As noted in our previous publication in The Digital Personal Data Protection Act, 2023 (“DPDP Act”) Series, Article II, the draft Digital Personal Data Protection Rules, 2025 (“Draft DPDP Rules”) were published by the Ministry of Electronics and Information Technology (“MeitY”) on January 3, 2025 for stakeholder feedback by March 5, 2025.

While the Draft DPDP Rules will take some time to be promulgated along with the DPDP Act, one aspect of the Draft DPDP Rules that catches attention is that, although the Data Fiduciary[1] is made fully responsible for ensuring compliance with the DPDP Act and the rules framed thereunder (including the Draft DPDP Rules), no specific mention is made of the responsibilities and obligations of a Data Processor[2] as defined under the DPDP Act.

On a further reading of the DPDP Act and the Draft DPDP Rules, it would not be misplaced to state that, in a typical Data Centre service relationship, the Data Centre service provider (“DC Service Provider”) would be construed to be a Data Processor and the customer of the Data Centre (“DC Customer”) would be construed to be a Data Fiduciary, as defined in the DPDP Act. DC Customers would typically be corporates or institutions active in the BFSI space, technology companies, e-commerce companies or any other corporates that, inter alia, deal with Personal Data (as defined under the DPDP Act) at scale.

Given this linkage between the Data Centre ecosystem and the data privacy regime in India, it is important that the service level contracts entered into by DC Service Providers with DC Customers (“DC Service Contracts”) are carefully drafted to pass muster under the DPDP Act and the Draft DPDP Rules.

Some of the key nuances that are relevant while segregating the roles and responsibilities of a Data Fiduciary and a Data Processor in a typical DC Service Contract are as follows:

1.    Nature of DC Service Contract. The DC Service Contract should specifically record that the contract is entered into, inter alia, in terms of the DPDP Act and the rules framed thereunder. This is because the DPDP Act makes it mandatory for a Data Fiduciary that uses the services of a Data Processor to have a contract in place with that Data Processor. The Draft DPDP Rules further require that such a contract include appropriate security safeguards for the handling of Personal Data by the Data Processor.

2.    Compliance with the DPDP Act. As mentioned above, the DPDP Act and the Draft DPDP Rules make the Data Fiduciary responsible for ensuring compliance with the DPDP Act and the rules framed thereunder, notwithstanding any contract to the contrary. While a DC Service Contract would, of course, hold the DC Service Provider responsible for the services rendered under it, DC Customers need to bear in mind that the consequences of non-compliance under the DPDP Act would, in any event, fall on the DC Customers in their capacity as Data Fiduciaries. Given this, it would only be fair for a Data Fiduciary to insist on specific indemnity protections from the DC Service Provider in the DC Service Contract for liabilities that arise for the Data Fiduciary under the DPDP Act due to defaults of the Data Processor. The Schedule to the DPDP Act prescribes monetary thresholds for the penalties a Data Fiduciary may face for non-compliance under the DPDP Act, and the liability of the Data Processor under the DC Service Contract, as suggested above, could be aligned to those thresholds to reduce protracted negotiations between the parties. Parties to existing DC Service Contracts may also seek suitable revisions to already negotiated contracts once the DPDP Act and the Draft DPDP Rules are brought into force, if those contracts do not already cater to the exposure of DC Customers as Data Fiduciaries.

3.    Monitoring.

3.1.  Compliance Checklist. The DPDP Act, read with the Draft DPDP Rules, lists various compliance checkpoints for a Data Fiduciary that deals with Personal Data[3]. These include protecting Personal Data in the possession or under the control of the Data Fiduciary by taking reasonable security measures such as encryption, obfuscation, masking, etc.; retaining data logs for one year, unless otherwise required by law; and notifying the Data Protection Board (“Board”) of any breach within the timeframe stipulated under the DPDP Act. Given that these obligations are to be met in a time-bound manner, the DC Service Contract should provide for the Data Fiduciary and the Data Processor to agree on a compliance checklist specific to the DPDP Act, or a composite compliance checklist covering all applicable laws, including the DPDP Act. Such a compliance checklist should be jointly and periodically monitored by executives of the Data Fiduciary and the Data Processor to avoid any lapses.

3.2.  Personal Data Breach. The compliance checklist suggested above may not be sufficient in the case of a Personal Data Breach[4]. This is because the Data Fiduciary is required to provide a brief description of any Personal Data Breach to the Board immediately, and to provide the prescribed details to the Board within 72 hours of becoming aware of the Personal Data Breach. The regulator is likely to construe the knowledge of the Data Processor as the knowledge of the Data Fiduciary, since the Data Fiduciary is responsible for ensuring reasonable security safeguards not only for Personal Data in its own possession or under its control but also for Personal Data in the possession or under the control of a Data Processor undertaking processing on its behalf. Hence, the DC Service Provider, as the Data Processor, should agree in the DC Service Contract to share complete and accurate information relating to a Personal Data Breach in a time-bound manner, so that the Data Fiduciary can meet its obligations under the DPDP Act.

3.3.  Indian Computer Emergency Response Team (CERT-In). Apart from the DPDP Act, Data Centres are also obligated to report certain specified cyber incidents to the Indian Computer Emergency Response Team (CERT-In) within a tight timeline of 6 hours of noticing the incident or of being brought to notice of it. This 6-hour reporting requirement is more stringent than the reporting timelines under comparable regulations in other jurisdictions such as Belgium, Germany, Spain, Italy, Singapore and Brazil. While drafting the DC Service Contract, the Data Processor and the Data Fiduciary should ensure that appropriate provisions are included for adherence to all ancillary laws relating to data management and processing, in addition to the DPDP Act.

4.    Audit Rights. The Central Government is yet to notify the Data Fiduciaries or classes of Data Fiduciaries that will be categorised as Significant Data Fiduciaries[5]. However, the DPDP Act read with the Draft DPDP Rules prescribes higher and comparatively more stringent compliance norms for Significant Data Fiduciaries. These include appointing a Data Protection Officer, appointing an independent data auditor to carry out data audits, and undertaking periodic Data Protection Impact Assessments. To meet these obligations, a Significant Data Fiduciary would need reasonable access to the DC Service Provider’s premises from time to time. While a typical DC Service Contract would respect the access rights of a Data Fiduciary, it is also critical for a DC Service Provider to ensure that such access is free of nuisance and not adverse to the interests of co-located customers in the Data Centre premises. Hence, it is imperative for the DC Customer and the DC Service Provider to agree on norms under which the DC Customer, as Data Fiduciary, will have access to the Data Centre premises.

5.    Data localisation laws. Certain Indian laws require identified categories of data to be stored in India; these are typically referred to as data localisation rules. As an example, the Reserve Bank of India, vide its Notification dated April 6, 2018 on ‘Storage of Payment System Data’, has directed all system providers to ensure that the entire data relating to payment systems operated by them is stored in a system in India. This data includes the full end-to-end transaction details / information collected / carried / processed as part of the message / payment instruction. Further, the DPDP Act read with the Draft DPDP Rules contemplates the Central Government formulating guidelines for the transfer of Personal Data outside India. In this regard, it is relevant to note that a typical DC Service Contract binds the Data Processor to process, transmit or transfer data as directed by the Data Fiduciary, and also restricts the Data Processor from modifying or otherwise ‘touching the data content’. Hence, it would only be fair that Data Fiduciaries are obliged under the DC Service Contract to ensure the following, at the least, while issuing instructions to Data Processors for transmitting or transferring relevant data from the Data Centre:

5.1.  Data (not limited to Personal Data) that is subject to specific data localisation rules and regulations is not instructed to be transmitted or transferred in a manner that is likely to result in such data leaving India. This should be an important obligation of the Data Fiduciary under the DC Service Contract, given that geographical boundaries are blurred on the internet and in cloud computing, and there is limited oversight that a Data Processor would be able to exercise over where data instructed to be transferred eventually ends up;

5.2.  If any Personal Data that is not subject to data localisation rules is proposed to be transferred outside India, such transfer should be in connection with an activity related to the offering of goods or services by the Data Fiduciary to Data Principals[6] in India, as stated in the Draft DPDP Rules. Such transfer should also comply with any other rules and regulations prescribed by the Central Government under the DPDP Act read with the Draft DPDP Rules, and by any other regulator under any other applicable rules and regulations in India.

Authors’ view.

It is understood and well appreciated that the regulator has centralised the obligation of Personal Data protection in one party, i.e. the Data Fiduciary, based on the seventh principle laid down in the Explanatory Statement to the DPDP Bill, 2022. However, in our view, it would not vitiate or dilute this principle if the regulator were also to consider framing rules under the DPDP Act with which Data Processors must comply while dealing with Personal Data, given that Data Processors have in any case been recognised separately from Data Fiduciaries under the DPDP Act. This approach would also be in line with the EU GDPR (often regarded as the gold standard in data protection laws worldwide), which imposes specific obligations on a “Processor”, a term akin to Data Processor under the DPDP Act. Such rules could act as guiding principles for the roles and responsibilities of Data Processors while dealing with Personal Data. This, in our view, is imperative given the rapid growth of new-age technology service providers such as Data Centres, cloud service providers, Global Capability Centres and other service providers that may not otherwise fall within the ambit of any Personal Data protection regime.

Needless to say, the views expressed here assume that the Draft DPDP Rules are promulgated in the form notified by MeitY on January 3, 2025, or with minimal changes that are inconsequential to this article.

Please refer to our earlier articles, namely DPDP Act Series and DPDP Act Series, Article I, for further insight into the regulatory framework and regime prescribed by the Central Government for the protection of Personal Data.


Authors:

Rajesh Pal, Partner

Meghna Punjabi, Senior Associate

[1] Section 2(i) of the DPDP Act - “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.

[2] Section 2(k) of the DPDP Act - “Data Processor” means any person who processes personal data on behalf of a Data Fiduciary.

[3] Section 2(t) of the DPDP Act - “Personal Data” means any data about an individual who is identifiable by or in relation to such data.

[4] Section 2(u) of the DPDP Act - “Personal Data Breach” means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.

[5] Section 2(z) of the DPDP Act - “Significant Data Fiduciary” means any Data Fiduciary or class of Data Fiduciaries as may be notified by the Central Government under section 10 of DPDP Act (Additional obligations of Significant Data Fiduciary).

[6] Section 2(j) of the DPDP Act - “Data Principal” means the individual to whom the personal data relates and where such individual is— (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf.