# Classification of data fiduciaries as significant data fiduciaries

# Bare Act

# Section 26(1)

The Authority shall, having regard to the following factors, notify any data fiduciary or class of data fiduciary as significant data fiduciary, namely

(a) volume of personal data processed;

(b) sensitivity of personal data processed;

(c) turnover of the data fiduciary;

(d) risk of harm by processing by the data fiduciary;

(e) use of new technologies for processing; and

(f) any other factor causing harm from such processing.

# Section 26(2)

The data fiduciary or class of data fiduciary referred to in sub-section (1) shall register itself with the Authority in such manner as may be specified by regulations.

# Section 26(3)

Notwithstanding anything in this Act, if the Authority is of the opinion that any processing by any data fiduciary or class of data fiduciary carries a risk of significant harm to any data principal, it may, by notification, apply all or any of the obligations specified in sections 27 to 30 to such data fiduciary or class of data fiduciary as if it is a significant data fiduciary.

# Section 26(4)

Notwithstanding anything contained in this section, any social media intermediary,—

(i) with users above such threshold as may be notified by the Central Government, in consultation with the Authority; and

(ii) whose actions have, or are likely to have a significant impact on electoral democracy, security of the State, public order or the sovereignty and integrity of India, shall be notified by the Central Government, in consultation with the Authority, as a significant data fiduciary:

Provided that different thresholds may be notified for different classes of social media intermediaries.

# Section 26(1) Explanation

For the purposes of this sub-section, a "social media intermediary" is an intermediary who primarily or solely enables online interaction between two or more users and allows them to create, upload, share, disseminate, modify or access information using its services, but shall not include intermediaries which primarily,—

(a) enable commercial or business oriented transactions;

(b) provide access to the Internet;

(c) in the nature of search-engines, on-line encyclopedias, e-mail services or on- line storage services.

# Explanation

# Exemption

  1. Section 26 is not applicable to "small entity" (Ref:Section 39(1))
Last Updated: 12 Dec 2019