Third-party May Breach, The Fiduciary Pays: Indemnity Clause as the Only Risk Allocation Tool
- Varad Tiwari
Written by Varad Tiwari of Hidayatullah National Law University, Raipur
Introduction
The Digital Personal Data Protection Act, 2023 (‘DPDP Act’) is India’s first comprehensive statute governing the collection, use, and sharing of personal data. Enacted to enable Data Principals (‘DPs’), being individuals to whom personal data relates, to exercise meaningful control over how their data is processed, the DPDP Act places consent at the core of lawful processing. Such consent must be “free, specific, informed, unconditional, and unambiguous”, and must be confined to clearly stated purposes. The DPDP Act centralises statutory accountability in the Data Fiduciary (‘DF’), defined as the entity that determines the purpose and means of processing personal data.
At the same time, data sharing is integral to the modern digital economy. DFs routinely share personal data with vendors, cloud service providers, analytics firms, payment intermediaries, and other commercial counterparties. Data-sharing contracts form the legal infrastructure enabling such transfers, specifying permissible uses, imposing restrictions, and allocating risk. In practice, these contracts are indispensable for most data-driven business models.
This blog examines the tension between the DPDP Act’s consent-based liability framework and the realities of contractual data sharing. It argues that while the act permits delegation of data processing, it does not permit delegation of statutory responsibility. As a result, DFs remain exposed to regulatory liability for downstream misuse of data by third parties. Against this backdrop, the post explains why breach-of-contract remedies are poorly suited to manage DPDP-related regulatory exposure and why indemnity clauses emerge as a necessary private-law response.
Data Processors and Third Parties under the DPDP Act
Before examining consent and liability under the DPDP Act, it is important to clarify the difference between a data processor and a third party, since the act’s responsibility framework depends on this distinction. The DPDP Act defines a data processor as a person who “processes personal data on behalf of the Data Fiduciary.” The phrase “on behalf of” is deliberate and signals that the processor acts under the instructions of the DF and for the DF’s purposes, rather than independently. The intent of the legislature is clear from the wording of this definition: an entity becomes a data processor when it processes data for the purpose for which the DF engaged it. However, there is no explicit restriction confining the data processor to processing data only for the purpose for which the DF engaged it.
Furthermore, the act does not separately define a ‘third party’. In practice, the term is used broadly to describe any entity with whom personal data is shared. Such entities may receive data to assist the DF or for their own independent purposes. As a result, while every data processor is technically a third party, not every third party qualifies as a data processor under the DPDP Act.
Despite this conceptual difference, the DPDP Act largely collapses the distinction when it comes to regulatory exposure, since the act has no provision for shifting liability onto a third party. Section 8(5) makes the DF expressly responsible for personal data breaches caused by a data processor engaged by it. The threshold for a personal data breach under the act is also deliberately low. Under Section 2(u), a breach is constituted by any unauthorised processing, accidental or unauthorised disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data, among other situations, whether or not actual harm is immediately demonstrated. The statute therefore focuses on the fact of unauthorised activity, not on the magnitude of resulting damage.
Taken together, these provisions significantly widen the DF’s exposure. The act does not provide a parallel enforcement mechanism against processors or other downstream recipients, nor does it offer any statutory safe harbour where the DF has imposed contractual safeguards or exercised reasonable oversight. Even where non-compliance is caused entirely by another entity acting beyond its mandate, the DF remains the primary party answerable to the regulator.
Consent as the Legal Boundary of Data Processing under the DPDP Act
The DPDP Act is built around purpose limitation (as given under Section 4 of the DPDP Act) enforced through consent. Personal data may be processed only for purposes communicated to the DP at the time of collection. The DF remains responsible for ensuring that all processing stays within these limits.
In practice, DFs often rely on broadly worded consent notices stating that personal data may be shared with third parties for certain specified purposes, which differ from fiduciary to fiduciary. Data-sharing agreements then contractually restrict those third parties to process data only within those purposes.
However, contractual permissions cannot enlarge the scope of consent. Once personal data is shared, the DF has limited ability to monitor or control downstream processing. If a third party processes data beyond the purposes disclosed to the DP, the processing becomes unlawful under the DPDP Act, regardless of contractual restrictions imposed on that third party. Consent, not contract, defines the legal boundary of processing.
Centralised Liability and Limited Control over Third Parties
The DPDP Act creates a clear imbalance between control and liability. While processing activities can be outsourced, legal responsibility cannot. The DF remains accountable for compliance even where a violation is caused entirely by a third party acting beyond its contractual mandate.
From the regulator’s perspective, this approach is straightforward. The DF is the entity that collected the data and obtained consent, and therefore remains the primary target of enforcement. Whether the immediate wrongdoing was committed by a vendor or service provider is largely irrelevant for regulatory purposes.
This structure makes traditional breach-of-contract remedies ineffective as tools for managing regulatory risk. A breach claim is inherently ex post and depends on proof of actual loss. Under Indian contract law, damages are compensatory (Section 73 of the Indian Contract Act) and require the claimant to establish that loss has already been suffered. In the DPDP context, this would usually require the DF to first incur regulatory penalties or compliance costs before seeking recovery from the third party. As a result, breach claims are slow, uncertain, and poorly aligned with the nature of regulatory exposure.
The Gap in the DPDP Framework on Downstream Liability
The DPDP Act does not adequately address how liability should be allocated in complex data ecosystems. While it recognises data processors, it does not distinguish between violations caused by the DF itself and those caused by third parties acting independently. Nor does the DPDP Act provide any statutory safe harbour for DFs that have exercised reasonable diligence through contractual safeguards and oversight.
This gap creates perverse incentives. DFs may respond by limiting data sharing, which will undermine innovation and the efficient functioning of data-driven services. At the same time, third parties may face weakened incentives to comply, since regulatory enforcement is likely to focus on the DF rather than the party that actually misused the data.
In theory, the immediate private-law remedy available to a Data Fiduciary in such cases is to proceed against the downstream entity for breach of the data-sharing contract. Most data processing and data transfer agreements impose strict purpose limitations, confidentiality obligations, and compliance covenants tied to the DPDP Act. Where a third party exceeds the agreed scope of processing, the DF may claim that the recipient has violated contractual restrictions and seek damages or other relief under ordinary principles of contract law. Contractual enforcement, therefore, remains the primary mechanism through which DFs attempt to manage downstream misconduct and allocate risk inter se.
However, a breach-of-contract claim is an inherently weak remedy in this context for multiple reasons. First, as affirmed by the Madras High Court in Shipping Corporation of India Ltd v. Bharat Earth Movers Ltd, proof of actual loss remains a prerequisite for an award of damages. In the DPDP context, this means that a Data Fiduciary may be required to first absorb the penalties before it can successfully quantify and recover damages from the downstream entity. Second, the financial burden at stake is not marginal. The DPDP Act empowers the imposition of penalties extending up to ₹250 crore (see Schedule 1 of the DPDP Act), exposure that the DF may have to bear immediately, even where the breach was caused entirely by a processor acting beyond its contractual mandate. Contractual breach claims, therefore, operate only after the DF has already suffered the regulatory and financial impact, making them an inadequate tool for managing DPDP-related liability.
Indemnity as a Practical Response to Regulatory Risk under the DPDP Act
Given the DPDP Act’s approach to liability, indemnity clauses become a critical risk-management tool in data-sharing contracts. Unlike a breach-of-contract claim, an indemnity is designed to protect a party from liability as it arises. Under Section 124 of the Indian Contract Act, 1872, an indemnity is a promise to protect another party from loss caused by the conduct of the indemnifier or a third person.
Indian courts have consistently held that an indemnified party need not wait until it has paid the loss. In Gajanan Moreshwar Parelkar v. Moreshwar Madan Mantri and Osman Jamal & Sons Ltd v. Gopal Purushottam, it was held that once liability becomes certain, the indemnified party can require the indemnifier to step in, even if payment has not yet been made.
In the DPDP context, regulatory liability arises when non-compliance is established, not when a penalty is finally paid. A well-drafted indemnity clause, therefore, allows a DF to shift the financial impact of unlawful downstream processing to the third party responsible for it, without first absorbing the regulatory burden. While indemnity clauses cannot prevent regulatory action against the DF, they are essential for aligning incentives, managing risk, and sustaining lawful data sharing under India’s data protection regime.
Conclusion
The DPDP Act, 2023, is a decisive step that reflects the realities of India’s data-driven economy, where personal data is routinely shared across vendors, platforms, and service chains. By placing consent and accountability at the centre of the regime, the statute anchors enforcement responsibility in the Data Fiduciary. At the same time, it creates a structural tension: processing may be outsourced, but liability cannot. The Act provides limited clarity on downstream misuse, leaving Data Fiduciaries exposed even when violations arise entirely from third parties. Traditional breach-of-contract remedies remain retrospective and ill-suited to regulatory exposure, especially given penalties that can extend up to ₹250 crore. In this context, indemnity clauses become essential contractual infrastructure for sustainable data sharing. The regime’s long-term viability will depend on clearer downstream accountability and meaningful safeguards in regulatory practice.