When the rules under the DPDPA 2023 are notified, one of the aspects the industry is most looking forward to is the notification under Section 10(1) on the identification of a Significant Data Fiduciary.
The “Data Fiduciary” (DF) is an entity that determines the purpose and means of processing of personal data, as distinguished from the “Data Processor”, which processes the personal data on the instructions of another entity that determines the purpose and means.
There are some instances when one organization determines the purpose and then engages another organization which has full control over the means of processing for the given purpose. In such instances both organizations become “Joint Data Fiduciaries”.
Once this distinction is determined, an organization needs to determine whether or not it is a “Significant Data Fiduciary”.
If volume is a criterion, there could be many processors who become “Data Fiduciaries”. Firstly, since they manage proprietary processing technologies, they may become Joint Data Fiduciaries. Thereafter, they may become “Significant Data Fiduciaries”, since as processors for many Data Fiduciaries the cumulative volume they handle may exceed the thresholds even if the vendors themselves operate at low volumes.
In other words, in today’s chain of processors, the sub-contractor (who is today referred to as a data processor) could be an “SDF” while the main contracting party may be only a “DF”.
Many cloud service providers will fall into the category of SDF, whereas their users may not.
It is possible that whether a DF becomes an SDF is determined not only on the basis of “Volume” but also on “Sensitivity”. Sensitivity (including the processing of children’s data) is itself based on the “Risk to the Data Principal”, and hence the criteria for determining SDF status may depend on a Volume-Sensitivity-Risk combination.
It is also possible that, without consideration of “Volume”, factors such as ‘Risk’, as well as the ‘impact on sovereignty and integrity of India’, ‘risk to electoral democracy’, ‘security of state’ or ‘public order’, may be considered as independent criteria under which an organization may be classified as an SDF.
Hence the primary criterion for identifying SDF status is the “Risk status of Processing”, and volume becomes a secondary factor.
The term Data Fiduciary used in DPDPA is similar to the term “Data Controller” under GDPR and hence it would be natural for many to interpret DF from their knowledge of a Data Controller under GDPR.
The current interpretation of Data Controller is that “An Organization is a Data Controller”. If the same is applied in India, an “Organization” becomes a “Data Fiduciary”.
I would however like to challenge this concept of the status of Data Fiduciary being assigned to an organization.
Most of us today accept that an organization is sometimes a data controller and sometimes also a data processor. Significant Data Fiduciary is considered another status with special obligations. We identify this as the “Trinity Principle”, where an organization can be any one of these categories for compliance purposes.
This “Trinity” principle of an organization reminds us of the famous Heisenberg uncertainty principle applicable to light and matter. The Trinity principle states that an organization, in the context of Data Protection, may exist in any of the three states of Data Fiduciary, Significant Data Fiduciary or Data Processor, and the controls have to be applied accordingly.
These three different categories of status of an organization add uncertainty as to when the organization should designate a DPO or appoint a DA, or when it has the obligations under Section 9.
It is for this reason that the DGPSI (Data Governance and Protection Standard of India) adopts the principle that
“Every Organization is an aggregation of multiple processes”.
This principle of DGPSI is related to the Trinity principle of categorization of compliance entities and makes it easy to recognise that in one process the organization may be a Data Fiduciary and in another a Data Processor. By the same logic, in one process an organization is a “Significant Data Fiduciary” and in another simply a “Data Fiduciary”.
Thus an organization is like a “Trinity” and, in terms of compliance, may need to be a Data Processor sometimes, a Data Fiduciary at other times and a Significant Data Fiduciary at yet other times. This can be identified and tagged if we break up an organization into its personal-information processes for compliance.
Unfortunately, GDPR did not visualize this possibility, and the DPDPA 2023 at the level of the Act has also not visualized this possibility.
However, while framing the rules, it is possible for the Government to bring in this “Trinity Principle” and distinguish our law from the rest of the world.
Section 10(1) provides an option to notify either any “Data Fiduciary” or a “Class of Data Fiduciary” as an SDF, and the Government can use the “Class” as a sub-category of a DF and link it to a process.
For example (after stating the general criteria for determining the data fiduciary), it may state:
“The term ‘class’ under Section 10(1) of the Act for the application of this rule applies to any class of personal data process/es that an entity may use where the risk, sensitivity and volume of personal data processed exceeds a specified threshold.”
I hope that MeitY incorporates this principle when the rules are notified.
Naavi
Also refer: Why Not “Significant Data Fiduciary” be Process Centric