
Sarvada Vartalap 3 : Digital Personal Data Protection Act and the B2B Conundrum

This vartalap unpacks a lesser-discussed but increasingly significant challenge emerging under India’s Digital Personal Data Protection (DPDP) Act. While the law is fundamentally designed to safeguard the rights of data principals, its practical application is beginning to expose a complex “B2B conundrum” between data fiduciaries and data processors.

As businesses rely more heavily on third-party processors, questions around accountability, control, and liability are no longer straightforward. Who truly bears responsibility when something goes wrong: the entity that determines the purpose, or the one that handles the data operations? While the law places the liability on the data fiduciary, the realities of business engagement, coupled with asymmetry in negotiating power, will complicate the process and raise issues.

At its core, this is not just a compliance issue but a shift in how businesses collaborate, allocate risk, and build trust in an increasingly regulated digital landscape.

EPISODE CONTRIBUTORS


Co-Founder & Partner, Sarvada Legal

Advocate, Sarvada Legal


Advocate, Sarvada Legal

Advocate, Sarvada Legal

EPISODE TRANSCRIPT

ABIR ROY : And before I introduce today's topic, I want to first give an example so that it just shows the importance of the topic that we are discussing today. Suppose I log into a fitness app. I'm the data principal. I'm the user of the fitness app. The fitness app is the data fiduciary. So what details do I put into the system? I put my name. I put my date of birth. I may put my blood type. If I have any allergies, et cetera, I will put a whole lot of data. Then that fitness company may give it to another company to send me, say, workout tips. That is very common. This is okay, fine. Now it's very, very simple. I've consented to it. But then what will also happen is that the fitness company will in turn send this data to multiple companies for storage, for analysis. Now the data has been transferred to various entities. Now if, for example, there is a data breach, not at the fitness app level, but say at the cloud storage level.


The reason why I'm telling this, this entire issue, is because under the DPDP, the entire liability is on the data fiduciary, because the DPDP is thinking about the citizens' rights, from that perspective. But the real world situation is such where the data is transferred across multiple entities, wherein there are back-to-back commercial arrangements between a data fiduciary, a data processor, perhaps another data fiduciary.


So that's the reason why we have termed what we are discussing today, the business to business conundrum.


AMAN SHANKAR : I think you have raised a very interesting point because if you see, actually, we have always explored the DPDP Act, at least till now, from the consumer-centric angle, because the Act is fashioned in such a way. But if you analyze it in more detail, there are a lot many businesses which are layered at the back end. And that's why the nomenclature of data fiduciary or data processor is not just a mere nomenclature without any difference. It's about the fixation of liability.


So for example, the Act says a data fiduciary is someone who determines the means and purpose. The two words are very important, means and purpose. A data processor is someone who processes data on behalf of the data fiduciary. So it's all about fundamentally saying who drives the steering wheel and who is just the fuel for the engine. So ultimately, the lines often start blurring. For example, the fitness app example that you gave. When the data starts going backward in the system, the lines blur. Who is what?


For example, there may be a situation in the scenario that Abir mentioned. The fitness app, for me as a user, can be the data fiduciary. But at the back end, maybe the fitness app is working with someone else and determining the means and purpose. So they may be a joint data fiduciary also. Or the processor, for example, the cloud or the analytics platform. They are analyzing the data, giving it to the business. But what if they are also creating a repository for themselves, maybe for launching some other product? For that data transaction, they may be a data fiduciary, and that will be without consent. So that's a different discussion altogether. But the scenario being that for every data transaction, the nomenclature might change. So as I said, this data fiduciary or data processor term is not just mere nomenclature. From your determination will automatically flow what your liabilities are, what your obligations are, what the enforcement priorities of the regulators against you will be. So those things become critical.


KUMUDAVALLI SEETHARAMAN : It is interesting because in the Indian context the term used is data fiduciary instead of data controller, which is what is there in the GDPR context, right. So, even back when the Justice Srikrishna committee emphasized this entire aspect of things, what they said is that there is an element, or the relationship is based on trust; it is rooted in trust instead of just based on trust. That if I as a user am giving information, I trust that it is used for a particular purpose. Therefore, it follows very naturally that a fiduciary is expected to act in the best interest of the data principal.


ABIR ROY : See, the term fiduciary, like you mentioned, is quite interesting because this is not the first time in India. Even under the Companies Act, for example, it is said that directors have a fiduciary duty towards the shareholders, towards the stakeholders. I think the same principle has been adopted, and that's what I think the Srikrishna committee also spoke about.


AMAN SHANKAR : I think it's all about the principle of accountability kicking in here.


VIVEK PANDEY : And that's where the conundrum lies. See, let's say company A enters into a contract with company B, an advertisement platform. There's some data that company A will collect and share with company B. But there will be a lot of data that company B will already have. So in that case, who is the data fiduciary qua the data collected by company B? Is it company A? Because ultimately, like you mentioned, it's on the direction of company A that company B will be processing the data. Or will it be company B, because that is the one which actually collected it? So, I think the consent structure has to be decided, has to be negotiated, and the contracts have to be executed in that way so that the liabilities of both the parties are predetermined.


ABIR ROY : I think, interestingly, like you mentioned, just to take the example forward. Say, suppose company A in your example is hiring company B to do some advertisement. So like you said, company B already has some data and company A has the data. Again, the entire idea of a processor is "on behalf of", so yes, company B is acting on behalf of company A. But company A may determine the purpose, yet does it have the means, for data which they don't have? So that's where the entire issue arises. On behalf of, yes, company B may say that I was only acting on behalf of, so I am not liable. It's only the data fiduciary which is liable. But you're absolutely right. You need to look at the contracts to see, A, there has to be fixation of liability, and secondly, that company B, which is the agent in this particular case, acts within its capacity.


KUMUDAVALLI SEETHARAMAN : So essentially what is flowing is that a couple of questions can basically decide whether you're a data fiduciary or a data processor. One is the why and one is the how. So are you deciding why the data is being processed? And are you deciding how the data is being processed? Or, divorced from this, you are just simply doing an app for somebody else.


So, if you are doing either the first or the second, which is why or how, then you are a data fiduciary. But if you are just following somebody's actions or orders, then you are a data processor.


AMAN SHANKAR : And I think if you look closely at the phrase "on behalf of", which is used to define a data processor, that reminds me of the principal-agent relationship, which Abir was also mentioning. So it automatically comes to the point of what authority the principal would have given. That is the specified purpose. And if the data processor is going beyond that purpose, then the concept of independent liability comes in, because contract law also says that if the agent goes beyond the principal's authority, then they're individually liable.


So ultimately, the point comes that there has to be a contract which, in very tight and very focused terms, determines who is doing what. Because the Act also says that a data fiduciary, as part of its obligations, will have to have contracts. So outsourcing your responsibility just for the sake of it is not a legal defense, for sure. So vetting of those contracts is very much essential.


VIVEK PANDEY : See, I think that's where the risk is. Unlike GDPR, where the data processor is also responsible, under the Indian law the obligation is solely on the data fiduciary. So that's an issue. Like you mentioned, the contracts have to be negotiated and all that, to divide the responsibilities and obligations. For example, I'm the owner of a project and I enter into a contract with a contractor. Now, the contractor has certain responsibilities under statutes like labor law compliances, paying the wages, etc., and EPFX, everything. Now, if the contractor does not pay the wages or anything is there, I, being the principal employer, will be held responsible by the authorities. Now, therefore, I will enter into what? An indemnity contract. Let's say, if there's any penalty levied on me, I can recover that by filing a suit or, let's say, going to arbitration, whatever the case may be. Therefore the contracts become very crucial: how those are negotiated and how the risks are minimized from both perspectives.


ABIR ROY : I think that's a very fundamental point because, like Aman, you also mentioned that under the law, it says that you need to have written contracts between the data fiduciary and a data processor. So there will be a myriad of data processors, many levels of data processing which may happen. And I think you raise a fundamental point of indemnity. So obviously that has to be there, back-to-back indemnity. But one more thing which has to be there is, we always talk about means and purpose.


So there should be purpose limitations also, even in the contract between data fiduciary and data processor. You should tell the data processor, as a data fiduciary, why are you giving the data? What is the purpose of that data? So that if you go beyond the purpose, then you are an independent contractor by itself. Now, yes, the presumption under GDPR will not apply, because what the GDPR actually says is if the processor goes beyond its scope and does something, to that extent he or she is the data controller or the data fiduciary. In India, it's not the case, but still, having watertight contracts will be helpful, because how will the investigation occur? The data principal will report a breach, the authorities will investigate. When the authorities investigate, or the Data Protection Board investigates, they will look into your contracts and see whether you have done everything that you could have done, and that's where these contracts will be very, very helpful. Obviously there is a subsequent claim of compensation that the data principal may have, which is again different, but there also, in civil suits, they will see the contracts. So at the end of the day I completely agree, I think there have to be watertight contracts, and the companies are actually engaging, because while the rules are yet to be framed, the principles of the law are there; people know that this law is coming in.


The time has come for all the companies to review their agreements to limit their liability. Secondly, one more point: we spoke about indemnity, we spoke about liability. The data fiduciary should also have audit rights, whether the data processor is following all the security norms, et cetera. So I guess the time has come for all these companies to revisit their contracts, because they deal with such loads of data and subsequent processing thereof.


AMAN SHANKAR : I think there must also be a pre-estimated damages clause which should cover the cases wherein a reputational loss is caused to a data fiduciary at the expense of a data processor, because it might just be a fault of the data processor. So those things will also come into play. And this reminds me of one of the cases I read, in which the EU Court of Justice, in a ruling of I think 2023, dealt with this exact scenario. So the fact situation was: one of the public health departments of the health ministry for a particular state had, in the COVID time, commissioned an app for tracing the COVID-19 virus. It obviously engaged a private company, but ultimately there was no formal agreement to that purpose. The health department helped and also decided the questionnaires that would be there, the mechanisms that would be followed. Everything was done together with the company. But later on, the health department withdrew its support for reasons known best to them. There was no agreement. The app was not owned by the health department. Nothing was there. However, the company went on and released the app. They also collected a good amount of data and trained the app on the basis of that data. Some mishap happened. The authority was seized of the matter. And one of the principal arguments of the public health authority was that, boss, I'm nowhere involved. How can you hold me liable? There was no contract. I have no control. Even despite that, the data protection authority said that this is a classic case of joint liability, because both of you are influencing the purpose and the means. You have together decided what data will be collected, what mechanisms will be there. So it becomes very much critical, and goes back to our initial point: what role are you playing in the entire scheme of things? So the lesson from this case, or the takeaway, is that when there's a joint data fiduciary involved, there's always a joint liability.


KUMUDAVALLI SEETHARAMAN : Yeah, but you know it is interesting because, while the Indian law does not use the term joint fiduciary, it refers to entities acting in conjunction with others. So, essentially the idea is that there will be joint liabilities. So, what follows actually is that we now need joint data fiduciary contracts that one needs to look at.


ABIR ROY : See, I agree with your point on one level, but the fact of the matter is you again have to come back to who is deciding the purpose and means. Are both the companies deciding the purpose and means? Because once you are a data fiduciary, there are a lot of obligations which come in. Who will take the consent? How will the consent be taken? One is obviously collection, storage, analytics, that is at the back end. At the end of the day, who is dealing with the customer? Who is the interface with the customer? Because there are a lot of obligations of a data fiduciary. You may say that it's in conjunction with a joint fiduciary, but who is the interface with the customer becomes a very tricky part.


VIVEK PANDEY : See, technically that is correct. That is also flowing from the Act. But practically the situation is often very different, as we know. Let's say a small or medium enterprise enters into a contract with a big corporation for advertisement services. Now, in all practicality, that small enterprise will have no control as to how the data will be processed. It will be a standard contract without any negotiating power. So how will that play out?


ABIR ROY : See, one thing is, like you said, you're dealing with a real world situation here. All these storage companies, all these advertising companies, yes, perhaps will be in what we in contract law would call an unfair bargaining position. Yes, the liability under the Act is on the data fiduciary, but practically it may not work. So perhaps one approach is, obviously, you have to go to a civil court saying that, see, I have my duty under law, but I'm not able to meet that duty under law.


So there's a classic case of statutory tort. The data processor is forcing it on me. That may be one approach. But I think the second approach, which the small and medium data fiduciary can think about, is perhaps to put it on their website, saying that you have the terms of use. You have the privacy policy. Perhaps you can also have a standard processing agreement saying that I have taken the data from the user. I have told the user that I am using this data for one, two, three purposes. I've taken consent. And this is the kind of agreement that I have, or should have, with the data processor. So you're telling the world at large that I want to comply with that. But yes, what you said is a real world situation, which obviously will play out in courts. And one of the things which is coming to my mind is unfair bargaining power.


VIVEK PANDEY : I guess the same principle will also apply in the case of sharing of data. See, but the way I see it, let's say the conduct of any big corporation puts me in violation of any contract, or sorry, the law. Because of their conduct, I'm not able to comply with the DPDPA. Now, perhaps the remedy in that case would be that, firstly, if let's say my contract with the big corporation has some clause, that clause itself may be void, not enforceable; or alternatively, I'll have a right to sue and recover as damages whatever penalty I have to pay or compensation I have to pay to the data principal.


ABIR ROY : That's what I am saying, it's statutory tort principles. That is the exact concept of statutory tort. Plus, I think you raise a very good point. When I am in business, it is presumed that I will act in a particular legal manner. Now, if you are forcing me, because of your conduct, to act not in a proper legal manner and exposing myself to liability, perhaps I can call that provision an agreement in restraint of trade under contract law. Obviously, there are remedies under competition law, which may or may not come, but definitely under contract law, you can actually approach a civil court in that particular case.


AMAN SHANKAR : And I think with the transfer or sharing issue that you mentioned, the cross-border data transfer issue also pops up. So under the DPDP Act at least, there's a blacklist approach. It simply says that unless the government has notified that some country is banned from data being exported to it, you are allowed to do that. However, the mechanics of it, like we have in GDPR, where there are proper mechanics - what due diligence measures will have to be taken, what kind of contracts will have to be there, all things are detailed - under the Indian law, that is conspicuously missing.


So I think, for a start right now, the best way forward will be to have some data transfer agreements, and also have an assessment of the transfer jurisdiction, of how the obligations that you have under the DPDPA can be enforced there. So those things will also come into play when you talk about these data sharing agreements or data transfer agreements, so to say.


KUMUDAVALLI SEETHARAMAN : I actually agree, because as a business one will have to ask a couple of questions, right. What is the local law of the country where my data is getting transferred? Is there any onward transfer risk, you know, when cross-border transfers are happening? And what happens if the regulator, let's say the Indian regulator, is asking for data that is stored abroad? For example, in the real world, in our banking and finance sector, RBI has regulated that all data relating to payments and payment processing has to be stored locally in India. So what happens is that any payment system operator which is in India now has to have all the data relating to their transactions, including customer data and all sorts of transaction details, stored within India.


So, as a result of this data localization regulation, what happened was that some time back American Express and, I think, Diners Club could not onboard new clients for approximately 6 months. So, what he is saying about, you know, how or where all the data is going, and what risks the data is attracting in that jurisdiction, is something that we really need to focus on.


AMAN SHANKAR : And I think that also flows from the Act itself, because one part obviously says that there is a whitelist approach. The other part also says that if there are any sectoral laws that explicitly regulate this, you have to follow that as well, and that's where RBI kicks in.


ABIR ROY : In fact, additionally, the rules also, the draft rules obviously: while the Act itself doesn't provide for data localization, the rules have got a concept of it. So that has obviously the businesses now up in arms, saying that you cannot have those rules, but we'll see when the rules get enforced. In fact, like we mentioned about data localization and how the rules have got it, obviously the businesses will have to see how this entire law will evolve, how the entire practice will evolve. And let me end this discussion with one more parting thought. Recently a competitor in Germany sued another competitor for their data protection practice. They said that their practice is not in terms of the GDPR and the local law. So it's not only the consumer, it's not only the business or the processor, it's actually a competitor suing another competitor. So I guess this is a very important digital age that we are seeing. And we know for a fact that for all these companies, their business model until now was the use and collection of data. That was their priority. But I guess now the time has come, because of the privacy laws coming in, the sectoral laws coming in, the other data localization laws which are coming in, the international developments which are happening, that this will have huge ramifications in the near future. So we need to watch out.


