No Data, No Deal? The DPDP Act’s impact on Indian M&A

Introduction 

The Digital Personal Data Protection Act, 2023 (‘DPDP Act’) has altered how mergers and acquisitions are evaluated in India. What was once a routine ‘IT diligence’ item has now become a central driver of deal risk, valuation, and even deal viability in some cases.

In every merger and acquisition (‘M&A’) transaction, there is exchange of personal information belonging to customers, employees, vendors, and other stakeholders. This exchange is integral to the transaction and starts as early as the stage where the buyer or targets are being identified and extends until the deal closes- or sometimes, even post-closing. For instance, during due diligence, a buyer who evaluates an e-commerce company may seek access to customer databases to assess repeat purchase behavior, geographic spread, and marketing effectiveness. Under the DPDP Act, sharing such identifiable customer data without valid consent or anonymization could expose the seller to compliance risks even before the deal is signed. Therefore, proper handling, sharing, storage, dealing, disclosure and transfer of such data is central to all M&A transactions and any lapses in these aspects may have severe implications on the usability of such data. This may cause loss of value or even result in the transaction falling apart. That’s the risk today’s M&A transactions face and businesses now must rethink and pivot in their data handling processes during transactions.

At its core, the DPDP Act introduces a rights-based framework — meaning individuals have stronger control over their personal data, and companies have greater responsibility in how they use it.

In this article we have tried to break down a few aspects of the DPDP Act which need to be considered and accounted for during the lifecycle of an M&A transaction.

Before we dive in deeper, it would be pertinent to understand the 3 key participants when dealing with personal data, who are: the data principal (individual whose data is to be used), the data fiduciary (person who determines the purpose and means of processing personal data) and the data processor (person processing personal data on behalf of the data fiduciary). 

M&A Transactions

As data (including personal data) is one of the core assets of any company, almost all M&A transactions would have an element of personal data being handled, collected, stored, processed or transferred. Hence, going forward from 13 May 2027, a rigorous health check of the processes adopted by the company to safeguard the personal data will become critical under the DPDP Act.

All M&A transactions will be subject to stringent obligations and compliance requirements under the DPDP Act, except for certain types of corporate restructuring such as (a) scheme of compromise/ arrangement/ merger/ amalgamation of two or more companies; (b) reconstruction of a company by way of demerger; (c) transfer of undertaking of one or more companies to another company; (d) division of one or more companies, or; (e) any transaction approved by the court or tribunal or other authority competent to do so by any law for the time being in force (collectively, ‘Exempted M&A Transactions’).

While Exempted M&A Transactions are not subject to stringent compliance requirements under the DPDP Act, any data fiduciary involved in such transactions will have to enter into valid data processing agreements with any data processor it uses. For instance, in a court-approved merger between two listed companies, employee and customer data may automatically vest with the merged entity. However, if payroll processing is outsourced to a third-party vendor, a data processing agreement must still govern how that vendor handles such data. Data fiduciaries will also have to ensure the accuracy, completeness and consistency of data while processing any personal data. Additionally, the data fiduciary is required to take reasonable safeguards to protect personal data including organizational and technical measures as may be prescribed.

What are the obligations under the DPDP Act?

This directs us to the next question – what should companies do under the DPDP Act if personal data is being used or dealt with in an M&A transaction which is not an Exempted M&A Transaction? 
 

1. Lawful purpose: Data fiduciaries would need a lawful purpose and consent of the data principal for using or processing their personal data. Such purpose for usage also must be clearly mentioned while obtaining the consent. 
2. Consent: The data intended to be collected, processed, stored, handled, dealt in, disclosed or transferred should be obtained from the data principal after seeking their valid consent. The consent has to be sought by giving the reason for such collection. 
3. Specific purpose: Once the purpose is declared and consent obtained, the personal data cannot be used for any other purpose unless specific consent for such other usage is obtained separately.
4. Validity: The personal data can be retained only for a specific period as may be required by law, or till such time the purpose is fulfilled. Once the purpose has been served, the data has to be erased. In a failed transaction scenario, any personal data shared during diligence must be deleted by the prospective buyer once the deal is called off, unless retention is legally justified.
5. Breach: In case of breach, the data fiduciary will have to immediately notify the affected data principal as well as the Data Protection Board regarding such breach. 
6. Data Processors: In the event a data fiduciary intends to engage a data processor to process the personal data on their behalf, the data fiduciary would need to enter into a valid contract with such data processor. For example, if a target company uses a cloud-based HR platform, the acquirer must review whether the vendor agreement meets DPDP requirements before continuing the arrangement post-acquisition.
    

Why does this matter? 

Businesses undertaking M&A Transactions now must ensure at least the following: 
 

• More careful planning during due diligence and data sharing stage. Safeguards need to be put in place to ensure that access to personal data is available only to select people. 
• Maintain access logs for data rooms through which personal data is being shared and disable unauthorized external transfer through means like downloads and screenshots.
• Transparent and clear communication on what data is being collected, the purpose of use, retention period, etc. 
• Obtain all relevant consents from the data principals. Where consent already exists, re-check if the purpose covers the new requirement and any new consent will be required. 
• Have records of the processes followed and consent taken. 
• Put in place stronger compliance checks. 
• Have clear accountability assigned on who would be responsible for each aspect of how the data is handled. 
• Data minimization, i.e., sharing only the personal data strictly necessary and relevant and using anonymized data as much as possible.
• Erase data that is no longer required after the closing of a transaction. 
   

The Challenge!

M&A deals move fast, and data protection compliance requires precision. As data flows throughout the life of a transaction, a practical balance must be struck. For instance, while a buyer may want detailed customer-level data early in diligence, the seller may initially provide anonymized or aggregated datasets and only share identifiable data at a later stage once deal certainty increases. Companies will have to come up with practical solutions and have clear guidelines set out before the transaction commences. 

The change that will be 

Business can undertake certain measures to ensure that the DPDP Act compliance requirements are met: implementing adequate safeguards; conducting continuous training and sensitization of deal teams about what constitutes personal data and the importance of proper handling of the same; using clean teams during diligence and negotiation stages; identification in advance of relevant data to be shared; sharing data on need-only basis; adopting controlled and protected modes to share personal data; data mapping and consent validation audits.

We are likely to see more transactions being structured based on business reliance on personal data, acquirers needing to undertake consent procurement post-closing to align with the purposes for which they will use the data, and implementation of data localization strategies. We also expect transaction documents to have more representations and indemnities specific to personal data and compliance with the DPDP Act, pre-closing remediation action items to ensure compliance, and privacy related price adjustment linked to the usability of the personal data that may be acquired. 

Going forward, preparedness will be key. 

[The first author is a Partner, second is an Associate Partner, while other two are Associates in Corporate and M&A practice at Lakshmikumaran & Sridharan Attorneys]