Authored by Ms. Gargi Kapoor (Associate at Prakant Law Offices) & Ms. Maitri Khurana (Student at National Law University Odisha)
Cloud computing is no longer a buzzword; it’s the quiet backbone of everything we do online. From emails and photos to sensitive government data and financial transactions, it’s all sitting somewhere in “the cloud.” But as this dependency grows, so do the cracks in the contracts that underpin it.
Let’s be honest: most of us never read cloud service agreements. We click “I agree,” move the operations to AWS, Azure, or Google Cloud, and get on with our days. But these agreements, often dense, one-sided, and boilerplate, determine what happens when things go wrong. And that’s exactly where the problem begins.
With the arrival of India’s Digital Personal Data Protection Act, 2023 (“DPDPA”), the law now clearly spells out who’s responsible for protecting personal data. It places that burden squarely on the Data Fiduciary, usually the business collecting or processing your information.[1] Supporting the Data Fiduciary is the Data Processor, a third-party service provider, such as a Cloud Service Provider (“CSP”), that processes personal data on behalf of the fiduciary.[2]
But if the business (Fiduciary) is using a cloud provider to store or process your data, and the provider messes up, the business still takes the fall. Section 8 of the DPDPA makes it clear that a Data Fiduciary is liable for compliance even when the processing is carried out by a Data Processor on its behalf.[3] The CSP, the one with actual control over your data infrastructure, remains largely unaccountable unless the contract specifically makes it liable.[4] And guess what? Most of these contracts don’t.
They’re drafted by the CSPs, not negotiated. They often allow the provider to change terms without notice. They limit or completely waive the CSP’s liability for service disruptions or data breaches. Worse, they typically shift disputes to foreign jurisdictions, making it practically impossible for an Indian user or company to seek recourse.
So, under the current regime, the legal risk lies with the Data Fiduciary, but the operational control lies with the CSP. It’s an accountability mismatch, and the DPDPA, while well-intentioned, hasn’t resolved it.
Adding to the complexity are subcontractors. Cloud services today are layered. Your data might be handled by a subcontractor in another country, or even passed along a chain of vendors you’ve never heard of. Yet, as long as you (Data Principal) clicked “agree,” you’re expected to know and control them all.
While the DPDPA does allow cross-border data transfers, regulating them under Section 16, and sector-specific regulators like the RBI impose their own rules (like storing payments data within India),[5] these rules bring another challenge: the cost of compliance. Localization increases infrastructure costs, especially for Indian startups that depend on global cloud providers to scale quickly.[6]
This isn’t just a tech issue, it’s a legal and policy vacuum. The cloud has evolved, but our contracts haven’t. If India is serious about digital sovereignty, privacy rights, and building a startup ecosystem that’s both competitive and compliant, then the law needs to extend beyond just regulating data fiduciaries. It needs to reimagine cloud contracts.
This could mean mandating transparency about subcontracting, standardizing core terms around liability and jurisdiction, or even empowering regulators to issue model cloud agreements. But more than anything, it means recognizing that cloud providers aren’t just vendors, they’re critical infrastructure operators. And in a world where data is power, they can’t be allowed to operate in legal grey zones. Because when the cloud goes wrong, someone has to be held accountable.
[1] Under Section 2(i) of the DPDPA, a Data Fiduciary is any person or entity that determines the purpose and means of processing your personal data. On the other side of the relationship is the Data Principal (customer), the individual whose personal data is being collected, as defined under Section 2(j).
The DPDPA puts a duty on fiduciaries to process data only with the principal’s free, informed, and unambiguous consent as per Section 6 and for lawful, specified purposes. It provides that the consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.
[2] Section 2(k) of the DPDPA defines a Data Processor as anyone who processes personal data on behalf of a Data Fiduciary.
[3] The Digital Personal Data Protection Act, 2023 §8.
[4] T Lynn, ‘Dear Cloud, I Think We Have Trust Issues: Cloud Computing Contracts and Trust’ in T Lynn, JG Mooney, L van der Werff and G Fox (eds), Data Privacy and Trust in Cloud Computing (Palgrave Macmillan 2021).
[5] Reserve Bank of India, ‘Storage of Payment System Data’.
[6] Justice B.N. Srikrishna Committee, White Paper on Data Protection Framework for India (27 November 2017).