Criteria for designation of SMIs as SDFs
Section 26(1) of the PDP Bill, 2019 provides a list of criteria on the basis of which the Data Protection Authority (DPA) could notify a data fiduciary or a class of data fiduciary as SDF. As stated above, these criteria included the volume and sensitivity of personal data processed, the risk of harms arising from such processing and technology used for the same.
Section 26(4) provided that, notwithstanding, anything provided in section 26, the Central Government could notify, in consultation with the DPA, an SMI as a significant data fiduciary. The factors to be taken into account for this were, first, if the number of users were above the threshold notified by the Central government and second, that the actions of the SMI “have or are likely to have a significant impact on electoral democracy, security of the state, public order or the sovereignty and integrity of India”.
The Data Protection Bill, 2021 omits section 26(4) and adds this as section 26(1)(f). This effectively provides that the DPA shall based on “any (emphasis added) of the following factors, notify any data fiduciary or class of data fiduciary as significant data fiduciary, namely … any social media platform” along with the two criteria for SMIs.