Under the Digital Personal Data Protection Act, 2023 (DPDP Act), data fiduciaries, i.e., entities determining the purposes and means of processing personal data (either alone or in conjunction with other persons), bear most of the responsibility and liability for compliance. Apart from differences in nomenclature, data fiduciaries are functionally equivalent to ‘data controllers’ under the European Union’s General Data Protection Regulation (GDPR).
While the GDPR (under article 26) recognizes ‘joint controllers’ and requires them to execute responsibility-sharing arrangements, the DPDP Act neither distinctly calls out ‘joint data fiduciaries’ as such nor imposes specific requirements for such ‘joint’ arrangements. However, as a principles-based legislation, its definition of ‘data fiduciary’ envisions the possibility of more than one entity controlling the processing of personal data. The GDPR holds joint controllers jointly and severally liable, i.e., a data subject can institute a suit against any one joint controller instead of instituting multiple lawsuits. The DPDP Act has no express provision for joint and several liability where multiple data fiduciaries are involved; instead, each data fiduciary will be independently responsible for compliance with its provisions, to the extent applicable. A data fiduciary suffering a loss owing to another party may, however, seek contractual indemnities/insulations from the responsible parties.
Whether a contracting entity is a joint data fiduciary, an independent data fiduciary or merely a data processor will be a question of fact in each case. In attributing fault, the regulator may look beyond the contract to scrutinise the actual roles undertaken by each party in a given situation. The illustrations below highlight where such a determination may be a tricky endeavour.
Arrangement to Determine Customer Creditworthiness
An e-commerce platform engages an affiliate to generate creditworthiness data in order to cross-sell financial services to a customer through its financial arm. The affiliate may determine a customer’s creditworthiness through analytics of their borrowing history and may cherry-pick which categories of data to rely on to arrive at that outcome. The purpose of this exercise is determined by the e-commerce company, i.e., to facilitate the lending process. The means of this exercise would be determined by the affiliate. Depending on the level of control exercised by the e-commerce entity over the means (e.g., the categories of personal data on which the decision is based, the decision-making process, etc.), the affiliate may be classified as a joint data fiduciary. If the affiliate only acts on behalf of the e-commerce platform, operating strictly within parameters laid down by the platform, it may only be a data processor, shielded from any direct liability under the DPDP Act (except what is passed through by contract).
Clinical Trial Arrangements
Drug manufacturers (Sponsors) typically outsource research functions to Contract Research Organisations (CROs) with the requisite expertise in clinical trial processes. While the manufacturer defines the broad parameters of the study, the CRO controls the research process on behalf of the Sponsor. To complicate matters further, the trial is conducted by a doctor appointed by an institution (i.e., a hospital), who is responsible for interfacing with the patient, obtaining their informed consent, etc. In such cases, each party may distinctly act as one of the joint data fiduciaries or even as a mere data processor, depending on the extent to which they complement each other in determining the means and purposes of processing.
Joint Data Fiduciary or Merely a Data Processor?
In complex data processing arrangements, where an entity has at least some control over the means of processing personal data, its classification as a joint data fiduciary or a processor may be difficult. However, this question lies at the heart of liability attribution, since a joint data fiduciary may be independently proceeded against for non-compliance with the law. To draw inspiration from the EU, the European Data Protection Board, the EU’s independent advisory body on the GDPR, distinguishes between essential and non-essential means. Essential means are closely linked to the purposes and scope of processing (e.g., which categories of personal data may be processed, how long personal data may be retained, etc.). Non-essential means relate to practical aspects of implementation (e.g., the choice of software or hardware used to process personal data, the security measures undertaken, etc.). However, in the situations highlighted above, the control exercised by each party over the essential means may overlap.
As is clear from the above, parties should carefully consider the roles and responsibilities they assume for processing personal data. They should review data processing contracts / contractual provisions closely to ring-fence liability and attribute it appropriately to the relevant responsible party.