It is a common practice in business that a successful “Brand” tries to monetize its brand value by extending it to other products of the brand owner. The brand owner may operate multiple entities in different locations which will all be part of the same entity.
Sometimes, the brand is also shared with others under a “Franchise” scheme with a different legal entity. Franchise contracts may be of different types. Some franchisors place complete restrictions on the way the business is presented in terms of the decor so that all franchise outlets of a particular brand look similar to the customer.
Where possible, the recipe of the service is also controlled by the franchisor though the execution still remains with the franchisee. This is expected to provide confidence to customers that the service would also be similar across all franchisee outlets of a brand. There could however be situations where the franchisee may have a set of services which are additional to that of the brand owner. The franchisee may or may not properly disclose whether the additional services are within the brand or outside the brand.
In the DPDPA scenario, this popular marketing concept brings its own complications if the franchisee collects personal data of customers, stores it, processes it, shares it with the brand owner, transfers it across borders etc. Data breaches often occur at the franchisee unit, and the liability under DPDPA may then come into question.
Since franchisee units are owned by a different legal entity, the role of the franchisee unit may be that of a “Data Fiduciary” in respect of personal information collected. The customer, however, provides his information and the permission to use it based on the perception that he is providing it to the brand owner.
Currently, DPDPA recognizes the role of entities as “Data Fiduciaries” when the purpose and means of processing of personal data are determined by an entity. When more than one entity is involved in determining the purpose and means, all may be called “Data Fiduciaries”.
DGPSI, the framework of compliance, has coined the term “Joint Data Fiduciaries” for such contexts, though the term is not used in DPDPA 2023 or its rules at present.
However, in cases where the franchisee has complete control over the services or part of the services, the brand owner will be lending his name but not determining the purpose or means of processing.
In such cases the franchisee should ensure that there is a separation of services within the brand and outside the brand so that there is no “Consumer Confusion” which is a trademark violation.
However, if the disclosure is not adequately highlighted, the consumer may consume the services only as a part of the services from the brand owner. When consumer complaints arise in such cases, it will be natural for the consumer to raise the complaint against the brand owner and not against the entity that delivers the branded service.
This raises a huge responsibility/liability for the brand owner since the service contract may not cover all the liabilities that are associated with non-compliance with DPDPA 2023, either because the “Faulty contract” is the responsibility of the franchisor or because the resources of the franchisee may be inadequate.
In terms of “Risk Management”, in such cases the franchisor holds “Unknown Risks” for the activities of the franchisee.
DGPSI considers that such cases need to be covered both by contract and by prominent disclosures (like in a dotted line contract with a dominant party). To address such situations, DGPSI recognizes the franchisor as a “Super Data Fiduciary” as he is a “Data Fiduciary” of “Data Fiduciaries”.
Surprisingly, this situation arises more often than we recognise, whether it is the Telecom marketing agent or the Insurance marketing agent or a Bank marketing agent calling on you as a representative of the service provider and not disclosing that he represents a vendor. It also applies to hospitals with independent doctors as consultants, Taxi service aggregators, or the Hotels under a common brand name such as OYO, Fab etc.
This interpretation comes out of the unique DGPSI framework of compliance which is rightfully called the “Crown Jewel” of DPDPA Compliance frameworks.
It will take some time for other frameworks and even the rules under DPDPA 2023 to add the term “Super Data Fiduciary” into their lingo. But at present it is the endeavour of Naavi to develop “Jurisprudence on DPDPA” through the DGPSI framework.
When such franchisors evaluate themselves for “Significant Data Fiduciary” status, they should consider both the volume of data processed by all franchisees and also the “Risk of the Unknown” and self-determine that they are “Significant Data Fiduciaries”. When an officer is appointed by MeitY to issue clarifications, it is better that MeitY refers to DGPSI for determining the status of an entity as “Significant Data Fiduciary” or not.
Naavi