Recently FDPPI conducted a three day offline course for C.DPO.DA. in Bangalore.
The following are the short feedback from the participants.
We thank all the participants who have recorded their views here.
Naavi
In processing of personal data, it is common for data to be transferred from one entity to another either within the country or across borders. In such cases we identify the entities as either Data Fiduciary or Data Processor based on the definitions in the data protection laws.
For example if the entity determines the purpose and means of processing of personal data, it is called the “Data Fiduciary”. If the entity processes data on behalf of another entity and does not determine the purpose and means of processing, it is called the Data Processor.
DPDPA obligations are for the Data Fiduciary and even the responsibilities of the data processor is boarne by the data fiduciary through a data processing contract. Where there is a sharing of the purpose and means of processing between two entities, they become joint data fiduciaries.
In the event of a personal data breach and two data fiduciaries are involved, the liability may have to be determined based on the cause of the breach.
These requirements and role definitions are for processing of “Personal Data” and does not apply to processing of “Non Personal Data”.
We are aware that Section 72A of ITA 2000 applies when personal data is transferred from one entity to another under a contract and makes the processor liable for any contractual failures leading to compromise of data.
In this background we can discuss a very important jurisprudential issue in the data processing context involving two processors, the second processor is processing “personal data” or “Non Personal data”.
DPDPA considers Personal data as the alienable property of the data principal and the data fiduciary as having certain limited rights of processing of the data. The data elements that are part of the consent are deemed to have been passed on by the data principal to the data fiduciary by transfer of custody.
This part of the data of the principal for the purpose agreed, becomes the licensed property of the data fiduciary. If the entity transfers this custody to another entity for processing, it is as if it is the property of the data fiduciary that gets transferred to the data processor.
It is like a person owning 1000 Sft of land leasing 100 Sft to another person on lease and that person sub leasing it to another person for temporary use and return. The terms of the sub lease has to be within the permitted purposes of the main lease but otherwise it may or may not be necessary for the second lessee to directly recognize the presence of the first owner of the 1000 Sft land.
Similarly the data principal and the data fiduciary has a direct contractual relationship which may either directly or otherwise permit the Data Fiduciary to use a Data Processor. (If not prohibited, it may be a deemed agreement). But when the Data Fiduciary enters into a Data Processing contract with the Processor, it is a business to business transaction and hence the data processor is well within his rights to consider the data as belonging to the data fiduciary.
In this instance, Section 72A of ITA is applicable to the contract. Otherwise the data processor may not even know if the data is real or pseudonymized.
In such data contracts therefore following situations occur.
Data Fiduciary transfers identifiable personal data to the data processor and the data processor uses his proprietary means to process it. In this case, the data processor is in control of the “Means of process” and the data fiduciary can reasonably ask the data processor to be considered as a “Joint Data Fiduciary”. Otherwise he has to put lots of specific conditions such as that the data shall not be given to any other processor, shall be returned after the processing, shall be deleted after the processing etc. along with the power to audit. If he considers the data processor as a joint data fiduciary, there is no need to worry about the contractual terms since DPDPA applies in full to the data processor also.
On the other hand, if the data processor wants to safeguard himself from being held liable under DPDPA, he can insist that the data fiduciary pseudonymize the data and not share identifiable data with him so that he will not be liable as a “Joint Data Fiduciary”.
A parallel situation arises in HIPAA where PHI is transferred from one covered entity to another covered entity. This is considered as a permissible transfer. On the other hand transfer of data from a covered entity to a business associate is subject to contract.
Similarly transfer of personal data from a data fiduciary to another data fiduciary can be considered as a permissible transfer with a simple contract with the admission of the roles and we may call them as “Joint Data Fiduciaries”.
If the data transferred is not “Personally identifiable” because it is pseudonymized, then the transaction is completely out of DPDPA itself. If the pseudonymisation is done by the data fiduciary and the mapping data of real and pseudonymized data is held by hm, in the hands of the data processor, the data is as good as “Anonymised”. As an abundant caution, the contract may state that “The data processor shall not attempt to re-identify the pseudonymized data which will be considered as punishable offence under Section 43, Section 72A of the ITA 2000”.
This is not only applicable to DPDPA and perhaps applies to all other data protection acts including GDPR. perhaps we the professionals have not discussed this adequately and this has been a missing link between the data transfer contracts.
I would welcome the views of the experts….
Naavi
In the annual flagship event of FDPPI, namely the Indian Data Protection Summit 2024 (IDPS 2024) set to be held on November 30 and December 1, 2024 at Bengaluru, FDPPI recognizes those who contribute to Privacy and Data Protection in India.
Yesterday we lost Justice K S. Puttaswamy who had contributed to the rising of the Privacy Consciousness in India leading to the passing of DPDPA 2023. FDPPI had the satisfaction of recognizing him with a title of “Privacy Pitamaha” during our 2023 AGM. Continuing our appreciation of his contribution to the Privacy eco system in India, FDPPI has decided that this year, the “Privacy Advocate of the year Award” would be “Dedicated to the memory of the Privacy Pitamaha, Late Justice Sri K.S.Puttaswamy”.
Nominations will be open upto 10th November 2024 and the nomination form would be available here https://fdppi.iletsolutions.com/idps-2024-award-nominations.
There will also be 4 other categories of awards namely “Privacy Knight”, “Privacy Squad”, Privacy Champion (Organization) and “Privacy Innovator”. Out of these, the Privacy Champion Award would be “Dedicated to the memory of Padma Vibhushan, Late Sri Ratan Tata”.
We hope that these leaders who have left this world will continue to inspire our professionals through these awards.
A query was received from a student recently “Whether a Data Fiduciary can also be an Intermediary” under ITA 2000.
I have tried to present the response in the video at Naavi Academy and also provide a brief summary here. The video is available here
Naavi has been advocating Jurisprudence on DPDPA through the DGPSI framework and has indicated that DPDPA compliance is better implemented by recognizing that an organization has multiple processes in which it processes personal data and compliance has to be worked out at the process level instead of the enterprise level. The enterprise level compliance will then emerge as an aggregation of the process level compliance.
As a result in an organization there will be several processes and in some the organization determines the Purpose and Means and in some it may not. Hence an organization could be a data fiduciary in one process, a data processor in another process. In some contexts it may share the responsibility as a data fiduciary with another organization. Thus when we look at the organization as an entity, it has one face as a Data Fiduciary and another face as a Data Processor and yet another face where it is a Joint Data Fiduciary.
This possibility had not been explored by any observers of GDPR law or the DPDPA till now and it is for the first time this has emerged as a thought. This goes well with the “Process Based Compliance Approach” adopted by DGPSI.
At the same time, when we look at ITA 2000 we have a category of data handlers who are recognized as “Intermediaries” and others whom we can call as “Data Users”. The nature of an intermediary is that data is collected from one source and passed on to another destination but does not
(i) initiate the transmission,
(ii) select the receiver of the transmission, and
(iii) select or modify the information contained in the transmission
It is noted that the definition of an Intermediary under Section 2(w) of ITA 2000 clearly restricts it to a message. It defines an “Intermediary” as…
Intermediary with respect to any particular electronic records, means any person…..”
From the above definition of an Intermediary it can be seen that it is defined with reference to a message or a context and not applicable to an entire entity under all types of activities. It is therefore possible for an organization to be an Intermediary in one service and not an intermediary in another service context.
This is similar to the approach of DGPSI which recognizes that in one process an organization may be a Data Fiduciary and not be so in another.
A “Data Fiduciary process” cannot be an “Intermediary process” but a “Data Processor Process” can be an “Intermediary Process”.
Hence we need to shed the concept of “This organization is a Data Fiduciary and another is a Data Processor” or “This organization is an Intermediary and another is not”. We should always make such assertion specific to the context.
This article and video underscores the reason why we call “DGPSI is the Jurisprudence for DPDPA”
Naavi
We announced the formation of Naavi Academy a few days back as a channel of educative content through video blogging as a supplement to Naavi.org. While the system of publication of the blog is being finalized, we present the first set of Videos here.
