On May 10, 2024, the Andhra Pradesh High Court delivered a ruling that could rival any courtroom drama you have binge-watched. This legal battle featured the Real Time Governance Society (“RTGS”) against Code Tree Software Solutions Pvt. Ltd. (“Code Tree”) in a dispute that had everything—big money, a mysterious data breach, and a plot twist.
Code Tree specializes in off-site IT consulting, offering services including application development, project management, software development, web design, and cloud services, while RTGS is an e-Governance initiative of the Government of Andhra Pradesh to encourage the use of technology and electronic communication for governance.
RTGS wished to utilize the services provided by Code Tree to advance its projects and initiatives. Code Tree claimed RTGS held back INR 1.4 crore despite them delivering on their contractual promise to provide IT services to RTGS. RTGS argued that a data breach suffered by Code Tree during the contract term gave them the right to withhold the payment.
Here is the plot twist: The Hon’ble High Court agreed with RTGS’ argument on right to withhold payment. They ruled that RTGS could hold onto the payment for now, citing the terms of their contract. But it’s not over yet—this case is headed to arbitration to ascertain if Code Tree was responsible for the alleged data breach. If RTGS is unable to prove Code Tree’s involvement in the data breach, they will be liable to pay the withheld sum to Code Tree.
This decision is relevant for businesses today, especially as India is gearing up to roll out the rules under the Digital Personal Data Protection Act, 2023 (“DP Act”). With stricter rules around the corner, this case is a reminder that data privacy isn’t just a buzzword—it is a survival skill and a business enabler.
Getting Ready for the New Rules: Data Protection and Dispute Resolution
Now, let’s break down what this means for companies trying to navigate the new data protection landscape and keep disputes from blowing up.
Lesson One: Securing Your Contracts: In today’s data-centric world, the contracts that your business executes need to be airtight. This means clarifying responsibilities and data protection duties of each party and providing a mechanism for when there is a breach. Measures may include regular audits, breach notifications, and top-tier security standards. It is also important to conduct due diligence before signing on the dotted line with any service provider or any third-party vendors. Additionally, ensuring indemnities will ensure an extra layer of protection to your interests in a business transaction.
Lesson Two: ADR is Your Go-To: Even the best-laid plans can go awry. When disputes arise, alternative dispute resolution (“ADR”) can be a beneficial path. The RTGS vs. Code Tree dispute is a prime example, where the Hon’ble High Court referred the matter to arbitration—a preferred forum for addressing complex technical issues. Arbitration is a crucial mechanism, particularly in an increasingly globalized digital landscape where cross-border challenges are becoming the norm.
The Global Perspective: Are We All Playing by the Same Rules?
Analysing India’s approach to data protection in the context of global practices highlights unique differences, much like comparing Eastern and Western cinema—each with its own distinct approach. In the U.S., courts often prefer addressing these issues through judicial proceedings. Meanwhile, the European Union’s Global Data Protection Regulation permits “non-judicial” remedies that allow disputes to be resolved outside the courtroom.
India’s DP Act introduces a unique blend of traditional dispute resolution and the flexibility of ADR. The Data Protection Board of India can encourage parties to pursue mediation, facilitating a resolution with the assistance of a mediator. Additionally, the DP Act provides for voluntary undertakings, enabling parties to agree on corrective actions, potentially avoiding further legal proceedings.
What Service Providers Need to Know: Stay Safe or Pay the Price
For service providers dealing with sensitive data (such as medical, financial, biometric, etc.) —the Hon’ble High Court’s ruling in the case of RTGS vs. Code Tree is a call to action. The decision sends a clear message: data protection is non-negotiable. Given the need to ensure data protection measures are undertaken, here is what service providers can consider implementing as best practices:
- Enhance Security Protocols: Roll out robust data security measures and maintain their effectiveness through regular, comprehensive audits. Staying ahead of potential threats is key to safeguarding sensitive information.
- Invest in Training: Ensure that the teams that deal with personal data is well-versed in data protection best practices. Regular training sessions are essential to prevent vulnerabilities, as even one oversight can have significant repercussions.
- Communicate Transparently: Clearly communicate your data protection policies and breach response procedures to clients. Transparency helps manage expectations and reduces the likelihood of disputes, fostering trust and long-term relationships.
Moving Forward: Navigating Compliance and Conflict Like a Pro
As the legal landscape around data protection evolves at an unprecedented pace, the stakes for businesses are higher than ever. ADR is increasingly becoming the preferred approach for resolving conflicts, making it essential to stay ahead of the curve. Whether it’s ensuring compliance with the DP Act or proactively addressing disputes before they escalate, partnering with experts who can assist with drafting robust contracts, conducting comprehensive due diligence, and skilfully navigating the complexities of ADR is crucial. In the realm of data protection and dispute resolution, staying ahead is not just about keeping up—it’s about leading the way.
AUTHORS: Shruti Dvivedi Sodhi (Partner) | Purvi Morwal (Associate)
