Digital Personal Data Protection Act, 2023 - Identifying the Data Fiduciary
Identifying entities involved and determining their role as data fiduciary or processor is important because to the customer (data principal) the e-commerce platform or retail brand/store would naturally appear to be the data fiduciary, being the single point where the transaction is concluded.
With the Digital Personal Data Protection Act, 2023 (“Act”) in place, a key aspect of understanding compliance is identifying the role of each person in a transaction. For an over-the-counter transaction involving cash, this may be simple enough but is more challenging when there are multiple entities involved.
E-commerce and retail are apt examples - identifying entities involved and determining their role as data fiduciary or processor is important because to the customer (data principal) the e-commerce platform or retail brand/store would naturally appear to be the data fiduciary, being the single point where the transaction is concluded. Therefore, it is useful for the merchant as purported data fiduciary to accurately identify all data fiduciaries in a transaction and notify the customer appropriately.
An e-commerce transaction typically involves the platform, seller, payment participants and fulfilment participants.
Platform: In a marketplace platform where multiple sellers register and sell products, the platform will be a data fiduciary in respect of the customer using the platform, having collected personal details of the customers. It is also uniquely able to track consumer behavior and serve tailored product offerings and suggestions.
Seller: The third-party seller registered on the platform will also be a data fiduciary depending on the extent of control the platform exerts. For orders fulfilled by the seller, it is in the position to be a data fiduciary along with the platform, with access to customer contact and order details. Some sellers, depending on their size and range of product offerings, will also be able to track consumer behavior in relation to their own offerings.
However, the platform may seek to restrict the amount of data available to a seller and place contractual restrictions on the seller’s use of data. For instance, on the website of a prominent marketplace platform, controller1-processor or controller-controller terms were not available under the seller registration portal, with protection of customer information and data usage restrictions being covered under a brief confidentiality clause. The lack of documentation and ambiguity could be deliberate: avoid expressly designating the seller as a data fiduciary/ controller so that the platform maintains a semblance of control over processing purpose; also, expressly designating the seller a processor would make the platform liable for the seller’s processing activity without retaining real control over the same.
Payment participants
Payment participants may appear to be processors, being principally an enabler of a transaction between a merchant and a customer. This may not be the case. In a credit card transaction, there are 6 or more participants – cardholder, merchant, payment processor (including provider of the PoS/card swipe machine and payment gateway), card network (Visa, MasterCard, RuPay, etc), the card issuer and the merchant acquirer.
The extent to which some of these entities process personal data in the role of a data fiduciary is difficult to determine with certainty without visibility of the contracts among these participants. Each party is in the position to be a data fiduciary as well as a processor, depending on its role (some roles are subject to distinct licenses or approvals from RBI), but would likely fall within the category of joint data fiduciaries (joint controllers) as each entity determines purpose of processing of collected personal data.
The card issuer (bank) acts basis a contract with the individual, therefore, is in the position to act as a data fiduciary vis-à-vis the individual. The card network may also process personal data, being involved in the transaction. For instance, the website of a card network, in categories of personal data it may collect, stated: “Information about your transactions, including the date, time, location and amount of the transaction and information about the merchant. This may also include item-level data in some instances, and billing and shipping information.”
The PoS provider also appears to process data as a data fiduciary at present. The website of a PoS provider stated: “When you use our PoS to make, accept, request, or record payments, we receive information about when and where the transactions occur, the names of the transacting parties, a description of the transactions, the payment or transfer amounts, billing and shipping information, and the devices and payment methods used to complete the transactions”.
These entities participating in the payment process operate largely based on standard form contracts with merchants and customers having limited or no ability to negotiate the terms, making it more relevant for the merchants to be aware of their status as data fiduciary or processor.
Fulfilment
Fulfilment vendors such as couriers, transporters and warehouse providers will fall within the realm of processors, i.e., one who carries out any processing activity on behalf of the fiduciary, and as per the instructions of and based on a contract with the data fiduciary. Their role is entirely subject to terms with the merchant or platform.
Following the money
In a situation where clear determination of a participant’s relationship with other entities in the transaction becomes challenging to determine, a key approach could be to decipher the flow of money in the transaction. This does not have to be directly between the merchant/ platform and the customer alone, but also the revenue source of each participant in the transaction. For instance, while the card issuer earns from the customer, the merchant acquirer deducts a fee from the amounts paid to the merchant, and both receive personal and transaction information of the customer.
Being principally liable under the Act for processing activity, each participant in a transaction must identify its own role and that of others involved as a ‘data fiduciary’ or ‘processor’ and ensure adequacy of contracts with participants identifiable as data processors.
What the data fiduciary must do
Being principally liable under the Act for processing activity, each participant in a transaction must identify its own role and that of others involved as a ‘data fiduciary’ or ‘processor’ and ensure adequacy of contracts with participants identifiable as data processors.
For the platform (or merchant in case of retail), it is important to accurately identify and inform customers of the existence of other data fiduciaries to mitigate its own risk.
Depending on what rules are notified by the government vis-à-vis notice requirements, this could become cumbersome, and this is where participants will feel the absence of ‘performance of a contract’ as a ground for processing. The European General Data Protection Regulation provides this as a key ground for processing where consent of the data principal is not necessary. The Act leaves this out, making consent the only available ground. The absence of this enablement will be more relevant to participants currently determining purpose of processing but who have no direct nexus with the data principal. These entities may see their sources of customer behavioral information drying up, or coming with significant restrictions from participants who are clearly data fiduciaries.
1. The term ‘controller’ is used in place of ‘data fiduciary’ internationally.