Much has been said about who will be affected by the Personal Data Protection Bill. This post provides an overview of the key stakeholders involved in the processing of personal data under the Bill and analyses the dynamics between them.
1. Existing framework: Any body corporate, or any person acting on its behalf, that is engaged in collecting, receiving, storing or otherwise dealing with personal information must comply with the processing requirements under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data) Rules (IT Rules). "Body corporate" includes all kinds of incorporated or unincorporated legal entities, such as a company, limited liability partnership, firm, sole proprietorship or association of individuals engaged in commercial or professional activities. The person who processes personal information on behalf of such a body corporate is commonly referred to as a processor, and can be a legal or natural person. Further, the IT Rules apply only where the personal information relates to a natural person. While government agencies collect and process personal information, they are outside the purview of the IT Rules.
Thus, the existing framework involves three actors –
(i) private body corporates requiring processing of personal information,
(ii) any legal or natural person performing such processing, and
(iii) the natural person whose personal information is being processed.
2. Stakeholders under the Bill: The Bill contemplates three key players –
(i) data principal,
(ii) data fiduciary and
(iii) data processor.
• Data principal means the natural person to whom the personal data relates. The data principal is the central actor in the data processing chain. The Bill prescribes processing obligations bearing in mind the data principal’s right to informational privacy and her autonomy to decide the extent of processing. For instance, the Bill prohibits processing without prior, free, informed, specific and clear consent from the data principal. Similarly, the data principal has various rights vis-à-vis her personal data, such as the right to withdraw consent, to seek confirmation of and access to the personal data processed, to have it corrected, and to port it from one platform to another.
The concept is akin to “data subject” under the EU General Data Protection Regulation. However, unlike EU law, which categorically excludes deceased persons from the scope of data subjects, the Bill does not clarify whether a deceased person is covered as a data principal. Without such clarification, the term may cover deceased persons as well.
• Data fiduciary is any person who, alone or in conjunction with others (i.e. as a joint controller), determines the purpose and means of processing. It will include government bodies, all private and public entities, as well as individuals. For instance, suppose a travel company uses Google Analytics to understand customer preferences and website traffic, and accordingly shares customer data with Google. While the actual processing is performed by Google, the purpose and means are determined by the company. Accordingly, the company will qualify as a data fiduciary under the Bill.
The concept is wider than “controller” under the EU General Data Protection Regulation. This is because the Bill uses the term “fiduciary” and thereby seeks to create a relationship of trust between the data principal and the data fiduciary. This can imply that the fiduciary must process personal data fairly, for purposes that are reasonably foreseeable, and only in the data principal’s best interests. But the exact scope of fiduciary duties cannot be confined in a strait-jacket, and consequently each case will be decided on its specific facts.
The data fiduciary is primarily responsible for ensuring that processing complies with the principles and requirements under the Bill. Amongst various obligations, the fiduciary is required to obtain consent from the data principal, facilitate the exercise of the data principal’s rights, and promptly act on and notify data breach incidents. Any penalty for default under the Bill is also attributed to the data fiduciary.
Additionally, the Data Protection Authority can notify certain kinds of fiduciaries as “significant” data fiduciaries. To determine this, the Authority will consider factors such as the volume and sensitivity of personal data, turnover, the potential harm that may ensue from processing, and the technology deployed. Once a fiduciary is recognised as significant, it will be required to register with the Authority and may be obligated to comply with additional requirements relating to data audits, appointment of a data protection officer, conducting data protection impact assessments and maintaining processing records.
• Data processor means any person who processes personal data for and on behalf of the data fiduciary. A processor can be the government, any private or public entity, or an individual. This is similar to “processor” under the EU General Data Protection Regulation. For example, in the illustration above, Google, in providing analytics services to the travel company, will act as a data processor.
The processor must comply with fair processing principles, maintain the confidentiality of personal data, and process strictly in accordance with the data fiduciary’s instructions. A data processor can be engaged only through a valid contract, and where the processor wants to involve a sub-processor, prior consent must be obtained from the fiduciary. Liability and penalties can be imposed on a data processor if it breaches processor-specific obligations under the contract or any specific order issued by the Data Protection Authority.
• Analysis: The data lifecycle, from collection to destruction, involves multiple parties performing different processing activities. More often than not, the fiduciary will work alongside the processor and rely heavily on its technical competence to determine the means of processing. The Bill in its current form seeks to impose obligations and liabilities on fiduciaries. For instance, the Bill imposes a penalty of up to INR 150 million or 4% of worldwide turnover (whichever is higher) on data fiduciaries for failure to adhere to security safeguards. In reality, processors are equally responsible for implementing security measures. Yet processors have limited liability under the Bill: as long as they fulfil their contractual terms, it will be difficult to impose penalties or seek compensation for non-compliance or breach. Additionally, where a processor has breached the contract, the data fiduciary will have to substantiate its loss to claim damages and indemnification, which is a tedious process. In light of this, it appears that processors may have limited accountability irrespective of their actual involvement in processing.
On the other hand, to safeguard themselves, fiduciaries may impose unreasonable contractual terms that are difficult to adhere to or that substantially increase costs for processors. To address these concerns, the EU General Data Protection Regulation provides for fundamental processing obligations that apply equally to processors and controllers, detailed guidance on mandatory contractual terms, and principles for fixing liability. Factoring in the inter se dependencies between fiduciaries and processors, it is worthwhile for similar aspects to be provided for under the Bill, failing which the objective of achieving transparency throughout the processing cycle may remain far-fetched.