Pune Media

Significant data fiduciaries under draft DPDP Rules: Key Issues

Participants at MediaNama’s roundtable discussion “Understanding the Draft Digital Personal Data Protection Rules” discussed the potential criteria that the government could use to classify certain entities as Significant Data Fiduciaries (SDFs). These entities would then be subject to added compliance requirements, including a data localisation mandate that the Rules introduced.

MediaNama held the discussion under Chatham House rules, with all participants remaining anonymous.

Key Points From The Discussion:

How Will Data Localisation Requirements Complicate Matters For SDFs?

A speaker stated that data localisation norms for SDFs added a new layer of complexity that might make it difficult to plan data transfers for backups, as it is unknown what data the government wants companies to keep within the country.

The Criteria For SDFs Are Vague

A speaker stated that global organisations with diverse datasets were at significant risk of being classified as SDFs. The criteria outlined in the Act were also difficult to quantify, they said. Currently, the following have been listed as the requirements for determining significant data fiduciaries:

  • volume and sensitivity of the personal data they look at
  • risk to the rights of users
  • potential impact the company may have on the sovereignty and integrity of India
  • risk to electoral democracy
  • security of the State
  • public order

The first two, sensitivity and volume of data, were somewhat interpretable, but the remaining were broad and vague, the discussants pointed out.

The Rules Are Bringing Back Discarded Ideas

A participant suggested that to increase certainty in SDF classification, the government could revisit the Act and provide clearer definitions of “volume” and “sensitivity” of data. However, the speaker felt that the government was going back to ideas and concepts that it had already discarded once, like categorising certain data as sensitive and mandating strict data localisation.

“The rules were quite disappointing and surprising for me. These concepts were discussed and debated for 4 to 5 years and discarded in the new iteration. Now we keep going back to them,” said the speaker.

SDF Classifications Are Not Based On Sensitivity Of Data But The Sensitivity Of Processing

“It’s not sensitive data, it’s the sensitivity of what you are doing, on the basis of the volume and the data that you are processing. So it qualifies processing, not the data,” said a participant. In order to decide whether an entity should be an SDF or not, the government would need to consider a number of factors, including the volume and the sensitivity of the data it processes, not just the data itself. They pointed out that other jurisdictions classify the data itself while the DPDP Act classifies data fiduciaries.

How Will The Data Protection Board And The Government Committee Work Together?

A speaker pointed out that there seemed to be two bodies with authority in the legislation. On one hand, there was the Data Protection Board, which was the institutional infrastructure that the Act laid out. On the other hand, there was a committee that was to handle data localisation and potentially restrict cross-border data flows. The speaker suggested that this could leave Data Fiduciaries uncertain whether a decision would come from the Board or the committee.

SDF Classification Could Hurt Smaller Orgs

A speaker stated that of the six possible criteria for determining an SDF in the DPDP Act, four referred to the sovereignty and integrity of India, risk to electoral democracy, security of the State and public order. They pointed out that since all major media companies collect vast amounts of user data and engage in behavioural targeting, there was a risk of the government classifying them as SDFs. The speaker pointed out that smaller news organisations would not be able to keep up with the compliance demands of the Act.

Key Recommendations:

Classification of Sensitive Data Need Not Depend On The Volume

According to a speaker, the definition of sensitive data or the classification of SDFs need not depend on an arbitrary number. Instead, the criteria could be based on the proportion of personal data processed that is classified as sensitive and directly provided by users. Other factors can be whether inferences drawn from processed data can be traced back to specific individuals and whether those inferences are of a sensitive nature. Also, the proportion of personal data processed that pertains specifically to children can be taken into consideration.


SDFs Can Be Determined On A Case To Case Basis

A speaker suggested that SDF classification should be based on the risk posed by the data processing, determined on a case-by-case basis. “You might have to work backwards in terms of what is the risk that is posed. Go use case by use case and then say, because we can clearly establish this is the risk, you are designated,” they said. They gave the example of a database of resumes, which is not a high-risk use case in the context of people looking for employment. But it becomes one when matrimonial websites are concerned.
