
M&A Privacy Due Diligence: Navigating DPDPA, GDPR, and CCPA Intersections

The landscape of mergers and acquisitions (M&A) is increasingly shaped by data, making privacy due diligence a non-negotiable component of any successful deal. For Indian businesses engaging in M&A, whether domestically or internationally, understanding the interplay between the Digital Personal Data Protection Act, 2023 (DPDPA), the European Union’s General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA) is paramount. This analysis anchors on the DPDPA and compares its implications for M&A due diligence against these key global frameworks.

Scope and Applicability for Acquirers

The DPDPA casts a wide net. It applies to the processing of digital personal data within India (whether collected in digital form or digitised later) and, extraterritorially, to processing outside India in connection with offering goods or services to Data Principals within India (Section 3). In an M&A context, both the acquiring and target entities become Data Fiduciaries if they are "persons" within the meaning of Section 2 and determine the purpose and means of processing personal data. A critical Indian nuance is the concept of a "Significant Data Fiduciary" (SDF) under Section 10, which the Central Government may notify on the basis of factors such as the volume and sensitivity of personal data processed, the risk to the rights of Data Principals, and the potential impact on the sovereignty, security and public order of India. Acquiring an SDF, or an entity that becomes an SDF post-merger, triggers enhanced obligations, including appointing a Data Protection Officer based in India, engaging an independent data auditor, and conducting periodic Data Protection Impact Assessments (DPIAs) and audits, all of which must be factored into due diligence.

In contrast, GDPR's territorial scope (Article 3) applies to processing by controllers or processors established in the EU, regardless of where the processing takes place, and to processing by non-EU entities where it relates to offering goods or services to data subjects in the EU or to monitoring their behaviour there. CCPA's applicability turns on whether an entity is a "business" as defined in Section 1798.140: a for-profit entity doing business in California that meets an annual gross revenue threshold, buys, sells or shares the personal information of a large number of California consumers or households, or derives a majority of its revenue from selling or sharing that information. While GDPR applies broadly based on the data subject's location, and CCPA based on business size and data activities, DPDPA's SDF designation introduces a qualitative, government-driven assessment that can significantly affect a target's valuation and post-acquisition integration strategy, potentially making the Indian framework stricter for larger data-processing entities.

Lawful Basis and Consent Post-Acquisition

Under the DPDPA, the acquirer steps into the target's obligations regarding the lawful processing of personal data. The bedrock is consent, which must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action, and limited to the personal data necessary for the specified purpose (Section 6). If the acquirer intends to process data for purposes not covered by the original consent, fresh consent will generally be required. DPDPA does provide "certain legitimate uses" (Section 7) as an alternative to consent, for example where the Data Principal has voluntarily provided data for a specified purpose, for employment-related purposes, for medical emergencies, and for certain functions of the State, but these are narrowly defined. Note that the "deemed consent" concept from the 2022 draft bill did not survive into the enacted Act; it was replaced by the Section 7 legitimate uses, and Section 8 instead sets out the general obligations of a Data Fiduciary (accuracy, security safeguards, breach notification, erasure once the purpose is served). Continued processing of legacy data after closing therefore has to be justified under Section 6 or Section 7, and due diligence should confirm which applies to each data set.

GDPR similarly demands a lawful basis for all processing (Article 6). Consent (Article 7) is one, but "legitimate interests" (Article 6(1)(f)) is often the key basis in M&A, provided a legitimate interests assessment is performed and the interests of the controller are not overridden by the data subjects' rights and freedoms. The principle of purpose limitation (Article 5(1)(b)) is critical: data collected for one purpose cannot simply be repurposed post-acquisition without a compatible purpose or a new lawful basis. CCPA, on the other hand, focuses less on affirmative consent for processing and more on the right to opt out of the "sale" or "sharing" of personal information (Section 1798.120). The transfer of personal information to a third party as an asset in a merger, acquisition or similar transaction is carved out of the definition of "sale" (Section 1798.140), but only on condition that the acquirer continues to honour existing opt-outs and gives prior notice to consumers if it materially changes how their information is used or shared. DPDPA's emphasis on explicit consent and its more restricted "legitimate uses" framework is stricter than GDPR's broader "legitimate interests" and CCPA's opt-out model, potentially necessitating more granular consent mapping and re-papering in Indian M&A deals.

Cross-Border Data Transfers and Integration

DPDPA's stance on cross-border data transfers (Section 16) is distinct. Rather than requiring a positive transfer mechanism, it permits transfers by default and empowers the Central Government to restrict transfers to countries or territories it notifies. Section 16(2) also preserves any Indian law that imposes a higher degree of protection or restriction, so sectoral localisation mandates (such as the RBI's requirements for payment system data) continue to apply on top of the Act. As of May 2026, rules detailing mechanisms akin to GDPR's adequacy decisions or Standard Contractual Clauses (SCCs) are still anticipated. This creates a degree of uncertainty for Indian entities involved in global M&A, as the framework relies on future governmental notifications rather than pre-defined legal instruments.

GDPR, conversely, has a highly prescriptive regime for international data transfers (Chapter V, Articles 44-50), requiring an adequacy decision (Article 45), appropriate safeguards such as SCCs (Article 46) or Binding Corporate Rules (BCRs) (Article 47), or one of the narrow derogations in Article 49. Following the Schrems II judgment, transfers relying on SCCs or BCRs also require Transfer Impact Assessments (TIAs) to confirm that the destination country's law does not undermine the protection the safeguards are meant to provide. CCPA does not regulate cross-border transfers as such; its consumer rights and business obligations apply irrespective of where the data is held. Consequently, DPDPA's current framework for cross-border transfers is less defined than GDPR's well-established mechanisms (more flexible on paper, but uncertain until the restricted-country notifications are issued), while CCPA is largely silent on this aspect.

Data Subject Rights and Enforcement Risks

All three frameworks empower individuals with rights that an acquirer must honour. DPDPA grants Data Principals the rights to access information about their personal data, to correction and erasure, and to grievance redressal (Sections 11-13), as well as a right to nominate another person to exercise these rights in the event of death or incapacity (Section 14); Section 8 separately obliges every Data Fiduciary to maintain an effective grievance redressal mechanism. GDPR offers comprehensive rights including access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, objection, and protection against solely automated decision-making (Articles 15-22). CCPA provides rights to know, deletion, correction, and the right to opt out of the sale or sharing of personal information (Sections 1798.100, 1798.105, 1798.106, 1798.120). While the core rights are similar, DPDPA is silent on data portability, a key right under GDPR (Article 20), making the Indian law looser in this regard; an acquirer integrating an Indian target with EU operations should still build portability into its rights-handling process for EU data subjects.

Regarding enforcement, DPDPA imposes substantial penalties, up to INR 250 crore for failure to take reasonable security safeguards and lower caps for other breaches (Section 33 read with the Schedule), enforced by the Data Protection Board of India. The existing regulatory landscape, including RBI directions for regulated entities and the IT Rules, 2021 (e.g., Rule 3(1)(k) on data retention), further layers compliance requirements, particularly for financial sector M&A, making the Indian framework stricter for these sectors. GDPR carries fines up to €20 million or 4% of worldwide annual turnover, whichever is higher (Article 83), while CCPA civil penalties reach $2,500 per violation and $7,500 per intentional violation (Section 1798.155). CCPA also grants consumers a private right of action, with statutory damages of $100 to $750 per consumer per incident, where a business's failure to maintain reasonable security results in a breach of non-encrypted and non-redacted personal information (Section 1798.150). The DPDPA's penalties are significant and comparable to GDPR's in their deterrent effect, but the CCPA's private right of action introduces a direct class-litigation risk that DPDPA does not provide for; a target's historical breach record should therefore be priced differently depending on which jurisdictions' data it holds.

Practical takeaway

For Indian businesses, General Counsels, and Data Protection Officers navigating M&A, proactive and comprehensive privacy due diligence is no longer optional. Begin with thorough data mapping of the target's personal data assets, identifying the lawful basis for each processing activity and assessing whether the consents on file satisfy Section 6 of the DPDPA or fall within a Section 7 legitimate use. Develop a clear strategy for managing cross-border data transfers, anticipating the forthcoming DPDPA rules while adhering to existing GDPR and CCPA requirements for the relevant data. Ensure that post-acquisition, your integrated systems can respond to data subject rights requests across all applicable jurisdictions within each regime's statutory timelines. Finally, factor in the potential for "Significant Data Fiduciary" designation and the interplay with sector-specific regulations such as RBI directions, as these can add unique layers of complexity and risk to Indian M&A deals.

This post is licensed under CC BY 4.0 by the author.