M&A and Joint Venture Data Privacy in India

In every acquisition, the buyer inherits the target's compliance posture — including its non-compliance. Under the DPDPA, this inheritance carries specific financial consequences. If the target company obtained consent through mechanisms that do not satisfy Section 6 requirements, the entire consent base may be legally deficient. If the target processed children's data without verifiable parental consent under Section 9, the liability exposure extends to the buyer post-closing. If the target's vendor contracts do not contain valid Data Processing Agreements under Section 8(2), the buyer inherits a vendor governance gap that may trigger Board scrutiny. These are not theoretical risks — they are quantifiable exposures that directly affect enterprise value.

Joint ventures create an additional structural problem. The DPDPA does not recognise the concept of joint Fiduciaries. Unlike the GDPR, which explicitly addresses joint controllers under Article 26, the DPDPA assigns independent responsibilities to each Fiduciary. When a joint venture processes personal data where both partners influence the purpose and means of processing, the absence of a statutory joint-Fiduciary framework means that liability allocation must be achieved entirely through contract architecture. The JV agreement must define which partner is the Fiduciary for each processing activity, how Data Principal rights are fulfilled, how breach notifications are coordinated, and how regulatory liability is allocated. Without this contractual precision, both partners face overlapping exposure with no statutory mechanism to resolve it.

Privacy Due Diligence Framework

Pre-deal due diligence must examine the target's entire data processing ecosystem: consent mechanisms (Section 6 compliance), privacy notice adequacy (Section 5), security safeguard implementation (Section 8, Rule 6), vendor contract architecture (Section 8(2)), breach history and notification compliance, and Data Principal rights fulfilment records. The output is a privacy risk score that informs valuation and deal structuring.

Consent Transfer Architecture

Consent obtained by the target does not automatically transfer to the acquirer. The DPDPA requires that consent be given for specific purposes to specific entities. A change of control typically requires fresh consent notification or, at minimum, a transparent notice to Data Principals explaining the new processing entity. The deal must allocate responsibility for this consent refresh between buyer and seller.

Liability Allocation in Transaction Documents

Transaction documents must address pre-closing and post-closing privacy liability with specificity. Standard indemnity baskets are insufficient. The SPA or SHA should include specific representations regarding DPDPA compliance, survival periods aligned with regulatory limitation periods, and indemnity mechanisms that cover Board-imposed penalties, investigation costs, and remediation expenses.

Joint Venture Fiduciary Allocation

The DPDPA does not recognise joint Fiduciaries. The JV agreement must therefore assign Fiduciary status for each processing activity to one partner, define the other as a Processor where appropriate, establish contractual mechanisms for Data Principal rights coordination, and allocate breach notification responsibilities. This allocation directly determines regulatory exposure for each partner.

Post-Closing Compliance Integration

The acquirer must integrate the target's data processing operations into its own compliance framework within a defined timeline. This includes harmonising privacy notices, migrating consent records, aligning security safeguards with Rule 6, updating vendor contracts to reflect the new Fiduciary, and establishing unified breach notification protocols. The integration timeline should be specified in the transaction documents.

Valuation Impact Assessment

The data privacy compliance gap directly affects enterprise value. Quantifiable risk factors include: estimated cost of consent refresh campaigns, remediation of non-compliant vendor contracts, security infrastructure upgrades required for Rule 6 compliance, potential Board penalties for pre-closing violations, and the operational cost of the post-closing integration programme. These factors should be reflected in the price adjustment mechanism.

The Joint Venture Problem the DPDPA Did Not Solve

The DPDPA's silence on joint Fiduciaries is not an oversight — it reflects a deliberate architectural choice that assigns accountability individually rather than collectively. But this creates a practical problem for joint ventures where both partners influence the purpose and means of data processing. Consider a financial services JV between a foreign bank and an Indian technology company: the bank brings customer relationships and regulatory expertise; the technology partner builds the platform and processes transaction data. Both influence processing decisions. Under the GDPR, they would be joint controllers with an obligation to transparently determine respective responsibilities. Under the DPDPA, each is independently a Fiduciary for its own processing decisions — but the shared infrastructure means that a breach in one partner's domain may expose the other. The contract must resolve what the statute does not. Recommended architecture includes: clear Fiduciary assignment per processing activity, a joint privacy governance committee with defined authority, coordinated Data Principal rights fulfilment protocols, shared breach response playbooks with defined escalation paths, and mutual audit rights over shared processing infrastructure. Without this precision, the JV creates a liability overlap that neither partner can fully control and neither regulator will excuse.

Under the DPDPA, you do not merely acquire a company's data. You acquire its data privacy liabilities — every consent deficiency, every vendor gap, every unreported breach. The diligence that catches these before closing is the diligence that protects value.

Does consent transfer automatically to the acquirer in an M&A transaction?

No. Consent under the DPDPA is given for specific purposes to specific entities. A change of control typically requires either fresh consent or, at minimum, a transparent notice to Data Principals explaining the new processing entity. The deal documents should allocate responsibility for this consent refresh between buyer and seller and define the timeline for completion.

How does the DPDPA handle data privacy in joint ventures?

The DPDPA does not recognise joint Fiduciaries. Unlike the GDPR's Article 26 joint controller framework, each entity under the DPDPA bears independent Fiduciary responsibility. In joint ventures, the JV agreement must contractually assign Fiduciary status for each processing activity, define Data Principal rights coordination mechanisms, and allocate breach notification and regulatory liability between the partners.

What should data privacy due diligence cover in an Indian M&A transaction?

Due diligence should examine: Section 6 consent mechanism adequacy, Section 5 privacy notice compliance, Section 8 security safeguard implementation and Rule 6 alignment, Section 8(2) vendor contract architecture, breach history and notification compliance records, Data Principal rights fulfilment records, and any pending complaints or Board investigations. The output should quantify the compliance gap for valuation and liability allocation purposes.

Can pre-closing DPDPA liabilities be allocated to the seller?

Yes, through specific representations, warranties, and indemnities in the transaction documents. However, the Data Protection Board will hold the current Data Fiduciary — the post-closing entity — responsible for ongoing compliance. Transaction documents should include specific survival periods for privacy representations, indemnity mechanisms that cover Board penalties and remediation costs, and escrow or holdback provisions proportional to the identified privacy risk.

Get Your M&A Privacy Due Diligence Framework

Our Deal Privacy Toolkit includes a comprehensive due diligence checklist, consent transfer architecture template, JV Fiduciary allocation framework, and valuation impact assessment model — designed for foreign companies transacting in India.