Is this the Missing Link in Data Protection Jurisprudence?

Posted on October 30, 2024 by Vijayashankar Na

In processing of personal data, it is common for data to be transferred from one entity to another either within the country or across borders. In such cases we identify the entities as either Data Fiduciary or Data Processor based on the definitions in the data protection laws.

For example if the entity determines the purpose and means of processing of personal data, it is called the “Data Fiduciary”. If the entity processes data on behalf of another entity and does not determine the purpose and means of processing, it is called the Data Processor.

DPDPA obligations are for the Data Fiduciary and even the responsibilities of the data processor is boarne by the data fiduciary through a data processing contract. Where there is a sharing of the purpose and means of processing between two entities, they become joint data fiduciaries.

In the event of a personal data breach and two data fiduciaries are involved, the liability may have to be determined based on the cause of the breach.

These requirements and role definitions are for processing of “Personal Data” and does not apply to processing of “Non Personal Data”.

We are aware that Section 72A of ITA 2000 applies when personal data is transferred from one entity to another under a contract and makes the processor liable for any contractual failures leading to compromise of data.

In this background we can discuss a very important jurisprudential issue in the data processing context involving two processors, the second processor is processing “personal data” or “Non Personal data”.

DPDPA considers Personal data as the alienable property of the data principal and the data fiduciary as having certain limited rights of processing of the data. The data elements that are part of the consent are deemed to have been passed on by the data principal to the data fiduciary by transfer of custody.

This part of the data of the principal for the purpose agreed, becomes the licensed property of the data fiduciary. If the entity transfers this custody to another entity for processing, it is as if it is the property of the data fiduciary that gets transferred to the data processor.

It is like a person owning 1000 Sft of land leasing 100 Sft to another person on lease and that person sub leasing it to another person for temporary use and return. The terms of the sub lease has to be within the permitted purposes of the main lease but otherwise it may or may not be necessary for the second lessee to directly recognize the presence of the first owner of the 1000 Sft land.

Similarly the data principal and the data fiduciary has a direct contractual relationship which may either directly or otherwise permit the Data Fiduciary to use a Data Processor. (If not prohibited, it may be a deemed agreement). But when the Data Fiduciary enters into a Data Processing contract with the Processor, it is a business to business transaction and hence the data processor is well within his rights to consider the data as belonging to the data fiduciary.

In this instance, Section 72A of ITA is applicable to the contract. Otherwise the data processor may not even know if the data is real or pseudonymized.

In such data contracts therefore following situations occur.

Data Fiduciary transfers identifiable personal data to the data processor and the data processor uses his proprietary means to process it. In this case, the data processor is in control of the “Means of process” and the data fiduciary can reasonably ask the data processor to be considered as a “Joint Data Fiduciary”. Otherwise he has to put lots of specific conditions such as that the data shall not be given to any other processor, shall be returned after the processing, shall be deleted after the processing etc. along with the power to audit. If he considers the data processor as a joint data fiduciary, there is no need to worry about the contractual terms since DPDPA applies in full to the data processor also.

On the other hand, if the data processor wants to safeguard himself from being held liable under DPDPA, he can insist that the data fiduciary pseudonymize the data and not share identifiable data with him so that he will not be liable as a “Joint Data Fiduciary”.

A parallel situation arises in HIPAA where PHI is transferred from one covered entity to another covered entity. This is considered as a permissible transfer. On the other hand transfer of data from a covered entity to a business associate is subject to contract.

Similarly transfer of personal data from a data fiduciary to another data fiduciary can be considered as a permissible transfer with a simple contract with the admission of the roles and we may call them as “Joint Data Fiduciaries”.

If the data transferred is not “Personally identifiable” because it is pseudonymized, then the transaction is completely out of DPDPA itself. If the pseudonymisation is done by the data fiduciary and the mapping data of real and pseudonymized data is held by hm, in the hands of the data processor, the data is as good as “Anonymised”. As an abundant caution, the contract may state that “The data processor shall not attempt to re-identify the pseudonymized data which will be considered as punishable offence under Section 43, Section 72A of the ITA 2000”.

This is not only applicable to DPDPA and perhaps applies to all other data protection acts including GDPR. perhaps we the professionals have not discussed this adequately and this has been a missing link between the data transfer contracts.

I would welcome the views of the experts….

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.