Data Protection and Privacy in Software Contracts: Ensuring Compliance with Global Regulations

This article is written by Aniket Kumar Singh, BBA LLB, 3rd year, Kristu Jayanti College of Law, during his internship with Le Droit India.

  1. INTRODUCTION

Data protection and privacy in software contracts are essential needs of today’s generation. As the world adapts and moves towards artificial intelligence and other software solutions for ease of work and professionalism, there is an urgent need to address the requirement for safeguarding user data.

Thus, as we require software and rely on it, we must provide and share our data when registering with a particular application, and we continue to use that software by “agreeing to the terms and conditions of the software”.

All these services acquire our data by making us accept their terms and conditions or ‘cookies’.

Cookies are small pieces of data sent between a website and a browser to identify a particular user. These terms and conditions, and the cookie notices that accompany them, are so lengthy and technical that most people skip reading them.

From online shopping to net banking, from commuting from one place to another to watching online shows and movies, everything takes some personal information from an individual.

It then becomes the moral obligation and unequivocal responsibility of the software company to safeguard and prioritize the data that we provide in order to access its software.

The global giants must warrant and uphold the fundamental data protection and encryption standards that have been established.

  • What are Software Contracts?

A software contract is a legal agreement that outlines the terms and conditions for software development, its use, and distribution. It is also referred to as a software license agreement.

The software contract generally has the following information:

  1. Ownership: who owns the software, i.e. who holds the IP rights to the particular software.
  2. Usage & Restrictions: what the end user is permitted to do, and what they may not do, with the software.
  3. Term & Termination: the duration of the contract, the period for which the software may be used, and the terms that prohibit piracy of the software.
  4. Fees & Payment: which payment methods are available, for example credit card, debit card, PayPal, or UPI.
  5. Indemnification: who is responsible if the end user suffers damage or losses, thereby holding an individual accountable in such cases.

  • Software contracts: A judicial insight

In the case of Infotech Software Dealers’ Association V/s Union of India on 24 August 2010[1]:

Facts of the case

The ISODA comprises approximately 100 members, all of whom are software resellers. These member companies specialize in the business of reselling computer software products. The software sales by these association members are categorized into three types:

  • Shrink Wrap Software,
  • Multiple User Software/Paper License, and
  • Internet Download.

Shrink Wrap Software refers to a package that includes a CD/DVD, a user manual, and an end-user license agreement, all encased in plastic wrap. When a DVD/CD is produced to be compatible with multiple hardware devices and is sold with a paper license that allows a customer to use it on a specified number of hardware units, it is termed “Multiple User Software” or “Paper License”. For situations involving numerous users across different locations, paper license DVDs/CDs may be impractical. Consequently, the distributor, authorized by the software manufacturer, may enter into an agreement allowing the purchaser to download a predetermined number of software copies from the internet, a process known as “Internet Download”.

Until May 16, 2008, the sale of canned software licenses was subject to a 4% VAT, while contracts for customized software maintenance and other technical support were subject to service tax. However, the sale of canned software licenses did not attract service tax.

Issues of the case

Both writ petitions raise a critical question: Is software considered goods, and if so, is the provision of software to a customer under an “End User License Agreement” (EULA) a sale or a service? Additionally, does Parliament have the legislative authority to introduce the amended provisions of Section 65(105) under the powers granted by Entry 97 of List I of Schedule VII of the Constitution of India?

When addressing the issue at hand, two related questions emerge: first, is software classified as goods, and second, does every transaction involving software constitute a sale, or could some be deemed a service?

Judgement

The writ petitions were dismissed, with the court holding that whether a transaction involving software is one of goods or of services depends on the individual case. Therefore, the amended provision cannot be deemed unconstitutional as long as Parliament has the legislative competence to enact laws on service taxation under Entry 97 of List I of Schedule VII.

In the case of Commissioner of Income Tax V/s ZTE Corporation (2011)[2]:

In this case, it was determined that the buyer is given a limited, non-transferable, and perpetual license to use the software and documentation under the contract. The buyer does not have any title or ownership rights based on the contract between the assessee and the customers.

  • Indian laws & legislation for data protection

India does not have laws regulating data-related issues that are as strong and stringent as those in Europe or other Western nations.

The Indian laws are not up to the level of the European standards, which are considered the “global standards”.

Many such problems and issues with data protection are being addressed by the passing or amending of different legislation, establishing a legal framework to safeguard sensitive data and reduce the risks related to data breaches and privacy infractions.

The first law enacted to secure the digital information of individuals was the Information Technology Act, 2000.

In response to the significant and complex impact of digital transformation, heightened risk factors, and the increasing dependency on artificial intelligence technologies, the government enacted the Digital Personal Data Protection Act (DPDPA) of 2023. This legislation comprehensively addresses the issues surrounding the privacy of digital personal data.

  • Indian Landmark case laws relating to Data privacy & others

In the landmark case of Karmanya Singh Sareen and Anr vs Union of India and Ors on 23 September, 2016[3]:

Facts of the case

The petition stated that upon its 2010 launch, “WhatsApp” had promised a privacy policy ensuring absolute protection against the sharing of user data and details, guaranteeing complete security and privacy. Users, trusting this policy, linked their personal information to the application. However, allegations arose that following the acquisition of “WhatsApp,” a significant alteration to its privacy policy was proposed. In August 2016, users were notified that their “WhatsApp” account information would be shared with “Facebook” and its group companies to enhance advertising and product experiences on “Facebook.” Users were required to accept these updated terms and privacy policy by September 25, 2016, to continue using “WhatsApp.”

Judgement of the case

Users who opt to continue using WhatsApp and consent to data sharing should not have their historical information disseminated.

Furthermore, WhatsApp should be prohibited from utilizing the data for any purpose without explicit user consent. It seems that users may not be able to insist that WhatsApp retain the same terms of service.

However, as WhatsApp’s terms of service are not based on any legislative or statutory provisions, the concerns presented in the current petition might not be within the scope of writ jurisdiction under Article 226 of the Indian Constitution.

It is important to note that WhatsApp’s Privacy Policy permits users to delete their accounts at any time, which results in the deletion of their data from WhatsApp’s servers. Consequently, existing WhatsApp users who prefer not to share their data with Facebook have the option to terminate their accounts.

In the landmark case of Justice K S Puttaswamy (Retd.) and Anr. Versus Union of India in 2012[4]:

The Supreme Court of India’s nine-judge bench pronounced the … of the Indian Constitution. Following this significant ruling, the B.N. Srikrishna Committee was established to deliberate on the challenges posed by the digitalization of personal data and to suggest a framework for its protection. The committee formulated the Draft Personal Data Protection Bill in 2018, which was subsequently introduced in the lower house of Parliament. In a further development during 2019, the draft Bill underwent scrutiny by a joint parliamentary committee, which also sought public feedback.

  • Global Standards & ensuring compliance with the global regulations

The Digital Personal Data Protection Act of 2023, often referred to as the DPDP Act, marks a substantial advancement by the Indian government in safeguarding individual privacy within the digital domain.

Drawing inspiration from the European Union’s General Data Protection Regulation, the DPDP Act establishes a concise yet comprehensive framework that addresses the multitude of challenges associated with data protection in India, avoiding an excessively intricate and prescriptive approach.

In the current digital era, the protection of data and privacy stands at the forefront of international legal and ethical debates among businesses and organizations.

The escalation of data breaches and heightened sensitivity around personal information have necessitated strict regulatory measures. The European Union’s General Data Protection Regulation (GDPR) is particularly significant, establishing benchmarks for data privacy and mandating compliance from any organization handling the data of EU citizens, irrespective of its geographical location.

The GDPR came into effect on 25 May 2018. It applies to every company or individual that targets the European market or holds information about European citizens.

Organizations that process or store the data of European citizens must comply with the GDPR or face consequences.

The GDPR’s extraterritorial reach has profound implications for software contracts, which must now incorporate comprehensive data protection clauses to ensure legal compliance. This report delves into the intricacies of aligning software contracts with global data protection regulations, emphasizing the GDPR, and other prominent frameworks such as the California Consumer Privacy Act (CCPA) and the Health Insurance Portability and Accountability Act (HIPAA).

  • The GDPR and its Global Influence

The General Data Protection Regulation (GDPR) has significantly shaped global data protection standards by establishing rigorous criteria for the processing of personal data within the European Union and the European Economic Area. It includes mandates for obtaining consent, preventing data loss, limiting the purpose of data processing, and upholding the “right to be forgotten”.

The concept of the “right to be forgotten” was first established in the case of Google Spain V/s AEPD (2014).

In 2010, a Spanish citizen named Mario searched his name on Google and found links to a 1998 newspaper article about his house being auctioned to settle his old debts.

He then requested that his name be removed from the articles, arguing that they were no longer relevant to him and served no purpose.

The European Union court held that “search engines and all data controllers which process or hold the data of any European citizens may come under the purview of European Union data protection law.”

It also established the “right to be forgotten”, allowing individuals to request that companies remove personal data from their search engines if the data is inadequate, irrelevant, or no longer needed, or if the data processing is not necessary for the public interest or for historical or statistical purposes.

Consequently, software agreements are required to incorporate these stipulations, delineating the extent of data processing, affirming the enforcement of sufficient security protocols, and providing the means for individuals to exercise those rights.

  6.2 Contractual Provisions for Data Protection

Software contracts must include detailed provisions for data privacy and protection to comply with data privacy regulations. These provisions are crucial and should give specific guidance on the management and safeguarding of data. They should encompass areas such as data handling, access rights, data retention, and security measures to protect personal and sensitive information:

  1. Data Processing and Purpose Limitation: Under the GDPR’s principle of purpose limitation, contracts must clearly define the scope, intent, and duration of data processing activities. They are obligated to detail the lawful basis for processing personal data, categorize the data being processed, and delineate the processing timeframe.
  2. Data Security Measures: To safeguard sensitive information from unauthorized access and breaches, the contracts should meticulously outline robust encryption methods, access controls, and data integrity protocols. This entails defining the specific encryption standards to be followed, the access control mechanisms, and the protocols for ensuring data integrity.
  3. Data Subject Rights: Contracts should comprehensively address data subject rights, providing clear and detailed mechanisms for data subjects to exercise their rights under the GDPR. This includes specifying the procedures for data subjects to request access to their data, rectify inaccuracies, request erasure, and obtain their data in a portable format.
  4. Data Breach Notification: Contracts should explicitly specify the requirements for immediate notification following a data breach. They must define the precise periods within which the data controller or processor is obligated to inform the appropriate supervisory authority and the individuals impacted, in compliance with the GDPR’s mandates.
  5. Data Transfer: When dealing with cross-border data transfer, contracts must clearly define the mechanisms and protections that comply with the GDPR’s strict regulations for international data movement. This requires a comprehensive description of the legal frameworks used to transfer data to countries outside the EEA, such as standard contractual clauses or binding corporate rules, along with extra measures to secure the data during transfer.

  • Conclusion

In conclusion, ensuring data protection and privacy in software contracts is paramount in today’s digital landscape. The intersection of Indian laws, such as the Digital Personal Data Protection Act, 2023, and global regulations like the GDPR, necessitates robust contractual provisions. Software contracts must incorporate clear stipulations on data processing, security measures, data subject rights, breach notification, and cross-border data transfer. By adhering to these standards, parties can mitigate risks and safeguard sensitive information. Software contracts must prioritize data protection, upholding the rights of individuals and fostering trust in the digital ecosystem.


[1] Infotech Software Dealers Association vs Union of India, 24 August 2010 (indiankanoon.org)

[2] All you need to know about software contracts, iPleaders

[3] Karmanya Singh Sareen and Anr vs Union of India and Ors, 23 September 2016 (indiankanoon.org)

[4] Justice K.S. Puttaswamy (Retd) vs Union of India, 26 September 2018 (indiankanoon.org)
