The Digital Personal Data Protection Act, 2023 (‘DPDPA’) is a comprehensive framework that provides for the processing of personal data of individuals (‘Data Principals’). It applies to the processing of personal data within India, as well as outside India to the extent that it relates to the offering of goods or services to Indian residents. It proposes to establish the Data Protection Board (‘DPB’) and recognizes certain key actors engaged in the processing of personal data viz.
- Data Fiduciaries: These are entities that determine the purposes and means of processing[1] personal data, either alone or in conjunction with others (Fiduciaries). A comparison with the EU General Data Protection Regulation (‘GDPR’) reveals that this is similar to the ambit of ‘Controller’[2] under the GDPR, which is also identified based on the decisional control exercised with regard to the processing of personal data.
- Data Processors: These are entities that process personal data on behalf[3] of Data Fiduciaries (Processors). They are expected to act on the instructions of the Data Fiduciaries and not exercise autonomy or decisional control over the purposes or means of processing of personal data.
Processor liability through various drafts
A swift review of the various drafts of the data protection law would reveal a change in approach towards regulating processors. From 2018[4] until 2022[5], various drafts of the Data Protection Bill not only recognized and provided certain direct obligations on processors (such as implementing security measures[6]) but also provided penal consequences attached to non-compliance, applicable to Processors, along with Fiduciaries.
In stark contrast, the DPDPA does not impose any direct obligations on Processors; instead, it mandates Fiduciaries to comply with various obligations and holds them responsible for ensuring Processor compliance. This requires Fiduciaries to employ the necessary measures to monitor and ensure compliance through comprehensive agreements, periodic reviews, audits, and other measures at their disposal, from time to time.
Understanding Fiduciaries and Processors: The ‘why’ and ‘how’ of processing
It is evident that Fiduciaries, by their nature, are expected to exercise decisional control over the purposes and means of processing while Processors act on the former’s instructions. However, this ‘bright line’ in identifying these roles may also blur in more complex situations involving the processing of personal data. We have outlined some of these situations below:
- Credit Scoring Agencies: As part of determining creditworthiness or overall loan eligibility, financial institutions often engage credit rating agencies to extract necessary information relating to the borrowers. While the purpose of processing is determined by the financial institutions, for example, to determine credit eligibility, such credit agencies still exercise certain discretion in determining finer means of processing, such as algorithmic decisions and methodologies, to achieve the broader purpose.
- Marketplaces: In the context of e-commerce marketplaces, while marketplace platforms determine the purposes of processing user data and the manner in which such data is processed, ‘sellers’ on such platforms also process user data, for example, for processing orders and facilitating delivery through logistics partners, often determining the ‘why’ and ‘how’ of processing in many cases.
- Fraud Detection and Prevention Services: Financial institutions often engage third parties at the time of customer onboarding for assessing risk and complying with KYC and anti-money laundering regulations. These entities exercise a reasonable degree of independence in processing personal data to provide intelligence and insights on the nature and extent of risk involved in onboarding.
- Marketing and Analytics: Many digital businesses may engage third-party service providers to assist them as part of their broader marketing strategies, ranging from analytics to personalized marketing solutions. While the broader purposes of such processing are determined by digital businesses, the finer strategies for marketing and execution are often conceptualized and undertaken by such agencies pursuant to the analysis of datasets.
- Wealth Management: Wealth managers or firms are engaged in the management of assets and liabilities of individuals or groups of individuals. They may process personal data for a wide variety of purposes to help clients secure appropriate investment options. Similarly, they may also exercise reasonable discretion in the manner in which they process personal data and may determine the means of such processing independently.
Essential and Non-Essential means in the Controller-Processor interface
Similar to the DPDPA, the GDPR also emphasizes the role of Controllers and Processors[7] in applying duties and obligations thereunder. It also recognizes ‘Joint Controllers’[8] when different entities jointly make determinations that qualify them as ‘Controllers’. In this regard, the European Data Protection Board (‘EDPB’) has issued Guidelines 07/2020 (‘CP Guidelines’) which provide that:
“In broad terms, joint controllership exists with regard to a specific processing activity when different parties determine jointly the purpose and means of this processing activity. Therefore, assessing the existence of joint controllers requires examining whether the determination of purposes and means that characterize a controller are decided by more than one party.”[9]
While the distinction between Controllers and Processors is similar under the GDPR, the EDPB recognizes that room exists for Processors to make certain decisions on the means of processing. It is in this context that a classification is drawn between ‘essential’ and ‘non-essential’ means. In this regard, it specifies that:
- Essential means are those which are closely linked to the purpose and scope of processing. This necessitates examining which entity makes critical choices such as deciding what personal data is to be processed, the purpose of processing, security measures (which are also required under the DPDPA[10]), third parties that may have access to personal data, or whose information is to be processed.
For example, credit scoring agencies provided with customer information decide the nature of information and the manner in which such information is to be processed, with financial institutions supplying such data having little control over how such data is processed.
- Non-Essential means, on the other hand, are decisions made on the practical aspects of implementation, such as the choice of software, implementation specifics, etc. These decisions typically do not impact the purposes or means by which personal data is processed.
For example, hosting providers exercise limited autonomy over the purposes and means for which personal data is processed. Instead, choice is primarily exercised by such entities about server specifications and other parameters.
Identifying controllers vis-à-vis processors
The controller-processor relationship (or its equivalent under the DPDPA) is mostly determined on the basis of two aspects viz.
- Contractual Agreement: The contractual agreement between a Data Fiduciary and a Processor is one of the primary means of understanding autonomy and decisional control. Certain aspects such as processing upon express instructions, audit and inspection rights, subcontracting, periodic review, and incorporation of privacy principles (such as retention limitation) also remain relevant in determining the same.
- Conduct of Parties: Apart from the contractual agreement, the conduct of Parties also remains important in determining the autonomy and decisional control. This may include modifying processing parameters without consultation with the Fiduciary or processing personal data for any secondary purposes.
In light of the contractual arrangements and conduct of parties, there remains a possibility that the DPB may consider Processors that have decisional control and autonomy to be Data Fiduciaries under the DPDPA. Even if a Data Processing Agreement stipulates that a party exercising decisional control is a ‘Processor’, such an entity is likely to be considered a Fiduciary under the DPDPA[11], irrespective of the agreement to the contrary.
The DPB to be constituted under the DPDPA is likely to provide more clarity on the determination of Controllers and Processors under the DPDPA, and whether a non-compliant Processor which exercises decisional control over processing is likely to be considered a Fiduciary. While this may be contrary to the conscious removal of Processor liability under various drafts of the law, the approach to be adopted by the Government and/or the DPB may provide further clarity in the implementation stages.
[The authors are Senior Associate and Associate, respectively, in TMT and Data Protection practice at Lakshmikumaran & Sridharan Attorneys, Hyderabad]
[1] Section 2(x), Digital Personal Data Protection Act, 2023.
[2] Article 4(7), General Data Protection Regulation, 2016.
[3] Section 2(k), Digital Personal Data Protection Act, 2023.
[4] Draft Personal Data Protection Bill, 2018.
[5] The Digital Personal Data Protection Bill, 2022.
[6] Section 8(5), Digital Personal Data Protection Act, 2023.
[7] Article 4(8), General Data Protection Regulation, 2016.
[8] Article 26, General Data Protection Regulation, 2016.
[9] Guidelines 07/2020 on the Concept of ‘Controller’ and ‘Processor’ in the GDPR, dated July 7, 2021.
[10] Section 8(5), Digital Personal Data Protection Act, 2023.
[11] Section 8(1), Digital Personal Data Protection Act, 2023.