Indonesia’s new Personal Data Protection Law (“PDP Law”) is the country’s first comprehensive law to govern personal data protection in both electronic systems and non-electronic systems. However, until the necessary implementing regulations are issued, it remains to be seen just how the PDP Law will be implemented or its impact on M&A transactions.
On the face of it, the PDP Law requires corporate Personal Data Controllers (defined in the law as any person, public entity, or international organization acting individually or jointly in determining the objectives and exercising control over the processing of personal data) to notify the relevant Personal Data Subjects (defined as every individual to whom the personal data is attached) before and after conducting an M&A transaction. This notification may be carried out by way of direct notification to the Personal Data Subjects or via a public announcement through the mass media, whether electronically or non-electronically. The timeline for the announcement is still uncertain, pending the issuance of the necessary implementing regulation.
Corporate entities must also abide by the general requirements under the PDP Law that may be triggered during the M&A transaction. The PDP Law requires Personal Data Controllers to maintain the confidentiality of personal data and to supervise each party involved in processing personal data that is under the control of the Personal Data Controller.
Handling Personal Data During Due Diligence Process
During the due diligence process, corporate Personal Data Controllers must be aware of the existence of personal data that may or may not be disclosed to third parties involved in the due diligence. This may include employee information, consumer information, and third-party information that may be identifiable to a specific individual. The corporate Personal Data Controller would have to obtain the consent of the relevant Personal Data Subjects before disclosing such information.
Personal Data Subjects may exercise their right to refuse for their personal data to be processed during the M&A transaction, in which case the corporate Personal Data Controller would be obliged to erase the personal data relating to the concerned Personal Data Subjects.
Importantly, Article 56 of the PDP Law requires the Personal Data Controller to ensure that at least one of the conditions for cross-border transfers is met before allowing personal data to be transferred abroad. These conditions are:
a. the existence of an adequate or higher level of personal data protection in the recipient’s county than that stipulated in the PDP Law;
b. the existence of an adequate level of binding personal data protection; or
c. the obtainment of the consent of the Personal Data Subject for the cross-border data transfer.
Prior to the issuance of the PDP Law, before conducting a cross-border data transfer, Personal Data Controllers were required to notify the Ministry of Communication and Informatics before and after the transfer. Whether a similar obligation will apply for cross-border data transfers during M&A transactions under the PDP Law will depend on the provisions of the implementing regulation that has yet to be issued.
Tips for Buyers/Sellers in M&A Transactions with Cross-Border Data Flows
As mentioned above, cross-border data flows are only allowed if at least one of the conditions under Article 56 of the PDP Law is met. Accordingly, both buyers and sellers, when they act as Personal Data Controller, are required to ensure said conditions.
Specifically for the seller and buyer, the following tips may be considered during a due diligence exercise for that involves cross-border data flows.
For the Seller
- Ensure that it adequately notifies the relevant individuals that their data could be shared with potential buyers as part of an M&A transaction.
- Ensure that the terms and conditions of access to the data and data room are sufficient.
- Ensure that the entity hosting the data room, as a Personal Data Processor (defined in the PDP Law as any person, public entity, or international organization acting individually or jointly in processing personal data on behalf of the Personal Data Controller), has provided sufficient safeguards to ensure that the data is protected (i.e., only data that is necessary and relevant is uploaded; personal data is redacted/anonymized to reduce the risk).
For the Buyer
- Evaluate the existence of information security policies and procedures to determine whether the seller has appropriate procedures in place to address its handling and use of the personal information collected in accordance with the PDP Law.
- Identify any disclosures or representations made to third parties. Assess whether there has been any disclosure made to a third party and the steps taken to make such disclosure.
- Understand the seller’s history of data breaches and security incidents, complaints, as well as any previous correspondence with the regulators.
By properly ensuring and evaluating the adequacy of the personal data protection framework for the seller’s processing activities, the buyer and seller can better ascertain the terms for representations and warranties, as well as any pre- and post-closing conditions to allow adequate and appropriate personal data protection in the M&A transaction. Lawyers involved in a transaction need to ensure that the above information is obtained from the Personal Data Provider and should incorporate this into their letter of appointment.
Questions About the PDP Law and M&A Transactions
The PDP Law is a new law that requires implementing regulations for the provisions to be practicably enforced. Most of these provisions will be further regulated in a government regulation or regulations. Until then, one can only rely on the best practices available and, when possible, clarification from the government.
Nonetheless, the following points may be relevant in M&A transactions and will require further explanation in the implementing regulations for the PDP Law:
a. Timeline to provide notification to Personal Data Subjects. Article 48 of the PDP Law requires a corporate Personal Data Controller to provide notification to Personal Data Subjects before and after conducting an M&A transaction. However, there is no exact time frame for when such notification must be provided.
b. Lawful basis of personal data processing. Unlike the previous personal data framework, the PDP Law recognizes “legitimate interest” as a basis for personal data processing. The current wording of the provision only requires a Personal Data Controller to balance the Data Controller’s interests and the Personal Data Subject’s rights when processing personal data under such basis. However, the criteria that must be met before personal data can be processed in an M&A transaction under the legitimate interest basis is unclear.
c. Notification and demonstration of compliance for cross-border data transfer. It is still unclear whether a cross-border data transfer will require notification to the regulators or how the corporate Personal Data Controller shall demonstrate that the offshore transfer of Personal Data has complied with the conditions set under Article 56 of the PDP Law.