Risk Management for DPDPA Compliance and Duty of a Data Processor

Abstract: This note discusses why Privacy by Design fails and why Compliance by Design is a better option to pursue, why the duties of a Data Processor need to be recognized, and what a suggested “Responsible Data Processor clause” could look like.

Privacy By Design Vs Compliance by Design

Since the days of GDPR, we have been using the terms “Privacy By Design” implying that the objective of GDPR is to protect “Privacy” of an individual.

However, “Privacy” is a concept not fully defined. It is primarily the freedom of an individual to keep his “State of Mind” free from external influence. This “State of Mind” is dynamic and is not amenable to legislation unless, at each step of interaction with an individual, a third party checks “Is this fine with your current state of mind?”, “How do I recognize when you change your mind?” etc.

“Design” pre-supposes a base structure for “Privacy”, and if “Privacy Risk” is indeterminable, “Privacy by Design” is not feasible except as a safety template.

Recognizing this fundamental hurdle, the DGPSI framework adopted “Compliance by Design” as an objective. Being “Compliant” with the law ensures that the “Risk” associated with penalties is “Mitigated”.

Hence DPDPA Compliance is an exercise of “Non-Compliance Risk Mitigation”.

The Non-Compliance Risk may arise due to Governance failures, Technology failures or Human failures. Governance can be defined, Technology can be designed and humans can be trained. These are the measures that can be considered as the basic level of Risk Mitigation.

However, human training has to be raised from the level of mere “Awareness” building to “Self Motivation to build a culture of Respect for Privacy”. Governance should be elevated from introducing lengthy policies to designing practical, implementable procedures for management. Similarly, the “Technology element” has to take into account the unpredictability of technology risks.

In the AI scenario, the “Unpredictable” AI-Risks are today creating a new difficulty that makes “Compliance by Design” itself a challenge.

Ever since the rise of GUI-based software like Windows, computerization has been growing in business circles with the belief that a user need not be a technology expert. Similarly, the use of AI-based software should be free from the necessity of the user knowing how the AI functions.

It is for this reason that DGPSI-AI believes that the fundamental principles of AI Governance, such as Bias prevention, are like bugs to be fixed by the AI developers. It is the duty of the AI developer to ensure that the AI does not generate false outputs, whether because the algorithm itself or its learning data is faulty. The needs for “Explainability”, “Transparency” and “Accountability” are derivatives of the need for the AI to be free from error in its decision output.

Hence DGPSI-AI, focusing on “Compliance by Design” by the AI Deployer (who is a Data Fiduciary), expects all AI Risks to be absorbed by the AI vendor/Licensor/Developer.

Currently, this is sought to be achieved through a “Contractual Commitment”.

“Duty” is the essence of DPDPA

DPDPA is unique as a law since, while balancing Rights and Duties, it lays a strong emphasis on the principle of “Duties”. The Data Fiduciary is bound by a “Duty” not only as a Trustee of the Data Principal but also as a custodian of the lawfulness of processing of personal data.

Section 4 of the Act, specifying that a person may process personal data only for a lawful purpose, extends to laws outside DPDPA. Though this applies to the definition of “Lawful purpose”, which is limited to what is not expressly forbidden by law, the simultaneous operation of ITA 2000 extends the responsibility to “Prevention of harm to the society”. The “Due Diligence” aspect of ITA 2000, the lack of which will lead to the recognition of an “Offence” or “Civil Wrong”, brings in a concept of “Duty to the society”.

The Data Principal himself is also expected to follow certain “Duties” under Section 15 of the DPDPA 2023 itself. One of the duties cast upon the Data Principal under this section is to be compliant with the provisions of all applicable laws while exercising rights under DPDPA 2023.

Thus, both the Data Fiduciary and the Data Principal carry the burden of a “Duty”. A “Joint Data Fiduciary”, who in conjunction with another entity determines the purpose and means of processing, being a Data Fiduciary, is also bound by the duty within the scope of his operation. The Consent Manager, who is also a Data Fiduciary, is bound by his duties.

In this context it has become necessary for us to raise the question of whether a “Data Processor” is also bound by some “Duty” of his own. There are two types of Data Processors whom we come across in the DPDPA scenario: the “Back End Data Processor” and the “Front End Data Processor”.

The “Front end data processor” interacts with the Data Principals on behalf of the Data Fiduciary. Most of them would be “Joint Data Fiduciaries”, but it is technically feasible for them to also be “Data Principals”. The Back end data processors are “Undisclosed agents” (unless the Privacy Notice specifically discloses their presence) who have influence on the outcome of processing but hide behind the Data Fiduciary. The “Duties” of these types of Data Processors need to be clarified for compliance purposes.

DPDPA 2023 does not seem to directly impose a “Duty” on the Data Processor. However, the definition of “Data Processor” is analogous to an “Agent” of a Data Fiduciary.

It is time we analyze the Indian Contract Act and study the law of agency in greater detail to determine the liabilities of an agent (Data Processor) towards meeting the duties cast on the Principal (Data Fiduciary).

The Agent owes one set of duties to the Principal, such as “to follow instructions of the principal as per the contract”, “to conduct his activities with reasonable skill and diligence” etc.

At the same time the Principal has a duty to the Agent such as “Indemnifying the agent against lawful acts done in exercise of the authority done in good faith”.

When we look at the liability of an agent towards a third party, the concept of a “Disclosed” or “Undisclosed” agent takes effect (applicable to the Front end data processor). In the case of an agent who has disclosed his representative role, the Principal (Data Fiduciary) is liable to the third party (Data Principal). If the agent acts as an “Undisclosed Agent”, the third party may have recourse to the agent also.

Such an agent can be the Data Processor or even the AI used by the Data Fiduciary or the Data Processor. This concept can be applied to the Data Processor when the processing contract involves an interaction with the third party.

When an AI makes a decision and communicates it to the Data Principal, the recourse of the Data Principal is against the Data Fiduciary as the disclosed party, and also against the “Person who caused the AI system to behave in a particular manner” (refer Section 11 of ITA 2000). Such a person is primarily the Data Fiduciary himself, or the Data Processor if the AI is used by the Data Processor.

But if the AI usage is bound by a software contract and the developer/Licensor of the AI has retained his own control over the code and functioning of the software, we may draw him into the liability chain.

Managing Risk Through a Model Contractual Clause

Hence the Data Fiduciary-Data Processor contract assumes importance to determine the liability of the Data Processor.

The contract may make a statement such as:

“The Data Processor shall be bound by the duties cast on the Data Fiduciary as per DPDPA read with Information Technology Act 2000, which includes processing of personal data in a lawful manner, in compliance with all applicable laws and with due diligence and reasonable security practices.”

This clause can be called the “Responsible Data Processor Clause” and is recommended for incorporation in all Data Processor contracts.

Since the Data Processor has the power to negotiate a contract where such responsibility may be refused, it is suggested that MeitY, through its recommendations, re-iterate the link between the Indian Contract Act and the DPDPA and ensure that Data Processors are not allowed to walk away without responsibility. Until such time, the above Responsible Data Processor clause may be used in contracts.

(Comments welcome)

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.