Data Protection in M&A Transactions

14 March 2022

Chinmay Verma

In today’s economy, data is among the most valuable assets a company can possess. More importantly, in an increasingly global industry with a range of national and international legislation to take into account, protecting data and ensuring its security is vitally important during a merger or acquisition. Due diligence is the first and most important step when a privacy function gets engaged in an M&A transaction. During the due diligence process, queries may arise in relation to the target company’s data on its employees, directors, customers, clients, etc. This in turn raises concerns regarding the manner in which, and the extent to which, personal data may be shared, stored or processed.

Data Protection and Privacy Legislations for M&A in India

While the Personal Data Protection Bill, 2019 is yet to be enacted, the law currently in force in India governing data protection is the Information Technology Act, 2000. Section 43A of the Act provides that where a body corporate possesses or deals with any sensitive personal data or information, and is negligent in implementing and maintaining reasonable security practices to protect such data or information, thereby causing wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages to the person(s) so affected.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 were framed under the IT Act, 2000. These rules apply to both body corporates and individuals. They set out the basics of an ideal data protection regime, for example formulating a privacy policy, obtaining consumers’ consent before using their data, disclosing the purpose for which data is used, and retaining data only for as long as is necessary to fulfil that purpose.

Moreover, there are sectoral regulations governing data protection. For example, entities engaged in the payments sector must comply with the RBI’s Framework for Storage of Payments Systems Data, which requires consumer data to be stored locally; where such entities are required to transfer data abroad, they may do so only for a period of 24 hours and must also audit the operations of the foreign entity to which the transaction is outsourced.

Similarly, the E-Commerce Rules, 2020 prohibit obtaining consent from consumers through pre-ticked checkboxes. Likewise, the Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 impose mandatory notification requirements on service providers, intermediaries, data centres and corporate entities upon the occurrence of specified cyber-security incidents.

Impact of Privacy in M&A transactions

With the wave of data legislation coming into force, a target company’s compliance with data protection laws should be assessed thoroughly, as it can affect the value of the transaction. A major data breach or compromise can damage the global financial market, hurt smaller vendors in corporate ecosystems, and tarnish M&A transactions. In 2017, Verizon lowered its offer to buy Yahoo by USD 350 million after learning that 3 billion Yahoo accounts had been hacked [1]. Another example is the USD 123 million GDPR fine against Marriott International because of a data breach at Starwood Hotels that occurred before Marriott even acquired them, which had a huge impact on the transaction [2]. Whether acting as buyer or seller, companies should be aware of the sheer volume of personal data handled throughout an M&A transaction and the relevant data protection issues at each stage.

Potential Privacy Risks in M&A

To identify the potential privacy risks, the buyer should first understand the categories of personal data the target company processes, in particular whether it processes large volumes of sensitive personal data or sensitive proprietary information, as this type of data often requires additional layers of security and attention. Before investigating further, the buyer should obtain a holistic understanding of the data protection laws applicable to the target company. Be it the GDPR, CCPA/CPRA or any other Data Protection (DP) law, compliance with the applicable DP laws should be evaluated.

As an acquirer, it is also important to understand the role of third-party processors engaged by the target company and to identify the extent of international data transfers. Special attention should be given to any cloud providers involved, to how and where the data is stored, and to which contracts and data processing agreements the company has concluded [3].

Most importantly, it should be assessed whether the target company has suffered any data breaches in the past, how it documented and mitigated the risks arising from such a breach, and how it dealt with the matter overall. It is important to assess the data breach response framework the target company may have in place, whether that framework is compliant with the applicable DP law, and whether the necessary procedures exist to document and explain an incident. Apart from past incidents, the potential level of risk should also be assessed on the basis of the vulnerability of the IT systems in place. The target company’s information security policies and the security controls used to keep the data secure should be reviewed.

Moreover, it should be ascertained whether the target company conducts regular risk assessments, and vulnerability and penetration testing, of its systems. It should also be checked whether employees have received adequate data privacy training, particularly those employees who handle personal data as part of their daily roles. Even where the target company’s documentation is in order, it is vital to ensure that personnel are aware of these policies and procedures and are effectively implementing them in their daily operations.

Data Sharing using a Virtual Data Room

It is common practice in M&A transactions for the parties and their advisors to exchange information about the target company during the due diligence process through a virtual data room (VDR). Information and documentation containing personal data may need to be uploaded to this data room, for example contracts of employment, customer contracts, etc. This exchange of personal data is deemed “processing” and as such must comply with the principles enumerated under the GDPR, along with the requirements of other applicable data protection laws.

To help ensure compliance with data protection laws, a reputable VDR service provider should be chosen. If required, a Data Protection Impact Assessment should be conducted, with appropriate technical and organisational measures in place. A proper Data Processing Agreement should be entered into to direct the VDR service provider in its operations. Moreover, all personal data to be uploaded and shared within the VDR should be anonymised and fully redacted unless a valid legal basis applies, and only the minimum amount of personal data or special-category personal data necessary for the specific purpose should be uploaded and shared on the VDR platform. To ensure the security of the information on this platform, access controls to the VDR should be restricted accordingly [4].
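As an added illustration (not from the article), the minimisation and redaction step described above applied to a constructed personnel record before it is uploaded to the VDR: direct identifiers are redacted, the employee identifier is pseudonymised with a deal-specific salt so documents stay linkable, special-category fields are withheld unless a legal basis is recorded, and anything not needed for the stated due-diligence purpose is dropped. The field names, purposes, salt and sample record are all assumptions.

```python
"""Data minimisation before VDR upload (illustrative; field names and purposes are constructed)."""
from __future__ import annotations
import hashlib

# Fields a buyer needs for each due-diligence purpose (constructed whitelist).
PURPOSE_FIELDS = {
    "headcount_review": {"employee_id", "role", "start_date", "salary_band"},
    "contract_terms": {"employee_id", "role", "notice_period", "non_compete"},
}
# Direct identifiers are never uploaded in clear text.
DIRECT_IDENTIFIERS = {"name", "email", "home_address", "national_id"}
# Special-category data is withheld unless a legal basis has been recorded.
SPECIAL_CATEGORY = {"health_status", "trade_union", "religion"}

# Constructed sample record; not real personal data.
SAMPLE_RECORD = {
    "employee_id": "E1001", "name": "Example Person", "email": "person@example.com",
    "role": "Engineer", "start_date": "2019-04-01", "salary_band": "B3",
    "notice_period": "90 days", "health_status": "fit for duty", "trade_union": "yes",
}


def pseudonymize(value: str, salt: str) -> str:
    """Salted hash: records stay linkable across documents without exposing the identifier."""
    return "PSN-" + hashlib.sha256((salt + value).encode()).hexdigest()[:12]


def prepare_for_vdr(record: dict, purpose: str, legal_basis: str | None, salt: str) -> tuple[dict, list[str]]:
    """Return the minimised record plus a redaction log for the DPIA/DPA file."""
    allowed = PURPOSE_FIELDS[purpose]
    out: dict = {}
    log: list[str] = []
    for field, value in record.items():
        if field in SPECIAL_CATEGORY:
            if legal_basis:
                out[field] = value
                log.append(f"{field}: kept (legal basis: {legal_basis})")
            else:
                log.append(f"{field}: withheld (special category, no legal basis)")
        elif field in DIRECT_IDENTIFIERS:
            log.append(f"{field}: redacted (direct identifier)")
        elif field == "employee_id":
            out[field] = pseudonymize(value, salt)
            log.append("employee_id: pseudonymised")
        elif field in allowed:
            out[field] = value
        else:
            log.append(f"{field}: dropped (not needed for {purpose})")
    return out, log
```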

In order to tackle data privacy compliance obligations in an M&A transaction, due diligence should be conducted with a holistic data privacy approach, keeping in mind the following points:

  • A thorough understanding of the privacy exposure should be obtained. If a business is non-compliant, the risk of privacy exposure must be built into the deal’s value. Any discount resulting from that risk will depend on the potential revenue earned from customer data post-merger.
  • The deal structure should include data privacy considerations. Companies should also map out what data is held, how it is processed, and what regulations the processing of this data must meet.
  • In any agreement, if the consent and data transfer agreements are not compliant with global or local DP regulations, the sale of data between the firms will be null and void post-merger. Further, both firms will have to ensure that customers are aware of the transaction and of how data will be used in the merged entity.
  • Both parties should integrate interrelated IT systems and migrate data after the deal is finalised to ensure business continuity, and should update employees and partners on data privacy policies [5].

Disclaimer: This article is the copyright of Reina Consulting LLP. It is not intended to be a form of solicitation or advertising. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is viewed or that it will continue to be accurate thereafter. No person should act on such information without appropriate professional advice based on the circumstances of a particular situation. This information is not to be considered as legal advice or opinion and the firm shall not be liable for any action taken by the user, directly or indirectly, on the basis of such material.