Authors: Ms. Shubhi Ameriya (Associate Partner) and Ms. Mala Mehto (Principal Associate).
I. Introduction
M&A due diligence has historically been a document-centric exercise. Data rooms traditionally functioned as repositories of contracts, licences, financial statements, and compliance records, with personal data appearing only incidentally, embedded within those documents. The implicit assumption was that personal data formed part of the business assets and could be disclosed, transferred, and integrated without significant legal constraints.
The enactment of the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Digital Personal Data Protection Rules, 2025 (collectively referred to as “DPDPA”) fundamentally changes this approach. With full enforcement of the DPDPA expected in May 2027 (“DPDPA Regime”), personal data will no longer be a routine operational by-product; it will become a regulated legal subject governed by consent, purpose limitation, storage limitation, and fiduciary obligations.
Under the DPDP Act, the target company would be treated as a “Data Fiduciary”, and the acquirer as a “successor Data Fiduciary”. In the context of an acquisition, this means that the acquisition or ownership of a business will not automatically translate into lawful control or use of its personal data. Accordingly, where the acquirer intends to process personal data post-acquisition for a purpose different from that for which it was originally collected, fresh consent will be required for such processing.
As a result, the traditional data room would evolve into what may more accurately be described as a “consent room” where the focus shall no longer be on what data exists, but on whether such data was lawfully collected, whether it can be shared with a prospective acquirer, and whether it can continue to be used post-closing in the manner contemplated by the transaction.
II. Data as a Regulated Subject: The DPDPA Lens in M&A
Under the DPDP Act, personal data processing is permissible only where it is collected for a lawful purpose, supported by valid and affirmative consent (or a statutorily recognised legitimate use), and constrained by purpose and retention limitations.
Currently, it is not uncommon for sellers to upload payroll databases, customer lists, or statutory disclosure forms of directors, required under the Companies Act, 2013, containing personal data into data rooms without extensive scrutiny. Under the DPDPA Regime, however, such disclosure will itself constitute “processing” and will require compliance with DPDPA. This would require a pre-diligence review by the seller to verify whether appropriate notices were provided to data principals seeking their consent for the disclosure of personal data in connection with a sale or restructuring of the business.
This issue becomes particularly complex in relation to employee data. Section 7(i) of the DPDP Act permits processing of personal data for “certain legitimate uses,” including “purposes of employment.” A commonly advanced argument is that M&A due diligence forms part of a corporate restructuring intended to ensure continuity of employment and that, in a going-concern transaction, sharing payroll, performance, and benefits data with an incoming employer is necessary for the “purposes of employment”, i.e., the continuation of statutory and contractual obligations, because the new employer needs this data to fulfil its future obligations (such as calculating gratuity or continuing insurance).
While this argument has practical appeal, reliance on Section 7(i) of the DPDP Act alone is risky for three main reasons:
- Purpose Limitation: The “purposes of employment” exception is generally interpreted to cover the current employer-employee relationship (e.g., processing for payroll, attendance, or other employment benefits). Sharing that data with a potential buyer (a third party) is a different purpose which may not fall squarely within the employment exception.
- Lack of Precedent: Unlike the GDPR, which has a broad “Legitimate Interests” clause (Article 6(1)(f)), the Indian DPDPA’s “Legitimate Use” list is exhaustive, not illustrative. If the DPDP Act intended to exempt M&A, it would have explicitly listed it in Section 17.
- Specific exemption in Section 17(1)(e): The DPDP Act provides a specific exemption in Section 17(1)(e) for processing data in a scheme of compromise or arrangement or merger approved by a court. The presence of this express carve-out strongly suggests that private, non-court-mandated transactions such as share purchases or asset acquisitions are intended to comply with the standard consent framework.
In an M&A context, this raises a critical question: Does a change in control or ownership constitute a new purpose or result in a new data fiduciary? In many transactions, particularly those involving integration or expansion of data use, the answer is likely to be a “yes”.
III. Can Consent be embedded in Employment Contracts?
In the DPDPA Regime, the longstanding practice of embedding broad data processing consents within appointment letters or employment contracts will no longer be legally sustainable. The DPDP Act requires consent to be free, specific, informed, unconditional, and expressed through an unambiguous affirmative action. Given the inherent power imbalance in an employer-employee relationship, a consent embedded within a “take-it-or-leave-it” employment contract is unlikely to satisfy this standard.
To achieve true compliance, organisations must decouple data consent from the service contract. This necessitates a transition to a granular, tick-box framework where employees provide a clear affirmative action periodically for distinct processing activities, particularly for the sharing of their personal data during corporate restructuring or M&A due diligence.
IV. Practical Diligence Strategies: Redaction, Sampling, and Purpose-Limited Disclosure
DPDPA constraints are already reshaping diligence mechanics. Customer contracts and vendor purchase orders are increasingly being shared on a sample basis, with personal identifiers redacted. Under the DPDPA, redaction is no longer a matter of courtesy but a compliance requirement. Names of individual signatories, mobile numbers, and personal email addresses must be removed where they are not necessary for evaluating commercial risk.
Similarly, when employee payroll data is shared, anonymisation techniques such as the removal of employee names should be employed to ensure that the information cannot reasonably be linked to identifiable individuals.
V. Risk Allocation Under Transaction Documents
Representations and Warranties: Given the potential exposure under the DPDP Act, generic “compliance with laws” representations will no longer be sufficient in the DPDPA Regime. Buyers will have to seek targeted representations confirming that all personal data disclosed during due diligence was collected in accordance with valid notices under Section 5 of the DPDP Act and processed in compliance with DPDPA. The sellers should further represent that they have not received any notices, inquiries, or directions from the Data Protection Board of India and that there are no unresolved complaints pending.
Conditions Precedent: Under the DPDPA Regime, data protection readiness will become a condition to closing. Completion of a comprehensive data mapping audit, remediation of identified consent gaps, appointment of grievance officers, and implementation of security safeguards will become non-negotiable closing conditions in data-intensive transactions.
Indemnities and Caps: Given the scale of penalties under the DPDPA, data protection breaches would be carved out from general indemnity caps and, in some cases, can be treated as fundamental representations. Standalone data protection indemnities should be used to cover not only regulatory penalties but also remediation costs and loss of data utility arising from mandatory deletion of data.
VI. Penalties Under the DPDPA: Why they matter in M&A
The DPDP Act introduces one of the most stringent penalty frameworks in Indian regulatory law, with penalties of up to INR 250 (two hundred and fifty) crores per instance for certain non-compliance. In an M&A context, this significantly changes transaction risk, as pre-closing data non-compliance may crystallise into substantial post-closing liability once systems are integrated or data use is expanded.
VII. Transitional Compliance: Preparing for Full Operationalisation
Although the DPDPA is not yet fully operational, with phased enforcement expected to culminate in May 2027, buyers, sellers, and transaction advisors cannot afford to treat the interim period as a regulatory grace period. They must therefore begin aligning their diligence processes, disclosure practices, and transaction documentation with the DPDPA framework now. Early adoption allows stakeholders to familiarise themselves with consent-based data governance, reduce future remediation costs, and avoid disruptive changes once DPDPA is fully enforced.
VIII. Conclusion
The transition from data rooms to consent rooms reflects a deeper structural shift in Indian M&A practice. In the DPDPA Regime, personal data cannot be assumed to be freely transferable, and compliance cannot be treated as a post-closing exercise. Consent, purpose limitation, and fiduciary accountability now sit at the core of transaction risk analysis.
For dealmakers, this requires a rethink of how diligence is conducted, how transaction documents are drafted, and how post-closing integration is planned and executed. For lawyers, it offers an opportunity to reshape M&A practice at the intersection of corporate law, technology, and personal rights.
In the coming decade, the most valuable datasets will not be the largest ones, but those that are most legally defensible.
Disclaimer: This article represents our understanding and interpretation of the relevant laws as on the date hereof and is provided without expressing any opinion, advice, or recommendation. The interpretations set out herein are subject to change, and there can be no assurance that any regulator, authority, or judicial body will concur with or adopt a position consistent with our views expressed in this article. This article is furnished solely for academic and informational purposes and should not be construed as legal advice or relied upon for any purpose whatsoever.


