ARTICLE
22 December 2025

How India's M&A Landscape Will Be Reshaped By The Digital Personal Data Protection Rules, 2025

Legitpro Law

Contributor

Legitpro is a leading international full-service law firm providing integrated legal & business advisory services, operating through 5 locations with 100+ people. Our purpose is to deliver positive outcomes with our colleagues, clients and communities. The firm proudly serves a diverse clientele, including multinational corporations, foreign companies (particularly those from Japan, China, and Australia) and dynamic startups across various industries. Additionally, the firm is empanelled with the Competition Commission of India (CCI) to represent it before High Courts across India. Our Partners also serve as Standing Counsel for prestigious institutions such as the Government of India (GOI), the National Highways Authority of India (NHAI), Serious Fraud Investigation Office (SFIO) and the Union Public Service Commission (UPSC).
  1. Introduction: Data as the New Deal Driver in Indian M&A

In the contemporary digital economy, personal data has emerged as one of the most valuable corporate assets. Businesses today collect, process, store and monetise vast volumes of personal data relating to customers, employees, vendors, users and partners. In several technology-driven sectors, such as e-commerce, fintech, SaaS, healthtech, edtech, AI and digital platforms, data is not merely incidental to the business; it is the business.

Against this backdrop, mergers and acquisitions (M&A) in India are undergoing a structural shift. Traditionally, M&A due diligence focused on financials, contracts, litigation, regulatory approvals and tax exposures. Data protection and privacy considerations were often treated as ancillary compliance issues. That position is no longer tenable.

With the enactment of the Digital Personal Data Protection Act, 2023 (DPDP Act) and the imminent notification of its Rules, personal data governance has moved to the centre of transaction risk assessment. The DPDP Act introduces a comprehensive consent-based processing framework, stringent fiduciary obligations, enhanced rights for individuals (data principals), and one of the most severe penalty regimes in Indian commercial law. These developments have direct and far-reaching implications for how M&A transactions are structured, diligenced, negotiated and integrated.

This article analyses how Indian M&A will be impacted by the DPDP Act and its Rules, examining deal structuring, data sharing during diligence, contractual allocation of risk, cross-border data transfers, employee data processing and post-merger integration. It also offers practical insights for acquirers, sellers, private equity investors, founders and general counsel navigating India's evolving data protection regime.

  2. India's Data Protection Journey: From Fragmented Compliance to a Unified Regime

Before the DPDP Act, India did not have a standalone, comprehensive data protection statute. Data protection obligations were scattered across multiple legal instruments, most notably Section 43A of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. These provisions imposed limited obligations on "body corporates" handling sensitive personal data and were largely compensation-oriented rather than rights-based.

Sector-specific regulations further complicated the landscape. The Reserve Bank of India's data localisation mandates for payment system operators, SEBI's cybersecurity guidelines, IRDAI's data governance norms for insurers, and telecom data retention rules created a fragmented compliance ecosystem. From an M&A perspective, data protection diligence often amounted to verifying whether basic IT security policies existed and whether any major data breaches had been reported.

This fragmented framework changed fundamentally following the Supreme Court's landmark decision in Justice K.S. Puttaswamy v. Union of India, which recognised privacy as a fundamental right under Article 21 of the Constitution. The judgment laid the constitutional foundation for comprehensive data protection legislation and underscored the need for proportionality, purpose limitation and accountability in data processing.

The DPDP Act, enacted in August 2023, represents India's first unified statutory framework governing the processing of digital personal data. Its implementation marks a paradigm shift with direct consequences for corporate transactions and restructuring.

  3. Overview of the Digital Personal Data Protection Act, 2023

The DPDP Act seeks to balance two competing objectives: protecting individuals' rights over their personal data and enabling lawful data processing for legitimate business purposes. It applies to all digital personal data collected online or offline and subsequently digitised, as well as to certain extra-territorial processing where goods or services are offered to individuals in India.

Unlike the earlier regime, the DPDP Act does not distinguish between "sensitive" and "non-sensitive" personal data. Any data that identifies or relates to an identifiable individual qualifies as personal data. This broad definition significantly expands the universe of data subject to compliance in M&A transactions.

The Act introduces three principal actors. The data principal is the individual whose data is processed. The data fiduciary determines the purpose and means of processing and bears primary compliance responsibility. The data processor processes personal data on behalf of a data fiduciary. In addition, the government may notify certain entities as Significant Data Fiduciaries (SDFs) based on volume, sensitivity and risk factors, subjecting them to enhanced compliance obligations such as appointing a Data Protection Officer and conducting periodic audits.

Processing of personal data under the DPDP Act is anchored in a consent-notice framework, supplemented by limited grounds for "legitimate use", including employment-related processing. The Act also introduces rights for data principals, obligations relating to data accuracy, security safeguards, breach notification, erasure and grievance redressal.

From an M&A perspective, the most consequential aspect of the DPDP Act is its enforcement architecture. The Data Protection Board of India is empowered to impose penalties of up to ₹250 crore per contravention for failures such as inadequate security safeguards or non-reporting of personal data breaches. This dramatically alters the risk calculus for acquirers inheriting historical non-compliance.

  4. The DPDP Rules: Why Their Enactment Matters for M&A

With the notification of the Digital Personal Data Protection Rules on 14 November 2025, the DPDP Act has transitioned from a largely enabling statute to an operational compliance regime. The Rules now provide binding clarity on critical implementation aspects, including prescribed consent frameworks, breach notification timelines, grievance redressal mechanisms, data retention and deletion standards, and conditions governing cross-border transfers of personal data.

For mergers and acquisitions, the notified Rules materially reshape transaction planning and execution. Acquirers must now factor in clearly defined compliance obligations while conducting data due diligence, assessing legacy data practices, and planning post-closing integration. Transitional compliance costs, remediation requirements, and the practical feasibility of harmonising differing data governance frameworks across group entities have become immediate and quantifiable considerations. Sellers, particularly those operating in data-intensive and technology-driven sectors, are subject to enhanced scrutiny of historical data handling practices, many of which may have been commercially acceptable earlier but may no longer meet the standards mandated under the DPDP Rules.

The operationalisation of the DPDP regime also has a direct impact on transaction documentation. Risk allocation provisions, representations and warranties, indemnity structures, and conditions precedent are increasingly being drafted with specific reference to DPDP compliance. Further, long-stop dates and closing timelines in data-centric transactions are now being calibrated to account for regulatory remediation and alignment with the notified Rules, making data protection compliance a central deal variable rather than a peripheral legal consideration.

  5. Statutory Exemptions for M&A under the DPDP Act

One of the most debated provisions of the DPDP Act from an M&A standpoint is Section 17(1)(e), which provides a limited exemption from certain obligations where personal data processing is necessary for a court- or tribunal-approved scheme of merger, amalgamation, demerger or reconstruction.

This exemption does not create a blanket carve-out for all M&A transactions. It applies narrowly to schemes approved by a competent authority under law, such as schemes under Sections 230-232 of the Companies Act, 2013. Importantly, even in such exempted transactions, obligations relating to data security safeguards and accountability of data fiduciaries continue to apply, as do provisions governing cross-border data transfers.

By contrast, contractual acquisitions, including share purchases, asset purchases and slump sales executed without court approval, do not fall within this exemption. In such transactions, the full rigour of the DPDP Act applies to all processing activities undertaken during due diligence, negotiation and integration.

This distinction has significant structuring implications. In data-heavy deals, parties may increasingly evaluate whether a court-approved scheme offers regulatory efficiency from a data protection perspective, notwithstanding longer timelines and procedural complexity.

  6. Data Sharing During M&A: Who Is the Data Fiduciary?

M&A transactions involve extensive sharing of personal data throughout their lifecycle. During due diligence, sellers disclose employee records, customer databases, vendor contracts, KYC documentation and sometimes sensitive operational data through virtual data rooms. Advisers such as lawyers, auditors and consultants also access this data.

Under the DPDP Act, disclosure and review of personal data constitute "processing". Determining who acts as a data fiduciary and who acts as a data processor is therefore critical. Typically, the seller or target company acts as a data fiduciary when disclosing personal data. The acquirer may simultaneously assume the role of an independent data fiduciary when processing the data for its own decision-making. Professional advisers generally function as data processors.

This multi-fiduciary environment creates overlapping compliance obligations. Each fiduciary remains independently responsible for ensuring lawful processing, adequate security safeguards and compliance with consent or legitimate use requirements. As a result, M&A documentation must clearly articulate roles, purposes of processing and limitations on use to mitigate regulatory exposure.

  7. Virtual Data Rooms and Data Minimisation Obligations

Virtual data rooms (VDRs) have become indispensable to modern M&A. However, under the DPDP Act, indiscriminate uploading of personal data into VDRs poses material compliance risks. Data minimisation and purpose limitation principles require parties to share only what is strictly necessary for evaluating the transaction.

In practice, this necessitates anonymisation, redaction and aggregation of personal data wherever feasible. Access controls must be role-based, audit logs must be maintained, and VDR service providers must be engaged under robust data processing agreements that align with DPDP obligations.

Conducting a data protection impact assessment prior to large-scale data sharing is increasingly emerging as a best practice, particularly in transactions involving consumer platforms, fintechs or healthcare businesses.

  8. Pre-Transaction Phase: Privacy Risk as a Deal-Shaping Factor

In the pre-transaction phase, privacy risk assessment is no longer optional. Acquirers must evaluate whether the target's data practices comply with existing and forthcoming DPDP requirements, identify gaps and estimate remediation costs. This assessment often influences valuation, transaction structure and integration strategy.

Confidentiality agreements and NDAs must be revisited to incorporate DPDP-aligned data protection clauses, including restrictions on onward sharing, data retention obligations and breach notification protocols. Early engagement between legal, IT and compliance teams is essential to ensure alignment between commercial objectives and regulatory constraints.

  9. Due Diligence Under the DPDP Act

Data protection due diligence has become a standalone workstream in Indian M&A. Buyers are increasingly seeking detailed disclosures on categories of personal data processed, consent mechanisms, third-party processors, cross-border data flows, historical breaches and regulatory interactions.

In asset and business transfers, consent complexities become particularly acute. In transactions such as slump sales, customer and vendor data may not automatically transfer without lawful basis. While the DPDP Act permits certain processing under legitimate use, the contours of this exception are narrow and fact-specific.

To manage these risks, parties often rely on data sharing agreements, transitional processing arrangements and representations and warranties covering DPDP compliance. Indemnities for historical non-compliance are becoming more prominent, especially where the target operates in highly regulated data environments.

  10. Employee Data in M&A Transactions

Employee personal data occupies a unique position under the DPDP Act. The Act recognises employment-related processing as a legitimate use, allowing employers to process employee data without explicit consent for purposes such as payroll, benefits administration and risk mitigation.

In M&A transactions, disclosure of employee data to prospective buyers is often necessary for workforce planning and harmonisation of employment terms. While legitimate use may justify such disclosures, employers must still adhere to data minimisation principles, maintain accuracy and provide appropriate notices.

Post-closing, acquirers must update employee privacy notices, align retention policies and ensure that inherited data practices meet DPDP standards. Failure to do so can expose the merged entity to regulatory scrutiny and employee grievances.

  11. Signing and Closing: Data Protection as a Condition Precedent

At signing, transaction documents increasingly include detailed data protection representations, covenants and conditions precedent. Buyers may require targets to remediate identified compliance gaps, obtain fresh consents or restructure data processing arrangements prior to closing.

Data transfer agreements governing the exchange of personal data between entities must be finalised to ensure continuity of lawful processing. In cross-border transactions, parties must also evaluate whether international data transfers comply with sector-specific localisation mandates and forthcoming DPDP Rules on jurisdictional restrictions.

  12. Post-Transaction Integration and Ongoing Compliance

Post-closing integration presents some of the most complex DPDP challenges. Harmonising disparate data governance frameworks, consolidating IT systems and aligning privacy policies require careful sequencing and oversight. Acquirers must ensure that personal data inherited from the target is processed only for lawful purposes and retained no longer than necessary.

The obligation to report personal data breaches promptly to the Data Protection Board and affected individuals underscores the importance of robust incident response mechanisms during integration. Inadequate integration planning can transform historical compliance gaps into ongoing regulatory liabilities.

  13. Conclusion: DPDP as a Structural Force in Indian M&A

The Digital Personal Data Protection Act, 2023 represents a watershed moment for India's corporate and transactional landscape. By elevating data protection from a peripheral compliance issue to a core governance obligation, the DPDP Act fundamentally reshapes how M&A transactions are evaluated and executed.

With penalties reaching up to ₹250 crore for serious contraventions, data protection risk now sits alongside tax, regulatory and litigation exposure in deal decision-making. As the DPDP Rules come into force, Indian M&A will increasingly reward organisations that embed privacy-by-design principles into their transaction strategies.

For acquirers, early and rigorous data protection diligence is no longer optional. For sellers, proactive compliance can enhance valuation and deal certainty. In India's evolving digital economy, successful M&A will depend not only on financial and strategic alignment but also on the ability to navigate the complex intersection of data, privacy and regulation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
