India's Data Sharing Agreement:A Comprehensive Guide to Data Protection and Non-Disclosure Agreements under India Digital Personal Data Protection Act

What is a Data Sharing Agreement?

A Data Sharing Agreement (DSA) is a legally binding contract between two or more parties that outlines the terms and conditions under which data will be shared. DSAs are typically used when businesses need to share data with each other in order to collaborate on projects, provide services to customers, or improve their products and services. In short, a DSA will cover the requirements as stated in section 8 paragraph 2 of the Indian DPDPA. 

According to India DPDPA, contracts are required for all data sharing activities, regardless of whether the data is being shared within India or outside of India.

When do we need a contract or DSA under India DPDPA?

A contract is required whenever a business (Data Fiduciary) is sharing personal data with another party (Data Processor), regardless of whether the other party is located in India or outside of India. This includes sharing personal data with third-party vendors, partners, or other businesses.

Here are some specific examples of when a contract is required under the DPDPA:

• A business that uses a cloud computing service to store customer data needs to enter into a DSA with the cloud computing provider.
• A business that uses a third-party data analytics company to analyze customer data needs to enter into a DSA with the data analytics company.
• A business that partners with another business to jointly market or sell products or services needs to enter into a DSA with the partner business.
• A business that is acquiring another business needs to enter into a DSA with the business that it is acquiring.
• A business that is transferring personal data outside of India needs to enter into a DSA with the entity that will be receiving the data.

Even if a business is not required to enter into a contract under the DPDPA, it may still be beneficial to do so.

Why do we need a DSA?

In general, the purpose of a DSA is to ensure that data is shared in a responsible and ethical manner. DSAs typically include provisions that specify the following:

• The types of data that can be shared
• The purpose for which the data is being shared
• The security measures that must be taken to protect the data
• The retention period for the data
• The process for deleting the data when it is no longer needed

DSAs can also include provisions that address other important issues, such as:

• Intellectual property rights
• Liability for data breaches
• Dispute resolution

Why are contracts or DSAs important in India?

Valid contracts are necessary to process data on behalf of the Data Fiduciary. Therefore, DSAs are important in India for a number of reasons. First, they help businesses to comply with the DPDPA. The DPDPA requires businesses to obtain consent from individuals before collecting, using, or sharing their personal data. A DSA can help businesses to obtain and document consent from individuals before sharing their data with other businesses.

Second, DSAs can help businesses to mitigate legal risks. The DPDPA imposes a number of obligations on businesses that collect and process personal data. For example, businesses must implement appropriate security measures to protect personal data and must delete personal data when it is no longer needed.

Third, DSAs can help businesses to build trust with their customers and partners. By entering into a DSA, businesses are demonstrating their commitment to protecting the privacy of their customers' data. This can lead to increased customer loyalty and improved relationships with partners.

Key elements of a DSA in India

The India DPDPA does not clearly prescribe what each processing contract shall contain. It states only that there must be a valid contract.

However, the GDPR does specifiy what a well-drafted DSA should include, thus we list these elements here:

• Parties: The DSA should clearly identify the parties who are sharing the data.
• Purpose: The DSA should specify the purpose for which the data is being shared.
• Types of data: The DSA should specify the types of data that can be shared.
• Security: The DSA should specify the security measures that must be taken to protect the data. This may include measures such as encrypting the data, storing it on secure servers, and limiting access to the data to authorized personnel.
• Retention: The DSA should specify how long the data can be retained by the receiving party.
• Deletion: The DSA should specify how the data should be deleted when it is no longer needed.
• Audit: The DSA should include an audit clause that allows the disclosing party to audit the receiving party's compliance with the terms of the DSA.
• Consent: The disclosing party must obtain consent from the data subject before sharing their personal data with the receiving party.
• Data localization: Certain types of personal data must be stored in India. DSAs must take into account these data localization requirements.
• Cross-border data transfers: If the DSA involves the transfer of personal data outside of India, the disclosing party must ensure that the transfer is compliant with the PDPA. This may involve entering into a data transfer agreement with the receiving party.

For a more in-depth look at a sample DSA, you can checHowever, the GDPR does specifiy what a well-drafted DSA should include, thus we list these elements here:

Best practices for drafting DSAs in India

When drafting a DSA, in addition to the standard clauses, consider the following:

1. Data Sharing Agreements should clearly and specifically state the types of data being shared, the purpose for sharing, and whether the data is public or personal. Public data is available to the public and has negligible security and protection requirements. Personal data is subject to stricter data protection and security requirements, and cannot be shared without the subject's prior permission.
2. Example clause:
3. Purpose of the Agreement: This Agreement facilitates the submission of data to Company X for the creation, use, and maintenance of a system of integrated social, health, and educational data concerning citizens of Country Z. The data will be used to obtain a more complete understanding of service needs, service gaps, and the impact of services.
4. Data Sharing: [Subject] agrees to allow the disclosure of personally identifiable information to the entities shown in Exhibit A to this Agreement, provided that (i) appropriate consent or authorization has been obtained from the individual or the individual's parent or guardian, and (ii) role-based access control is assigned as specified in Exhibit A.
5. The data sharing period must be clearly stated in the Agreement, along with the duration for which the other party can use the data and what will happen to the shared data after termination, whether it will be returned or destroyed.
6. Example clause:
7. Term: This Agreement shall be in effect for five years from the Effective Date unless terminated earlier in accordance with the Termination clause. The parties may renew the Agreement by mutual decision after the Term ends.
8. Termination: Either party may terminate this Agreement by giving thirty (30) days' written notice to the other party. Upon termination, the parties shall, upon request, (1) delete all data containing personally identifiable information obtained under this Agreement, and (2) certify in writing within ten (10) business days that all copies of the data stored on cloud-based or local servers, backup servers, backup media, or other media have been permanently erased or destroyed.

Do I need DSAs for my business under India DPDA?

Yes, you need to have a valid contract or DSA for your business under the India DPDA if you collect, use or share personal data with third parties. In particular, if you are a data processor, you need to enter into a valid contract or DSA with the data controller. While the Indian DPDPA does not specify what the valid contract should contain, a DSA may include the terms and conditions of personal data sharing, such as the purpose of data sharing, the types of data being shared, the security measures that the recipient of the data must implement, the retention period, and the deletion procedure.

What is the difference between a DSA and a Non-Disclosure Agreement?

A Non-Disclosure Agreement (NDA) is a legally binding contract that obligates the parties to keep confidential any information that is shared between them. NDAs are typically used when businesses need to share confidential information with each other, such as trade secrets or proprietary data. As per a relationship of confidentiality, at least one of the parties must not disclose any information without permission. In other terms, NDA is a contract that prohibits one from sharing any information.

The key difference between a DSA and an NDA is that a DSA specifically addresses the sharing of data. DSAs typically include more detailed provisions about the types of data that can be shared, the purpose for which the data is being shared, and the security measures that must be taken to protect the data.

What is the difference between a DSA and a MOU?

A Memorandum of Understanding (MOU) is a legal document that can be used to govern the relationship between two or more parties. MOUs are typically used to outline the general principles or terms of a relationship between two or more parties. MOUs may include provisions about the goals of the relationship, the roles and responsibilities of each party, and the procedures that will be used to resolve disputes.

DSAs and MOUs are both useful tools for governing relationships between two or more parties. However, it is important to choose the right document for the specific situation. If the relationship is complex or involves the sharing of sensitive data, a DSA is typically the better choice. If the relationship is less complex and does not involve the sharing of sensitive data, an MOU may be sufficient.

Government departments and other public bodies like regulators, law enforcement bodies may enter into a memorandum of understanding with each other that includes data sharing provisions and fulfils the role of a data-sharing agreement.

What is India Digital Personal Data Protection Act 2023?

The Digital Personal Data Protection Act 2023 (DPDPA) is the primary data protection law in India. The DPDPA was passed by the Indian Parliament in August 2023 and is expected to come into force in 2024.

The DPDPA is a comprehensive law that covers the collection, use, storage, disclosure, and transfer of personal data. The DPDPA also gives individuals certain rights over their personal data, such as the right to access their data, the right to have their data corrected or deleted, and the right to withdraw consent for the processing of their data.

The DPDPA applies to all businesses that collect, use, or store personal data, regardless of their location. However, there are certain exemptions for certain types of businesses, such as government agencies and businesses that process data for national security purposes.

Personal data and non-personal data under India DPDPA

DPDPDA defines personal data as "any data about an individual who is identifiable by or in relation to such data". This includes any data that can be used to directly or indirectly identify an individual, such as their name, address, phone number, email address, IP address, biometric data, or financial information.

Non-personal data is any data that does not identify an individual. This may include data such as aggregated data, anonymized data, or de-identified data.

The DPDPA applies to all businesses that collect, use, or store personal data, regardless of their location. This includes businesses that operate in India, businesses that target Indian customers, and businesses that transfer personal data outside of India.

The DPDPA imposes a number of obligations on businesses that collect, use, or store personal data. These obligations include:

• Obtaining consent from individuals before collecting, using, or sharing their personal data
• Implementing appropriate security measures to protect personal data
• Deleting personal data when it is no longer needed
• Providing individuals with access to their personal data
• Allowing individuals to correct or delete their personal data

The DPDPA also imposes a number of restrictions on the transfer of personal data outside of India. Businesses that transfer personal data outside of India must ensure that the receiving entity complies with the DPDPA's data localization requirements.

Difference between personal and non-personal data

The key difference between personal and non-personal data is that personal data can be used to identify an individual, while non-personal data cannot. Personal data is typically more sensitive than non-personal data, and businesses need to take additional precautions to protect personal data.

Key Features of the DPDPA

The DPDPA includes the following key features:

• Consent: The DPDPA requires businesses to obtain consent from individuals before collecting, using, or storing their personal data.Consent must be free, specific, informed, and unambiguous.
• Data localization: The DPDPA requires certain types of personal data to be stored in India. This includes sensitive personal data,such as biometric data and financial data.
• Data sharing: The DPDPA restricts the sharing of personal data with third parties. Businesses can only share personal data with third parties if they have obtained consent from the data subject or if the sharing is necessary for the purpose for which the data was collected.
• Data subject rights: The DPDPA gives individuals certain rights over their personal data, such as the right to access their data, the right to have their data corrected or deleted, and the right to withdraw consent for the processing of their data.
• Enforcement: The DPDPA establishes a Data Protection Authority to enforce the provisions of the law. The Data Protection Authority has the power to investigate complaints, issue orders to businesses, and impose fines.

Future rules under India DPDP Phase 2 may introduce stricter conditions for cross‑border data sharing and localization.

Benefits of the DPDPA

The DPDPA is expected to provide a number of benefits to individuals and businesses in India. For individuals, the DPDPA will give them greater control over their personal data and help to protect their privacy. For businesses, the DPDPA will provide clarity on the rules for data protection and help them to build trust with their customers. Staying ahead of India DPDP Phase 2 requirements will help ensure that your data‑sharing agreements remain compliant as the framework evolves.

Are there other data protection laws in India?

Personal Data Protection Bill, 2019

The current India DPDPA overwrites the draft PDP Bill, which encompass different forms of personal data and its protection with a centralized data protection authority or regulator. It widens the rights of an individual with respect to their personal data and its protection. There are penalties outlined in the bill for non-compliance as well. The application of the draft bill is extraterritorial in its nature and would also make foreign organizations liable for any breach of personal data of the subjects if a reasonable nexus is being established between the foreign organization and the subject with respect to a breach of personal data.

Digital Information Security in Healthcare Act, 2017

Like every other sector, even the health sector has been digitized. With applications ranging from online consultation, medicine delivery and laboratory tests, the personal health data of the subjects are all over the internet and is prone to the risk of the privacy breach.

Digital Information Security in Healthcare Act (‘DISHA’) when enacted would be India’s first Health Data specific legislation and will come with provisions governing the storage and exchange of health data of the subjects. Stricter privacy and security programme for digital health data and with a central and a state-level regulatory authority for the enforcement and adjudication of the same.

Non-Personal Data Governance Framework

This would elaborate on the different types of Non-Personal Data that may be collected and stipulate what private and public rights are associated with it. There would be a separate regulatory body to regulate the data sharing process of such data and private entities are exempted from any such transfer. 

Conclusion

DSAs are essential tools for businesses that share data in India. By entering into a well-drafted DSA, businesses can ensure that data is shared in compliance with the DPDPA and other applicable laws and regulations. This will help businesses to mitigate legal risks, build trust with their customers and partners, and protect the privacy of data subjects.