Data centres occupy a unique position in the DPDPA compliance landscape. As infrastructure providers hosting personal data for multiple clients across jurisdictions, they face compounding obligations that extend far beyond traditional hosting arrangements. The 2023 Act treats data centre operators as data processors with direct statutory duties, regardless of contractual allocation. This analysis examines the technical, operational and legal measures required for compliant data centre operations in India.
The Data Processor Framework
Section 2(k) defines a data processor as any person who processes personal data on behalf of a data fiduciary. Data centres providing colocation, managed hosting, or cloud infrastructure services fall squarely within this definition when client data includes personal data. The critical distinction lies in the processing relationship: a data centre that merely provides rack space without accessing data may argue it is not a processor, but any service involving data handling, backup, disaster recovery, or security monitoring constitutes processing. The operational reality for most data centre services is that processor status is unavoidable. This status carries direct statutory obligations under Section 8(2) that cannot be contracted away. A data centre cannot rely on client indemnities to escape regulatory liability for its own compliance failures.
Key Points
- Direct processor status under Section 2(k)
- Processing includes backup and security monitoring
- Statutory obligations cannot be contractually excluded
- Operational services trigger processor classification
Instruction Based Processing Requirement
Section 8(2) mandates that data processors process personal data only in accordance with data fiduciary instructions and only for specified purposes. For data centres, this requires documented processing instructions from each client, clear purpose limitation in service agreements, and operational controls preventing processing beyond authorised scope. The challenge intensifies in multi-tenant environments where processing systems are shared. A data centre operating analytics services, optimisation tools, or usage monitoring must ensure these activities fall within client authorisations. Processing personal data for the data centre's own business purposes, such as service improvement or capacity planning using client data, requires explicit authorisation or anonymisation to a standard precluding re-identification.
Key Points
- Documented client instructions required
- Purpose limitation in service agreements
- Multi-tenant processing controls essential
- Own business use requires explicit authorisation
Security Obligations Under Section 8(5)
Data centres must implement reasonable security safeguards to prevent personal data breaches. The reasonable standard is assessed against industry practices, data sensitivity, and available technology. For data centres, this translates to physical security controls including biometric access, CCTV surveillance, mantrap entry systems, and 24/7 security personnel. Network security requires segmentation, intrusion detection, encryption in transit and at rest, and access logging. Administrative safeguards include personnel vetting, confidentiality agreements, access reviews, and incident response procedures. The 2024 Tata Communications data centre breach, where configuration errors exposed client infrastructure, illustrates that technical sophistication alone is insufficient. Process failures, human errors, and configuration management weaknesses constitute security failures regardless of underlying infrastructure quality. Rule 6 of the DPDP Rules 2025 prescribes specific technical and organisational measures including encryption standards, access controls, and monitoring requirements that data centres must implement and demonstrate.
Key Points
- Physical, network and administrative controls
- Reasonable standard assessed against industry
- Process failures constitute breaches
- Rule 6 prescribes specific measures
Data Localisation Realities
DPDPA does not mandate blanket data localisation, departing from earlier draft requirements. Section 16 permits cross-border transfers except to jurisdictions blacklisted by Central Government notification. However, sectoral regulations impose localisation requirements that indirectly affect data centres. RBI directions require payment system data to be stored exclusively in India. IRDAI mandates insurer data to be maintained domestically. Telecom regulations require subscriber data to remain within India. Data centres serving these sectors must maintain India-based infrastructure and cannot replicate to foreign facilities for disaster recovery without careful regulatory analysis. The Central Government retains authority under Section 16(2) to restrict transfers to specific jurisdictions. Data centres with global operations must monitor notifications and implement geofencing capabilities to prevent data replication to blacklisted locations. The absence of a current blacklist does not eliminate future compliance risk.
Key Points
- No blanket localisation under DPDPA
- Sectoral rules impose specific requirements
- RBI, IRDAI, Telecom restrictions apply
- Geofencing for potential blacklisted jurisdictions
Breach Notification Coordination
Personal data breaches at data centres trigger dual notification obligations. The data centre as processor must immediately notify affected data fiduciary clients to enable their Section 8(6) compliance. Simultaneously, the data centre may have direct notification obligations to CERT-In under the 2022 Directions for cyber incidents. The 72-hour timeline for data fiduciary notification to the Data Protection Board begins when the breach is discovered, making rapid processor-to-fiduciary communication critical. Data centre service agreements must establish breach notification protocols including contact points, escalation timelines, and information requirements. Ambiguity in breach ownership, particularly for incidents affecting shared infrastructure, creates notification gaps that expose both parties to regulatory action. Clear contractual allocation of investigation responsibilities, communication duties, and remediation costs is essential before incidents occur.
Key Points
- Immediate notification to affected clients
- CERT-In reporting obligations parallel DPDPA
- 72-hour timeline from discovery
- Contractual breach protocols essential
Significant Data Fiduciary Client Obligations
Data centres hosting Significant Data Fiduciary clients inherit enhanced compliance burdens. SDFs must conduct annual audits under Section 10(2)(d), and auditors will examine processor arrangements as part of compliance assessment. Data centres must facilitate audit access, maintain documentation demonstrating compliance, and respond to audit findings affecting their operations. SDF clients must appoint Data Protection Officers resident in India, and DPOs will require data centre cooperation for oversight functions. Data centres may need to designate liaison personnel, provide compliance reporting, and participate in privacy impact assessments for new services. The DPIA requirement under Section 10(2)(c) extends to processing likely to affect rights, which may include certain data centre services involving large-scale data processing, profiling capabilities, or sensitive data handling.
Key Points
- Annual audit facilitation required
- DPO liaison and reporting functions
- DPIA participation for high-risk services
- Documentation for SDF compliance
Sub-Processor Chains
Data centres rarely operate in isolation. Interconnection with other facilities, use of cloud platforms for disaster recovery, engagement of maintenance vendors, and reliance on software providers create sub-processor chains. Each link requires contractual flow-down of DPDPA obligations, due diligence on sub-processor compliance capabilities, and disclosure to data fiduciary clients. Client consent for sub-processor engagement may be general, authorising categories of sub-processors, or specific, requiring individual approval. Data centre standard terms should address sub-processor authorisation, impose equivalent contractual protections, and establish liability for sub-processor failures. The data centre remains liable to data fiduciary clients for sub-processor compliance regardless of contractual indemnities between the data centre and its sub-processors.
Key Points
- Contractual flow-down to sub-processors
- Due diligence on sub-processor capabilities
- Client consent for sub-processing
- Primary liability regardless of indemnities
Contractual Architecture
Data processing agreements for data centre services require restructuring under DPDPA. Essential clauses include: processing scope limited to documented instructions, confidentiality extending beyond contract termination, security measures meeting Rule 6 standards, breach notification timelines and responsibilities, audit facilitation provisions, sub-processor authorisation and liability, data return and deletion upon termination, and indemnification for regulatory penalties arising from processor defaults. Standard hosting agreements predating DPDPA likely lack required provisions. Data centres should conduct contract portfolio reviews and issue addenda addressing compliance gaps. New engagements require DPDPA-compliant templates reviewed by privacy counsel familiar with both technical operations and regulatory requirements.
Key Points
- Processing scope documentation
- Security measures per Rule 6
- Audit and sub-processor provisions
- Contract portfolio review essential
Technical Compliance Measures
Operational compliance requires technical implementation beyond policy documentation. Access controls must enforce least privilege principles with role-based permissions, multi-factor authentication, and privileged access management. Encryption must protect data at rest using AES-256 or equivalent, and in transit using TLS 1.3 for external communications. Logging must capture access events, configuration changes, and security incidents with tamper-evident storage and retention meeting regulatory timelines. Data deletion capabilities must enable verifiable destruction upon client instruction, including backup media and disaster recovery replicas. Many data centres lack tools to locate and purge specific client data across distributed systems. Investment in data discovery and deletion tooling is essential for meeting erasure obligations under Section 12(3).
Key Points
- Least privilege and MFA implementation
- AES-256 and TLS 1.3 encryption standards
- Tamper-evident logging with retention
- Verifiable deletion across all systems
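A minimal implementation of the tamper-evident logging requirement above, added here as an illustration and not code from the article or any operator's system; the SHA-256 hash-chain design, the externally anchored head hash and the event fields are assumptions made for the example:

```python
# Added example (not from the original article): a hash-chained, append-only
# access log that makes after-the-fact edits detectable. Event fields are constructed.
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry

def _digest(prev_hash: str, event: dict) -> str:
    # Canonical JSON so the same event always hashes the same way.
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()

def append_event(chain: list, event: dict) -> dict:
    """Append an event, binding it to the hash of the previous entry."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {"event": event, "prev": prev_hash, "hash": _digest(prev_hash, event)}
    chain.append(entry)
    return entry

def verify_chain(chain: list, expected_head=None):
    """Recompute every link; return (ok, index of first bad entry or None).
    expected_head is the latest hash kept where the log writer cannot alter
    it (write-once store); without it a consistent rewrite still verifies."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev_hash or entry["hash"] != _digest(prev_hash, entry["event"]):
            return False, i
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return False, len(chain)
    return True, None

def demo() -> dict:
    """Constructed events: a privileged login, a config change, an export."""
    chain = []
    for ts, action, target in [("10:00:00", "login_mfa", "bastion-01"),
                               ("10:05:12", "config_change", "fw-policy-7"),
                               ("10:09:40", "data_export", "client-a/backup")]:
        append_event(chain, {"ts": "2025-03-01T" + ts + "Z", "actor": "ops-admin",
                             "action": action, "target": target})
    head = chain[-1]["hash"]  # anchor this outside the log's write path
    intact = verify_chain(chain, head)
    chain[1]["event"]["target"] = "fw-policy-0"  # simulated edit of entry 1
    edited = verify_chain(chain, head)
    rebuilt = []  # a consistent rewrite recomputing every hash after the edit
    for entry in chain:
        append_event(rebuilt, entry["event"])
    return {"intact": intact, "after_edit": edited,
            "after_rewrite": verify_chain(rebuilt, head)}
```

The in-place edit is caught at the altered entry, while a full rewrite only fails against the externally anchored head, which is why the anchor must sit outside the log writer's control.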
Workforce and Governance
Personnel accessing personal data require training on DPDPA obligations, handling procedures, and incident recognition. Background verification for employees with data access is prudent given breach liability. Confidentiality agreements should reference statutory obligations and survive employment termination. Governance structures must assign compliance responsibility to designated personnel, establish escalation paths for compliance concerns, and integrate data protection into operational decision-making. Data centres with mature information security programmes often assume ISO 27001 certification satisfies DPDPA requirements. While certification demonstrates security management capability, DPDPA imposes specific obligations around consent, purpose limitation, and data principal rights that security frameworks do not address. Compliance requires dedicated attention beyond information security programmes.
Key Points
- DPDPA-specific personnel training
- Background verification for data access
- Designated compliance responsibility
- ISO 27001 insufficient alone
Enforcement and Penalty Exposure
Data centres face penalty exposure under Section 33 for security failures, breach notification delays, and non-compliance with Board directions. Penalties extend to Rs. 250 crores for the most serious violations. The Board will consider harm caused, compliance history, and cooperation when assessing penalties. Data centre failures affecting multiple clients create compounding exposure where each affected engagement represents a separate potential violation. A single security incident affecting 50 data fiduciary clients creates 50 potential enforcement actions. This multiplier effect makes data centre compliance failures catastrophically expensive compared to single-entity exposure. Insurance coverage and client indemnification cannot fully mitigate regulatory penalty risk, as penalties are not insurable in most jurisdictions and indemnification enforcement depends on counterparty solvency.
Key Points
- Penalties up to Rs. 250 crores
- Multiplier effect for multi-client failures
- Insurance limitations on penalty coverage
- Compounding exposure across engagements
Practical Implementation Roadmap
Data centres should commence compliance programmes with asset inventory identifying all systems processing personal data. Classification exercises should map data types to applicable sectoral requirements. Gap assessments against Section 8 and Rule 6 requirements identify remediation priorities. Contract review across client portfolios flags agreements requiring DPDPA addenda. Technical implementation includes access control enhancement, encryption deployment, logging infrastructure, and deletion capability development. Policy documentation covers processing procedures, breach response, sub-processor management, and personnel obligations. Training programmes build organisational awareness. Ongoing compliance requires periodic assessment, contract maintenance, and monitoring of regulatory developments including blacklist notifications and enforcement precedents establishing Board expectations.
Key Takeaways
- Data centre processor status carries direct statutory obligations that cannot be contracted away to clients
- Security measures must address physical, network and administrative controls meeting Rule 6 standards
- Sectoral localisation requirements apply regardless of DPDPA flexibility on cross-border transfers
- Breach notification coordination with clients is critical given 72-hour regulatory timelines
- Multi-client exposure creates compounding penalty risk, making compliance failures catastrophically expensive
- Contract portfolio review and DPDPA-compliant templates are immediate priorities
- ISO 27001 and existing security programmes are insufficient without DPDPA-specific measures
