Data Processors in India’s Data Privacy Era: Hidden Risks and Contractual Lacuna

April 30, 2025

INTRODUCTION

The implementation of India’s Digital Personal Data Protection Act, 2023 (DPDP Act) marks a significant development in the country’s data governance framework. It introduces a new regulatory paradigm for data protection that focuses on protecting individuals’ digital privacy and brings in concepts such as the Data Fiduciary, the Data Processor, consent-based processing, and cross-border data transfers subject to conditions set by the government. The DPDP Act creates new compliance requirements and regulatory changes, especially for organisations that process data on behalf of others, i.e., Data Processors.

While Data Fiduciaries have been the focus of much attention, the Data Processor, which processes personal data on behalf of the Fiduciary, has not been sufficiently analysed. This shortcoming introduces serious legal, operational, and contractual risks. These lacunae pose serious risks for Data Fiduciaries, making it necessary to address them through carefully drafted Data Processing Agreements.

KEY RISKS ASSOCIATED WITH DATA PROCESSORS

As Data Fiduciaries increasingly delegate personal data handling tasks to specialised service providers, the role of Data Processors has become central to the practical realisation of data protection objectives. Identifying and understanding the key risks associated with Data Processors is crucial for organisations aiming to create robust data protection structures and protect their legal and operational interests in a rapidly digitizing economy.

1. Lack of direct Accountability

The DPDP Act does not impose direct obligations on Data Processors. All responsibilities lie with the Data Fiduciary, even if the Processor is at fault. The Data Protection Board of India is empowered to penalise Fiduciaries for failures without taking direct action against Processors. This implies that Fiduciaries, even those with limited control over their Processors, are bound to bear the full risk.

2. Fewer Security Obligations on Processors

Although the DPDP Act mandates the use of “reasonable security safeguards”, it does not explicitly define what constitutes reasonableness. The absence of specific security standards leads to inconsistencies across processors. Sometimes, Data Processors enforce weak security measures, increasing the risk of unauthorised data access, breaches and non-compliance.

3. No Mandated Contractual Clauses

Firstly, we need to understand what a Data Processing Agreement (DPA) is. It is a legally binding document that outlines the rights and obligations of Data Fiduciaries and Processors regarding the processing of personal data. The DPDP Act speaks of the responsibility of the Data Fiduciary to ensure that data is processed only for lawful and specified purposes. However, the absence of mandated contractual clauses or model standard contractual clauses creates contractual ambiguity.

4. Unclear Cross-Border Processing Rules

While the DPDP Act permits cross-border transfers, the mechanism itself is not specified. Processors located outside India might not actively comply with Indian laws, introducing significant risks regarding data sovereignty, regulatory jurisdiction, and enforcement concerns.

5. Sub-Processing Without Transparency

Sub-Processing occurs when a Data Processor outsources part or all of the processing task to another third party, called a Sub-Processor. Currently, the DPDP Act fails to specify explicit requirements related to sub-processing. This creates a regulatory blind spot as the Data Fiduciary may not even know that personal data is being shared further downstream.

6. Enforcement Uncertainties

The Data Protection Board of India is still establishing its operational procedures. There are also concerns about the penalty structure: the DPDP Act provides for significant penalties, but the criteria for determining penalties specific to Data Processors are missing. Compliance complexity also arises where there are potential conflicts between sectoral regulators and the Data Protection Board.

CONTRACTUAL LACUNA: WHAT IS MISSING IN INDIAN DPAS

Although the DPDP Act seeks to establish a framework for lawful data processing, its silence on the specific contractual obligations mentioned below between the Data Fiduciaries and Data Processors has created significant vulnerabilities. The agreements between the two are key in deciding the liability in case of a breach, and they are effective for risk allocation and compliance assurance. Identifying and understanding these missing clauses is necessary for managing the legal and operational risks arising from outsourced data processing.

1. Security Standards: Contracts often mention generic terms like “adequate security” or “reasonable safeguards” without:

  • Defining specific technical standards (e.g., ISO 27001, encryption)
  • Detailing periodic audits or vulnerability assessments

In the absence of detailed requirements, proving negligence or contractual breach in the event of a data breach becomes difficult, weakening the enforcement of data security responsibilities.

2. Breach Notification Obligations: There is no standard breach notification timeline, unlike global frameworks, which usually prescribe a 72-hour timeline. The absence of an escalation flow or defined roles in case of a breach creates a risk that the Data Fiduciary may not even know about a breach until it is too late, and non-compliance with DPDP breach reporting duties may result in penalties even if the breach occurred at the Processor’s end.

3. Sub-Processor Clauses: Indian DPAs frequently do not require Data Processors to seek the consent of the Fiduciary before engaging sub-processors. The absence of such clauses permits the delegation of data without verification of the authenticity of the third party. This creates a considerable risk for the fiduciaries as the data might get compromised due to a lack of security standards.

4. Audit and Compliance Rights: Contracts often do not allow Data Fiduciaries to audit the Processor’s systems or policies. There is no mention of audit logs, access controls, or compliance reports, making it more challenging for Data Fiduciaries to verify whether the data is processed legally and securely.

5. Data Retention Clauses: The DPDP Act does not clarify what happens to personal data when the contract ends. There are no specific timelines or methods mentioned for data deletion. The risk lies in data being retained indefinitely and inadequately secured, clearly violating the data minimisation and storage limitation principles.

6. Indemnity and Liability Clauses: There is no clear statement that the Processor is financially responsible if its actions cause a breach or violation. The Processor is not obligated to pay any penalties imposed by the Data Protection Board of India, compensation to affected individuals, or legal fees and litigation costs. In this case, Data Fiduciaries are left financially exposed on every front, and the entire purpose of risk allocation in DPAs is undermined.

7. Cross-Border Data Processing and Jurisdiction Clauses: There is no standard language to regulate where and how personal data can be stored or transferred internationally. This creates a risk that data may be transferred to jurisdictions with poor privacy protections.

8. Undefined Force Majeure Provisions: Many agreements lack specific force majeure provisions addressing data privacy incidents.

AMLEGALS REMARKS

India’s data privacy landscape represents a distinct intersection in the domain of digital governance in the country. In reviewing the relevant context, it appears that there is a precarious equilibrium of responsibilities, liabilities and operational prerequisites that require strategic attention.

The DPDP Act sets forth the building blocks of data protection, yet a significant distance separates the statute’s objectives from operational realities. While implementing the DPDP Act’s compliance controls, Data Processors face a plethora of contextual factors acting as constraints. Cumulative gaps remain, such as the vague terminology of “reasonable security practices”, “due technical defense mechanisms” and “adequate organizational measures”; these are pragmatic gaps that pose a risk to the efficient implementation of data privacy within an organisation.

– Team AMLEGALS assisted by Mr. Vansh Dhingra (Intern)


For any further queries or feedback, feel free to reach out to rohit.lalwani@amlegals.com or mridusha.guha@amlegals.com
