When Data Travels but Liability Does Not: Structuring Cross-Border SaaS Contracts Under India’s DPDP Act
Introduction
Under Indian data protection law, personal data does not lose its regulatory weight just because it is stored on a remote server. When data travels across borders, so does liability, and in many cases it comes back to the Indian entity that determined why the data was being processed in the first place.
For a long time, commercial practice in cross-border SaaS and cloud transactions has assumed that risk can be outsourced along with infrastructure. The Digital Personal Data Protection framework breaks that assumption. While offshore processing of data is usually lawful, a serious level of regulatory accountability remains with the data fiduciary in India. This creates a structural tension between regulatory exposure and the contractual allocation of risk, one which traditional technology contracts are ill-equipped to handle.
This article examines how DPDP liability should be contractually allocated in cross-border SaaS and cloud arrangements, drawing on actual enforcement cases and established doctrinal principles, and translates these into legally defensible drafting solutions.
Jurisdiction as a Function of Control Rather Than Territory
The DPDP Act effectively allocates responsibility according to control over the purpose and means of processing. Jurisdiction over the processing of personal data is not determined by the physical location of servers or other infrastructure, but by the location of the decision-making authority over that data. Where an Indian entity decides the purpose of processing, or exercises control by way of contractual instructions, regulatory jurisdiction continues to attach to that entity even if the processing takes place outside India.
This regulatory logic is in line with mature enforcement approaches across the world and provides a clear signal: outsourcing processing does not outsource accountability.
Case Studies
Regulatory authorities have affirmed this principle in concrete terms on numerous occasions. In the case of British Airways plc, the UK Information Commissioner’s Office imposed a substantial monetary penalty following a cyberattack in which customer data processed via third-party systems was compromised. Liability was fixed on British Airways as controller, in spite of the involvement of external vendors. The ICO emphasised that contractual delegation does not remove the responsibility to comply with the statute.

Similarly, in Marriott International Inc., liability was imposed for weaknesses in a reservation system acquired through a corporate transaction. The breach predated the acquisition, but Marriott was penalised for not undertaking appropriate due diligence and putting suitable measures in place after the acquisition. The existence of legacy systems and third-party arrangements did not weaken the controller’s obligations.
In Clearview AI Inc., European regulators asserted jurisdiction and issued corrective orders even though the company’s infrastructure was located outside the European Union. Enforcement was based on functional control over personal data relating to EU residents. Physical distance was no defence.
Although these cases arose under the GDPR, the doctrinal reasoning closely matches that of India’s DPDP framework. Regulators pursue the entity with decision-making power and the consumer interface, not the entity buried within technical supply chains.
The Gap in the Contracts of Indian SaaS and Cloud Deals
Despite this regulatory clarity, many Indian SaaS and cloud contracts are still based on pre-DPDP templates. These agreements often limit vendor liability to nominal amounts, omit any indemnity for regulatory penalties, treat sub-processors as an internal vendor matter, and make no provision for cross-border transfer restrictions. Under DPDP, this type of drafting is no longer commercially or legally sustainable.
The DPDP regime makes regulatory orders, remediation directions and penalties foreseeable consequences of processing failures. Contracts that do not address these outcomes create disproportionate risk for Indian customers while shielding vendors from the consequences of their own operational choices.
Allocating DPDP Risk: A Principled Approach
The basis for allocation is a clear distinction between operational error and regulatory exposure. While regulatory accountability will, as a matter of law, still attach to the Indian data fiduciary, the economic cost of a compliance failure can and should be contractually shifted where the cause lies with the vendor or its sub-processors.
Where personal data breaches arise from the vendor’s systems, security architecture or cloud infrastructure, the vendor should take primary responsibility through indemnities covering regulatory costs, remediation costs and defence costs. This responsibility should extend to all sub-processors: the vendor should be fully liable for the acts and omissions of its sub-processors, and its liability should not be diluted by their involvement. Such an allocation is consistent with both established international practice and commercial reality.
Regulatory fines and enforcement directions require particular attention. Blanket exclusions of fines from indemnities defeat the purpose of risk allocation. A more defensible position is to carve fines, penalties and compliance costs out of the liability caps where they result from vendor or sub-processor fault, while retaining caps for losses caused by the customer’s own processing instructions or policy decisions.
Contracts must also plan for regulatory change. The DPDP Act’s negative-list system allows for sudden cross-border transfer prohibitions. Vendors should therefore be contractually required to maintain and execute data migration or localisation plans within specified timeframes, and to facilitate a smooth transition without compromising the customer’s compliance posture. Absent such provisions, Indian entities may face sudden and expensive compliance obligations with no contractual recourse.
A Cautionary Illustration
The Kaseya ransomware attack in 2021 illustrated the domino effect of vulnerabilities in managed service providers across customer ecosystems. Although customers were not at fault operationally, they faced regulatory scrutiny, business disruption and disputes over the cost of remediation. The incident exposed a weakness repeatedly seen in technology contracts: treating supply-chain security as a technical risk rather than as a legal liability.
Under DPDP enforcement, similar incidents will test Indian contracts in which accountability is not clearly imposed across sub-processor chains.
Conclusion
In a DPDP-compliant contractual framework, drafting priorities match regulatory strategy. Agreements should make clear which parties are fiduciaries and which are processors, include clear sub-processor terms, and require vendor cooperation in data-principal requests and regulatory investigations. Liability rules need to be aligned with fault, not convenience, so that security failures and compliance breaches lead to substantial compensation, including for regulatory action where necessary. Contracts should include cross-border contingency planning, audit and cooperation arrangements and insurance-backed risk transfer, rather than generic limitation clauses.
Cross-border SaaS contracting under the DPDP regime is no longer a matter of technical architecture and boilerplate risk allocation. It is an exercise in regulatory foresight. Indian regulators will seek accountability where there is control, not where there are servers. Contracts that do not reflect this reality will leave Indian entities exposed to the costs of compliance for failures they did not operationally cause, while vendors are insulated from risks they commercially created.
In the DPDP era, the allocation of data-protection risk is not optional, and it must be defensible. It is the difference between lawful outsourcing and regulatory exposure by design.
Author: Nitya Verma. In case of any queries, please contact us at support@ipandlegalfilings.com or IP & Legal Filing.
REFERENCES
- Digital Personal Data Protection Act 2023 (India), Ministry of Electronics and Information Technology, Government of India, https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf
- Digital Personal Data Protection Act 2023, s 16 (Cross-Border Transfer of Personal Data), https://dpdpa.com/dpdpa2023/chapter-4/section16.html
- Taxmann, ‘Cross-Border Data Transfers under the DPDP Act’ (Taxmann Blog, 2023), https://www.taxmann.com/post/blog/cross-border-data-transfers-under-the-dpdp-act
- Latham & Watkins LLP, ‘India’s Digital Personal Data Protection Act, 2023: Comparison with GDPR’ (Client Alert, 2023), https://www.lw.com/admin/upload/SiteAttachments/Indias-Digital-Personal-Data-Protection-Act-2023-vs-the-GDPR-A-Comparison.pdf
- Information Commissioner’s Office (UK), ‘ICO fines British Airways £20 million for data breach’ (16 October 2020), https://ico.org.uk/action-weve-taken/enforcement/british-airways/