details of the auditor, the timeline for submission of reports, the power to contest the scope or methodology of reports, the power to request a fresh audit/inspection, the power to instruct further measures to ensure compliance with the Act, etc.
As a side note, it must be highlighted that while the Data DD process is intended to establish whether the target has complied with the Act and has adopted adequate measures in that regard, the Act has adopted a principle-based approach and does not provide a comprehensive prescriptive list of mechanisms to ensure compliance. Keeping this in mind, further clarity may be required on the sufficiency, adequacy and reliability of some action items, and obtaining clarity on the following points before seeking information and inspection rights would play a vital role in ensuring that such rights are effective and of any value:
- Has the company designated appropriately trained individuals as data protection officer and data auditor?
- Are there established procedures and processes in place for conducting data audits and evaluating business functions?
- Has the company taken steps to ensure adequate management and protection of data principals’ consent and privacy?
- Have company employees received training and skill enhancement to maintain compliance with the Act?
- Does the company have a positive track record when it comes to handling requests such as data correction, erasure, grievance resolution, or other actions outlined in the Act?
- Has the company conducted thorough assessments to ensure that third parties with whom data is shared have implemented measures to safeguard personal data?
3. Representations and Warranties
The transaction documents must be carefully drafted to incorporate specific data protection related representations and warranties, especially where the company is engaged in a business that collects/processes large amounts of personal data. The representations and warranties should cover compliance under the Act and must also factor in industry-specific data protection laws, for example the Reserve Bank of India’s digital lending guidelines and data localisation norms.
In addition to the above, a well drafted representation and warranty clause may address the following:
- the company at all times employs comprehensive security procedures and practices;
- no breaches have occurred or, where breaches were identified during the Data DD, such actions as are required under law have been taken by the company;
- the company has verifiable consent for the sharing of any personal data during the Data DD;
- no personal data is transferred or stored outside India in breach of the Act or other regulations;
- there have been no instances of failure to respond to data principal requests within the prescribed time limit; and
- the company has valid cyber security insurance.
4. Exit provisions
Investors may consider incorporating clearly defined exit rights in the event the company faces a significant data breach which affects the target’s ability to conduct business, or any significant instance of regulatory sanctions or penalties. For instance, the exit provisions may treat a significant data breach as a put trigger event and require the company to find a third party to purchase the investor’s shares, or the promoter to buy the investor’s shares, at an agreed valuation. Similarly, a drag along right in favour of the investor may also be included in case an exit does not materialise by way of the put option mentioned above.
5. Investor Approval
Considering that the Act is silent on whether data protection measures and policies should be board approved, investors may consider including such a provision in the shareholders’ agreement. To further secure its interest, an investor that does not have a majority on the board or a board seat may also require the target to obtain the investor’s prior approval for any adoption, revision or amendment of the data protection policy or measures. Similarly, where the company executes any contract which significantly deals with the collection, storage, transfer or processing of personal data, such agreement may also be required to have specific board approval or the investor’s prior approval, as the case may be.
6. Indemnity
Considering that the Act provides for substantial monetary penalties of up to INR 250 crore, it is likely to impact the way indemnity is sought and drafted in transaction documents. Data breaches and similar non-compliances under the Act resulting in a loss exceeding a certain agreed amount may be categorised as a specific indemnity item falling outside any limitation (either of quantum or time). Indemnity provisions could also be extended to data processors or other third parties to whom data is transmitted, and appropriate back to back clauses may also be introduced. Separately, investors may seek indemnity for losses arising out of:
- reputational damage
- occurrence of cyber attacks
- penalties imposed by relevant authorities, including the Data Protection Board (as may be constituted)
- contractual liability to other parties under the express additional terms of contracts dealing with data protection
- business disruption caused by mass requests for erasure of personal data by data principals. This would be applicable where the target company loses a major chunk of its business because a large number of its users withdraw their consent for the target to store their data.
While the Act has truly ushered in a new era in the data protection landscape in India, we expect the Act will also have a significant overarching influence on the negotiation and structuring of transaction documents, particularly for companies acting as data fiduciaries. Given that significant compliance obligations now rest with data fiduciaries, the Act’s impact on transaction documents for data fiduciaries cannot be overstated.
In this evolving landscape, investors are likely to prioritise data protection concerns from an early stage, just as they have started emphasising corporate governance structures at early-stage companies. This increasing concern is further reinforced by the significant penalties that may be imposed on the company under the Act, which would ultimately also affect the investor’s investment. We expect the Act’s stringent provisions and penalties to induce a shift in investor expectations, thus compelling companies to proactively address data privacy and protection. As a result, we can anticipate a growing emphasis on robust data privacy and protection practices across the investment spectrum.