The Chilean Constitution was amended on 16 June 2018 to establish that the protection of personal data is a constitutional right. Prior to this, other Latin American countries such as Colombia, Mexico and Ecuador had already included the right to protection of personal data in their respective constitutions. Similarly, the French Constitutional Council recently upheld the validity of the GDPR when it was challenged by Senators. These instances reiterate the importance of personal data protection in this modern, technology-driven age.
In India, the committee of experts headed by Justice B.N. Srikrishna submitted a draft of the Personal Data Protection Bill, 2018 (“Bill”) to the Ministry of Electronics and Information Technology on July 27, 2018. The Bill uses the terms data principal and data fiduciary. This article examines the rationale for that choice of terms and the obligations the Bill imposes upon the data fiduciary.
Data protection in India has so far been achieved through regulations under various laws. In August 2017, the Hon’ble Supreme Court of India held in Justice K.S. Puttaswamy v. Union of India [K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1] that the right to privacy is a fundamental right. Through this judgment, the right of an individual to exercise control over his or her personal data was also recognised. The Court opined that a person’s ability to control his own life would also encompass his right to control his existence on the internet.
Apart from the constitutional protection stated above, personal data also enjoys protection under the Information Technology Act, 2000 (“IT Act”) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Sensitive Personal Data Rules”). Under Section 43A of the IT Act, if an entity dealing with sensitive personal data or information is negligent in implementing and maintaining reasonable security practices, and this results in wrongful loss or wrongful gain to any person, the entity may be held liable to pay damages to the person so affected. No upper limit is specified for the compensation that can be claimed by the affected party in such circumstances.
Similarly, under Section 72A of the IT Act, a service provider who has secured access to any material containing personal information about a person and discloses that information without the consent of the person concerned, or in breach of a lawful contract, with the intent to cause, or knowing that he is likely to cause, wrongful loss or wrongful gain, shall be punished with imprisonment for a term which may extend to three years, or with a fine which may extend to five lakh rupees, or with both. The Sensitive Personal Data Rules also protect personal information by imposing certain obligations on the entities that collect it, much as the Bill does.
The Bill defines a data fiduciary as any entity that, alone or together with others, determines the purpose and means of processing personal data. Processing includes collecting, organising, storing, structuring and using the data, among other operations. A data principal is defined as the natural person to whom the personal data relates.
There is an element of trust that the data principal places in the companies, the data fiduciaries, with which he shares his personal information. He trusts them to use the information only to the extent necessary to provide the services and not for any other purpose. The report submitted by the committee of experts along with the Bill adopts the same approach. It states that the relationship between a person and the organisation with which the person shares his personal data rests on a basic presumption of trust. Irrespective of any existing contractual relationship, every person expects that his personal data will be used fairly, in a manner that serves his interest and is reasonably foreseeable. This is the essential feature of a fiduciary relationship.
In law, a fiduciary is a person or business with an obligation to act in a trustworthy manner in the interest of another. Examples of fiduciaries include professionals such as lawyers and doctors, and the directors of a company. One might argue that personal information is owned by the users who share it, that is, that one’s personal information is one’s property. If personal information were accepted as property, it could be sold, purchased, licensed or alienated. However, one’s personal information cannot be alienated. It remains associated with a person throughout his life and thereafter too. For example, a person’s name cannot be separated from him even if he decides to sell his personal data to a data fiduciary. In this sense, the right in personal data is not similar to the rights a person exercises over physical property. Further, a right in physical property includes the right of exclusion. When a user shares his personal data with an entity, however, he cannot practically confine its use to that entity alone, because exclusive use is often not commercially feasible.
One might instead consider the relationship between the entities and the users to be a contractual one. Even so, it is difficult to ascertain the amount of damage that could be caused by sharing personal data in breach of a contract. The reason is the unique nature of data on the internet and across various technologies: what is shared on the internet is there forever. Further, most entities obtain consent from users, through one-sided clauses in their privacy policies and terms of service, to deal with personal information in ways that are not necessary for the purposes for which it was shared. Users therefore have little scope to claim damages for misuse of personal information if they have consented to such use. Moreover, users usually have no bargaining power over such policies and terms, and are left with no choice but to accept them in order to avail themselves of the services.
Fiduciary obligations vis-à-vis obligations arising out of a contract
Fiduciary obligations may be created by a contract, but they differ from contractual obligations in that they can exist even without payment of consideration. In a fiduciary relationship, the principal emphasis is on trust and reliance, on the fiduciary’s superior power and on the corresponding dependence of the beneficiary on the fiduciary. It requires a dominant position on the part of the fiduciary, together with the integrity and responsibility to act in good faith, for the benefit of and to protect the beneficiary, and not oneself. [Union of India v. Central Information Commission and Shri P.D. Khandelwal, Writ Petition (Civil) No. 8396 of 2009] A contractual relationship may require that a party not cause harm or damage to the other side, but a fiduciary relationship casts a positive obligation and demands that the fiduciary protect the beneficiary and not promote its own self-interest. [Ibid]
The Hon’ble Supreme Court of India in Bihar Public Service Commission v. Saiyed Hussain Abbas Rizwi [Bihar Public Service Commission v. Saiyed Hussain Abbas Rizwi, (2012) 13 SCC 1] held that a fiduciary is a person having a duty to act for the benefit of another, showing good faith and candour, where that other person reposes complete trust and special confidence in the person owing or discharging the duty; a fiduciary relationship, in turn, is a situation or transaction in which one person places complete confidence in another in regard to his affairs, business or transactions. When a data principal shares his information with a data fiduciary, he places complete trust and confidence in the data fiduciary to act in good faith and in the interest of the data principal. Therefore, the relationship between a data fiduciary and a data principal is a fiduciary relationship.
The rationale for treating the companies with which users share their personal data as data fiduciaries lies in the vulnerability inherent in the relationship between user and company. The companies have considerable expertise and knowledge, while end-users usually do not, and the users depend on the companies for the services they obtain.
The need to impose fiduciary obligations on entities that collect personal data arises for the following reasons [Jack M. Balkin, Information Fiduciaries and the First Amendment, 49(4) UC Davis Law Review (2016) at pg. 1227]. First, there is a significant gap between the knowledge and information possessed by the companies and by the users. Second, it is difficult for users to verify the claims these entities make about data collection, security, use and dissemination. Third, it is complicated for users to understand what the entities do with their data and how data analysis and use affect their interests. Fourth, even if users understand these practices, it would be almost impossible for them to monitor the entities.
The committee of experts on the Bill observed that a balance must be struck between the interests of the individual in his personal data and the interests of the entity that has access to it. It observed that data fiduciaries must be allowed to share and use personal data only to fulfil the expectations of the data principal, in a manner that furthers the common public good of a free and fair digital economy. The committee opined that such measures would safeguard individual autonomy while making the benefits of data flows available to the economy.
The Bill imposes various obligations upon data fiduciaries. The data fiduciary is responsible for complying with all the obligations under the Act, even when the processing is carried out by others on its behalf. Every data fiduciary must process personal data in a fair and reasonable manner that respects the privacy of the individual. Processing must be done only for clear, specific and lawful purposes and must be restricted to the specified purpose for which the data was collected. Collection of personal data must be limited to what is necessary for the purpose of processing, and the personal data must be retained only for as long as is necessary.
Further, the data fiduciary is required to give the data principal notice of the collection of data before the data is collected. The notice must state the purpose for which the data is collected, the categories of personal data collected, the source of the data, the entities or individuals with whom the data will be shared, whether the data will be transferred across borders, and the period for which the personal data will be retained.
The data fiduciary is bound to protect the interests of the data principal and may not act to promote its own self-interest. The Bill has therefore aptly used the term data fiduciary and imposed on it several obligations designed to protect the interests of the data principal.