How the DPDP Rules, 2025 impact M&A transactions: Compliance, risks, and penalties


The importance for M&A transactions to be compliant with the DPDP Rules is compounded by the fact that the Schedule to the Digital Personal Data Protection Act, 2023 ("DPDP Act") imposes a penalty of up to Rs 50 crore for a breach of any provision of the DPDP Rules.


On January 3, 2025, the Union Ministry of Electronics and Information Technology introduced the draft Digital Personal Data Protection (DPDP) Rules, 2025 (“DPDP Rules”), developed under the framework of the Digital Personal Data Protection Act, 2023.

This article analyzes the potential impact of these Rules on mergers and acquisitions (“M&A”) transactions in India. The importance for M&A transactions to be compliant with the DPDP Rules is compounded by the fact that the Schedule to the Digital Personal Data Protection Act, 2023 (“DPDP Act”) imposes a penalty of up to Rupees fifty crore for a breach of any provision of the DPDP Rules.


The DPDP Act identifies two key stakeholders: (1) the Data Fiduciary, which is any entity or individual that independently or jointly determines the purpose and method of processing the data and is subject to specific compliance requirements and penalties, and (2) the Data Principal, referring to the individual whose personal data is being processed.

In the M&A context, the Data Principal refers to the individuals whose personal data is involved in the transaction, such as employees, customers, vendors, contractors, suppliers, and business partners of the target company. During the M&A transaction, the seller company is likely to be the Data Fiduciary, as it has control over the personal data of its stakeholders that is handed over to the acquirer company during the due diligence process.


Compliance Challenges faced during M&A Transactions in relation to the draft DPDP Rules

Obtaining Consent 

M&A transactions typically involve managing substantial volumes of personal data belonging to the target company. During due diligence, the buyer often examines information related to data subjects, such as employees, customers, vendors, contractors, suppliers, and business partners (Data Principals).

If the seller or target company discloses this personal data during the process, compliance with the consent requirements outlined in Rule 3 of the DPDP Rules is necessary. Rule 3 of the DPDP Rules provides that the notice through which the Data Fiduciary seeks consent from the Data Principal must be clear and mention the specific purpose of the processing. This requirement can complicate the transaction for several reasons.

First, the sheer volume of data subjects involved may make the process logistically cumbersome and time-consuming. Second, issuing notices and securing consent might alert stakeholders to the potential transaction prematurely, potentially causing unrest among employees or uncertainty among customers and business partners.

Finally, there is the risk that some data subjects may withhold consent, limiting the seller’s ability to share critical information with the buyer, thereby affecting the thoroughness of the due diligence process.

To mitigate risks associated with having to obtain consent from Data Principals and to provide the buyer with confidence, the seller can offer assurances through detailed representations and warranties, affirming that the target company complies with applicable data protection laws and has implemented adequate safeguards for personal data.

Another option for the seller or target company is to provide the buyer with redacted or anonymized data sets during due diligence.

By removing or masking identifying information, the personal data becomes unrecognizable, thus falling outside the scope of the Data Protection Act. This approach allows the buyer to assess the data's value and relevance without triggering the need for consent from the data subjects. However, this method may not be suitable for all types of data or transactions, particularly where detailed personal information is essential for evaluating the target company’s assets or liabilities.

“Reasonable” Security Safeguards 
Under Rule 6 of the DPDP Rules, a Data Fiduciary is required to protect personal data by implementing “reasonable” security safeguards to prevent breaches. However, Rule 6 fails to specify what type of safeguards are “reasonable”. Rule 6 does suggest certain measures like encryption or using virtual tokens, but these measures are only suggested as examples of possible data security measures.

To evaluate the target company's compliance with Rule 6 of the DPDP Rules, it is recommended to request the following information during the due diligence process: details on the technical and organizational measures in place to ensure data protection, data security frameworks, and concepts; information about the IT systems and infrastructure used; records of any data breaches, along with communication with relevant authorities and data subjects; and information on any disputes, regulatory actions, or criminal proceedings related to data protection matters.


Cross Border Data Transfers
Lastly, Rule 14 of the DPDP Rules permits the transfer of personal data outside India by a Data Fiduciary subject to requirements set by the Central Government. For foreign buyers involved in an M&A transaction with an Indian target company, it is essential for the Central Government to publish these requirements. This will provide clear guidance on how the buyer can ensure compliance with the DPDP Rules when transferring personal data, facilitating a smooth and legally compliant transaction.


Conclusion
In conclusion, the complexities of obtaining consent from Data Principals, ensuring data security, and adhering to cross-border data transfer rules require careful planning and execution. A smooth and well-managed process for handling personal data in M&A transactions will not only ensure compliance with the DPDP Rules but also create a more attractive environment for foreign investors. By addressing data protection concerns effectively, both buyers and sellers can minimize legal risks, enhance trust, and foster transparency.

The writer is a Corporate Lawyer based in Mumbai and an alumnus of King’s College London and National Law University, Delhi. He can be contacted via email at Vinayak.Sankaranarayanan470@gmail.

Published on: Feb 05, 2025, 7:09 PM IST