
Introduction
In today’s digital age, where information flows freely across borders, the need for robust data protection laws has become paramount. As individuals and organizations increasingly rely on technology to store and process personal data, governments around the world have recognized the importance of safeguarding this information and ensuring its proper use. In this article, we will explore the landscape of data protection laws at the global level, understanding their significance, key principles, and the challenges they face.
- Introduction: The Importance of Data Protection Laws
In an interconnected world where personal data is constantly being collected and shared, the need to protect individuals’ privacy has never been more critical. Data protection laws serve as a legal framework that governs the collection, processing, storage, and sharing of personal data. These laws aim to strike a balance between allowing the beneficial use of data for societal and economic purposes while ensuring the privacy and security of individuals’ information.
- The Evolution of Data Protection Laws
The journey of data protection laws began in the 1970s when countries like Sweden and Germany introduced pioneering legislation to address concerns about privacy and data processing. Over time, the awareness of the need for data protection grew, leading to the development of comprehensive laws in various countries and regions. One significant milestone was the implementation of the European Union’s General Data Protection Regulation (GDPR) in 2018, which set a high standard for data protection and privacy rights.
- Key Principles of Data Protection
Data protection laws are built upon key principles that guide their implementation. These principles include:
- Lawfulness, Fairness, and Transparency
Data processing must be conducted lawfully, with a legitimate basis, and individuals should be informed about how their data will be used.
- Purpose Limitation
Personal data should only be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
- Data Minimization
Only the necessary personal data should be collected, ensuring that it is relevant and limited to what is required for the intended purpose.
- Accuracy
Organizations should ensure that personal data is accurate, up to date, and rectify any inaccuracies in a timely manner.
- Storage Limitation
Personal data should be kept in a form that allows identification for no longer than necessary for the intended purpose.
- Security and Integrity
Data controllers and processors must implement appropriate technical and organizational measures to protect personal data from unauthorized access, alteration, or disclosure.
- Accountability
Data controllers are responsible for demonstrating compliance with data protection principles and should be accountable for their data processing activities.
- Major Data Protection Laws around the World
Data protection laws exist in various countries and regions worldwide, each with its own unique characteristics and requirements. Some notable laws include:
- General Data Protection Regulation (GDPR)
The GDPR, enacted by the European Union, is one of the most comprehensive data protection laws. It grants individuals greater control over their personal data and imposes strict obligations on organizations handling such data.
- California Consumer Privacy Act (CCPA)
The CCPA is a groundbreaking data protection law in the United States, providing California residents with enhanced rights over their personal information and imposing obligations on businesses operating in the state.
- Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA is Canada’s federal privacy law that regulates the collection, use, and disclosure of personal information by private-sector organizations.
- Personal Data Protection Act (PDPA)
The PDPA in Singapore establishes a framework for the protection of personal data and governs organizations’ data collection, use, and disclosure practices.
- Privacy Act
The Privacy Act in Australia regulates the handling of personal information by Australian government agencies and sets out individuals’ rights regarding their data.
- Challenges and Limitations
While data protection laws play a crucial role in safeguarding personal information, they face several challenges and limitations. Some of these include:
- Global Compliance
With data crossing borders effortlessly, ensuring global compliance with data protection laws becomes complex. Organizations must navigate different legal requirements and harmonize their practices accordingly.
- Technological Advancements
The rapid pace of technological advancements often outpaces the development of legal frameworks. Data protection laws must adapt to address emerging technologies such as artificial intelligence, biometrics, and the Internet of Things.
- Enforcement and Penalties
Enforcing data protection laws and imposing penalties on non-compliant organizations can be challenging. Authorities need adequate resources, expertise, and cross-border cooperation to effectively monitor and penalize violations.
- The Role of International Cooperation
Given the global nature of data flows, international cooperation is vital in addressing data protection challenges. Collaboration between governments, organizations, and regulatory bodies facilitates the sharing of best practices, harmonization of laws, and effective enforcement across borders.
- Conclusion
Data protection laws at the global level are essential in safeguarding individuals’ privacy rights in the digital era. These laws ensure that personal data is processed lawfully, securely, and transparently while providing individuals with control over their information. However, as technology continues to advance and data flows become more complex, ongoing efforts are needed to address emerging challenges and enhance international cooperation in data protection.
- Conclusion
Q1: What is the purpose of data protection laws?
A1: Data protection laws aim to safeguard individuals’ privacy by governing the collection, processing, storage, and sharing of personal data.
Q2: Which is the most comprehensive data protection law?
A2: The General Data Protection Regulation (GDPR) enacted by the European Union is considered one of the most comprehensive data protection laws.
Q3: Do data protection laws apply globally?
A3: Data protection laws vary by country and region. However, with the global nature of data flows, compliance with multiple laws is often necessary for organizations operating internationally.
Q4: How are data protection laws enforced?
A4: Data protection laws are enforced by regulatory authorities who have the power to investigate non-compliance, issue penalties, and ensure organizations adhere to the principles outlined in the laws.
Q5: How can international cooperation help in data protection?
There is no scope or extent of due diligence. It is performed depending on the transaction that is being anticipated. It can be as exhaustive or as brief as a person wants, because the consequences of the transaction have to be eventually faced by him.
What is venture capital?
Venture capital is nothing but external aid offered to a small business or start-up in the form of an investment made by another entity. An investor or a venture capitalist may be an individual, a group of investors, an investment bank or a financial institution. Venture capital funds can help kick start the success journey of a small business. Along with financial help, venture capitalists may also offer technical expertise. It is a risky investment, but in return of the capital, the investor shall receive an equity stake as well as decision-making and managerial powers. The Securities and Exchange Board of India (SEBI) released the SEBI (Venture Capital Fund) Regulations in 1996, which provided the main regulatory framework for venture capital in India until 2012, when they were replaced by the SEBI (Alternative Investment Fund) Regulations, 2012.
SEBI (Venture Capital Funds) Regulations, 1996 and the SEBI (Alternative Investment Funds) Regulations, 2012
Venture capital in India was legalized by the Government in 1988. A joint venture between ICICI and UTI was the first organization that began its venture capital operation in the country. Once the SEBI (Venture Capital Funds) Regulations of 1996 came into force, the industry became well regulated and started growing a lot faster.
Regulation 2 (m) of the 1996 Regulations defined a venture capital fund for the first time, as a “a fund established in the form of a trust or a company including a body corporate and registered under these regulations which has a dedicated pool of capital that is raised and invested in a manner that complies with the specified regulations.” This definition was considerably changed by the 2012 Regulations and Regulation 2 (1) (z) of the 2012 Regulations redefined venture capital funds as an ‘alternative investment fund’. which “invests in unlisted securities of start-ups, emerging or early-stage venture capital undertakings mainly involved in new products, new services, technology or intellectual property right based activities or a new business model.” This definition included angel funds within its meaning as well.
As per both, the 1996 Regulations as well as the 2012 Regulations, the registration of all venture capital funds with the Board has been made compulsory. The 2012 Regulations mandate obtaining a certificate of registration to act as an Alternative Investment Fund within 6 months from the date on which the Regulations come into effect. The 2012 Regulations also offer relief from this compliance to companies, trusts and body corporates that had been previously registered and operating as per the 1996 Regulations, given that they do not intend on expanding their corpus or existing scheme and are planning on winding up once their initial scheme comes to an end. In case they intend to do the contrary, they are permitted to re-register through an application in the form of Form A of the Regulations with the fee as specified.
The Registration of Alternative Investment Funds can be done in either of three categories. Category I Alternative Investment Funds include start-ups and early stage ventures, SMEs, social venture funds and other infrastructures that the government considers socially or economically viable. At least ⅔ of the investable funds of a Category I Alternative Investment Fund should be invested in either of the following:
- Equity shares or equity linked instruments of a venture capital undertaking, or
- Listed companies or companies proposed to be listed on a SME Exchange, or
- SME segment of an exchange
Further, not more than ⅓ of the investable funds should be invested in the following:
- An IPO of a venture capital undertaking whose shares are proposed to be listed,
- Debt or debt instrument of a venture capital undertaking in investment has already been done through equity or contribution towards partnership interest
- Preferential allotment of equity shares or equity linked instruments of a listed company with a lock in period of one year,
- The equity shares or equity linked instruments of a financially weak company or a sick industrial company,
- Special purpose vehicles which are created solely for the purpose of promoting investment under the 2012 Regulations
Category III Alternative Investment Funds include infrastructures that require complex and diverse trading strategies and need leverage in the form of investments. It is important for such funds to disclose information related to their total leverage or borrowing as well as its main source to their investors as well as the Board.
Category II Alternative Investment Funds include infrastructures that fall in neither Category I nor Category III, and do not require leverage. These funds invest mainly in unlisted invitee companies and in units of other Alternative Investment Funds, depending on the placement memorandum. They can invest in Category I as well as Category II of Alternative Investment Funds.
The main due diligence pertaining to Alternative Investment Funds arises at the time of their registration as per the Regulations. This due diligence is primarily done by the Board itself. In case a company wishes to register as an Alternative Investment Fund, the Board shall examine its Memorandum of Association and ascertain that it is permitted to deal with Alternative Investment Fund. The Board also ensures that the company is set up under Central or State Legislation.
In the registration of a trust as an Alternative Investment Fund, the Board examines the trust deed (which must be in the form of a deed) and ensures that the trust is registered under the Registration Act of 1908.
In case a limited liability partnership seeks registration under the 2012 Regulations, the Board has to ensure that it is duly incorporated and its partnership deed is duly filed with the Registrar as per the Limited Liability Partnership Act, 2008.
The Board shall inspect the objective of the investment, targeted investors, proposed corpus, the style and management of the investment, the tenure of the scheme as well as fitness of Manager and Sponsor as per SEBI Intermediary Regulations, 2008.
The latest 2021 Amendment to the Alternative Investment Fund Regulations also suggests the need for due diligence in the process of decisions taken by the investment committee of the Registered Funds. The investment committee, which is headed by the aforementioned Manager, needs to act in good faith and be made accountable for all its actions to safeguard the interests of the investors as well as the Fund. One of the suggested methods of due diligence was disclosure of conflict of interest before the Manager whenever the need for the same arises. In the near future, more of such accountability-generating measures are awaited and expected from SEBI.
What are mergers and acquisitions?
The term ‘mergers and acquisitions’ has gained a fair amount of popularity recently in India, though neither of the terms are defined anywhere. However, the term ‘amalgamation’ has been defined in the Income Tax Act as a merger of two or more companies to form one company. In common terms, a merger is the process of combining two or more companies into one single business, with their assets, liabilities and all other responsibilities being summed up under one head.
The term ‘acquisition’ is analogous with a takeover, and it means the purchase of assets or objects or of one company by another. An acquisition can take place through acquiring of shares or of assets and liabilities, in both a friendly or a hostile manner. The company carrying out the acquisition is called the acquiring company and the company being acquired is called the target company. The following are the different types of acquisitions in India:
- Share Deal: This is when the acquiring company buys all the shares of the target company
- Asset Deal: This is when the acquiring company buys all the assets of the target company
- Slump Sale: This is when the assets and liabilities of the target company are transferred to the acquiring company and the target company itself is sold for a lump sum.
Mergers and acquisitions have become one of the fastest ways for companies to gain a competitive advantage over one another in the highly competitive industry out there. While in mergers, two or more companies merge or combine into one, in case of acquisition, the companies continue to exist individually, while one company acquires a majority or all of the securities or assets of the target company. Mergers and acquisitions are mainly governed by the Companies Act, 2013, the SEBI Act of 1992 in India.
Regulatory Provisions related to Mergers and Acquisitions
Before a merger occurs, the proposal for the same must be sanctioned by the National Company Law Tribunal. The approval of 75% of the company’s shareholders and creditors will be required for the same. Any objections to the merger may be made by any person holding more than 10% of the shares in the company or by creditors whom the company owes more than 5% of its total outstanding debt. For a fast-track merger, the company must receive no-objections from the
Registrar of Companies, the Regional Directors and the Official Liquidators and approval from more than 90 percent of the total shareholders and creditors.
The SEBI Act of 1992 has several regulations under it, such as the Substantial Acquisition of Shares and Takeover of 2011, Issue of Capital and Disclosure Requirements (ICDR) of 2018 etc. The Takeover Regulations are applicable to all except listed companies and make it an obligation for companies to make a public announcement announcing an open offer in case of acquiring shares under certain circumstances. The ICDR Regulations further specify that companies undergoing a merger or acquisition must comply with the Listing Obligations and Disclosure Requirements.
The Competition Act 2002 (Competition Act), read with the Competition Commission of India (Procedure in regard to the transaction of business relating to combinations) Regulations 2011 (Combination Regulations) also provide for a notification to the Competition Commission of India before any merger or acquisition transaction is completed. Any combinations that cause an adverse impact on the markets of India are prohibited by the aforementioned laws as well.
In every merger or acquisition, due diligence holds a significant amount of importance and the same was highlighted in the cases of Bank of America as well as Dai-Ichi Sankyo-Ranbaxy.
In the case of Bank of America, in 2008, Bank of America acquired Countrywide Financial for approximately 4 billion USD. Countrywide Financial used to have subprime securities, which were worth much less than they were evaluated to be. They did not even have a market value but the financial institutions that held their subprime mortgages, due to years of oversight, were unable to value these securities, so they estimated their worth to be a lot more. As a result, all entries made in the books of account of Countrywide Financials were bogus. Even the conductors of due diligence on behalf of Bank of America failed to recognize this, and later realized that the purchase was not just 4 billion USD, but also liabilities worth over 40 billion USD.
Similarly, Dai-Ichi Sankyo documented the acquisition price of Ranbaxy to be 3.6 billion USD, when in reality it was 4.6 billion USD. Dai-Ichi Sankyo was not aware of one FDA Investigation that took place in Ranbaxy, which led to shutting down of one of its plants. Due to this oversight, it suffered huge losses in the future.
While due diligence is not a mandate under Indian law, the Courts have often interpreted SEBI Regulations to mean the same. In the case of Nirma Industries and anr. v. Securities Exchange Board of India ((2013) 8 SCC 20), the Supreme Court cited the SEBI (Substantial Acquisition of Shares and Takeovers) Regulations, 1997, and said that investor companies must ensure proper due diligence is carried out before any investment is made in a target company.
A letter of intent or a term sheet must be released first, which shall define what type of a merger or acquisition it shall be, whichever it might be. Then, usually, the method used as a starting point of gathering information is either one of the following:
- The Data Room Method
- The Questionnaire Method
In the data room method, due diligence is conducted at a large scale and the acquiring company is given a huge amount of data by the target company. In the questionnaire method, the scope of due diligence is limited significantly. The target company is sent a questionnaire by the acquiring company, which is expected to be filled by its legal counsels and other key managerial persons. On the basis of these answers, the legal counsels create a due diligence report and further negotiations may be initiated forthwith.
The rest of the method is the same as discussed in the latter part of this article. Both the companies form due diligence teams. Due diligence is conducted on operational, financial and legal levels. With the increase in popularity of intellectual property assets, intellectual property due diligence has gained a lot of importance as a separate type of due diligence too. In case of acquisitions, a Share Purchase Agreement or an Asset Purchase Agreement shall be signed between both the parties, depending on the type of acquisition taking place. The integration may then take place.
Importance of due diligence in investments in Venture Capital Funds and Mergers and Acquisitions
Venture capitalists find performance of due diligence necessary because it helps them identify an actual profitable investment opportunity. Through due diligence, they can ensure that the company that they are investing in is compliant with all relevant laws and is not burdened by some debt or heavy loss that the owners have been trying to hide or bury under hefty paperwork. The due diligence performed in the early stages of the investment in a venture capital is mostly business diligence but at a later stage, legal and financial diligence become a very important part of the due diligence being performed.
For quite the same reason as venture capitalists, companies undergoing a merger or an acquisition prefer to perform thorough due diligence. While, due diligence in case of venture capital funds is usually done only by the investors, in case of mergers and acquisitions, it is done by both the acquirer and the target company.
An outline of the process of due diligence
There is no defined methodology to go about performing due diligence. But the entire process can be divided into three steps:
- Client interview
- Effective due diligence pertaining to the transaction at hand
- Information Gathering
- Disclosures by the Target
- Interview of the Management of the Target
- Examination of public records
- Information Gathering
- The Triple Eye
The data accumulated from this exercise can be categorised to fall into one of the following groups:
- Organisational or business structure of the target company
- Financial aspect of the company
- Ownership of assets, both tangible and intangible
- Human Resources of the company
- Business Strategy of the company
- Legal barriers or issues to overcome for the transaction to succeed
Step 1- Terms of due diligence: The Client interview is an interrogative session between the two parties and their attorneys during which there is a completely honest and open discussion about their current goals and situation and their aim for the future if the transaction succeeds. The client interview helps the attorneys streamline the important details pertaining to the transaction, which saves both companies time and money. With the help of the data extracted from the client interview, the attorneys can create a whole roadmap for the investigation. Once the basic information is gathered and all other doubts resolved, the plan to go about the due diligence established through client interview shall come into force. The first step in due diligence pertaining to the transaction at hand shall be deciding the terms of due diligence, closely followed by an analysis of all the data disclosed by the company seeking the venture capital fund or the target company or the selling company (as the case may be) itself. If it finds any of the queries of the investor or the acquiring company or the buyer (as the case may be) reveal some confidential information, it may request the signing of a NDA or non-disclosure agreement. A holistic interview with the Management of the Target also provides substance to all the other information collected. The Management may include accountants, legal counsels, key managerial persons etc.
Step 2- Operational due diligence: Operational due diligence is the examination of the customer base, operational and business structure of the company. Details pertaining to the same are gathered and documented.
Step 3- Financial due diligence: Financial due diligence is the examination of financial statements of the company. These may include the tax returns, bank statements, profit and loss sheets and balance sheets.
Step 4- Legal due diligence: Legal due diligence pertains to the analysis of payment of taxes, documentation of any pending litigation, any remaining dues or payments etc.Legal due diligence experts are expected to pay special attention to the following:
- All statutory and governmental approvals required
- Understanding the organisation of the target company
- Identifying shareholders and other authorities and how much of a say do they have in the transaction taking place
- Ascertaining whether the permits and licenses that the target company already has require any further approvals in the case of an acquirer taking over
- Getting rid of any liabilities or obligations on the target company
Step 5- External investigation: After an internal investigation, research using external sources becomes necessary. Public records that are maintained by the Government serve as the main source of data for the same. Public records are dynamic in nature and can be obtained from registries and record rooms. The investor or the acquiring company or the buyer may even go to the extent of engaging a Triple Eye. Independent Investigative Intelligence or the Triple Eye are focussed investigators that work within the boundaries of law and ethics to decipher information that is passively concealed or buried deep under. Triple Eye investigators must be engaged with the consent of the company seeking the venture capital or the target company or the seller, or their involvement may bring in legal complications.
Step 6- Due Diligence Report: After all this data is thoroughly analyzed, the attorneys engage in due diligence review and report. The report contains details of financial matters, organisational and business structure, assets and liabilities of the company, other commercial contracts, its tangible and intangible rights, pendente lite matters and tax and anti-competition issues. This list is not exhaustive and the report may contain any other relevant matters as well.
While COVID-19 has all of us in a tight grip, professionals are facing procedural hurdles related to due diligence as well. Due to the lockdown, there has been very limited movement due to which on-site visits as well as one of the methods of initial investigating, the data room method, have gone almost entirely extinct. Methods like digital data rooms are gaining more popularity. In the end, it may be concluded that not having set due diligence procedures is probably for the better. Different companies operate differently and their goals and objectives for the future or for seeking venture capital or undergoing a merger or acquisition might vary significantly and therefore, it makes more sense for them to deal with it in a personalised manner. The creation of the due diligence team must be done with utmost care because their actions might determine the fate of the company.