India’s digital economy is among the fastest growing in the world.

Home to over 1.4 billion internet users, India is a data treasure for companies.   

However, several laws and regulations in India govern data collection, use, and disclosure.   

The Digital Personal Data Protection Act 2023 (DPDPA) is one of India’s primary laws controlling data sharing.   

Before collecting or using a data subject’s personal information, businesses are required by the DPDPA to obtain the subject’s consent.   

The DPDPA also enforces certain limitations on transferring personal data outside of India.  

A contract should be signed for businesses to share data per the DPDPA.   

As explicitly stated in section 8, paragraph 2 of the Act, “A Data Fiduciary may engage, appoint, use, or otherwise involve a Data Processor to process personal data on its behalf for any activity relating to the offering of goods or services to Data Principals only under a valid contract.”   

Data-sharing agreements (DSAs) can address this.   

DSAs are legally enforceable agreements that regulate data sharing between two or more parties.   

A carefully composed DSA can help companies minimize legal risks, ensure data is processed responsibly and ethically, and foster trust with their partners and customers.  

This post will help you understand the nuances of data sharing in India, emphasizing compliance with the Digital Personal Data Protection Act of 2023 (DPDPA). Discover the significance of Data Sharing Agreements (DSAs), their essential components, best practices, and business-related legal considerations.   

With the help of this ultimate guide, you can minimize legal risks and ensure ethical and responsible data sharing.  

What is a Data Sharing Agreement?  

A Data Sharing Agreement (DSA) is a legally enforceable contract that specifies the terms and conditions for sharing data between two or more parties.   

DSAs tend to be used to work together on projects, offer services to customers, or enhance their offerings.   

To put it briefly, a DSA will fulfill the conditions listed in Indian DPDPA section 8, paragraph 2.   

According to the India DPDPA, contracts are necessary for any data-sharing activity, whether the data is being shared inside or outside India.  

When is a contract or a DSA required under DPDPA?  

Whether the other party is based in India or elsewhere, a contract is necessary anytime a business (Data Fiduciary) shares personal data with another party (Data Processor).   

This includes disclosing personal information to partners, businesses, or third parties.  

The following are a few specific situations where the DPDPA requires a contract:  

• A DSA must be signed between a company and a cloud computing provider if it uses the service to store customer information.  
  
• When a business analyzes consumer data through a third-party data analytics company, it must sign a DSA with the data analytics company.  
  
• A business must sign a DSA with the other company it partners with to jointly market or sell products or services.   
  
• A business that acquires another business must sign a DSA with its acquisition.
    
• A Data Sharing Agreement (DSA) must be signed by a company sharing personal data outside India and the organization receiving the data.  

A business may benefit from entering into a contract under the DPDPA even if it isn’t required.  

Need of Data Subject Agreement  

A DSA’s primary goal is to ensure data is shared ethically and responsibly. Generally, DSAs have provisions that outline the following:   

• The types of data can be shared  
  
• The purpose behind sharing the data  
  
• The safety measures that need to be followed to protect the data
     
• The duration of the data’s retention   
  
• The procedure for deleting data that is no longer required   

DSAs may also contain provisions addressing additional significant concerns like:   

• Rights to intellectual property   
• Liability for breaches in data   
• Resolution of disputes  

Importance of DSAs in India  

Valid contracts are required to process data on behalf of the Data Fiduciary.   

DSAs are, therefore, important in India for a variety of reasons.   

• Compliance with DPDPA  

They help businesses in complying with the DPDPA.   

Before collecting, using, or disclosing an individual’s data, enterprises are required by the DPDPA to get that individual’s consent.   

Businesses that wish to share customer data with other organizations can get help from a DSA in obtaining and documenting consent from individuals.   

• Mitigating legal risks  

DSAs help companies in mitigating their legal risks.   

Many requirements are placed on companies that collect and use personal data under the DPDPA.   

Businesses must, for example, put in place the proper security measures to protect customer information and discard it when it’s no longer required.  

• Enhanced customer relationships  

DSAs can help companies by earning the trust of their customers and partners. Businesses demonstrate their dedication to protecting the privacy of their customers’ data by signing a DSA.  

This may result in greater client loyalty and stronger relationships with business partners.  

Elements of a DSA in India  

The specific requirements for each processing contract are not specified in the India DPDPA. All it says is that there needs to be a valid contract.  

Nonetheless, the GDPR does outline the elements that a well-written DSA must have, so we’ve included them here:  

• Parties: The data-sharing parties should be identified in the DSA.  
  
• Purpose: The DSA should state the intention behind the data sharing.  
  
• Data types: The types of data that can be shared should be specified in the DSA.  
  
• Security: The safety measures that need to be taken to protect the data should be outlined in the DSA. This may include limiting authorized workers’ access to the data, storing it on secure servers, and encrypting it.  
  
• Retention: The DSA should specify the maximum time the receiving party can retain the data.  
  
• Deletion: When data is no longer required, the DSA should outline how it should be deleted from the company’s database.  
  
• Audit: A clause allowing the disclosing party to audit the receiving party’s compliance with the DSA’s requirements must be included in the agreement.  
  
• Consent: The disclosing party must get the data subject’s consent before providing the receiving party with the data subject’s personal information.  
  
• Localization of data: Some categories of personal information must be kept in India. DSAs must consider these constraints for data localization.  
  
• Cross-border data transfers: The disclosing party shall ensure that any personal data transferred under the DSA complies with the PDPA if it involves transferring personal data outside India. This may include signing a data transfer contract with the recipient.  

Does your business need a DSA under India DPDPA?  

If your company collects, uses, or shares personal data with third parties, you must have a valid contract or DSA under the India DPDA.   

You must sign a valid DSA or contract with the data controller, specifically if you are a data processor.   

Even though the Indian DPDPA does not specify what should be included in a valid contract, a DSA may consist of the terms and conditions of sharing personal data, such as the purpose for sharing, the types of data being shared, the security measures that the recipient of the data must implement, the retention period, and the deletion procedure.  

Difference between a DSA and a Non-Disclosure Agreement  

A legally enforceable non-disclosure agreement (NDA) requires the parties to keep confidential information disclosed between them.   

When companies need to share confidential information such as trade secrets or proprietary data, NDAs are usually used.   

One of the parties to a confidentiality relationship must abstain from disclosing any information without permission.   

Put simply, NDAs are agreements that forbid disclosing any information.   

The primary distinction between a DSA and an NDA is that a DSA covers data sharing. DSA usually contains more specific provisions regarding the types of data that can be shared, the purpose behind the sharing, and the security measures that should be taken to protect the data from any breach.  

Difference between a DSA and a MOU  

A legal document that can be used to regulate the relationship between two or more parties is a Memorandum of Understanding (MOU).   

MOUs are commonly used to outline a partnership’s general principle or terms involving two or more parties.   

MOUs may contain: 

• Provisions that address the objectives of the partnership. 
  
• Each party’s obligations. 
  
• The techniques by which disagreements will be settled.   

Both MOUs and DSAs are helpful instruments for managing relationships between two or more parties.   

However, selecting the appropriate document for the given circumstances is crucial.   

A DSA is usually preferable in complex relationships or when disclosing sensitive information is involved. An MOU can be used if the relationship is less intricate and does not involve sharing sensitive data.    

Government agencies and other public organizations, such as law enforcement agencies and regulators, may collaborate through memorandums of understanding that serve as both a data-sharing agreement and a document containing data-sharing provisions.  

Conclusion  

For companies in India that share data, DSAs are essential.   

Businesses can ensure data is shared in compliance with DPDPA and other relevant laws and regulations by entering a well-drafted DSA.   

This will help companies reduce legal risks, foster trust with partners and customers, and protect data subjects’ privacy.