



Explore the intricacies of data sharing in India, focusing on compliance with the Digital Personal Data Protection Act 2023 (DPDPA). Learn about the importance of Data Sharing Agreements (DSAs) and discover key elements, best practices, and legal considerations for businesses. Ensure responsible and ethical data sharing while mitigating legal risks with this comprehensive guide.
India is one of the fastest-growing digital economies in the world. With over 1.4 billion internet users, India is a treasure trove of data for businesses. However, the collection, use, and disclosure of data in India are subject to a number of laws and regulations.
One of the key laws that governs data sharing in India is the Digital Personal Data Protection Act 2023 (DPDPA). The DPDPA requires businesses to obtain consent from data subjects before collecting or using their personal data. The DPDPA also imposes certain restrictions on the transfer of personal data outside of India.
In order to share data in compliance with the DPDPA, businesses should enter into a contract. In particular, section 8 paragraph 2 of the Act clearly states: “A Data Fiduciary may engage, appoint, use, or otherwise involve a Data Processor to process personal data on its behalf for any activity related to the offering of goods or services to Data Principals only under a valid contract.”
This can be covered with data sharing agreements (DSAs). DSAs are legally binding contracts that govern how data is shared between two or more parties. A well-drafted DSA will help businesses to ensure that data is shared in a responsible and ethical manner, mitigate legal risks, and build trust with their customers and partners.
A Data Sharing Agreement (DSA) is a legally binding contract between two or more parties that outlines the terms and conditions under which data will be shared. DSAs are typically used when businesses need to share data with each other in order to collaborate on projects, provide services to customers, or improve their products and services. In short, a DSA will cover the requirements as stated in section 8 paragraph 2 of the Indian DPDPA.
According to the India DPDPA, contracts are required for all data sharing activities, regardless of whether the data is being shared within India or outside of India.
A contract is required whenever a business (Data Fiduciary) is sharing personal data with another party (Data Processor), regardless of whether the other party is located in India or outside of India. This includes sharing personal data with third-party vendors, partners, or other businesses.
Here are some specific examples of when a contract is required under the DPDPA:
Even if a business is not required to enter into a contract under the DPDPA, it may still be beneficial to do so.
In general, the purpose of a DSA is to ensure that data is shared in a responsible and ethical manner. DSAs typically include provisions that specify the following:
DSAs can also include provisions that address other important issues, such as:
Valid contracts are necessary to process data on behalf of the Data Fiduciary. Therefore, DSAs are important in India for a number of reasons. First, they help businesses to comply with the DPDPA. The DPDPA requires businesses to obtain consent from individuals before collecting, using, or sharing their personal data. A DSA can help businesses to obtain and document consent from individuals before sharing their data with other businesses.
Second, DSAs can help businesses to mitigate legal risks. The DPDPA imposes a number of obligations on businesses that collect and process personal data. For example, businesses must implement appropriate security measures to protect personal data and must delete personal data when it is no longer needed.
Third, DSAs can help businesses to build trust with their customers and partners. By entering into a DSA, businesses are demonstrating their commitment to protecting the privacy of their customers' data. This can lead to increased customer loyalty and improved relationships with partners.
The India DPDPA does not clearly prescribe what each processing contract shall contain. It states only that there must be a valid contract.
However, the GDPR does specify what a well-drafted DSA should include, so we list these elements here:
When drafting a DSA, in addition to the standard clauses, consider the following:
Yes, you need to have a valid contract or DSA for your business under the India DPDPA if you collect, use or share personal data with third parties. In particular, if you are a data processor, you need to enter into a valid contract or DSA with the data controller. While the Indian DPDPA does not specify what the valid contract should contain, a DSA may include the terms and conditions of personal data sharing, such as the purpose of data sharing, the types of data being shared, the security measures that the recipient of the data must implement, the retention period, and the deletion procedure.
A Non-Disclosure Agreement (NDA) is a legally binding contract that obligates the parties to keep confidential any information that is shared between them. NDAs are typically used when businesses need to share confidential information with each other, such as trade secrets or proprietary data. Under a relationship of confidentiality, at least one of the parties must not disclose any information without permission. In other words, an NDA is a contract that prohibits one from sharing any information.
The key difference between a DSA and an NDA is that a DSA specifically addresses the sharing of data. DSAs typically include more detailed provisions about the types of data that can be shared, the purpose for which the data is being shared, and the security measures that must be taken to protect the data.
A Memorandum of Understanding (MOU) is a legal document that can be used to govern the relationship between two or more parties. MOUs are typically used to outline the general principles or terms of a relationship between two or more parties. MOUs may include provisions about the goals of the relationship, the roles and responsibilities of each party, and the procedures that will be used to resolve disputes.
DSAs and MOUs are both useful tools for governing relationships between two or more parties. However, it is important to choose the right document for the specific situation. If the relationship is complex or involves the sharing of sensitive data, a DSA is typically the better choice. If the relationship is less complex and does not involve the sharing of sensitive data, an MOU may be sufficient.
Government departments and other public bodies, such as regulators and law enforcement bodies, may enter into a memorandum of understanding with each other that includes data sharing provisions and fulfils the role of a data-sharing agreement.
The Digital Personal Data Protection Act 2023 (DPDPA) is the primary data protection law in India. The DPDPA was passed by the Indian Parliament in August 2023 and is expected to come into force in 2024.
The DPDPA is a comprehensive law that covers the collection, use, storage, disclosure, and transfer of personal data. The DPDPA also gives individuals certain rights over their personal data, such as the right to access their data, the right to have their data corrected or deleted, and the right to withdraw consent for the processing of their data.
The DPDPA applies to all businesses that collect, use, or store personal data, regardless of their location. However, there are exemptions for certain types of businesses, such as government agencies and businesses that process data for national security purposes.
The DPDPA defines personal data as "any data about an individual who is identifiable by or in relation to such data". This includes any data that can be used to directly or indirectly identify an individual, such as their name, address, phone number, email address, IP address, biometric data, or financial information.
Non-personal data is any data that does not identify an individual. This may include data such as aggregated data, anonymized data, or de-identified data.
The DPDPA applies to all businesses that collect, use, or store personal data, regardless of their location. This includes businesses that operate in India, businesses that target Indian customers, and businesses that transfer personal data outside of India.
The DPDPA imposes a number of obligations on businesses that collect, use, or store personal data. These obligations include:
The DPDPA also imposes a number of restrictions on the transfer of personal data outside of India. Businesses that transfer personal data outside of India must ensure that the receiving entity complies with the DPDPA's data localization requirements.
The key difference between personal and non-personal data is that personal data can be used to identify an individual, while non-personal data cannot. Personal data is typically more sensitive than non-personal data, and businesses need to take additional precautions to protect personal data.
The DPDPA includes the following key features:
The DPDPA is expected to provide a number of benefits to individuals and businesses in India. For individuals, the DPDPA will give them greater control over their personal data and help to protect their privacy. For businesses, the DPDPA will provide clarity on the rules for data protection and help them to build trust with their customers.
The current India DPDPA supersedes the draft PDP Bill, which encompasses different forms of personal data and its protection with a centralized data protection authority or regulator. It widens the rights of an individual with respect to their personal data and its protection. There are penalties outlined in the bill for non-compliance as well. The application of the draft bill is extraterritorial in nature and would also make foreign organizations liable for any breach of the subjects' personal data if a reasonable nexus is established between the foreign organization and the subject with respect to that breach.
Like every other sector, the health sector has been digitized. With applications ranging from online consultation to medicine delivery and laboratory tests, the personal health data of the subjects is all over the internet and is prone to the risk of a privacy breach.
The Digital Information Security in Healthcare Act (‘DISHA’), when enacted, would be India’s first health-data-specific legislation and will come with provisions governing the storage and exchange of the subjects' health data. It provides for a stricter privacy and security programme for digital health data, with a central and a state-level regulatory authority for enforcement and adjudication.
This would elaborate on the different types of Non-Personal Data that may be collected and stipulate what private and public rights are associated with it. There would be a separate regulatory body to regulate the data sharing process of such data and private entities are exempted from any such transfer.
DSAs are essential tools for businesses that share data in India. By entering into a well-drafted DSA, businesses can ensure that data is shared in compliance with the DPDPA and other applicable laws and regulations. This will help businesses to mitigate legal risks, build trust with their customers and partners, and protect the privacy of data subjects.