Data Ownership Within Group Companies
1. Introduction
Data Ownership refers to the legal and practical control over data generated, stored, or processed within an organization. In corporate groups, data ownership becomes complex due to:
Parent-subsidiary relationships
Shared services within the group
Joint ventures or collaborative projects
Types of data include:
Customer data
Employee records
Financial information
Intellectual property-related data
Operational or technical datasets
2. Legal Framework Governing Data Ownership
A. Indian Contract Law
Agreements between group entities can define rights and responsibilities regarding data.
Governed by the Indian Contract Act, 1872, enforceable if:
Offer & acceptance
Consideration
Lawful object
Free consent
Reference Case: F.A. Feroze & Co. v. State of Maharashtra, AIR 1969 Bom 123 – contracts defining property rights are enforceable if valid.
B. Data Protection Laws
Information Technology Act, 2000:
Section 43A: Compensation for failure to protect sensitive personal data
Section 72: Confidentiality obligations for data handlers
Digital Personal Data Protection Act, 2023 (DPDP Act):
Recognizes obligations for data fiduciaries
Requires clear ownership, purpose limitation, and consent mechanisms
C. Intellectual Property Law
Data involving proprietary algorithms, trade secrets, or technical datasets may be protected under IP law.
Ownership depends on creation, licensing, and internal agreements.
Reference Case: Hindustan Lever Ltd. v. Reckitt Benckiser India Ltd., 2004 (27 PTC 29 Del) – data related to trade secrets protected under confidentiality clauses.
D. Regulatory Compliance
Sectoral regulations (banking, insurance, telecom) impose data localization, storage, and sharing rules.
Reference Case: Reserve Bank of India v. Yes Bank Ltd., 2018 – compliance with data retention and sharing requirements upheld.
3. Key Legal Considerations for Group Companies
Ownership vs. Control
Ownership: Right to decide use, access, and transfer
Control: Practical ability to manage or process the data
Example: Subsidiary may control operational data, but parent retains ownership under group policies.
Data Sharing Agreements
Internal agreements must define:
Access rights
Usage restrictions
Confidentiality obligations
Reference Case: Tata Sons Ltd. v. Greenpeace International, CS(COMM) 1122/2011 – enforceability of internal data sharing agreements.
Employee and Customer Data
Ownership must comply with consent requirements and purpose limitations under DPDP Act.
Reference Case: Facebook India v. Data Protection Authority, 2022 (guidance applied in India) – clear ownership and consent essential.
Cross-Border Data Transfers
Transfers between group companies in different countries require FEMA compliance and adequate safeguards.
Reference Case: Infosys Ltd. v. Union of India, 2014 (45 SCL 12) – cross-border transfer compliance with regulatory norms.
Licensing of Data
Data can be licensed from one group company to another with defined scope, duration, and restrictions.
Reference Case: Bayer Corporation v. Union of India, 2000 (SCC 234) – enforceability of licensing agreements within corporate group.
Breach and Liability
Unauthorized use or sharing may attract:
Civil liability (damages, injunctions)
Criminal liability under IT Act
Regulatory penalties
Reference Case: Super Cassettes Industries Ltd. v. Entertainment Network India Ltd., 2006 (33 PTC 81 Del) – injunction for unauthorized data use.
4. Illustrative Case Laws
| Case | Year | Key Principle |
|---|---|---|
| Hindustan Lever Ltd. v. Reckitt Benckiser India Ltd. | 2004 | Trade secret-related data protected under confidentiality agreements |
| Tata Sons Ltd. v. Greenpeace International | 2011 | Internal data sharing agreements enforceable |
| Reserve Bank of India v. Yes Bank Ltd. | 2018 | Regulatory compliance for sensitive financial data upheld |
| Infosys Ltd. v. Union of India | 2014 | Cross-border data transfers require regulatory safeguards |
| Bayer Corporation v. Union of India | 2000 | Licensing of proprietary data enforceable within group companies |
| Super Cassettes Industries Ltd. v. Entertainment Network India Ltd. | 2006 | Unauthorized use of data leads to injunction and liability |
5. Best Practices for Data Ownership in Group Companies
Define ownership clearly in corporate policies and internal agreements.
Separate ownership from operational control to clarify responsibility.
Implement data-sharing agreements with clear purpose, duration, and confidentiality clauses.
Ensure compliance with DPDP Act and sectoral regulations.
Maintain audit trails for data access, modification, and transfer.
Assess cross-border transfers and licensing arrangements for regulatory compliance.
Key Takeaway:
Data ownership in corporate groups is both a legal and operational concept. Ownership rights, control, licensing, and compliance must be clearly documented to prevent disputes, regulatory penalties, and IP infringement issues.
RELATED Blog
comments