Section 26 Indian Data Protection Act 2019

Classification of data fiduciaries as significant data fiduciaries

26. (1) The Authority shall, having regard to the following factors, notify any data fiduciary or class of data fiduciary as significant data fiduciary, namely:

(a) volume of personal data processed;

(b) sensitivity of personal data processed;

(c) turnover of the data fiduciary;

(d) risk of harm by processing by the data fiduciary;

(e) use of new technologies for processing; and

(f) any other factor causing harm from such processing.

(2) The data fiduciary or class of data fiduciary referred to in sub-section (1) shall register itself with the Authority in such manner as may be specified by regulations.

(3) Notwithstanding anything in this Act, if the Authority is of the opinion that any processing by any data fiduciary or class of data fiduciary carries a risk of significant harm to any data principal, it may, by notification, apply all or any of the obligations specified in sections 27 to 30 to such data fiduciary or class of data fiduciary as if it is a significant data fiduciary. (4) Notwithstanding anything contained in this section, any social media intermediary,

(i) with users above such threshold as may be notified by the Central Government, in consultation with the Authority; and

(ii) whose actions have, or are likely to have a significant impact on electoral democracy, security of the State, public order or the sovereignty and integrity of India, shall be notified by the Central Government, in consultation with the Authority, as a significant data fiduciary: Provided that different thresholds may be notified for different classes of social media intermediaries. Explanation.

For the purposes of this sub-section, a “social media intermediary” is an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services, but shall not include intermediaries which primarily,

(a) enable commercial or business oriented transactions;

(b) provide access to the Internet;

(c) in the nature of search-engines, on-line encyclopedias, e-mail services or online storage services.