How DPDP Act will impact the e-commerce businesses: Podcast transcript



https://www.ey.com/en_in/podcasts/gateway-to-data-privacy-and-protection/2023/08/how-dpdp-act-will-impact-the-e-commerce-businesses

Pallavi: In e-commerce, we have platforms and retailers in various permutations and combinations. Who will be the data fiduciary in this case – the platform or the seller? After all, both would be collecting data from the data principal.

Mini: Data fiduciary is the one who decides the means and purpose of the personal data that is being collected. In the case of an e-commerce environment, the platform provider in e-commerce will definitely be one of the data controllers, because they collect personal data at the time of registration and process it for purposes such as marketing, analytics, or targeting. The e-commerce platform will be considered as a data fiduciary unless it is a pure technology play where the platform is only providing a technology layer and everything else on top of that is being decided by the retailers or the entity that has engaged with the e-commerce platform provider. But if you look at the regular e-commerce platforms, they typically act in the capacity of a data fiduciary.

Similarly, if you look at the retailers or the sellers on the platform, there are larger retailers and sellers who decide what is the kind of data that they collect – for processing or fulfilling orders. They may also be considered as data fiduciaries unless these are retailers that the platform or the e-commerce organization is engaging purely to collect goods and then deliver to customers without revealing who the end-customer is or providing any personal data. If the platform providers are not passing on personal information to the retailer, and the retailer is just there to provide goods and services, they (retailer) would be the processors. 

However, if these are retailers who are deciding what could be the various parameters or details required for an end consumer to fulfill the orders, then they would also be considered as data fiduciaries.

While there are various permutations and combinations when it comes to platforms and retailers, their role as a data fiduciary may be similar. Both could be data fiduciaries or there could be combinations where each one of them is a processor more than a fiduciary, depending on the role that they play. But the principle to follow is that any entity which is determining the means and purpose of collecting and processing the customer’s personal data would act as a data fiduciary.

Pallavi: In online businesses, often the person or the organization fulfilling the order of the data principal is a small business or an individual. For example, an Uber or Ola driver has a platform. Uber or Ola is accessing the data of the person as well as the driver partner. Similarly, for businesses like Urban Company (earlier Urban Clap), how can the data principal’s data be safeguarded? 

Mini: In such scenarios, an Uber or an Ola are the data fiduciary themselves and they have to ensure that adequate data protection measures are put in place prior to sharing personal data with the small businesses or individuals. In some cases, there is obfuscation of personal data such that while they can reach out to an individual, personal details such as mobile numbers are not available. However, some necessary data such as name and address will be provided. While controls such as data masking and data obfuscation can be used, there will still be some limited data that may need to be shared. Hence, it is the duty of the data fiduciary to ensure that smaller businesses, set-ups or individuals are sensitized about the matter, the confidentiality of such data being shared, and the need to keep this data protected as well. 

Right now, there are measures such as non-disclosure agreements or confidentiality agreements, along with consequence management, that could be signed with smaller businesses or individuals to act as a deterrent and to ensure that they protect the data principal’s personal data and avoid any misuse.

In all cases, it is the responsibility of the data fiduciary, and more so when they are dealing with smaller setups, to sensitize and also put data protection measures in place.
