The Importance Of Being ‘Significant': Significant Data Fiduciaries Under India's Proposed Data Protection Regime

Background

Under Section 11 of the most recent (and publicly available) version of India's proposed data protection law – called the Digital Personal Data Protection Bill ("DPDP"), a draft of which was released in November last year for comments – the central government ("CG") has been empowered to notify any 'data fiduciary' (or a class of data fiduciaries) as a 'Significant Data Fiduciary' ("SDF").

Accordingly, the CG can issue an SDF notification on the basis of its own assessment of factors prescribed under DPDP – which include the volume and sensitivity of the personal data processed, as well as the risk of harm to a 'data principal' (along with other possible reasons, such as national/public interest, or such supplementary factors as deemed necessary by the CG).

Pursuant to such governmental classification, additional obligations may be imposed on notified SDFs, over and above the general obligations that all data fiduciaries need to comply with under Section 9 of DPDP.

In this note, we review DPDP's provisions related to SDFs, including with reference to existing law and past legislative proposals. In a subsequent note, we will discuss the main factors listed under DPDP's Section 11 (other than reasons of national/public interest) pursuant to which the CG may classify a data fiduciary as an SDF. In addition, we will analyze certain key SDF considerations in such subsequent note, including with respect to impact assessments.

Key Terms

A 'data principal' under DPDP is the individual with respect to whom the personal data in question relates – i.e., the equivalent of a 'data subject' under the EU's General Data Protection Regulation ("GDPR"). A 'data fiduciary' under DPDP, on the other hand, means any person who – either alone or in conjunction with other persons – determines the purpose and means of processing personal data. Individuals, companies, firms, associations of persons or bodies of individuals (even if unincorporated), the state itself, and any artificial juristic person, may be considered a data fiduciary under DPDP.

SDFs

DPDP is not the first instance that SDFs have been referred to in an Indian draft law on data protection. Provisions in past iterations of DPDP – such as Clauses 38 and 26 of the Personal Data Protection Bills of 2018 ("PDP 18") and 2019 ("PDP 19"), respectively – had contained references to SDFs as well.

GDPR

GDPR, on the other hand, does not have an exact equivalent, although it envisages similar ideas of concern with respect to 'significance' – involving, in particular, situations when there are (or might be): (i) legal or other major effects on individuals stemming from decisions that are solely based on automated processing and/or individual profiling; (ii) clear requirements with respect to conducting a prior impact assessment in terms of protecting data; and (iii) high numbers of individuals in each of multiple European countries who are likely to be substantially affected by processing operations.

DPBI vs. DPA

Nevertheless, in India's case, while earlier versions of DPDP had empowered a Data Protection Authority of India ("DPA") (set up under Chapters IX and X of PDP 18 and PDP 19, respectively) to notify certain data fiduciaries (or classes of data fiduciaries) as SDFs, DPDP directly authorizes the CG to make this classification. At any rate, DPDP has done away with the DPA, replacing such authority with a 'Data Protection Board of India' instead ("DPBI").

GDFs

Earlier, both PDP 18 and PDP 19 had specified that the DPA could notify SDFs with regard to certain prescribed factors. Further, like the Children's Online Privacy Protection Act ("COPPA") in the US (which imposes separate requirements on operators of websites or online services directed at children), previous Indian iterations had provided for a separate class of data fiduciaries which are involved in operations and services similar to what COPPA envisages, including in respect of processing large volumes of children's data. Accordingly, entities falling in this category, called 'guardian' data fiduciaries ("GDFs"), were proposed to be regulated via separate rules, as notified by the DPA.

DPDP vs. past versions

However, while DPDP has done away with such GDF categorization, it has imposed additional obligations under Section 10 on all data fiduciaries that process children's data. Further, DPDP has introduced a different set of parameters for the CG to consider while evaluating SDF notifications. Although certain factors have been retained from previous versions (such as the volume or sensitivity of personal data processed, as well as the risk of harm to data principals), some others have been removed altogether from the ambit of governmental assessment (such as turnover of the data fiduciary and the use of new technologies for processing).

Further, while DPDP's past iterations did provide for the possibility that some other informational category would be later specified for inclusion within the evaluative paradigm related to SDFs, such determination was proposed to be conducted by the DPA itself – as opposed to the CG.

For instance, Clause 22 of PDP 18 had empowered the DPA to notify certain categories of personal data as 'sensitive,' based on: (a) the risk of significant harm; (b) the expectation of confidentiality; (c) whether a significantly discernible class of data principals may suffer significant harm; and (d) the adequacy of protection afforded by ordinary provisions. Subsequently, however, Clause 15 of PDP 19 was modified (relative to PDP 18) for the purpose of authorizing the CG (as opposed to the DPA) to make the same assessment – albeit in consultation with the DPA.

On the other hand, certain additional factors have been introduced in present-day DPDP for SDF classifications, such as: (i) the potential impact on the sovereignty and integrity of India; (ii) the risk to electoral democracy; (iii) security of the state; and (iv) public order. Further, DPDP empowers the CG to take into account "such other factors as it may consider necessary." As a result, a more subjective and discretion-based assessment may now apply (as far as classifying data fiduciaries as SDFs is concerned) – compared to what was contemplated under previous versions of DPDP.

SMIs

PDP 19 had contained a special focus on regulating social media intermediaries ("SMIs"). To that end, PDP 19 had defined SMIs as intermediaries which primarily or solely enable online interaction between two or more users, thus allowing the latter to create, upload, share, disseminate, modify, or access information using the former's services. However, certain intermediaries which primarily: (a) enable commercial or business-oriented transactions; or (b) provide access to the internet; or (c) operate in the nature of search engines, online encyclopedias, e-mail services, or online storage services, were not included within this definition.

PDP 19

Importantly, PDP 19 had specified that over and above the applicable factors which may be considered while making SDF classifications, SMIs could also be notified as SDFs if: (a) such SMIs had users above a certain threshold, the applicable number of which the CG would later notify in consultation with the DPA; and (b) such SMIs were involved in actions that had, or were likely to have, a significant impact on electoral democracy, security of the state, public order, or the sovereignty and integrity of India. Further, different thresholds could be notified for different classes of SMIs.

DP 21

Somewhat similar to PDP 19, the Data Protection Bill of 2021 ("DP 21") – which comprised an amalgam of revisions made to PDP 19 by a parliamentary joint committee – had envisaged that social media 'platforms' (as opposed to 'intermediaries') that had a specified number of users, and whose actions were likely to have a significant impact on certain parameters related to national/public interest, may be notified as SDFs. Like PDP 19, DP 21 had also envisaged different user thresholds for different classes of social media platforms.

PDP 18 and DPDP

On the other hand, PDP 18 had contained no provisions on SMIs. Similarly, DPDP, too, does not create a separate legal category for SMIs. Nevertheless, in light of the fact that the language of Clause 26(4) of PDP 19 (involving elements such as 'significant impact on electoral democracy', 'security of the state', 'public order', or 'the sovereignty and integrity of India') has been incorporated elsewhere in DPDP (under the provision on SDFs itself, in Section 11), the need to separately classify SMIs has been rendered moot. Thus, the 'additional' evaluative factors listed under DPDP for SDF classifications include those that were earlier prescribed for SMI assessments under PDP 19 (for the purpose of being notified as an SDF).

General Obligations of Data Fiduciaries Under DPDP

RSPPs

General requirements under Section 9 of DPDP may include similar obligations as those listed under Rule 8 of the existing Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the "SPDI Rules") with respect to 'reasonable security practices and procedures' ("RSPPs") – especially where sensitive personal data/information ("SPDI") is involved.

Accordingly, similar to the SPDI Rules, RSPPs under DPDP may include obligations for data fiduciaries (which have obligations similar to those of 'body corporates' under the SPDI Rules). Such obligations may require a data fiduciary to: (i) implement appropriate technical and organizational measures for the purpose of ensuring effective compliance; and (ii) protect the personal data in its possession, or under its control, by taking appropriate security safeguards for the purpose of preventing breaches.

In general, India regulates the use and handling of data (including SPDI) under the Information Technology Act, 2000, as amended by the Information Technology (Amendment) Act, 2008 ("the 2008 Amendment," and collectively, the "IT Act") – along with the SPDI Rules. In turn, the SPDI Rules require entities that hold user-related SPDI to maintain certain security standards. The rules also prescribe the specific protocols necessary for storing personal information electronically, including in respect of SPDI.

In addition, pursuant to the 2008 Amendment, Section 43A of the IT Act requires companies, firms, sole proprietorships, and other associations of individuals engaged in commercial or professional activities (each, a 'body corporate') to maintain RSPPs if they possess, deal with or otherwise handle SPDI in a self-owned/controlled/operated computer resource. However, if the negligence of a body corporate – as far as implementing and maintaining RSPPs is concerned – leads to wrongful loss or gain to any person, such negligent body corporate will be liable to pay damages by way of compensation to the affected person.

Accurate/complete data and data disclosures

Similar to obligations mandated under Rule 5(6) of the existing SPDI Rules, data fiduciaries need to make reasonable efforts under the DPDP regime to ensure that the personal data being processed is accurate and complete. Under Section 9 of DPDP, however, this requirement will be especially triggered if the personal data is likely to be: (i) used by the data fiduciary to make a decision that affects the corresponding individual(s); or (ii) disclosed by one data fiduciary to another.

Breach and data retention

In the event of a breach, DPDP's Section 9 requires the concerned data fiduciary to notify both the DPBI as well as each affected individual. In addition, a data fiduciary is required to cease data retention, or alternatively, will be obliged to remove the means through which the underlying information can be linked to specific individuals, as soon as it can be reasonably assumed that: (a) the original purpose of data collection is no longer being served by retention; and (b) retention is no longer necessary for legal or business purposes.

At present, while Rule 5(4) of the SPDI Rules imposes a similar obligation, it relates to SPDI only (as opposed to non-sensitive personal data). Nevertheless, like Section 25 of Singapore's Personal Data Protection Act 2012 ("PDPA"), Section 9(6)(b) of DPDP allows data fiduciaries to retain personal data for 'business' purposes as well (and not just for 'legal' reasons, unlike in the SPDI Rules). Accordingly, data fiduciaries may now have more wiggle room to justify data retention.

Data transfers

Furthermore, Rule 7 of the existing SPDI Rules permits transfers of both non-sensitive personal information as well as SPDI to a third party – as long as (i) such transfers are necessary to perform obligations under a contract between the transferor and the data principal, or where the latter has consented to such data transfer; and (ii) the transferee (whether in India or elsewhere) ensures the same level of data protection as adhered to by the transferor itself under the SPDI Rules.

On the other hand, DPDP allows data fiduciaries to make such transfers solely based on the data principal's consent (i.e., not requiring a separate contract). However, if the data fiduciary intends to involve a data processor for the purpose of processing information on its behalf, it will be required to enter into a valid contract with the latter.

In addition, data fiduciaries need to put in place a grievance redressal mechanism. DPDP also requires every data fiduciary to publish the contact information of a data protection officer ("DPO") or a person responsible for answering questions about data processing.

Additional Obligations of SDFs Under DPDP

Under DPDP's Section 11, each SDF is required to appoint: (i) a DPO based in India ("SDFDPO") who will represent the SDF for the purpose of complying with DPDP's provisions; and (ii) an independent data auditor ("IDA"). Further, SDFs need to undertake additional measures such as conducting data protection impact assessments ("DPIAs") and periodic audits.

DPOs under DPDP

According to DPDP, an SDF DPO is required to be an individual who will remain responsible to a board of directors or similar governing body related to the SDF. Further, the SDF DPO will be the point of contact for grievance redressal.

IDAs under DPDP

In addition, SDFs are required to appoint an IDA for the purpose of evaluating the concerned SDF's compliance with respect to DPDP's provisions.

DPIAs

Unlike in prior iterations, DPDP does not spell out the required elements of conducting a DPIA – although it does define the term, at least to the extent of clarifying what it entails. Thus, a DPIA has been defined as a process that comprises descriptions, purposes, assessments of harm, measures for managing the risks associated with such harm, and other prescribed matters with respect to processing personal data.

In PDP 18 and PDP 19 too, SDFs were required to undertake a prior DPIA in specified situations and/or circumstances. We will analyze such aspects in a subsequent note of this series.

Nevertheless, since the description of special SDF obligations is sparsely worded under DPDP, and on account of the possibility that additional compliance requirements (including procedural mechanisms) may be specified later via bespoke regulation, data fiduciaries might want to review the ways in which such obligations had been detailed in the past, especially under PDP 18 and PDP 19, respectively.

Additional Obligations of SDFs in Prior Iterations of DPDP

Earlier, both PDP 18 and PDP 19 had listed out specific obligations for SDFs, including with respect to: (i) record-keeping; (ii) data audits; and (iii) a DPO (other than those specifically related to DPIAs).

Record-keeping under prior iterations

Under PDP 18 and PDP 19, an SDF was obliged to maintain accurate and updated records in respect of specified items in a form and manner notified by regulation. Such specified items included the following:

1. important operations in the life cycle of the underlying data;
2. periodic reviews of necessary security safeguards, such as:
   1. de-identification and encryption methods;
   2. steps to protect data integrity; and
   3. measures to prevent the misuse of, or unauthorized access to, data.

In addition, SMIs that were notified as SDFs were required to enable users to voluntarily verify their accounts – especially those users who registered for, or used SMI services in, India.

Further, any SMI user who voluntarily verified their account would have to be provided with a demonstrable mark of verification – such that the mark was visible to all users of the service.

Data audits under prior iterations of DPDP

SDFs were required to have their policies and data processing operations audited once a year by an IDA. Among other things, such IDA would need to evaluate the SDF's compliance in respect of the efficacy of measures adopted under a 'privacy by design' policy ("PBD Policy").

PBD Policy

Every data fiduciary was required to prepare a PBD Policy that contained certain elements, such as: (i) the managerial, organizational, and business practices, along with the technical systems, that were designed to anticipate, identify and avoid harm to data principals; (ii) the technology used in data processing, which was required to be in accordance with commercially accepted or certified standards; (iii) the legitimate interests of businesses, including any innovation that was being achieved by such interests/businesses without compromising privacy; (iv) the protection of privacy throughout the operational lifecycle of data processing – from the point of collection to deletion; and (v) the fact that a data principal's interests were being accounted for at every stage of data processing.

Accordingly, an SDF could submit its PBD Policy to the DPA for certification.

DPO

Under DPDP, each SDF is required to appoint a DPO. Earlier, PDP 18 and PDP 19 had specified that a DPO was required to possess specified qualifications and experience, including for the purpose of carrying out functions required under the law.

Conclusion

If an SDF fails to fulfill its additional obligations under Section 11 of DPDP, a penalty may be imposed, the amount of which may go up to INR 1.5 billion.

While DPDP currently lists out certain general obligations of data fiduciaries, an SDF's additional obligations may be detailed later through separate regulation. Nevertheless, past DPDP iterations – which were themselves influenced by GDPR and the SPDI Rules – may provide indicative guidance about such regulations in the future.

In a subsequent note of this series, we will discuss certain aspects related to sensitivity, volume and harm (including the notion of 'significant' harm) in the context of personal data, as well as some key considerations for SDFs while conducting a DPIA, based on existing law and legislative proposals.

This insight/article is intended only as a general discussion of issues and is not intended for any solicitation of work. It should not be regarded as legal advice and no legal or business decision should be based on its content.