
DIGITAL PERSONAL DATA PROTECTION ACT AND RULES IN INDIA: IMPACT ON M&A TRANSACTIONS

10 Dec 2025

India’s data protection landscape underwent a seismic shift with the enactment of the Digital Personal Data Protection Act, 2023 (“DPDP Act”), which received Presidential assent on August 11, 2023. The operationalization of this framework was completed on November 13, 2025, when the Ministry of Electronics and Information Technology notified the Digital Personal Data Protection Rules, 2025 (“Rules”). This legislation represents India’s first comprehensive data protection law and has profound implications for mergers and acquisitions (“M&A”) transactions across all sectors.

The DPDP Act and its accompanying Rules mark a fundamental shift in how personal data must be handled in corporate transactions. Unlike the previous fragmented regulatory framework under the Information Technology Act, 2000, this new regime creates a robust, consent-based data protection system that affects every stage of the M&A lifecycle, from initial due diligence through post-merger integration. Understanding these requirements has become critical for all stakeholders navigating India’s dynamic M&A market.

Overview of the DPDP Act and Rules framework

Legislative evolution and current status

The DPDP Act and its framework rest on seven core principles: consent and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards, and accountability. The Act applies exclusively to digital personal data and does not cover non-digital formats unless those records are subsequently digitized, distinguishing it from international laws like the GDPR, which apply to both digital and physical records.

The framework will become fully effective by May 13, 2027, through a phased implementation approach, giving businesses time to adapt their systems and processes. This phased rollout recognizes the significant operational changes required, particularly for data-intensive sectors and technology companies.

Key Definitions and Stakeholders

The DPDP Act introduces several critical concepts that shape its application to M&A transactions:

Data Principal: Any individual whose personal data is being processed. In M&A contexts, this includes employees, customers, vendors, contractors, suppliers, and business partners of both the target and acquiring companies.

Data Fiduciary: The entity that determines the purpose and means of processing personal data. In M&A transactions, both the seller (during due diligence) and the buyer (post-acquisition) typically act as Data Fiduciaries with distinct obligations.

Data Processor: An entity that processes personal data on behalf of a Data Fiduciary. Professional advisors, due diligence teams, and technology service providers often fall into this category during transactions.

Consent Manager: Entities registered with the Data Protection Board that help individuals manage their consents across different Data Fiduciaries, required to be incorporated in India and meet minimum net-worth and governance requirements.

Territorial application

The DPDP Act applies to data processed within Indian territory or, if processed outside, when connected with offering goods and services to individuals within India. This extraterritorial reach mirrors GDPR’s approach and ensures foreign acquirers engaging in Indian M&A transactions must comply with the Act regardless of where they are headquartered or where the data processing occurs.

Core requirements under the DPDP framework

Consent requirements

Consent is paramount under the Act and must be free, specific, informed, unconditional, and unambiguous, limited to what is necessary for the specified purpose. This represents a significant departure from practices where blanket consents were obtained or implied consent was assumed. Unlike GDPR, which offers multiple legal bases for processing including legitimate interests, the DPDP Act makes consent the primary mechanism for lawful processing.

For M&A transactions, this creates immediate challenges. When the target or seller shares personal data with the bidder or acquirer during due diligence, ensuring compliance with consent requirements outlined in Section 6 of the DPDP Act is imperative. This means that sharing employee records, customer databases, vendor contracts, and other documents containing personal data may require obtaining fresh consent from all Data Principals unless an exemption applies.

The practical implications are substantial. In a typical transaction involving thousands of employees and potentially millions of customers, obtaining individual consent for data sharing during due diligence could add significant time and cost to the deal process. It also creates uncertainty, as Data Principals could refuse consent, thereby limiting the buyer’s ability to conduct comprehensive due diligence.

Notice and Transparency Obligations

Data Fiduciaries must provide Data Principals with clear information about how their personal data will be used, including an itemized description of all personal data being processed, specified purposes, and a link to withdraw consent or file complaints with the Board. These requirements apply throughout the M&A lifecycle and necessitate clear communication strategies at each stage.

Security Safeguards

Data Fiduciaries must implement security safeguards, including encryption and masking, for all personal data in their possession or control, along with access control, access logging and monitoring, data backups, and methods for detecting unauthorized access. The Rules require these safeguards regardless of whether processing is conducted directly or through Data Processors.

However, Rule 6 fails to specify what type of safeguards are “reasonable,” only suggesting measures like encryption or virtual tokens as examples of possible data security measures. This ambiguity creates challenges during due diligence as parties must make judgment calls about whether existing security measures are adequate.

Data Breach Notification

Data Fiduciaries are required to report data breaches within 72 hours, with failure to disclose violations in a timely manner potentially resulting in penalties of up to INR 250 crores (approximately USD 27 million). Unlike some other jurisdictions, India requires reporting of all personal data breaches irrespective of their gravity or damage caused. This creates significant due diligence requirements as buyers must understand the target’s breach history and notification practices.

Cross-Border Data Transfers

Rule 14 of the DPDP Rules permits cross-border data transfers to jurisdictions outside India, except to those specifically restricted by the central government through notification. For Significant Data Fiduciaries (“SDFs”), certain categories of personal data specified by the government must not be transferred outside India unless explicitly permitted, ensuring sensitive data remains within Indian jurisdiction. In cross-border M&A transactions, government consent may be necessary if the acquirer is from a blacklisted country.

Retention and Data Minimization

The DPDP framework mandates that personal data be retained only for as long as necessary to fulfill the purposes for which it was collected. For large platforms designated as SDFs, there is a specific three-year retention limit from the last user interaction. These requirements impact post-merger integration as combined entities must rationalize data retention policies and potentially purge historical data that exceeds permitted retention periods.

Impact on M&A Due Diligence

The DPDP Act fundamentally transforms due diligence practices in M&A transactions. Due diligence reports help the buyer identify data risks associated with the target company and potential obstacles in operating the business post-integration, with adequate data privacy measures essential for successful transactions.

Comprehensive Data Privacy Assessment

Data Inventory and Mapping: Creating a detailed inventory of all personal data held by the target, including data types, sources, purposes, processing activities, storage locations (on-premise or cloud), retention schedules, and third-party sharing arrangements. This provides the foundation for understanding compliance obligations and identifying gaps.

Consent Mechanisms Review: Evaluating how the target obtains, records, manages, and processes consents. This includes reviewing consent forms, privacy notices, cookie policies, and the infrastructure for managing consent withdrawal requests. Given the Act’s stringent consent requirements, inadequate consent mechanisms represent a material risk.

Data Processing Agreements: Examining all agreements with Data Processors, including cloud service providers, analytics vendors, marketing platforms, and other third-party processors. Significant focus should center on cloud service providers engaged, methods and locations of data storage, and the array of contracts and data processing agreements the company has in place.

Historical Compliance and Breaches: Reviewing the target’s compliance history under previous regulations and the DPDP framework, including any data breaches, regulatory investigations, enforcement actions, or pending complaints. During due diligence, it is recommended to request records of any data breaches, communication with authorities and data subjects, and information on disputes, regulatory actions, or criminal proceedings related to data protection matters.

Security Infrastructure Assessment: Evaluating the target company’s compliance with Rule 6 requires requesting details on technical and organizational measures for data protection, data security frameworks and concepts, and information about IT systems and infrastructure used. This technical assessment often requires specialized cybersecurity expertise.

Cross-Border Transfer Compliance: For companies with international operations or using foreign service providers, assessing compliance with cross-border transfer restrictions and understanding the locations where data is stored and processed.

Vendor Due Diligence: The scope of assessment has widened as the due diligence process includes assessing a company’s vendors as well, requiring companies to invest resources in building awareness and compliance among third-party vendors.

SDF Obligations: For targets that qualify as Significant Data Fiduciaries, verifying compliance with enhanced obligations including appointment of Data Protection Officers and auditors, conduct of annual Data Protection Impact Assessments, algorithmic due diligence, and retention limit compliance.

Consent Challenges in Due Diligence

Sharing personal data with a bidder during due diligence raises the consent problem described above. Several approaches have emerged to address this challenge:

Anonymization and Redaction: The seller or target company can provide the buyer with redacted or anonymized data sets during due diligence, removing or masking identifying information so personal data becomes unrecognizable and falls outside the Act’s scope. However, this may not be suitable where detailed personal information is essential for evaluating assets or liabilities.
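The redaction and masking approach just described, and the masking and “virtual token” safeguards mentioned under Rule 6 above, can be illustrated in code. The following is an added example written for this article, not code from the Act, the Rules or any firm: it takes a constructed HR export of the kind a target might place in a data room, drops direct identifiers, replaces the employee ID with a keyed token that only the seller (who holds the key) can re-link after closing, generalises the date of birth, checks that no identifier survives, and flags combinations of remaining fields that are rare enough to single a person out. Field names, sample records and the key are assumptions.

```python
import hashlib
import hmac
import re
from collections import Counter

# Constructed sample records (not real people): an HR export of the kind a
# target might upload to a virtual data room for bidder review.
EMPLOYEE_RECORDS = [
    {"emp_id": "E1001", "name": "Asha Verma", "email": "asha.verma@example.in",
     "phone": "+91 98765 43210", "pan": "ABCDE1234F", "dob": "1988-04-12",
     "department": "Engineering", "city": "Bengaluru", "annual_ctc_inr": 2400000},
    {"emp_id": "E1002", "name": "Rahul Iyer", "email": "rahul.iyer@example.in",
     "phone": "+91 91234 56789", "pan": "FGHIJ5678K", "dob": "1987-09-30",
     "department": "Engineering", "city": "Bengaluru", "annual_ctc_inr": 1800000},
    {"emp_id": "E1003", "name": "Meera Nair", "email": "meera.nair@example.in",
     "phone": "+91 99887 76655", "pan": "LMNOP9012Q", "dob": "1979-01-05",
     "department": "Finance", "city": "Mumbai", "annual_ctc_inr": 3100000},
]

# Fields that identify a person directly: removed entirely, never shared.
DIRECT_IDENTIFIERS = ("name", "email", "phone", "pan")

# Patterns used to confirm nothing identifying survives in string values.
PII_PATTERNS = [
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),                # e-mail address
    re.compile(r"(?<!\w)\+?\d[\d\s-]{8,}\d(?!\w)"),       # phone number
    re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b"),                 # PAN-shaped string
]


def tokenize(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Bidders see only the token; the seller
    keeps the key and can re-link tokens to employees after closing. Without
    the key the token cannot be reversed, unlike a plain hash of a short,
    guessable identifier such as an employee number."""
    return "t_" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def birth_year_band(dob: str) -> str:
    """Generalise a full date of birth (YYYY-MM-DD) to a five-year band."""
    year = int(dob[:4])
    start = year - year % 5
    return f"{start}-{start + 4}"


def redact_record(record: dict, key: bytes) -> dict:
    """Produce the shareable version of one record."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                                    # dropped
        if field == "emp_id":
            out["token"] = tokenize(value, key)         # re-linkable by seller only
        elif field == "dob":
            out["birth_year_band"] = birth_year_band(value)
        else:
            out[field] = value                          # business data the bidder needs
    return out


def contains_direct_identifier(record: dict) -> bool:
    """Residual check: does any string value still look like an identifier?"""
    return any(
        isinstance(v, str) and any(p.search(v) for p in PII_PATTERNS)
        for v in record.values()
    )


def small_groups(records: list, quasi: tuple, k: int) -> list:
    """Quasi-identifiers (department, city, birth band) can still single
    someone out when a combination is rare. Return combinations shared by
    fewer than k records so they can be generalised further or withheld."""
    counts = Counter(tuple(r[q] for q in quasi) for r in records)
    return [combo for combo, n in counts.items() if n < k]


def prepare_data_room_export(records: list, key: bytes) -> list:
    """Redact every record and refuse to emit the set if an identifier survives."""
    shared = [redact_record(r, key) for r in records]
    if any(contains_direct_identifier(r) for r in shared):
        raise ValueError("direct identifier survived redaction")
    return shared


if __name__ == "__main__":
    # The key is a constructed placeholder; in practice it stays with the seller.
    export = prepare_data_room_export(EMPLOYEE_RECORDS, b"seller-held-key-placeholder")
    for row in export:
        print(row)
    print("rare combinations:",
          small_groups(export, ("department", "city", "birth_year_band"), 2))
```

Where a bidder genuinely needs the underlying detail (the situation the paragraph above flags), this output is not sufficient and the transaction falls back on consent or one of the contractual routes listed next.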

Data Sharing Agreements: Establishing specific terms and conditions governing data sharing between parties, clarifying roles and responsibilities, defining the scope and purpose of data access, and implementing technical and organizational security measures.

Representations and Warranties: The seller can offer assurances through detailed representations and warranties, affirming that the target complies with applicable data protection laws and has implemented adequate safeguards for personal data.

Court-Driven Restructuring: Any expense and time overrun in seeking fresh consent from Data Principals may be a significant consideration for transacting parties to adopt court-driven restructuring of technology companies instead of share or business acquisitions, as this route provides a consent exemption.

Phased Due Diligence: New market practices may emerge for undertaking diligence on technology companies in phases, or even post-deal consummation, with appropriate valuation adjustments post-closing to ensure no Data Principal consent violations occur.

Valuation Implications

The valuation of technology companies may be significantly affected by their historical non-compliance with the DPDP Act, with acquirers seeking more extensive representations and warranties from sellers. Data protection compliance—or lack thereof—has become a material factor in deal valuation. Companies with robust data governance frameworks, comprehensive consent mechanisms, and clean compliance histories command premium valuations, while targets with significant compliance gaps face valuation discounts or require extensive remediation as a condition to closing.

For data-driven businesses in sectors like fintech, edtech, healthtech, e-commerce, and social media, data assets constitute a substantial portion of enterprise value. The DPDP Act’s requirements directly impact the utility and transferability of these assets, making data compliance due diligence as critical as financial or legal due diligence.

Transaction Structuring Considerations

The DPDP Act influences the choice between share purchases and asset purchases. In share acquisitions, the buyer inherits the target’s entire data compliance posture, including historical liabilities, ongoing obligations, and potential penalties for past violations. This makes comprehensive due diligence and robust indemnification provisions essential.

In asset purchases, questions arise about data transferability. If customer databases, employee records, or vendor information constitute purchased assets, fresh consent may be required for the transfer. This is particularly relevant for business transfers such as slump sales where the entire business changes hands. Processing personal data of customers and vendors in such transfers requires consent, with the seller as Data Fiduciary needing to obtain consent before processing data and issue notices seeking fresh consent if necessary.

Confidentiality and Non-Disclosure Agreements

Modern confidentiality agreements in India place much greater emphasis on data privacy following implementation of the DPDP Act, outlining liabilities for data breaches and mandating adherence to data protection requirements. Confidentiality agreements, including NDAs, must be carefully structured to incorporate and address all relevant data privacy requirements between parties.

Key provisions in these agreements now include:

  • Clear definitions of personal data and its permitted uses during due diligence
  • Specification of security measures for protecting disclosed information
  • Restrictions on onward disclosure and sub-processing
  • Obligations to return or destroy data if the transaction does not proceed
  • Liability frameworks for data breaches or unauthorized processing
  • Specific acknowledgment of Data Fiduciary and Data Processor roles

Representations, Warranties, and Indemnities

Transaction documents must include comprehensive data protection representations and warranties. These typically cover:

  • Compliance with the DPDP Act and Rules and all predecessor data protection regulations
  • Validity and adequacy of consent mechanisms
  • Completeness and accuracy of data inventories provided during due diligence
  • Proper implementation of required security safeguards
  • Timely notification of all data breaches
  • Absence of pending or threatened regulatory actions or complaints
  • Proper execution of data processing agreements
  • For SDFs, compliance with enhanced obligations including DPIAs and audits

The significant monetary consequences of non-compliance under the DPDP Act are leading to broadly scoped indemnities that protect acquirers against unforeseen risks, such as data leaks, even absent any significant non-compliance by the target. These indemnities often include:

  • Specific indemnification for data protection violations occurring before closing
  • Coverage for penalties or fines imposed by the Data Protection Board
  • Indemnification for claims by Data Principals arising from pre-closing processing
  • Protection against costs of remediation for non-compliant practices
  • Coverage for business disruption resulting from data protection enforcement actions

Given the Act’s substantial penalties—potentially up to INR 250 crores for certain violations—buyers increasingly require escrow arrangements or holdback provisions to secure indemnification obligations. The survival periods for data protection representations are typically extended beyond standard commercial provisions, often running for the full statute of limitations period.

Conditions Precedent and Closing Obligations

Conditions precedent might necessitate rectification of any non-compliance with relevant laws discovered during due diligence before finalization, such as the following:

  • Obtaining necessary consents from Data Principals for data transfer
  • Remediation of identified security vulnerabilities
  • Implementation of required data processing agreements with vendors
  • Registration with the Data Protection Board (if required)
  • Appointment of Data Protection Officers for SDFs
  • Completion of any pending Data Protection Impact Assessments
  • Resolution of outstanding complaints or regulatory proceedings

For transactions involving restricted jurisdictions or government-blacklisted countries, obtaining necessary government approvals becomes a critical condition precedent.

Sector Specific Considerations

Sectors like edtech and gaming are significantly impacted as they need to obtain explicit consent for children below 18 years of age. Different sectors face unique DPDP challenges:

Financial Services: Fintech companies and financial institutions process highly sensitive financial data and face sector-specific regulations in addition to the DPDP Act. Cross-border data flows for payment processing, credit evaluation, and fraud detection require careful structuring.

Healthcare and Pharmaceuticals: Healthcare providers and healthtech platforms process sensitive health data requiring enhanced protections. Integration with electronic medical records systems and compliance with sector-specific regulations adds complexity.

Education Technology: Edtech platforms must navigate requirements around children’s data, including verifiable parental consent and enhanced security measures for protecting minors’ information.

Real Estate: The real estate sector processes extensive personal data including identity proofs, financial records, and biometric data for access control systems, making data protection compliance increasingly important despite traditional manual processes.

Post-Merger Integration Challenges

Data Governance Harmonization

Post-merger integration requires assessing all aspects of Data Governance operations, identifying commonalities and differences with other regulations, and considering the timeline and cost of compliance. Organizations often have limited visibility into their own data environments, making integration complex.

Key integration challenges include:

Policy Unification: Merging entities typically have different privacy policies, consent mechanisms, security protocols, and data retention practices. Creating unified policies that meet DPDP requirements while accommodating both businesses requires careful planning.

System Integration: Combining IT infrastructures, data repositories, consent management systems, and security frameworks while maintaining continuous compliance presents significant technical challenges. Organizations may have limited expertise in Data Governance or supporting IT applications/infrastructure to sanitize the data environment.

Data Minimization and Purging: Post-integration, the combined entity must rationalize data holdings, eliminating redundant data and purging information that exceeds retention limits. This is particularly important when one or both entities qualify as SDFs subject to three-year retention limits.

Employee Training and Change Management: Ensuring all personnel understand new data handling requirements, consent management processes, and security protocols across the integrated organization.

Consent Management Post-Closing

Following the merger, the combined entity may need to seek fresh consent from Data Principals if the purposes for which data was originally collected change or expand. This is particularly relevant when cross-selling products between the previously separate businesses or combining customer databases for marketing purposes. The operational burden of managing consent refresh campaigns across large customer bases can be substantial.

Role Definition and Accountability

Clearly defining Data Fiduciary and Data Processor roles within the integrated organization is essential. Where both merging entities previously acted as Data Fiduciaries for overlapping customer bases, determining how to structure responsibilities post-merger while maintaining clear accountability requires careful legal and operational design.

Data Localization and Cross-Border Integration

For international M&A transactions or mergers involving multinational operations, reconciling data localization requirements with global data flows presents challenges. If the combined entity includes foreign operations or uses foreign service providers, ensuring compliance with restrictions on cross-border transfers while maintaining operational efficiency requires sophisticated data architecture.

Penalties and Enforcement Risks

The DPDP Act establishes a substantial penalty framework that creates significant financial exposure in M&A contexts. The Schedule to the DPDP Act imposes a penalty of up to INR 50 crore for breach of any provision of the DPDP Rules. Penalties under the DPDP Act can extend up to INR 250 crore depending on factors such as the gravity and repetitive nature of the breach.

Specific violations carry designated penalties, including:

  • Processing personal data without valid consent or legitimate purpose
  • Failure to implement reasonable security safeguards
  • Non-compliance with data breach notification requirements
  • Failure to honor Data Principal rights (access, correction, erasure)
  • Processing data of children without verifiable parental consent
  • Retention of data beyond permissible periods
  • Failure to appoint required Data Protection Officers (for SDFs)
  • Non-conduct of required Data Protection Impact Assessments (for SDFs)

In M&A transactions, these penalties create direct financial exposure that can materially impact deal economics. Buyers acquiring non-compliant targets may face inherited liability for pre-closing violations, even with indemnification provisions, as the Data Protection Board may hold the post-acquisition entity accountable regardless of contractual arrangements between buyer and seller. This risk underscores the importance of thorough due diligence and robust remediation of identified issues before closing.

Comparative Perspective: DPDP Act vs. GDPR

While the DPDP Act draws inspiration from GDPR, there are several important distinctions:

Scope of Application: The DPDP Act applies exclusively to digital personal data while GDPR covers both digital and physical records. This narrower scope provides some relief but creates complications where data exists in both formats.

Legal Bases for Processing: GDPR provides six legal bases for processing including consent, contract performance, legal obligation, vital interests, public task, and legitimate interests. The DPDP Act makes consent the primary basis, with limited exemptions for specific legitimate purposes. This difference significantly impacts operational flexibility.

Sensitive Data: Unlike GDPR, which includes special categories of personal data requiring enhanced protections, the DPDP Act applies uniformly to all types of digital personal data without additional controls on sensitive data.

Data Protection Officers: GDPR requires DPOs for public authorities and entities engaged in large-scale processing or systematic monitoring. The DPDP framework requires DPOs only for SDFs, rather than for all entities meeting certain processing criteria.

Cross-Border Transfers: GDPR requires adequacy decisions or appropriate safeguards for data transfers outside the EU. The DPDP Act permits transfers to all jurisdictions except those specifically blacklisted by the government, creating a simpler but potentially less protective framework.

Enforcement: GDPR enforcement occurs through national supervisory authorities in each member state. India has a single Data Protection Board for the entire country, potentially creating more uniform enforcement but also a potentially higher volume of cases for a single entity.

These differences mean that multinational companies conducting M&A in India cannot simply apply their GDPR compliance frameworks but must develop India-specific approaches tailored to the DPDP Act’s unique requirements.

For Sellers and Target Companies

Proactive Compliance: Companies anticipating a sale or investment should undertake comprehensive DPDP compliance reviews well before marketing themselves. Demonstrating robust compliance can positively influence valuation and reduce deal friction.

Data Audit and Cleanup: Conduct thorough data audits to identify all personal data holdings, purge data that is no longer needed or has exceeded retention limits, and ensure all retained data is properly documented with valid consents and legitimate purposes.

Documentation: Maintain comprehensive records of all data processing activities, consent mechanisms, security measures, Data Processor agreements, and breach notifications. Well-organized documentation significantly streamlines due diligence.

Consent Refresh: Where consent mechanisms are outdated or inadequate, conduct consent refresh campaigns before entering sale processes. This eliminates a major due diligence red flag and potential deal obstacle.

Vendor Management: Ensure all Data Processors have appropriate contracts in place that meet DPDP requirements. Address any gaps or non-compliant vendors before beginning sale processes.

Insurance: Consider obtaining cyber liability and data breach insurance to mitigate potential liabilities and make the target more attractive to buyers.

For Buyers and Investors

Early Privacy Assessment: In preparation for a transaction, it is essential to begin with a thorough privacy risk assessment to identify potential data privacy implications, followed by a comprehensive review of the target’s existing data privacy policies.

Specialized Expertise: Engage data protection specialists as part of the due diligence team. DPDP compliance assessment requires specialized technical and legal expertise beyond traditional due diligence capabilities.

Risk-Based Approach: Tailor the scope and depth of data privacy due diligence to the nature of the target’s business. Data-intensive businesses in technology, financial services, healthcare, and e-commerce warrant more extensive review than businesses with minimal data processing.

Contractual Protection: Insist on comprehensive representations, warranties, and indemnities covering all aspects of DPDP compliance. Structure escrows or holdbacks to secure indemnification obligations given the magnitude of potential penalties.

Integration Planning: Begin planning for post-merger data integration early, identifying potential conflicts between the parties’ data practices and developing strategies to harmonize them while maintaining continuous compliance.

Emerging trends and future outlook

As the DPDP framework matures and enforcement begins, several trends are likely to emerge in the M&A landscape:

Increased Valuation Impact: Data privacy compliance will become an increasingly significant factor in company valuations, with premiums for companies demonstrating strong compliance and discounts for those with gaps or liabilities.

Standard Market Practices: Industry-standard approaches to consent management in due diligence, data sharing protocols, and integration methodologies will develop as stakeholders gain experience with the framework.

Technology Solutions: Consent management platforms, automated data mapping tools, and privacy-enhancing technologies will become standard components of M&A readiness and due diligence processes.

Insurance Markets: Cyber liability and data breach insurance products will evolve to specifically address M&A-related exposures, potentially becoming standard risk management tools in transactions.

Regulatory Guidance: The Data Protection Board will likely issue guidance on M&A-specific issues, potentially including exemptions or simplified processes for certain transaction types.

Cross-Border Considerations: As India’s data protection regime matures, questions of adequacy determinations with other jurisdictions and mutual recognition frameworks may impact cross-border M&A activity.

Sector-Specific Rules: Additional rules or guidance may emerge for specific sectors with unique data protection challenges, further differentiating due diligence requirements by industry.

The Digital Personal Data Protection Act, 2023, and its accompanying Rules represent a watershed moment for M&A transactions in India. The framework transforms data protection from a peripheral compliance issue to a central consideration in deal structuring, due diligence, valuation, and integration planning. The Act’s stringent consent requirements, substantial penalty framework, and broad application to virtually all corporate transactions create both risks and opportunities for M&A participants.

For buyers, the DPDP Act necessitates more sophisticated due diligence incorporating technical assessments, consent mechanism reviews, and comprehensive evaluation of data governance frameworks. Transaction documents must include more extensive data protection provisions, with robust indemnification mechanisms to protect against the Act’s substantial penalties. Post-merger integration must prioritize data compliance, ensuring the combined entity operates within the new regulatory framework.

As India’s data protection regime matures with implementation progressing toward full effectiveness by May 2027, stakeholders must remain vigilant to evolving enforcement practices, regulatory guidance, and market standards. The intersection of data protection and M&A represents a dynamic area requiring continuous attention from legal, technical, and business advisors.

This article is intended solely for general informational and knowledge dissemination purposes and does not constitute legal advice. The content should not be relied upon as a substitute for professional legal counsel. Readers are encouraged to seek independent legal advice tailored to their specific circumstances. Neither the firm nor the author accepts any responsibility for any actions taken based on the information provided herein. For any information or clarification, please get in touch with us at anupam@aplawchambers.in