INDIA Law and Practice Contributed by: Raj Ramachandran, Varun Sriram, Krutamana Pisipati, Aadhitya Logeshen and Abheejit V, JSA
7.2 Primary Securities Market Regulators The primary securities market regulator for M&A trans- actions involving listed entities in India is the SEBI. In a recent change, the RBI is also providing certain inbound merger approvals. Approval from the National Company Law Tribunal would otherwise be required for merger transactions that do not satisfy the con- ditions for a fast-track merger. Parties would factor in a specific time period for obtaining the necessary approvals in the documents they executed between themselves. There are also other sector-specific regulators (such as the Competition Commission of India and the Insurance Regulatory and Development Authority) whose approval may be required, depending on the nature and sector of the business operations of the entities involved. 7.3 Restrictions on Foreign Investments In India, 100% foreign direct investment (FDI) is per- mitted under the automatic route in many sectors. However, there are important exceptions, inter alia, including sectors such as gambling and betting busi- nesses; real estate businesses; trading in transferable development rights; manufacturing of tobacco prod- ucts; agriculture; atomic energy; and others, where FDI is either prohibited or allowed only through the government approval route. Additionally, several sec- tors have FDI caps or regulatory restrictions requiring prior approval. Investments from countries sharing land borders with India or where the beneficial owner is from such countries are permitted only with govern- ment approval, reflecting national security considera- tions. All investments made through the direct route require the prescribed filings under applicable foreign exchange regulations. The Government of India con- tinues to liberalise the FDI regime, as exemplified by the 2025 budget, which increased the insurance sec- tor FDI cap to 100% and proposed a similar increase to 49% for public sector banks. Investors should refer to the latest consolidated FDI Policy and Non-Debt Instruments Rules for sector-specific details and con- ditions.
Depending on the nature of the proposed business activity, it can take 8-12 weeks to obtain approval. The DPDP Act is the principal statute for data protec- tion and personal data processing in India. With the notification of the DPDP Rules, the DPDP Act is now in effect. The DPDP Rules clarify obligations for data fiduciaries, consent processes, breach notification, cross-border transfers and “significant data fiduci- ary” obligations. Key requirements under the DPDP Act’s framework include clear, independent notices and purpose-specific consent processes, data-local- isation triggers, strong security safeguards such as encryption and contractual controls with data pro- cessors, and strict, time-bound breach reporting to both affected data principals (ie, those individuals to whom the personal data relates) and the data protec- tion board and penalties. Large entities are required to comply with defined data retention timelines, includ- ing mandatory deletion within three years of a user’s last interaction and a 48-hour erasure notice require- ment. The regime also introduces the framework for consent managers (ie, those persons registered with the Data Protection Board of India), mandating regu- lated intermediaries to manage consent flows while maintaining fiduciary duties, interoperability and con- flict-free operations. All of the above are likely to impact technology M&A deals, especially for companies handling large vol- umes of personal data. The DPDP Rules implement a staggered approach in relation to the effective date of various provisions and this is a critical factor for global compliance planning: • The establishment of the Data Protection Board of India and its operational procedures took place with immediate effect on 14 November 2025. • The framework for the registration and detailed obligations of consent managers to act as a point of contact to enable a data principals to give, manage, review and withdraw consent, comes into force a year later on 13 November 2026. • The core compliance duties, including notice, security safeguards, breach intimation, significant data fiduciary obligations, and data principal rights, begin to apply 18 months later on 13 May 2027.
152 CHAMBERS.COM
Powered by FlippingBook