The July edition of Au Courant feature Mr. Anupam Shukla, partner at Pioneer Legal, heading the technology law and privacy practice at the firm wherein he discusses M&A transactions.

Mr. Anupam Shukla is a partner at Pioneer Legal, heading the technology law and privacy practice at the firm. He has over 10 years of experience advising on several cross-border private equity and M&A transactions. Mr. Shukla has been ranked as one of the Top TMT Lawyers in India by Asian Legal Business in 2022 and recommended as a practitioner in the PE and M&A sector in various legal rankings.

1. A transaction might involve transfer of sensitive or private information from one entity to another. Hence, before a deal is closed, what are the aspects of data protection and privacy that one needs to keep in mind while carrying out the due diligence of an entity? Moreover, what are the ensuing consequences if it is found that the entity passing the data has had data leaks and what are the laws in place regarding the same?

Confidentiality of proprietary data and information being shared as a part of the due diligence becomes very critical. Usually, in M&A transactions, the strategic acquirers are also involved in similar businesses. In such cases, the target companies tend to ring-fence the more critical data and only share it post-closing. Further, companies need to note that the data which constitutes personal data or sensitive personal data should be shared for diligence only after ensuring that such disclosure is covered under the consents procured from the data principals.

2. Various surveys have discussed that data breach has increased during the pandemic and this includes high risk in the domain of P/E transactions as well. Where do you see the main data privacy and cyber security risks arising in the future? What advice would you give to managers of this high-risk data on the cyber risks they face?

Data is an indefinitely replicable resource. Stolen/ leaked data often ends up for bulk sale on dark web forums available to multiple bidders. It then finds its way to those who intend to use it to harm your computer systems or for unsolicited advertisement or analytics. In a recent survey by Local Circles, 41% of Indians surveyed blamed their banking and telecom service providers for personal data breaches. A Surfshark report ranked India third globally in data breaches, with the number of Indians impacted having almost quadrupled in 2021 compared to 2020.

More and more businesses have moved a significant proportion of their activities online. This exposes them to the risks of data breaches. Businesses in India cannot wait for the regulatory requirements to catch up. Suitable security systems need to be instituted across sensitive industries to prevent such data breaches with measures such as periodic audits and internal training.

3. The importance of data protection is still very niche in India. In your opinion, is there the necessary acknowledgement of this within the industry as to the need of maintaining robust data privacy systems? Is India, which is in the process of acknowledging data privacy and rewriting IT Laws, falling short on this front?

To say that India needs a robust data privacy law is an understatement. In addition to prescribing heavy penalties, privacy law would also set data security standards and mechanisms to be adopted by all organisations. As more and more facilities and services shift to digital delivery, stringent steps are required to prevent data breaches.

4. Major brands and companies have dealt with a data breach that has cost millions of dollars. Major cosmetic brand, Kylie Cosmetics had a recent data breach. Similarly, Yahoo has dealt with the data breach of millions of users with their un-encrypted passwords and data being stolen as a result of which it even lost deals. There is a new variable that needs to be considered in P/E valuation too: the impact of an undisclosed cyber breach and the consequences of it. This also includes the likeliness of insider thefts. What are your views on the same and how do you advise your clients in this regard?

These days, the due diligence exercise also covers instances of data breaches or leaks, if any. Such instances are evaluated basis various factors such as the extent of the breach, type of data disclosed, age of such data, was such data in encrypted or anonymized form, etc. Basis all such factors, the acquirers evaluate the business and legal risks in the transaction. This becomes very critical as it is difficult to ascertain the potential loss which could be suffered on account of data breaches.

5. The Indian Computer Emergency Response Team (CERT-In) in April this year issued certain guidelines relating to the cybersecurity space in India. Upon the release of these guidelines, concerns were raised by various Virtual Provided Network (VPN) Providers that following these guidelines will render their privacy-oriented business model meaningless, as they require them to log details of all the persons who access their servers. Further, there were also concerns about the mandatory 6-hour timeframe for reporting incidents and the broad definition of incidents to be reported. This has led VPN providers like Surfshark and Express VPN to exit the Indian market and shut their servers here. In your opinion, what is the correct approach that the Indian Government should have taken or can take now to ensure a seamless implementation of these guidelines?

Considering the rise in cyber incidents, it is understandable that the government may want to put in place mechanisms that make redressal of such incidents more effective. Regulating VPNs is a step in that direction. However, the government should have ensured the privacy law was enacted before coming up with a regulation requiring private entities like the VPN service providers to store a massive amount of data belonging to private individuals. The PDP bill 2019 which was long awaited has recently been withdrawn by the government. This increasingly makes the approach of the government feel rushed.

6. How is the cross-border transfer of data handled since most jurisdictions have varying regulation controls existing in the space of data privacy and protection? Also, when data flows from a strictly regulated data space country to one with fewer regulations, how does it impact the target companies and how is this vulnerability to data leaks being tackled in the present day?

This is one area which is a great source of concern in cross-border transactions. Privacy legislations and their enforcement differs significantly from country to country. In this case, investors generally tend to perform a technical due diligence of the internal safety mechanisms implemented by the target group. Local law firms are also retained to undertake a due diligence from a local privacy compliance perspective. Any potential areas of exposure are evaluated by the PE investors, and such risks are addressed by way of indemnity and/or a corrective action before the transaction consumation.

7. In the post-pandemic period, the process of due diligence has undergone quite a change and it relies less on physical or on-site meetings and more on Virtual Data Rooms (VDRs). The pandemic has shifted the process to working remotely and therefore such VDRs have become a vital part of each transaction/deal. In your opinion, what are the things that need to be kept in mind by both, the target company, as well as the acquirer company when selecting their VDR for due diligence as even a small mistake can lead to accidental disclosure of information such as sensitive intellectual property information?

The parties need to select VDRs basis individual need cases. A safe and secure infrastructure is provided as a baseline by almost all VDRs. However, for highly sensitive data, VDRs providing a higher degree of DRM restrictions on access to data, print or screenshot restrictions and other technological safeguards are adopted by the deal teams. This however has the downside of increasing the costs and making the diligence process more cumbersome and time-consuming. Finding an appropriate balance is important.