As India Inc. gears up for implementation of the new Digital Personal Data Protection Act, 2023 (DPDP), a new challenge seems to be emerging – how to identify and distinguish a data fiduciary from a data processor?

Hold on!! Shouldn’t this be quite simple and straightforward? Well, read on!

Why is this question even important? – A data processing ecosystem would ordinarily involve 3 stakeholders, data principal (the human being, to whom the personal data relates to), data fiduciary (the person who determines the purpose and means of processing of personal data) and data processor (who processes personal data on behalf of the data fiduciary).

It is the data fiduciary who is responsible for compliance with the DPDP, including any non-compliance by the data processor. Given that the DPDP does not impose any obligation or penalty on the data processor, there is a natural inclination amongst stakeholders to try and fit themselves or describe themselves as data processors, to escape such statutory exposure.

This is why it is important to correctly determine the capacity in which an entity is processing personal data. Such determination will also influence the nature of the agreement and the kind of rights & obligations that parties need to negotiate inter-se.

Misconception

There seems to be a popular misconception that the entity that collects personal data from the data principal is the data fiduciary, whereas the other entities that receive personal data from the data fiduciary would only be considered as data processors. Such perception seems to stem from the belief that the recipient entities are merely rendering a service to the data fiduciary, neither enjoy direct privity of contract with nor directly engage with the data principal. Since the recipient entities are at arms’ length from the data principal, it seems to have given rise to the belief that such recipient entities are merely data processors, whereas the entity directly receiving personal data from the data principal would be considered as data fiduciary.

We disagree! That is not how the law is worded or intended!

More often than not, this will be a complex exercise and requires assessment of the role, responsibilities and degree of influence that one party exercises over processing of personal data by another – as discussed below.

The Illustration

To better understand the capacity of parties involved, let us take a simple example – John (data principal) sets-up an online account on an e-commerce marketplace operated by an entity called MARKETPLAZE and places an order for shoes sold by an entity called SELLER. John makes an online payment for such order using his credit card issued by a bank called DRINDOTTS. MARKETPLAZE uses cloud services offered by a cloud service provider, called BADAL to store all data connected with its e-commerce marketplace operations, including personal data of its customers like John. MARKETPLAZE also provides support services to SELLER, that helps arrange delivery of the shoes to John, through a courier company (called DEV-EX).

All participants in this ecosystem will process personal data of John in some capacity or the other. What are their obligations under DPDP? Can any of them be held liable for wrongful processing of personal data by another? What is their respective risk exposure?

Answers to all these questions depend upon correctly determining the capacity in which they process personal data – data fiduciary or data processor.

We will come back to this illustration once we have discussed the considerations relevant in determination of data fiduciary and how to distinguish them from a data processor.

Fiduciary or Processor

It is therefore clear from the above definition that a person can be identified as a “data fiduciary” only if such person “determines” both, the purpose and means of processing personal data.

Data Fiduciary & Data Processor – The Puppeteer & The Puppet

Only when this influence, this degree of control is so penetrative such that an entity determines the purpose (why are we processing data) and means of processing personal data (the method or how are we processing data) for another, only then, can such other entity be considered to be a data processor on behalf of the first mentioned entity – and not otherwise.

Even conceptually, one party should be held responsible for inappropriate data processing by another only if the former (data fiduciary) exercises such degree of influence or control over the latter (data processor) that it can be said it is really the former (data fiduciary) who is calling the shots, i.e., pulling the strings. Who is the puppeteer? Why else should a data fiduciary be accountable for someone else’s misadventure? Why else should a data fiduciary be held liable for someone else failing to take reasonable security safeguards to prevent breach of personal data? Why does only a data fiduciary face every and all statutory liability?

Only if it can really be said that an entity has determined the purpose and means of processing personal data by another, only when the latter (data processor) is following detailed and specific instructions of the former (data fiduciary), only when the latter (data processor) does not exercise significant autonomy or independence with respect to processing of such data, only when the latter can be considered as extra arms and limbs for the data fiduciary to process personal data – can it be said that the latter (data processor) is processing data on behalf of the former (data fiduciary). Only when the puppeteer can work the puppet, can it be said that the puppeteer is the data fiduciary and responsible for working the puppet, the data processor.

It is only then that it makes sense to make the data fiduciary liable for the data processor’s conduct – because conduct of the data processor is effectively the conduct of the data fiduciary itself. It is this factual assessment that will require examination of the roles and responsibilities of parties and the degree of influence or control exercised by one over the other before the capacities of parties can be confidently determined.

The Big Question

It is evident from the given definitions of data fiduciary and data processor, that it is irrelevant whether entities sharing / transferring personal data and entities receiving such data are engaged on a principal-to-principal basis. It does not matter whether the entity sharing / transferring personal data is the only one that connects with or has a privity of contract with the data principal. It is irrelevant that the entity receiving the personal data considers itself to merely be a service provider to the entity sharing / transferring such data. Any or all of these factors do not seem to count in determining a party’s capacity as a data fiduciary or a data processor.

Hence, the big question seems to be this – Whether the arrangement between various participants reflects significant influence in the hands of one such that it controls the processing of personal data in the hands of another? If the answer to this is in the affirmative, the parties would establish a data fiduciary – data processor relationship.

The Illustration

In light of the aforesaid principles, the illustration can now be better discussed.

John – He is the data principal. The personal data relates to him and hence John can exercise certain rights with respect to his personal data, including the right to correct, update and even elect to delete his data being processed by data fiduciaries.

MARKETPLAZE – This is the marketplace entity that determines purpose and means of processing John’s personal data. It processes John’s personal data in order to connect John with the SELLER and to facilitate the purchase and delivery of shoes to John, using other service providers – such as the SELLER, BADAL and DEV-EX. MARKETPLAZE is likely to be considered as a data fiduciary.

DRINDOTTS – This is the card issuing bank, whose card John uses to make an online purchase. DRINDOTTS uses John’s personal data to issue the card and process card transactions undertaken by John using the card, including the online transaction through the e-commerce MARKETPLAZE. DRINDOTTS has determined its own purpose of collecting and processing John’s personal data i.e. for issuance of card and processing card transactions undertaken by John using such a card. This purpose has not been determined by the MARKETPLAZE, but is rather determined by DRINDOTTS – a service it provides to thousands of its cardholder customers. DRINDOTTS exercises significant autonomy in terms of processing such personal data including determining what data it needs and the purpose of such data processing, where to store this data and as well deciding the security practices to implement in order to secure such cardholder data. DRINDOTTS is a data fiduciary in its own right.

SELLER – The SELLER uses John’s personal data for sale of shoes to John through the e-commerce MARKETPLAZE. The agreement between MARKETPLAZE and SELLER merely allows John to access and transact with the SELLER over the platform made available by the MARKETPLAZE. The SELLER has determined its own purpose of collecting and processing John’s personal data i.e., for sale of shoes to John. This purpose has not been determined by the MARKETPLAZE, but is rather determined by the SELLER. The SELLER exercises significant autonomy in terms of processing such personal data including determining where to store this data and as well deciding the security practices to implement in order to secure such data. The MARKETPLAZE has not engaged SELLER to process John’s personal data of its behalf, but rather has been engaged so that the SELLER may sell its products on its website. SELLER is likely to be considered as a data fiduciary.

BADAL – Being a cloud service provider, the dominant nature of engagement with the MARKETPLAZE is in relation to data storage. BADAL does not determine what data it will store or what is the purpose for which the MARKETPLAZE has engaged its cloud services. BADAL enjoys limited autonomy in as much as it may still determine the location of its servers or the security measures to be implemented in order to protect such data from unauthorized disclosure. But such limited autonomy does not result in BADAL determining the purpose and means of processing John’s personal data. BADAL will also follow instructions of the MARKETPLAZE to delete personal data of John. BADAL would likely be considered as a data processor.

DEV-EX – It uses John’s personal data for delivery of the parcel ordered by John through the e-commerce MARKETPLAZE. The agreement between MARKETPLAZE and DEV-EX merely allows DEV-EX to offer its delivery services to the MARKETPLAZE and deliver goods ordered by customers (including John) online. DEV-EX has determined its own purpose of collecting and processing John’s personal data i.e., for delivery of parcels to John. This purpose has not been determined by the MARKETPLAZE but is rather determined by DEV-EX – a service offered by DEV-EX to thousands of other customers. DEV-EX exercises significant autonomy in terms of processing such data including determining what data is needed for the purpose of delivery of goods, where to store this data and as well deciding the security practices to implement in order to secure such data. The MARKETPLAZE has not engaged DEV-EX to process John’s personal data of its behalf, but rather has been engaged so that DEV-EX may assist in transportation of goods ordered online. DEV-EX is likely to be considered as a data fiduciary.

In the coming times and as DPDP catches momentum, classification of participants as data fiduciaries or data processors will be a constant struggle as businesses will try, pigeonhole and categorize themselves as data processors, when the factual assessment may reveal a different story. This could make the job of data auditors quite challenging and negotiation of data processing agreements difficult, especially when one of the parties suffers from a burning desire to minimize statutory exposure (under DPDP).

Be that as it may, a puppeteer always works the puppet. Find the strings, find the puppeteer.