Recently FDPPI conducted a three day offline course for C.DPO.DA. in Bangalore.
The following are the short feedback from the participants.
We thank all the participants who have recorded their views here.
Naavi
In processing of personal data, it is common for data to be transferred from one entity to another either within the country or across borders. In such cases we identify the entities as either Data Fiduciary or Data Processor based on the definitions in the data protection laws.
For example if the entity determines the purpose and means of processing of personal data, it is called the “Data Fiduciary”. If the entity processes data on behalf of another entity and does not determine the purpose and means of processing, it is called the Data Processor.
DPDPA obligations are for the Data Fiduciary and even the responsibilities of the data processor is boarne by the data fiduciary through a data processing contract. Where there is a sharing of the purpose and means of processing between two entities, they become joint data fiduciaries.
In the event of a personal data breach and two data fiduciaries are involved, the liability may have to be determined based on the cause of the breach.
These requirements and role definitions are for processing of “Personal Data” and does not apply to processing of “Non Personal Data”.
We are aware that Section 72A of ITA 2000 applies when personal data is transferred from one entity to another under a contract and makes the processor liable for any contractual failures leading to compromise of data.
In this background we can discuss a very important jurisprudential issue in the data processing context involving two processors, the second processor is processing “personal data” or “Non Personal data”.
DPDPA considers Personal data as the alienable property of the data principal and the data fiduciary as having certain limited rights of processing of the data. The data elements that are part of the consent are deemed to have been passed on by the data principal to the data fiduciary by transfer of custody.
This part of the data of the principal for the purpose agreed, becomes the licensed property of the data fiduciary. If the entity transfers this custody to another entity for processing, it is as if it is the property of the data fiduciary that gets transferred to the data processor.
It is like a person owning 1000 Sft of land leasing 100 Sft to another person on lease and that person sub leasing it to another person for temporary use and return. The terms of the sub lease has to be within the permitted purposes of the main lease but otherwise it may or may not be necessary for the second lessee to directly recognize the presence of the first owner of the 1000 Sft land.
Similarly the data principal and the data fiduciary has a direct contractual relationship which may either directly or otherwise permit the Data Fiduciary to use a Data Processor. (If not prohibited, it may be a deemed agreement). But when the Data Fiduciary enters into a Data Processing contract with the Processor, it is a business to business transaction and hence the data processor is well within his rights to consider the data as belonging to the data fiduciary.
In this instance, Section 72A of ITA is applicable to the contract. Otherwise the data processor may not even know if the data is real or pseudonymized.
In such data contracts therefore following situations occur.
Data Fiduciary transfers identifiable personal data to the data processor and the data processor uses his proprietary means to process it. In this case, the data processor is in control of the “Means of process” and the data fiduciary can reasonably ask the data processor to be considered as a “Joint Data Fiduciary”. Otherwise he has to put lots of specific conditions such as that the data shall not be given to any other processor, shall be returned after the processing, shall be deleted after the processing etc. along with the power to audit. If he considers the data processor as a joint data fiduciary, there is no need to worry about the contractual terms since DPDPA applies in full to the data processor also.
On the other hand, if the data processor wants to safeguard himself from being held liable under DPDPA, he can insist that the data fiduciary pseudonymize the data and not share identifiable data with him so that he will not be liable as a “Joint Data Fiduciary”.
A parallel situation arises in HIPAA where PHI is transferred from one covered entity to another covered entity. This is considered as a permissible transfer. On the other hand transfer of data from a covered entity to a business associate is subject to contract.
Similarly transfer of personal data from a data fiduciary to another data fiduciary can be considered as a permissible transfer with a simple contract with the admission of the roles and we may call them as “Joint Data Fiduciaries”.
If the data transferred is not “Personally identifiable” because it is pseudonymized, then the transaction is completely out of DPDPA itself. If the pseudonymisation is done by the data fiduciary and the mapping data of real and pseudonymized data is held by hm, in the hands of the data processor, the data is as good as “Anonymised”. As an abundant caution, the contract may state that “The data processor shall not attempt to re-identify the pseudonymized data which will be considered as punishable offence under Section 43, Section 72A of the ITA 2000”.
This is not only applicable to DPDPA and perhaps applies to all other data protection acts including GDPR. perhaps we the professionals have not discussed this adequately and this has been a missing link between the data transfer contracts.
I would welcome the views of the experts….
Naavi
In the annual flagship event of FDPPI, namely the Indian Data Protection Summit 2024 (IDPS 2024) set to be held on November 30 and December 1, 2024 at Bengaluru, FDPPI recognizes those who contribute to Privacy and Data Protection in India.
Yesterday we lost Justice K S. Puttaswamy who had contributed to the rising of the Privacy Consciousness in India leading to the passing of DPDPA 2023. FDPPI had the satisfaction of recognizing him with a title of “Privacy Pitamaha” during our 2023 AGM. Continuing our appreciation of his contribution to the Privacy eco system in India, FDPPI has decided that this year, the “Privacy Advocate of the year Award” would be “Dedicated to the memory of the Privacy Pitamaha, Late Justice Sri K.S.Puttaswamy”.
Nominations will be open upto 10th November 2024 and the nomination form would be available here https://fdppi.iletsolutions.com/idps-2024-award-nominations.
There will also be 4 other categories of awards namely “Privacy Knight”, “Privacy Squad”, Privacy Champion (Organization) and “Privacy Innovator”. Out of these, the Privacy Champion Award would be “Dedicated to the memory of Padma Vibhushan, Late Sri Ratan Tata”.
We hope that these leaders who have left this world will continue to inspire our professionals through these awards.
A query was received from a student recently “Whether a Data Fiduciary can also be an Intermediary” under ITA 2000.
I have tried to present the response in the video at Naavi Academy and also provide a brief summary here. The video is available here
Naavi has been advocating Jurisprudence on DPDPA through the DGPSI framework and has indicated that DPDPA compliance is better implemented by recognizing that an organization has multiple processes in which it processes personal data and compliance has to be worked out at the process level instead of the enterprise level. The enterprise level compliance will then emerge as an aggregation of the process level compliance.
As a result in an organization there will be several processes and in some the organization determines the Purpose and Means and in some it may not. Hence an organization could be a data fiduciary in one process, a data processor in another process. In some contexts it may share the responsibility as a data fiduciary with another organization. Thus when we look at the organization as an entity, it has one face as a Data Fiduciary and another face as a Data Processor and yet another face where it is a Joint Data Fiduciary.
This possibility had not been explored by any observers of GDPR law or the DPDPA till now and it is for the first time this has emerged as a thought. This goes well with the “Process Based Compliance Approach” adopted by DGPSI.
At the same time, when we look at ITA 2000 we have a category of data handlers who are recognized as “Intermediaries” and others whom we can call as “Data Users”. The nature of an intermediary is that data is collected from one source and passed on to another destination but does not
(i) initiate the transmission,
(ii) select the receiver of the transmission, and
(iii) select or modify the information contained in the transmission
It is noted that the definition of an Intermediary under Section 2(w) of ITA 2000 clearly restricts it to a message. It defines an “Intermediary” as…
Intermediary with respect to any particular electronic records, means any person…..”
From the above definition of an Intermediary it can be seen that it is defined with reference to a message or a context and not applicable to an entire entity under all types of activities. It is therefore possible for an organization to be an Intermediary in one service and not an intermediary in another service context.
This is similar to the approach of DGPSI which recognizes that in one process an organization may be a Data Fiduciary and not be so in another.
A “Data Fiduciary process” cannot be an “Intermediary process” but a “Data Processor Process” can be an “Intermediary Process”.
Hence we need to shed the concept of “This organization is a Data Fiduciary and another is a Data Processor” or “This organization is an Intermediary and another is not”. We should always make such assertion specific to the context.
This article and video underscores the reason why we call “DGPSI is the Jurisprudence for DPDPA”
Naavi
We announced the formation of Naavi Academy a few days back as a channel of educative content through video blogging as a supplement to Naavi.org. While the system of publication of the blog is being finalized, we present the first set of Videos here.
In the DPDPA implementation, we have been discussing he requirement of determining the “Age” of a data principal to identify if he is a minor or not. Without identification of the age, the obligations of DPDPA towards a “Minor” cannot be fulfiled.
At the same time, there is a need to develop a mechanism by which one can identify the class of data principals to which Section 9 of DPDPA is applicable (Minors and Disabled Persons). In the case of a minor the consent has to be provided by the guardian who may be either a natural guardian or a legal guardian. In case of the disabled persons, it is the legal guardian who has to provide the consent.
The “Legal Guardian” is always a product of the decision of the Court and unless the Courts create a system of publishing a data base of “Legal Guardians” approved by different Courts, there is no way for a Data fiduciary to know if a person is disabled or not. A request for this has been sent by FDPPI to CJI and some time in future it may see the light of the day.
As regards the Natural Guardian, law has its own uncertainty since there may be many single parents and divorced parents where the natural guardian cannot be determined by just identifying the father or mother.
It is the duty of the Government and the Judiciary to find a proper mechanism to identify the age of a data principal if they are serious about protecting the privacy of a minor. At present Data Fiduciaries simply accept a “Self Declaration” from the data principal that he/she is not a minor and proceed to provide services meant for adults. This is not an effective system for protection of privacy of minors without a verification of the declaration. We therefore need a mechanism for such verification.
At DGPSI, we need to identify a suitable mechanism for organizations to identify the age of a data principal. We have in the past discussed this in these columns and recommended the use of Aaadhar as an instrument for not only creating a “Age Pass” but also to verify the “Guardian of a minor”. (Refer article titled “Is there no solution for Age Gating?)
In this context we need to discuss the recent Supreme Court judgement in the case Saroj & Ors vs IFFCO-TOKIO General Insurance Co & Ors
An article titled “Aadhaar Card Not Suitable as proof of date of Birth: Supreme Court” was published in Live Law yesterday explaining this judgement.
We however would like to point out that the article with the above headline may not reflect the issue in the right context of “Age-Gating” for Privacy regulation and need to be read in the given context.
The context in which the Supreme Court decided in this appeal was that the insurance company had sought a reduction of compensation based on the age of the deceased in the Aadhaar Card vs the Age of the deceased as per a school leaving certificate. There were two age documents available and there was a conflict. The choice of the reference document would have materially altered the compensation payable to a victim of an accident which had taken away the life of a bread winner in the family.
We trust that the decision of the Court has to be viewed in this context.
It is also true that as observed by the Court, the purpose of Aadhaar was to establish the identity of the individual and the noting of the Date of Birth is only incidental.
However it is to be noted that Aadhaar is still the best Government document that can establish the identity of a person. The Adhaar card issued to a minor also records the name of the guardian. Short of a Court order, this is therefore the best document of proof of the age of a minor and the name of the guardian.
The documents which are collected for Aadhaar enrolment are available here and indicate the documents which are used for age verification.
The enrolment documents include the Birth Certificate, Passport, Certificate issued by an Orphanage, School Leaving Certificate, Service Identity Card, Pensioner’s Card, Transgender certificate.
The Aadhaar document therefore is not an adhoc self declaration of date of birth and is based on documentation. The subject Supreme Court judgement was a case where there were conflicting dates in different authentic documents and the Court had to prioritize one over the other. In the context they chose to chose the school leaving certificate ahead of the Aadhar.
DGPSI which is defining the Jurisprudence related to the DPDPA therefore does not suggest dropping of the Aadhar based age determining process for determination of a minor for the purpose of obtaining the consent from the parent.
We remember that when Supreme Court in the Afzal Guru case had held that Section 65B certificate for digital evidence as “Not Mandatory”, Naavi had disagreed with the Court and held to his view that Section 65B Certificate for admissibility of digital evidence was mandatory. It took several more years and the Judgement of PV Anwar Vs P K Basheer to correct the decision. Even subsequently, when Shafi Mohammed judgement appeared to disagree with our view, we held onto the view until it was validated in the Arjun Pandit Rao case. Now IEA has been replaced with Bharatiya Nyaaya Samhita and the jurisprudence that “Section 63 Certificate is mandatory for admissibility of digital evidence” holds, though the form of Certification has changed a little.
Similarly we hold onto our view on Age Verification for DPDPA purpose that an Aadhaar based system is acceptable as a “Reasonable Measure” for the Data Fiduciary to verify the Age. In every case it is not feasible for a Data Fiduciary to be a Court and ask for multiple age proof document and verify the same. Probably a Consent Manager can do it and the case of a specialized consent manager for minors is made out.
At FDPPI, we can state that the data principal can provide any one of the following documents as age of proof namely
We would also like to add PAN Card and Driving License to the above list. Obviously a court order would also have to be accommodated in this accepted document list. However, these documents may not be as easily verifiable as the Aadhar data and hence Aadhaar remains the preferred reference tool.
As we have discussed earlier, the verification of age is not only a requirement for a person who has already declared himself as a minor so that we donot want anonymous malicious adults in minor community. For this purpose, we need to apply age verification to all data principals as a general rule of entry. Verification of who is the guardian is a more complicated exercise and at present Aadhar is the only document (other than a court order) that has this data. PAN card of a minor may also have this information but they may not be as many minor PAN cards as there are minor Aadhar cards.
To summarize, we may say that the Supreme Court judgement cited above is not a bar on use of Aadhar for the purpose of age verification in the DPDPA compliance and can be one of the several ways by which the data fiduciary may satisfy himself about the status of a data principal as a minor or not a minor.
Naavi
