Authored by Ms. Gargi Kapoor (Associate at Prakant Law Offices) & Ms. Maitri Khurana (Student at National Law University Odisha)<\/p>\n\n\n\n
Cloud computing is no longer a buzzword; it\u2019s the quiet backbone of everything we do online. From emails and photos to sensitive government data and financial transactions, it\u2019s all sitting somewhere in \u201cthe cloud.\u201d But as this dependency grows, so do the cracks in the contracts that underpin it.<\/p>\n\n\n\n
Let\u2019s be honest: most of us never read cloud service agreements. We click \u201cI agree,\u201d move the operations to AWS, Azure, or Google Cloud, and get on with our days. But these agreements, often dense, one-sided, and boilerplate determine what happens when things go wrong. And that\u2019s exactly where the problem begins.<\/p>\n\n\n\n
With the arrival of India\u2019s Digital Personal Data Protection Act, 2023 (\u201cDPDPA<\/strong>\u201d), the law now clearly spells out who\u2019s responsible for protecting personal data. It places that burden squarely on the Data Fiduciary, usually the business collecting or processing your information.[1]<\/a> Supporting the Data Fiduciary is the Data Processor, a third-party service provider like Cloud Service Providers (\u201cCSP<\/strong>\u201d) who process personal data on behalf of the fiduciary.[2]<\/a><\/p>\n\n\n\n But if the business (Fiduciary) is using a cloud provider to store or process your data, and the provider messes up, the business still takes the fall. Section 8 of the DPDPA makes it clear that a Data Fiduciary is liable for compliance even when the processing is carried out by a Data Processor on its behalf.[3]<\/a> CSP, the one with the actual control over your data infrastructure remains largely unaccountable unless the contract specifically makes them liable.[4]<\/a> And guess what? Most of these contracts don\u2019t.<\/p>\n\n\n\n They\u2019re drafted by the CSPs, not negotiated. They often allow the provider to change terms without notice. They limit or completely waive the CSP\u2019s liability for service disruptions or data breaches. Worse, they typically shift disputes to foreign jurisdictions, making it practically impossible for an Indian user or company to seek recourse.<\/p>\n\n\n\n So, under the current regime, the legal risk lies with the Data Fiduciary, but the operational control lies with the CSP. It\u2019s an accountability mismatch and DPDPA, while well-intentioned, hasn\u2019t resolved it.<\/p>\n\n\n\n Adding to the complexity is the subcontractors. Cloud services today are layered. Your data might be handled by a subcontractor in another country, or even passed along a chain of vendors you\u2019ve never heard of. Yet, as long as you (Data Principal) clicked \u201cagree,\u201d you\u2019re expected to know and control them all.<\/p>\n\n\n\n While DPDPA does allow for cross-border data transfers, regulating it by Section 16, and sector-specific regulators like the RBI impose their own rules (like storing payments data within India), [5]<\/a>these rules bring another challenge with the cost of compliance. Localization increases infrastructure costs, especially for Indian startups who depend on global cloud providers to scale quickly.[6]<\/a><\/p>\n\n\n\n This isn\u2019t just a tech issue, it\u2019s a legal and policy vacuum. The cloud has evolved, but our contracts haven\u2019t. If India is serious about digital sovereignty, privacy rights, and building a startup ecosystem that\u2019s both competitive and compliant, then the law needs to extend beyond just regulating data fiduciaries. It needs to reimagine cloud contracts.<\/p>\n\n\n\n This could mean mandating transparency about subcontracting, standardizing core terms around liability and jurisdiction, or even empowering regulators to issue model cloud agreements. But more than anything, it means recognizing that cloud providers aren\u2019t just vendors, they\u2019re critical infrastructure operators. And in a world where data is power, they can\u2019t be allowed to operate in legal grey zones. Because when the cloud goes wrong, someone has to be held accountable.<\/p>\n\n\n\n [1]<\/a> Section 2(i) of the DPDPA, a Data Fiduciary is any person or entity that determines the purpose and means of processing your personal data. On the other side of the relationship is the Data Principal (customer), the individual whose personal data is being collected, as defined under Section 2(j).<\/p>\n\n\n\n The DPDPA puts a duty on fiduciaries to process data only with the principal\u2019s free, informed, and unambiguous consent as per Section 6 and for lawful, specified purposes. It provides that the consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.<\/p>\n\n\n\n [2]<\/a> Section 2(k) of the DPDPA defines that a Data Processor is anyone who processes personal data personal data on behalf of a Data Fiduciary.<\/p>\n\n\n\n [3]<\/a> The Digital Personal Data Protection Act, 2023 \u00a78.<\/p>\n\n\n\n [4]<\/a> T Lynn, \u2018Dear Cloud, I Think We Have Trust Issues: Cloud Computing Contracts and Trust\u2019 in T Lynn, JG Mooney, L van der Werff and G Fox (eds), Data Privacy and Trust in Cloud Computing<\/em> (Palgrave Macmillan 2021).<\/p>\n\n\n\n [5]<\/a> Reserve Bank of India, \u2018Storage of Payment System Data\u2019.<\/p>\n\n\n\n
\n\n\n\n