A query was received from a student recently “Whether a Data Fiduciary can also be an Intermediary” under ITA 2000.
I have tried to present the response in the video at Naavi Academy and also provide a brief summary here. The video is available here
Naavi has been advocating Jurisprudence on DPDPA through the DGPSI framework and has indicated that DPDPA compliance is better implemented by recognizing that an organization has multiple processes in which it processes personal data and compliance has to be worked out at the process level instead of the enterprise level. The enterprise level compliance will then emerge as an aggregation of the process level compliance.
As a result in an organization there will be several processes and in some the organization determines the Purpose and Means and in some it may not. Hence an organization could be a data fiduciary in one process, a data processor in another process. In some contexts it may share the responsibility as a data fiduciary with another organization. Thus when we look at the organization as an entity, it has one face as a Data Fiduciary and another face as a Data Processor and yet another face where it is a Joint Data Fiduciary.
This possibility had not been explored by any observers of GDPR law or the DPDPA till now and it is for the first time this has emerged as a thought. This goes well with the “Process Based Compliance Approach” adopted by DGPSI.
At the same time, when we look at ITA 2000 we have a category of data handlers who are recognized as “Intermediaries” and others whom we can call as “Data Users”. The nature of an intermediary is that data is collected from one source and passed on to another destination but does not
(i) initiate the transmission,
(ii) select the receiver of the transmission, and
(iii) select or modify the information contained in the transmission
It is noted that the definition of an Intermediary under Section 2(w) of ITA 2000 clearly restricts it to a message. It defines an “Intermediary” as…
Intermediary with respect to any particular electronic records, means any person…..”
From the above definition of an Intermediary it can be seen that it is defined with reference to a message or a context and not applicable to an entire entity under all types of activities. It is therefore possible for an organization to be an Intermediary in one service and not an intermediary in another service context.
This is similar to the approach of DGPSI which recognizes that in one process an organization may be a Data Fiduciary and not be so in another.
A “Data Fiduciary process” cannot be an “Intermediary process” but a “Data Processor Process” can be an “Intermediary Process”.
Hence we need to shed the concept of “This organization is a Data Fiduciary and another is a Data Processor” or “This organization is an Intermediary and another is not”. We should always make such assertion specific to the context.
This article and video underscores the reason why we call “DGPSI is the Jurisprudence for DPDPA”
Naavi