February 20, 2024

India's Data Sharing Agreement: A Comprehensive Guide to Data Protection and Non-Disclosure Agreements under India Digital Personal Data Protection Act

Explore the intricacies of data sharing in India, focusing on compliance with the Digital Personal Data Protection Act 2023 (DPDPA). Learn about the importance of Data Sharing Agreements (DSAs) and discover key elements, best practices, and legal considerations for businesses. Ensure responsible and ethical data sharing while mitigating legal risks with this comprehensive guide.

India is one of the fastest-growing digital economies in the world. With over 1.4 billion internet users, India is a treasure trove of data for businesses. However, the collection, use, and disclosure of data in India is subject to a number of laws and regulations.

One of the key laws that governs data sharing in India is the Digital Personal Data Protection Act 2023 (DPDPA). The DPDPA requires businesses to obtain consent from data subjects before collecting or using their personal data. The DPDPA also imposes certain restrictions on the transfer of personal data outside of India.

In order to share data in compliance with the DPDPA, businesses should enter into a contract. In particular, section 8 paragraph 2 of the Act clearly states: “A Data Fiduciary may engage, appoint, use, or otherwise involve a Data Processor to process personal data on its behalf for any activity related to the offering of goods or services to Data Principals only under a valid contract.”
This can be covered with data sharing agreements (DSAs). DSAs are legally binding contracts that govern how data is shared between two or more parties. A well-drafted DSA will help businesses to ensure that data is shared in a responsible and ethical manner, mitigate legal risks, and build trust with their customers and partners.

What is a Data Sharing Agreement?

A Data Sharing Agreement (DSA) is a legally binding contract between two or more parties that outlines the terms and conditions under which data will be shared. DSAs are typically used when businesses need to share data with each other in order to collaborate on projects, provide services to customers, or improve their products and services. In short, a DSA will cover the requirements as stated in section 8 paragraph 2 of the Indian DPDPA. 

According to India DPDPA, contracts are required for all data sharing activities, regardless of whether the data is being shared within India or outside of India.

When do we need a contract or DSA under India DPDPA?

A contract is required whenever a business (Data Fiduciary) is sharing personal data with another party (Data Processor), regardless of whether the other party is located in India or outside of India. This includes sharing personal data with third-party vendors, partners, or other businesses.

Here are some specific examples of when a contract is required under the DPDPA:

  • A business that uses a cloud computing service to store customer data needs to enter into a DSA with the cloud computing provider.
  • A business that uses a third-party data analytics company to analyze customer data needs to enter into a DSA with the data analytics company.
  • A business that partners with another business to jointly market or sell products or services needs to enter into a DSA with the partner business.
  • A business that is acquiring another business needs to enter into a DSA with the business that it is acquiring.
  • A business that is transferring personal data outside of India needs to enter into a DSA with the entity that will be receiving the data.

Even if a business is not required to enter into a contract under the DPDPA, it may still be beneficial to do so.

Why do we need a DSA?

In general, the purpose of a DSA is to ensure that data is shared in a responsible and ethical manner. DSAs typically include provisions that specify the following:

  • The types of data that can be shared
  • The purpose for which the data is being shared
  • The security measures that must be taken to protect the data
  • The retention period for the data
  • The process for deleting the data when it is no longer needed

DSAs can also include provisions that address other important issues, such as:

  • Intellectual property rights
  • Liability for data breaches
  • Dispute resolution

Why are contracts or DSAs important in India?

Valid contracts are necessary to process data on behalf of the Data Fiduciary. Therefore, DSAs are important in India for a number of reasons. First, they help businesses to comply with the DPDPA. The DPDPA requires businesses to obtain consent from individuals before collecting, using, or sharing their personal data. A DSA can help businesses to obtain and document consent from individuals before sharing their data with other businesses.

Second, DSAs can help businesses to mitigate legal risks. The DPDPA imposes a number of obligations on businesses that collect and process personal data. For example, businesses must implement appropriate security measures to protect personal data and must delete personal data when it is no longer needed.

Third, DSAs can help businesses to build trust with their customers and partners. By entering into a DSA, businesses are demonstrating their commitment to protecting the privacy of their customers' data. This can lead to increased customer loyalty and improved relationships with partners.

Key elements of a DSA in India

The India DPDPA does not clearly prescribe what each processing contract shall contain. It states only that there must be a valid contract.

However, the GDPR does specifiy what a well-drafted DSA should include, thus we list these elements here:

  • Parties: The DSA should clearly identify the parties who are sharing the data.
  • Purpose: The DSA should specify the purpose for which the data is being shared.
  • Types of data: The DSA should specify the types of data that can be shared.
  • Security: The DSA should specify the security measures that must be taken to protect the data. This may include measures such as encrypting the data, storing it on secure servers, and limiting access to the data to authorized personnel.
  • Retention: The DSA should specify how long the data can be retained by the receiving party.
  • Deletion: The DSA should specify how the data should be deleted when it is no longer needed.
  • Audit: The DSA should include an audit clause that allows the disclosing party to audit the receiving party's compliance with the terms of the DSA.
  • Consent: The disclosing party must obtain consent from the data subject before sharing their personal data with the receiving party.
  • Data localization: Certain types of personal data must be stored in India. DSAs must take into account these data localization requirements.
  • Cross-border data transfers: If the DSA involves the transfer of personal data outside of India, the disclosing party must ensure that the transfer is compliant with the PDPA. This may involve entering into a data transfer agreement with the receiving party.

The GDPR does specify what a well-drafted DSA should include, thus we list these elements here:

Best practices for drafting DSAs in India

When drafting a DSA, in addition to the standard clauses, consider the following:

  1. Data Sharing Agreements should clearly and specifically state the types of data being shared, the purpose for sharing, and whether the data is public or personal. Public data is available to the public and has negligible security and protection requirements. Personal data is subject to stricter data protection and security requirements, and cannot be shared without the subject's prior permission.
  2. Example clause:
  3. Purpose of the Agreement: This Agreement facilitates the submission of data to Company X for the creation, use, and maintenance of a system of integrated social, health, and educational data concerning citizens of Country Z. The data will be used to obtain a more complete understanding of service needs, service gaps, and the impact of services.
  4. Data Sharing: [Subject] agrees to allow the disclosure of personally identifiable information to the entities shown in Exhibit A to this Agreement, provided that (i) appropriate consent or authorization has been obtained from the individual or the individual's parent or guardian, and (ii) role-based access control is assigned as specified in Exhibit A.
  5. The data sharing period must be clearly stated in the Agreement, along with the duration for which the other party can use the data and what will happen to the shared data after termination, whether it will be returned or destroyed.
  6. Example clause:
  7. Term: This Agreement shall be in effect for five years from the Effective Date unless terminated earlier in accordance with the Termination clause. The parties may renew the Agreement by mutual decision after the Term ends.
  8. Termination: Either party may terminate this Agreement by giving thirty (30) days' written notice to the other party. Upon termination, the parties shall, upon request, (1) delete all data containing personally identifiable information obtained under this Agreement, and (2) certify in writing within ten (10) business days that all copies of the data stored on cloud-based or local servers, backup servers, backup media, or other media have been permanently erased or destroyed.
  9. The Agreement should specify whether the data is for limited or unlimited use, and whether it can be stored, protected, and transmitted. The Agreement should also state whether the receiving party can use the data for a single purpose only, or whether it can be used repeatedly as needed. Additionally, the Agreement should specify whether the receiving party can share the data with other third parties, subsidiaries, or affiliates, and to what extent.
  10. Example clause:
  11. Data Use: Company X and Organization Y will be joint custodians of the raw and linked data sets and will be responsible for complying with all conditions for use and for establishing and maintaining security arrangements as specified in this Agreement to prevent unauthorized access.
  12. Data Storage and Protection: Unless otherwise stated or modified in this Agreement, Company X and Organization Y shall manage, link, and store data as specified in Exhibit C to this Agreement.
  13. Data Sharing: Company X will not use Confidential Information for any purpose other than the purposes specified in this agreement. Company X and Organization Y will fully cooperate with [Subject] in the event that an adult individual or the parent or guardian of a minor under 18 years old requests to review their personally identifiable information disclosed to Company X and/or Organization Y by [Subject] or wishes to revoke their consent to data sharing with the Company X and/or Organization Y. [Subject] will notify the Camden Coalition and CFS in the event it obtains written consent for data sharing with the Company X and Organization Y, a revocation of consent to share data with the Company X and Organization Y, or a request to review personally identifiable information stored by the Camden Company X and Organization Y from an adult or parent/guardian of a minor under 18 years old.
  14. Third-Party Sharing: [Subject] will not release any data it receives as a result of its participation in this Agreement to any third parties not specifically authorized to have access to such data under this Agreement.
  15. The type of data being shared sets the tone for the entire agreement. For example, if the data is personally identifiable and highly restricted, it should be subject to intense scrutiny and safeguards. Conversely, anonymous information will require fewer safeguards.
  16. Example clause:
  17. Data Security and Confidentiality: The Provider will provide the Data in a sufficiently secure manner, and the Parties will handle all Data in accordance with applicable data protection laws and keep the Data confidential.
  18. Recipient as Data Controller: With respect to the Data, the Recipient will be considered a separate data controller under applicable data protection laws for the processing of the Data for the Recipient's research plan.
  19. Recipient's Technical and Organizational Measures: The Recipient will implement appropriate technical and organizational measures to meet the requirements for data controllers under applicable data protection laws.
  20. Notification of Personal Data Breach: If the Recipient becomes aware of a personal data breach, the Recipient will promptly notify the Provider. In such a case, the Parties will fully cooperate to remedy the personal data breach, fulfill statutory notification obligations promptly, and cure any damages. The term "personal data breach" refers to Articles 33 and 34 of the GDPR.
  21. Subject Withdrawal of Consent: If the Subject withdraws their consent to the use of the Data, the Provider will supply the Recipient with sufficient information, and the Recipient will immediately cease all use of the relevant Data and delete all copies of the relevant Data. Upon request from the Provider, the Recipient will confirm in writing the complete deletion of the Data.
  22. Provider as Data Controller: The Provider will be the data controller of the Data under the GDPR until the moment the Data is provided to the Recipient.
  23. Data protection provisions should be twofold: (1) protecting data and security through storage and transmission clauses, and (2) protecting trade secrets and other IP rights with a separate clause that clearly states ownership during and after the contract, as well as how the receiving party can use the disclosing party's IP rights.
  24. Example clause:
  25. All rights, titles, and interests in Subject Data remain the property of Subject. The Provider has no intellectual property rights or other claims to Subject Data that is hosted, stored, or transferred to and from the products or cloud services platform provided by Provider, or to Subject's Confidential Information. The Provider will cooperate with Subject to protect Subject's intellectual property rights and Subject Data, and will promptly notify Subject if it becomes aware of any potential infringement of those rights in accordance with this Agreement.
  26. Data subjects must always consent to their personal data being shared, and the extent of sharing and use must be agreed upon. Any deviation from the agreed-upon sharing constitutes a breach of contract.
  27. Example clause:
  28. Provider Responsibilities: The Provider is responsible for obtaining the Subject's permission and authorization before using or disclosing any of the Subject's personal data to the Recipient.
  29. The cost of sharing data should be addressed in the Data Sharing Agreement, depending on the amount of data, its format, and availability. For example, who will bear the cost of storage devices, data copying, and data transfer?
  30. Example clause:
  31. Data Sharing Costs: The Recipient shall bear the cost of storage devices, data copying, and data transfer for the 50 TB of digital data provided by the Provider.
  32. Even in cases where data sharing is required, it should not be shared if:
  33. - The disclosing party does not own the intellectual property rights.
  34. - The subjects have opted out of data sharing.
  35. - The data is embargoed or restricted by pre-existing agreements.
  36. - The data is involved in litigation.
  37. The Liability clause should clearly specify the consequences for parties that breach any contractual obligations, such as disclosing data to unauthorized parties.
  38. Sample clause:
  39. Provider agrees to monitor and maintain its data security measures, and to notify and cooperate with the Recipient if there is any unauthorized access or breach of data. Provider will defend and indemnify the Recipient from any third-party claims arising from Provider's breach of this clause, except to the extent caused by the Recipient's own actions.

Do I need DSAs for my business under India DPDA?

Yes, you need to have a valid contract or DSA for your business under the India DPDA if you collect, use or share personal data with third parties. In particular, if you are a data processor, you need to enter into a valid contract or DSA with the data controller. While the Indian DPDPA does not specify what the valid contract should contain, a DSA may include the terms and conditions of personal data sharing, such as the purpose of data sharing, the types of data being shared, the security measures that the recipient of the data must implement, the retention period, and the deletion procedure.

What is the difference between a DSA and a Non-Disclosure Agreement?

A Non-Disclosure Agreement (NDA) is a legally binding contract that obligates the parties to keep confidential any information that is shared between them. NDAs are typically used when businesses need to share confidential information with each other, such as trade secrets or proprietary data. As per a relationship of confidentiality, at least one of the parties must not disclose any information without permission. In other terms, NDA is a contract that prohibits one from sharing any information.

The key difference between a DSA and an NDA is that a DSA specifically addresses the sharing of data. DSAs typically include more detailed provisions about the types of data that can be shared, the purpose for which the data is being shared, and the security measures that must be taken to protect the data.

What is the difference between a DSA and a MOU?

A Memorandum of Understanding (MOU) is a legal document that can be used to govern the relationship between two or more parties. MOUs are typically used to outline the general principles or terms of a relationship between two or more parties. MOUs may include provisions about the goals of the relationship, the roles and responsibilities of each party, and the procedures that will be used to resolve disputes.

DSAs and MOUs are both useful tools for governing relationships between two or more parties. However, it is important to choose the right document for the specific situation. If the relationship is complex or involves the sharing of sensitive data, a DSA is typically the better choice. If the relationship is less complex and does not involve the sharing of sensitive data, an MOU may be sufficient.

Government departments and other public bodies like regulators, law enforcement bodies may enter into a memorandum of understanding with each other that includes data sharing provisions and fulfils the role of a data-sharing agreement.

What is India Digital Personal Data Protection Act 2023?

The Digital Personal Data Protection Act 2023 (DPDPA) is the primary data protection law in India. The DPDPA was passed by the Indian Parliament in August 2023 and is expected to come into force in 2024.

The DPDPA is a comprehensive law that covers the collection, use, storage, disclosure, and transfer of personal data. The DPDPA also gives individuals certain rights over their personal data, such as the right to access their data, the right to have their data corrected or deleted, and the right to withdraw consent for the processing of their data.

The DPDPA applies to all businesses that collect, use, or store personal data, regardless of their location. However, there are certain exemptions for certain types of businesses, such as government agencies and businesses that process data for national security purposes.

Personal data and non-personal data under India DPDPA

DPDPDA defines personal data as "any data about an individual who is identifiable by or in relation to such data". This includes any data that can be used to directly or indirectly identify an individual, such as their name, address, phone number, email address, IP address, biometric data, or financial information.

Non-personal data is any data that does not identify an individual. This may include data such as aggregated data, anonymized data, or de-identified data.

The DPDPA applies to all businesses that collect, use, or store personal data, regardless of their location. This includes businesses that operate in India, businesses that target Indian customers, and businesses that transfer personal data outside of India.

The DPDPA imposes a number of obligations on businesses that collect, use, or store personal data. These obligations include:

  • Obtaining consent from individuals before collecting, using, or sharing their personal data
  • Implementing appropriate security measures to protect personal data
  • Deleting personal data when it is no longer needed
  • Providing individuals with access to their personal data
  • Allowing individuals to correct or delete their personal data

The DPDPA also imposes a number of restrictions on the transfer of personal data outside of India. Businesses that transfer personal data outside of India must ensure that the receiving entity complies with the DPDPA's data localization requirements.

Difference between personal and non-personal data

The key difference between personal and non-personal data is that personal data can be used to identify an individual, while non-personal data cannot. Personal data is typically more sensitive than non-personal data, and businesses need to take additional precautions to protect personal data.

Key Features of the DPDPA

The DPDPA includes the following key features:

  • Consent: The DPDPA requires businesses to obtain consent from individuals before collecting, using, or storing their personal data.Consent must be free, specific, informed, and unambiguous.
  • Data localization: The DPDPA requires certain types of personal data to be stored in India. This includes sensitive personal data,such as biometric data and financial data.
  • Data sharing: The DPDPA restricts the sharing of personal data with third parties. Businesses can only share personal data with third parties if they have obtained consent from the data subject or if the sharing is necessary for the purpose for which the data was collected.
  • Data subject rights: The DPDPA gives individuals certain rights over their personal data, such as the right to access their data, the right to have their data corrected or deleted, and the right to withdraw consent for the processing of their data.
  • Enforcement: The DPDPA establishes a Data Protection Authority to enforce the provisions of the law. The Data Protection Authority has the power to investigate complaints, issue orders to businesses, and impose fines.

Benefits of the DPDPA

The DPDPA is expected to provide a number of benefits to individuals and businesses in India. For individuals, the DPDPA will give them greater control over their personal data and help to protect their privacy. For businesses, the DPDPA will provide clarity on the rules for data protection and help them to build trust with their customers.

Are there other data protection laws in India?

Personal Data Protection Bill, 2019

The current India DPDPA overwrites the draft PDP Bill, which encompass different forms of personal data and its protection with a centralized data protection authority or regulator. It widens the rights of an individual with respect to their personal data and its protection. There are penalties outlined in the bill for non-compliance as well. The application of the draft bill is extraterritorial in its nature and would also make foreign organizations liable for any breach of personal data of the subjects if a reasonable nexus is being established between the foreign organization and the subject with respect to a breach of personal data.

Digital Information Security in Healthcare Act, 2017

Like every other sector, even the health sector has been digitized. With applications ranging from online consultation, medicine delivery and laboratory tests, the personal health data of the subjects are all over the internet and is prone to the risk of the privacy breach.

Digital Information Security in Healthcare Act (‘DISHA’) when enacted would be India’s first Health Data specific legislation and will come with provisions governing the storage and exchange of health data of the subjects. Stricter privacy and security programme for digital health data and with a central and a state-level regulatory authority for the enforcement and adjudication of the same.

Non-Personal Data Governance Framework

This would elaborate on the different types of Non-Personal Data that may be collected and stipulate what private and public rights are associated with it. There would be a separate regulatory body to regulate the data sharing process of such data and private entities are exempted from any such transfer. 

Conclusion

DSAs are essential tools for businesses that share data in India. By entering into a well-drafted DSA, businesses can ensure that data is shared in compliance with the DPDPA and other applicable laws and regulations. This will help businesses to mitigate legal risks, build trust with their customers and partners, and protect the privacy of data subjects.

Start your Free Trial