Privacy Concerns in Data Driven Mergers: An Analysis


“Ts’ui Pe must have said once: I am withdrawing to write a book. And another time: I am withdrawing to construct a labyrinth. Every one imagined two works; to no one did it occur that the book and the maze were one and the same thing.”

-Jorge Luis Borges, The Garden of Forking Paths

As per Domo Business Cloud, roughly 2.5 quintillion bytes of data are created every day. The Internet of Things, or the “IoT”, is leading the data collection sphere by facilitating the collection and more accurate comprehension of both online and offline data through inter-device collection of data. Stored data grows five times faster than the world economy. A McKinsey and Co. survey gives astonishing insights into the relevance of data in modern business profitability. Organizations employing customer analytics show a 23 times higher chance to outperform competitors in customer acquisition, and a 19% higher chance to achieve above-average profitability.

With reference to certain Key Performance Indicators, the comparison between entities employing intensive customer analytics and their competitors may be denoted by the following:

Further, Mergers and Acquisitions in India Inc. defied the global downward trends and soared to $126.09 billion across 1,185 deals in 2022.

On the 24th of August, 2017, the unanimous verdict of a nine-judge bench of the Supreme Court of India, in Justice K.S. Puttaswamy vs. Union of India, referred to Articles 14, 19, and 21 of the Constitution of India to hold that the Constitution guarantees a fundamental right to privacy to each individual. Hon’ble Mr. Justice Sanjay Kishan Kaul, in his separate concurring judgement, while dealing with privacy and technology in the aforesaid case, noted the ease of access to information due to technological development. Justice Kaul went on to recognise that such right to privacy under the Constitution may be exercised against state and non-state actors, and that an exercise against the latter may require legislative intervention. Hon’ble the now Chief Justice of India, Justice Dhananjaya Yeshwant Chandrachud, observed the role of state and non-state actors in regulating the social life of an individual and the bearing of the same upon the privacy of an individual.

In view of the aforesaid constitutional philosophy and the fact that collecting, utilizing and dealing in data has become a virtual necessity of a business for continued survival, certain regulatory concerns and obligations arise in merger transactions, specifically in relation to the personal data of the target audiences, carried by the merging entities.


A contravention of personal data privacy laws may take place in a situation where a third party gains access to such data as a result of such a transaction. EU Directive 95/46/EC of October 24, 1995 primarily governs the relationship between the entity sharing such data in the M&A transaction (data controller), the entity receiving such data as a part of the transaction (data recipient), and the entity whose data is being transferred pursuant to such transaction (data subject).

In view of the above, the Directive sets out certain requisites for data to be shared. The following three conditions may be highlighted in light of an M&A transaction:

  • Legitimate interest of the data controller or the data recipient, provided this is not incompatible with the interests or the fundamental rights and liberties of the data subject: This may be understood as a classic balancing of interests. Abiding by this condition, one may arrive at an understanding that only such data of their subjects is to be shared between parties to an M&A transaction as is required to successfully consummate such a transaction.
  • Consent of the data subject: It is an outright logistical impossibility to obtain the consent of such subjects in even the most midsized M&A transactions, since the number of individuals present in each class in such a transaction, i.e., controller-recipient-subject, renders an entity-specific approach to the consent condition impractical. Rather, a method that focuses on the nature of the data being shared to decide the extent of consent to be obtained may be a more conducive approach. The sharing of ‘sensitive data’ may be a critical situation requiring strict compliance with the consent condition.
  • Performance of a contract with the data subject: This condition may be viewed in light of the legitimate interest set out above. If sharing such data of the subjects becomes critical to achieving the objectives of the contract between the recipient and the controller, a data transfer may be warranted as a part of an M&A transaction.

It is pertinent to note that it remains a common practice for jurisdictions to require a clause to be present in the agreement between the data controller and the data subject, outlining the fate of such data of the subjects.


The Yahoo-Verizon deal remains the poster child of the rippling implications of a data breach while entering a transaction. While Yahoo’s internet business was to be sold at $4.83 billion, the same was reduced to $4.48 billion as a consequence of data breaches affecting approximately 3 billion accounts.

Further, in light of said breaches, in addition to Yahoo’s settlement with the affected stakeholders amounting to a total of $117.5 million, Verizon itself had to agree to pitch in $306 million towards strengthening the entity’s data privacy infrastructure and also agreed to quadruple staffing in the area compared to Yahoo’s.


There exists no other term for the age-old battle between the Separatists and the Integrationists when dealing with any debate involving data privacy and competition law. While some argue that the two areas need to operate in their watertight domains, there exists a view that calls for data privacy and competition law concerns to be addressed collectively. The changing business and technological landscapes have stripped competition regulators of the liberty to recuse themselves from data privacy arguments, especially in mergers involving heavily data-driven entities. The Competition Act, 2002, in its statement of objects and reasons, deploys the phrase “protect the interests of consumers...”. Pari materia terms may be seen in global competition legislations, and it is here that the paradox, and perhaps the answer to it, are born. The technological and macro-economic landscape requires that a wider interpretation be attached to the word ‘interest’, i.e., for it to be interpreted in a manner beyond a mere monetary sense and to include individual concerns of data privacy in a merger transaction. The CCI recognised the same in its January 2021 Market Study Report on the Telecom Sector in India. The report, while dealing with the inherent conflict between enabling user access and protecting personal data, noted that privacy can take the form of ‘non-price competition’, and dominant players may abuse their position in the sector to employ abusive privacy policies. Furthermore, the Commission was of the view that competition analysis must focus on the extent to which a user may ‘freely consent’ to any privacy policy offered by an entity.

The Commission’s philosophy in the said report manifested itself as a litigation action, with the CCI ordering a suo motu investigation into the privacy policy introduced by ‘WhatsApp’, as the same was observed to be imposing unfair terms.


The Competition (Amendment) Act, 2023 and the Digital Personal Data Protection Act received presidential assents on 11th April, 2023 and 11th August, 2023 respectively. The consequences of their nuptials remain to be seen but the future looks like that of most marriages, challenging but happy. The Competition (Amendment) Act brings in a change in the threshold criteria to set off competition law actions. While the law earlier envisaged a situation where the competition machinery was put into action on the basis of a fiscal valuation or an asset-based threshold, the Amendment Act (through section 6) has included the criteria of transaction value. The act defines “value of transaction” as follows:

“Value of transaction” includes every valuable consideration, whether direct or indirect, or deferred for any acquisition, merger or amalgamation.

As per the Amendment Act, where the value of any transaction exceeds INR 2000 crores, the same would be treated as a combination under Section 5 of the Act.

The definition thus opens the scope for user data becoming an operative factor in setting off competition law actions. This is because data driven mergers may not involve brick and mortar assets or other conventional business assets such as production capacity, supply chain or intellectual property, and the real weight of the transaction may lie in the user data that is being acquired through the transaction.

The said Amendment protects the citizens from a chink in the armour of the data protection regime of the country. The Digital Personal Data Protection Act, 2023 through Section 7(a) provides for deemed consent, and also through Section 17 suspends various protective provisions in the event of a merger, while allowing data exchange for the same. The problem arises when the concept of deemed consent meets the merger clauses in the Act. Under the Act, deemed consent operates on a negative checklist, i.e., only those usages of data are restrained that are specifically prohibited by the data principal. Thus, all other usages are impliedly permitted. Further, deemed consent cannot be withdrawn, and thus user privacy may be capitalised on by the parties to a merger.

In such state of affairs, the Competition (Amendment) Act, 2023 through the ‘value of transaction’ concept, allows the competition commission to step in and ensure a protected and user-friendly data market.


In the year 2012, the Group of Experts on Privacy published a report that dealt with a systematic framework to serve as the foundation for a Privacy Act for India. The report recognises a Co-Regulatory Enforcement Regime as one of the salient features of such suggested framework. The report recommended a system of co-regulation, by ensuring compliance of the Act through Self-Regulating Organisations (SROs) acting under the supervision of the Privacy Commissioner. The logic behind the approach is straightforward; such SROs possess industry-specific knowledge which may facilitate a more curated and accurate compliance of the Act. Further, such SROs carry the element of influence and technical capacity required by such an industry, in order to spread industry-specific privacy awareness in both the industrial and the public domain. The spirit of the SROs will be put to test under the mechanism introduced by the Digital Personal Data Protection Act, 2023.

Even though the Data Protection Board of India envisaged to be established under Chapter V of the Digital Personal Data Protection Act, 2023 is yet to be established, the integrity and independence of the board is already under the scanner due to speculations regarding undue government influence. The actions of the board in discharge of its mandate and its interaction with the CCI shall be decisive in determining the strength of the data protection regime in the realm of mergers.

Pursuant to the same, a successful fusion of ideologies behind competition law and data protection law is required as the two can no longer operate solely in their independent domains. Data privacy concerns must be considered by the Competition Commission of India and the term ‘public interest’ must be given a wider connotation by the Commission, to accommodate data privacy as a relevant factor, especially in mergers involving heavy exchange of data.

(This post has been authored by Kartikay Puneesh, a final year law student at Vivekananda Institute of Professional Studies, New Delhi.)

CITE AS: Kartikay Puneesh, ‘Privacy Concerns in Data Driven Mergers: An Analysis’ (The Contemporary Law Forum, 09 September 2023) <> date of access.
