In continuance of the Series VII, on the Indian PDPB 2019, where we defined and discussed the rights of the Data Principal, in this Series VIII, we look at the major role that the Data Fiduciary will play.
Data fiduciary has been defined as any entity that alone or together with others determines the purpose and means of processing of personal data. Processing involves collecting, organising, storing, structuring, erasing and many more similar functions.
Such processing will be subject to a certain purpose, collection and storage limitations. For instance, personal data can be processed only for specific, clear and lawful purposes. Additionally, all data fiduciaries must undertake certain transparency and accountability measures such as:
- implementing security safeguards (such as data encryption and preventing misuse of data), and
- instituting grievance redressal mechanisms to address complaints of individuals.
- They must also institute mechanisms for age verification and parental consent when processing sensitive personal data of children.
There is an element of trust that the data principal, who has been defined as any Indian citizen, who has consented to share his personal data, places on various companies/ data fiduciaries while sharing his personal information. S/He trusts the data fiduciaries to use the information only to the extent necessary to provide services and not to use it for any other purpose. This is an essential feature of a fiduciary relationship.
The nomenclature of “Fiduciary” makes the Data Fiduciary a “Trustee” and the “Data Principal” the beneficiary of the trust where the personal data is the trust property.
The draft Bill incorporates important aspects such as consent, reasonable purpose, processing of personal data but only with consent. Additionally, it is difficult to ascertain the amount of damage that could be caused due to the sharing of personal data in breach of a contract. The reason for this is the unique nature of data on the internet and various technologies. This has been mandated to avoid the current practise of obtaining one-sided consent from users, without any form of grievance mechanism or redressal.
The option of processing personal data without consent has been recognised such as recruitment and termination etc. Likewise, recruitment and termination of employment have also been brought under categories of processing personal data. However, if such data meets the criteria of being sensitive data, then such processing cannot be done without prior consent.
The Indian PDPB 2019 although permits data fiduciaries to process personal data without consent for reasonable purposes, states that the reasonable purposes “may be specified by regulations.” The Bill also extends the list of examples of reasonable purposes to include “the operation of search engines.”
Obligations of data fiduciary
The data fiduciary is mandated to protect the interest of the data principal and he cannot act to promote its self-interest. Therefore, the Bill has aptly used the word data fiduciary and imposed several obligations on the data fiduciary to protect the interests of the data principal.
A. Prohibition of processing of personal data
No personal data shall be processed by any person, except for any specific, clear and lawful purpose.
B. Limitation on the purpose of processing of personal data
Processing has to be done in a fair and reasonable manner only for the purpose of its collection
C. Limitation on the collection of personal data
The personal data shall be collected only to the extent that is necessary for the purposes of processing of such personal data.
D. Requirement of notice for collection or processing of personal data
The fiduciary has to clearly define its purpose, nature, identity and contact details and the rights of the data principal
E. Quality of personal data processed
To ensure that the personal data processed is complete, accurate, not misleading and updated, having regard to the purpose for which it is processed.
F. Restriction on retention of personal data
No retention of data, beyond its usage as per consent
G. Accountability of data fiduciary
The data fiduciary shall be responsible for complying with the provisions of this Act
H. Consent necessary for processing of personal data
The consent has to be free, fair, informed, specific, clear & can be withdrawn
The burden of proof that the consent has been given by the data principal for processing of the personal data shall be on the data fiduciary
The Indian PDPB 2019 also defines types of Data Fiduciary,
Significant Data Fiduciary, Small Entity, Guardian Data Fiduciary, any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data
A Guardian data fiduciary is a classification based on a fiduciary who operates any commercial website or online services or otherwise process larger volumes of personal data of children.
The definition of “Data Processor” includes any person including a State which processes personal data on behalf of a data fiduciary
Another definition is that of a “Social Media Intermediary” which applies to such data user organizations who may have a significant impact on electoral democracy, security of state, etc. which may be classified as a Significant data fiduciary
The definition of “Consent Manager” is one who is authorized by a data principal to share the personal data with a data fiduciary just like a personal data intermediary
The factors for classification may include
- volume of personal data processed
- sensitivity of personal data processed
- turnover of the data fiduciary
- risk of harm resulting from any processing or any kind of processing undertaken by the fiduciary
- use of new technologies for processing
- any other factor relevant in causing harm to any data principal as a consequence of such processing
In subsequent Series IX, and beyond, we shall get more insights on Exemptions, Penalties, Harm, Data Trust Score and Data Privacy Framework.
By Sameer Mathur, Founder & CEO, SM Consulting
President, Delhi-NCR Chapter of the Foundation of Data Protection Professionals in India
With inputs from Mr Vijayashankar Nagaraj Rao