Data Licensing Agreement (India)

The legal protection of databases and datasets in India is primarily based on copyright law, contract law, and data protection law. India does not have a dedicated sui generis database right (unlike the European Union's Database Directive), which means that database protection in India is narrower and more dependent on contractual arrangements. Copyright protection: Under the Copyright Act 1957, a 'literary work' is defined to include computer databases under Section 2(o). A database that is an original intellectual creation — meaning the selection, arrangement, or organisation of its contents reflects the author's own intellectual effort — is protected by copyright as a compilation under Section 13 of the Act. The copyright owner has the exclusive right to reproduce, distribute, and communicate the database under Section 14(a). However, copyright protects only the original selection and arrangement, not the underlying data or facts themselves, which remain free for all to use. Contract law: In practice, the most important protection for commercially valuable datasets is contractual. A well-drafted data licence agreement, governed by the Indian Contract Act 1872, creates binding obligations restricting how the licensee may access, use, copy, and share the dataset. This is particularly important for datasets that may not attract strong copyright protection (e.g., factual databases compiled without significant creativity in selection).

The Digital Personal Data Protection Act 2023 (DPDP Act) is India's first comprehensive personal data protection legislation. While the Act is being implemented in phases (the substantive rules under Section 40 are yet to be finalised as of 2024), it has significant implications for any data licensing arrangement involving personal data of Indian residents.

Scope of the DPDP Act: The Act applies to the processing of 'digital personal data' — personal data in digital form, or personal data that is collected in non-digital form and subsequently digitised. It applies to processing by entities established in India and to processing by entities outside India if the processing is in connection with any activity related to offering goods or services to individuals in India.

Key obligations for Data Fiduciaries (organisations that determine the purpose and means of processing): (a) Consent: Personal data may be processed only with the free, specific, informed, unconditional, and unambiguous consent of the data principal, or for 'legitimate uses' specified in Schedule I of the Act; (b) Purpose limitation: Personal data must be processed only for the specified purpose; (c) Data minimisation: Only data necessary for the stated purpose may be collected; (d) Security safeguards: Appropriate technical and organisational measures must be implemented; (e) Breach notification: The Data Protection Board (to be established) and affected data principals must be notified of personal data breaches; (f) Data erasure: Personal data must be erased once the purpose is fulfilled; and (g) Accountability: Data Fiduciaries are responsible for compliance and must maintain processing records.

For data licensing agreements: The licensor (data provider) must ensure that it has a lawful basis to share the data with the licensee. The licensee becomes a Data Fiduciary in respect of the data it processes. The agreement should include a Data Processing Agreement (DPA) addendum addressing all DPDP Act obligations.

Data licence agreements in India typically impose a comprehensive set of restrictions on licensees to protect the value, integrity, and legal compliance of the licensed dataset. The key restrictions are as follows. Purpose restriction: The licensee may use the data only for the specific purpose stated in the agreement. Any use beyond this scope — even if not harmful — constitutes a breach. This is particularly important for compliance with the DPDP Act 2023's purpose limitation principle. Prohibition on redistribution: The licensee may not sell, share, sublicence, or otherwise transfer the data to any third party without the licensor's prior written consent. Redistribution of data without consent may expose the licensee to claims for breach of contract and, if the data contains personal information, to liability under the DPDP Act 2023. Prohibition on re-identification: If the data has been anonymised or pseudonymised, the licensee is typically prohibited from attempting to re-identify the data subjects. Re-identification of anonymised personal data may constitute a breach of the DPDP Act 2023's processing obligations. Derivative data: The licensee may be prohibited from creating derivative datasets from the licensed data without consent, or the agreement may specify that derivative datasets belong to the licensor or are jointly owned. Geographic and purpose restrictions: The licensee may only use the data in specified geographic territories and for specified commercial or research purposes.

A data breach in the context of a data licensing agreement — i.e., an incident involving the unauthorised access to, disclosure, or loss of licensed data — triggers overlapping legal obligations and liabilities under both the agreement and applicable Indian law. Contractual liability: Under the data licence agreement, the party responsible for the breach (typically the licensee, as the data processor) will be liable to the licensor for: all losses arising from the breach (damages under Section 73 of the Indian Contract Act 1872); the costs of investigating and remediating the breach; regulatory fines or penalties imposed on the licensor as a result of the licensee's failure to maintain adequate security; and any third-party claims against the licensor arising from the breach. DPDP Act 2023 obligations: When the DPDP Act 2023 is fully notified, both the Data Fiduciary and any Data Processor responsible for a breach involving personal data of Indian residents must notify the Data Protection Board and affected data principals. Penalties under the DPDP Act 2023 can be substantial — up to ₹250 crore for certain violations. IT Act 2000 obligations: Under Section 43A of the IT Act 2000 and the SPDI Rules 2011, a body corporate that handles sensitive personal data and is negligent in implementing reasonable security practices and thereby causes wrongful loss or wrongful gain to any person is liable to pay compensation to the affected person. This obligation applies regardless of the contractual arrangement.

A Data Licensing Agreement (India) does not legally require a lawyer in India, and individuals and businesses may draft and execute the document independently. The Indian Contract Act, 1872 does not mandate legal representation for the creation or signing of this type of document. However, seeking independent legal advice from a qualified India lawyer is recommended for transactions involving substantial financial value, complex regulatory requirements, or cross-border elements where multiple legal jurisdictions may apply. A lawyer can verify that the document complies with all applicable statutory requirements, identify potential risks specific to the transaction, and confirm that the terms adequately protect the interests of all parties involved. The Supreme Court of India has jurisdiction over disputes arising from this type of document, and Registrar of Companies (ROC) may impose additional compliance obligations depending on the nature of the underlying transaction. Professional legal review is particularly advisable where the document will be submitted to government agencies or used as evidence in legal proceedings.