DATA FIDUCIARY UNDER THE DIGITAL PERSONAL DATA PROTECTION BILL 2022
There is no specific legislation dealing with data protection in India. Currently, the two Indian statutes that touch upon data protection are the Information Technology Act, 2000 and the Indian Contract Act, 1872.
In 2011, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 were introduced, specifying minimum standards for the protection of sensitive personal data. These rules mandated that companies must have a privacy policy, obtain consent when collecting or transferring sensitive personal data or information, and inform individuals about the recipients of such data.
The Honourable Supreme Court recognised the importance of data protection in the case of Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors. [(2017) 10 SCC 1] in 2018. It was affirmed that “privacy” is intrinsic to the right to life and liberty guaranteed by Article 21 of the Constitution of India, making the “right to privacy” a fundamental right. Thereafter, the Draft Personal Data Protection Bill was prepared by the Justice Srikrishna Committee in 2018, and the Personal Data Protection Bill, 2019 was introduced in the Rajya Sabha. It was eventually withdrawn after many deliberations and discussions. Consequently, the Ministry of Electronics and Information Technology released the Digital Personal Data Protection Bill, 2022 (“DPDP 2022”) on November 18, 2022. While the DPDP 2022 has its own set of pros and cons, which have been discussed widely over the past few months, this article focusses on the role and obligations of a data fiduciary under the DPDP 2022.
DATA FIDUCIARY
As per section 2(5) of the DPDP 2022, a data fiduciary is any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data (“Data Fiduciary”). In layman’s terms, a Data Fiduciary is someone who decides why and how another party’s personal data is processed.
A ‘person’ as mentioned above includes an individual, a HUF, a company, a firm, an association of persons or a body of individuals (whether incorporated or not), the State and every artificial juristic person.
KEY TERMS
To understand the obligations of a Data Fiduciary, it is pertinent to understand some key terms as provided in the DPDP 2022:
1. Automated
As per section 2(1) of the DPDP 2022, ‘automated’ means any digital process capable of operating automatically in response to instructions given or otherwise for the purpose of processing data.
2. Consent Manager
As per the proviso to section 7(6) of the DPDP 2022, a ‘consent manager’ is a Data Fiduciary which enables a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.
3. Data
As per section 2(4) of the DPDP 2022, ‘data’ is defined as a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means.
4. Data Principal
As per section 2(6) of the DPDP 2022, ‘data principal’ is defined as the individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child.
5. Data Processor
As per section 2(7) of the DPDP 2022, ‘data processor’ means any person who processes personal data on behalf of a Data Fiduciary.
6. Data Protection Officer
As per section 2(8) of the DPDP 2022, ‘data protection officer’ means an individual appointed as such by a Significant Data Fiduciary under the provisions of the DPDP 2022.
7. Data Protection Impact Assessment
As per the proviso to section 11(2) of the DPDP 2022, ‘data protection impact assessment’ means a process comprising description, purpose, assessment of harm, measures for managing risk of harm and such other matters with respect to processing of personal data, as may be prescribed under the DPDP 2022 or any rules made thereunder.
8. Lawful Purpose
As per the proviso to section 5 of the DPDP 2022, ‘lawful purpose’ means any purpose which is not expressly forbidden by law.
9. Personal Data
As per section 2(13) of the DPDP 2022, ‘personal data’ means any data about an individual who is identifiable by or in relation to such data.
10. Personal Data Breach
As per section 2(14) of the DPDP 2022, ‘personal data breach’ means any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.
11. Processing
As per section 2(16) of the DPDP 2022, ‘processing’ in relation to personal data means an automated operation or set of operations performed on digital personal data, and may include operations such as collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.
GROUNDS FOR PROCESSING DIGITAL PERSONAL DATA
A person may process the personal data of a Data Principal only in accordance with the provisions of the DPDP 2022 and rules made thereunder for a lawful purpose for which the Data Principal has given or is deemed to have given his/her consent.
OBLIGATIONS OF A DATA FIDUCIARY
The general obligations of a Data Fiduciary under the DPDP 2022 are as follows:
1. Ensuring compliance with the DPDP 2022 in respect of any processing undertaken by it, or on its behalf by a Data Processor or another Data Fiduciary.
2. Ensuring that the personal data processed is accurate and complete.
3. Implementing technical and organisational measures to ensure effective adherence to the DPDP 2022, and taking reasonable steps to ensure the security of the personal data.
4. Informing the data protection board set up by the Central Government, and each affected Data Principal, in the event of a personal data breach, in the form and manner prescribed by the DPDP 2022.
5. Ceasing to retain, and removing, personal data collected from Data Principals once it is clear that retention of the data no longer serves its initial purpose.
6. Publishing the business contact information of a Data Protection Officer, if applicable.
7. Maintaining an effective procedure and mechanism to redress the grievances of Data Principals.
8. Sharing, transferring or transmitting the personal data of a Data Principal to any other Data Fiduciary, or engaging, appointing, using or involving a Data Processor to process personal data on its behalf, only with the consent of the Data Principal and under a valid contract. Such a Data Processor may, if permitted under its contract with the Data Fiduciary, further engage, appoint, use or involve another Data Processor in processing personal data, again only under a valid contract.
9. Before processing any personal data of a child, obtaining verifiable parental consent, and not processing data in a manner that is likely to cause harm to a child, or undertaking tracking or behavioural monitoring of a child for any sort of targeted advertising.
SIGNIFICANT DATA FIDUCIARY
A Significant Data Fiduciary is a Data Fiduciary that is in possession of high volumes of personal data and has been designated as a Significant Data Fiduciary by the Central Government on the basis of the following factors:
• the volume and sensitivity of personal data processed;
• risk of harm to the Data Principal;
• potential impact on the sovereignty and integrity of India;
• risk to electoral democracy;
• security of the State;
• public order; and
• such other factors as it may consider necessary.
In addition to the general obligations of a Data Fiduciary, a Significant Data Fiduciary has the following obligations:
• Appointing a Data Protection Officer who represents the Significant Data Fiduciary and is based in India. The Data Protection Officer shall be an individual responsible to the board of directors of the entity or similar governing body of the Significant Data Fiduciary.
• Appointing an independent data auditor to evaluate the compliance of the Significant Data Fiduciary; and
• Undertaking such other measures including data protection impact assessment and periodic audit to achieve the objectives of the DPDP 2022.
CONSENT UNDER DPDP 2022
The DPDP 2022 requires Data Fiduciaries to obtain consent from Data Principals prior to processing their Personal Data. This is to be done through an itemised notice containing a description of the Personal Data being collected, along with the purpose of processing. Further, the request for consent must be in clear and plain language. However, the DPDP 2022 does not discuss any requirement for specific consent for individual processing activities, whereas earlier draft bills had proposed separate consents for the processing of sensitive personal data for individual purposes.
The DPDP 2022 also introduces the concept of deemed consent, which enables processing of Personal Data without explicit consent. Examples include cases where it is reasonably expected that the Data Principal would provide such Personal Data, processing for the purposes of employment (such as biometrics), and processing in the public interest (such as debt recovery, mergers and acquisitions, and prevention of fraud). This is a departure from the position under previous draft bills and a welcome change.
CONCLUSION
It now remains to be seen whether the DPDP 2022 is passed and becomes law. The proof of the pudding will be in the implementation of this legislation and in how the role of Data Fiduciaries evolves.
Disclaimer – The views expressed in this article are the personal views of the authors and are purely informative in nature.