Mergers, acquisitions, and joint ventures involving Indian entities now carry a distinct data privacy risk dimension under DPDPA. Section 8(8) creates a post-cessation obligation — a former Data Fiduciary retains DPDPA responsibilities even after divesting the business. Section 8(2)'s non-delegable processor responsibility means the acquiring entity inherits processor governance obligations. Penalties under the Schedule (up to Rs 250 Cr) represent a quantifiable contingent liability that must be assessed in deal valuation. For private equity funds, strategic acquirers, and joint venture partners evaluating India targets, DPDPA due diligence is no longer a compliance add-on — it is a price-determining factor.
Pre-Acquisition Privacy Audit Under DPDPA
The due diligence framework must examine six DPDPA-specific domains. First, consent validity — does the target have auditable consent records for all processing activities? Invalid or absent consent means the acquiring entity inherits unlawful processing. Second, notice adequacy — do the target's Section 5 notices cover all actual processing purposes? Gaps between notice and processing create immediate non-compliance upon acquisition. Third, processor contract completeness — are all processor relationships governed by contracts meeting Rule 6 requirements? Fourth, breach history and response adequacy — has the target experienced breaches, and were they notified per Section 8(6) and Rule 7? Unreported breaches are ticking time-bombs for acquirers. Fifth, children's data compliance — if the target processes under-18 data, is there verifiable parental consent infrastructure? Sixth, cross-border transfer architecture — does the data flow structure comply with Section 16 and sectoral localisation requirements?
Key Points
- Six DPDPA-specific due diligence domains
- Invalid consent = inheriting unlawful processing
- Unreported breaches are contingent liabilities
- Children's data non-compliance is high-severity
DPDPA Warranties and Indemnities in SPAs
The Share Purchase Agreement (SPA) or Asset Purchase Agreement (APA) must include DPDPA-specific representations and warranties. The seller should warrant: (a) all processing is based on valid consent or legitimate use under Section 7, (b) Section 5 notices are adequate and current, (c) all processor contracts comply with Section 8(2) read with Rule 6, (d) no unreported breaches exist, (e) no pending or threatened Board proceedings under Section 27, (f) children's data processing complies with Section 9 and Rules 10-12, and (g) no SDF notification or inquiry is pending. The indemnity should cover: Board penalties, Data Principal claims, consent remediation costs, breach notification expenses, and processor contract renegotiation costs. Consider an escrow mechanism for DPDPA-specific contingent liabilities — penalties up to Rs 250 Cr under the Schedule make this a material risk allocation issue.
Key Points
- Seven DPDPA-specific SPA warranties
- Indemnity for Board penalties and consent remediation
- Escrow mechanism for contingent DPDPA liability
- Cover processor renegotiation costs
Post-Close Integration: The 90-Day DPDPA Window
The acquiring entity should execute a 90-day post-close DPDPA integration plan. Days 1-30: Audit all inherited consent records against Section 6 requirements; identify and remediate invalid consents. Days 31-60: Renegotiate all processor contracts to name the acquiring entity as Data Fiduciary with DPDPA-specific terms; update sub-processor registers; align breach notification chains. Days 61-90: Harmonise privacy notices across the combined entity; implement unified rights request processing; establish a combined grievance redressal mechanism under Section 13 read with Rule 8. The integration plan must also address technology systems: CRM, HR, finance, and marketing platforms must be assessed for DPDPA compatibility. Data migration between seller and buyer systems requires fresh notice and consent validation.
Key Points
- 90-day structured integration timeline
- Days 1-30: Consent audit and remediation
- Days 31-60: Processor contract renegotiation
- Days 61-90: Notice harmonisation and rights unification
Valuation Impact: Quantifying DPDPA Risk
DPDPA introduces quantifiable privacy risk into deal valuation. The penalty schedule creates a maximum exposure of Rs 250 Cr for specified contraventions. But the real valuation impact comes from four operational costs: (1) consent remediation: if the target has defective consent architecture, this is the cost of obtaining fresh consent from the entire user base (abandonment rate typically 20-40% for re-consent campaigns); (2) processor contract renegotiation: India IT outsourcing contracts are typically 3-5 years, and mid-term renegotiation carries premium pricing; (3) technology investment: DPDPA-compliant consent management, rights fulfilment, and breach detection platforms carry implementation costs; and (4) organisational change: DPO appointment, privacy team establishment, and Board reporting mechanisms. These costs should be reflected in the deal price through either a purchase price adjustment or an indemnity holdback.
Key Takeaways
- DPDPA due diligence covers six domains: consent, notices, processor contracts, breach history, children's data, cross-border architecture
- Section 8(8) creates post-cessation obligations: former Fiduciaries cannot walk away from DPDPA responsibilities
- SPAs must include seven DPDPA-specific warranties and escrow mechanisms for contingent penalty liability
- Post-close integration follows a 90-day plan: consent audit, processor renegotiation, notice harmonisation
- Re-consent campaigns carry 20-40% user abandonment risk, a direct revenue impact to be priced into the deal
- DPDPA compliance costs (remediation, technology, organisation) should be reflected in purchase price adjustment
