Data Fiduciary

From Justice Definitions Project

What is a Data Fiduciary?

The Digital Personal Data Protection Act of 2023 (DPDPA) is India’s first cross-sectoral law for personal data protection. It recognises certain rights of individuals over their personal data and imposes various obligations on organisations using or seeking to collect, use, store, share, handle, or otherwise carry out any operations in relation to that data. To make those rights enforceable against, and to attach those obligations to, the relevant organisations in respect of particular sets of data, the DPDPA defines the concept of a ‘Data Fiduciary’.

The need for this definition arises from the fact that, in practice, activities involving the use of personal data often involve multiple actors performing different roles, functions, or services, and not all will have the same degree of responsibility or decision-making power.

For example, a bank collecting personal data from its customers may rely on third-party service providers to actually collect and digitise the data in practice (e.g., bank correspondents). These service providers would, however, be agents acting on the bank’s instructions. The bank would be defining, for example, what personal data the service providers would be collecting and how they would be doing so. Accordingly, it would be the bank that has the ultimate responsibility in this scenario, and the law needs to place a correspondingly higher degree of responsibility on the bank.

This idea of differentiated roles of different actors is reflected in the design of the DPDPA by defining the concept of a ‘Data Fiduciary’ and, further, distinguishing it from that of a ‘Data Processor’ (which is another definition used to capture those actors that perform different operations on personal data on behalf of a Data Fiduciary).

This distinction is established in global data protection law, which similarly differentiates between ‘controllers’ and ‘processors’ (though the precise terminology may vary across jurisdictions)[1]. In fact, the term ‘Data Fiduciary’ is the Indian equivalent of the more globally recognised term ‘controller’ used in the laws of several other jurisdictions, including those in the European Union (such as the General Data Protection Regulation (GDPR)). As we discuss below, the difference is only one of terminology, as the content of the definition in the DPDPA is functionally the same as that in the GDPR.

Official definition of Data Fiduciary

Section 2(i) of the DPDPA defines a “Data Fiduciary” as follows:

“‘Data Fiduciary’ means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data”[2]

Understanding the interpretation, application, and operation of the definition requires reading it together with several other definitions in the DPDPA. The following points may be noted.

  • The phrase ‘processing of personal data’ is key to the application of this definition. The terms ‘personal data’ and ‘processing’ are defined in Sections 2(t) and 2(x) of the DPDPA. While personal data is data about a specific individual that can be used to identify that individual, processing is a broad term used to capture any kind of activity involving, or operation performed on, that personal data. Taken together, this means that ‘Data Fiduciary’ is a role defined in relation to a particular set of personal data and the particular processing operations involving that data; it is not a context-agnostic or static concept that applies at an organisation-wide level or across all types of data handled by an organisation. An organisation’s role can vary across the different types of personal data it processes.
  • The term ‘person’ enables the definition to have a wide scope of application. Section 2(s) of the DPDPA defines the term “person” as inclusive of any individual, any ‘artificial juristic person’ (including a company, a partnership firm, or a Hindu Undivided Family) as well as the “State”, which means that any of the above can be regarded as a “Data Fiduciary” in relation to particular personal data. Section 2(zb) further defines the term “State” by referring to Article 12 of the Constitution of India. This implies that “Data Fiduciary” can be interpreted to apply to any agency, authority or organisation that can be regarded as the “State” under Article 12[3]. The use of the broadly inclusive terms “person” and “State” underlines the cross-sectoral character of the term “Data Fiduciary” in particular, and of the DPDPA more generally – they enable obligations under the Act to be attached to a wide set of organisations (including even individuals) across sectors and contexts.
  • The phrase ‘alone or in conjunction with other persons’ indicates that a group of individuals or entities can collectively be deemed a data fiduciary for the purposes of a particular personal data processing operation or set of operations. By virtue of this phrase, the DPDPA can be applied to complex data processing activities that are carried out by multiple stakeholders. It has been noted that this phrase is the DPDPA equivalent of the concept of “joint controllership” present in the GDPR[4].
  • The phrase ‘determines the purpose and means’ is the key operative phrase of this definition. An organisation is only regarded as the ‘Data Fiduciary’ in relation to particular personal data if it determines the purpose and means of the processing operation in question. Neither ‘purpose’ nor ‘means’ is further defined or explained in the DPDPA. Their interpretation and application in practice will be settled by the Data Protection Board of India (DPBI) through its rulings.
  • The DPBI may look to rely on global interpretations of these concepts, as they are relatively well-established and well-understood in other jurisdictions. The most relevant reference point is the GDPR, which uses the same key operative phrase to define the equivalent concept of a ‘data controller’. Article 4(7) of the GDPR defines a controller as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. This matches the definition under section 2(i) of the DPDPA.

While the GDPR itself does not formally define either term, we note that the European Data Protection Board (EDPB), which is considered an authoritative source of guidance on European data protection law, issued relevant guidance in 2020[5][6]. The EDPB notes that:

“Determining the purposes and means amounts to deciding respectively the “why” and the “how” of the processing: given a particular processing operation, the controller is the actor who has determined why the processing is taking place (i.e., “to what end”; or “what for”) and how this objective shall be reached (i.e. which means shall be employed to attain the objective).”

In simple terms, then, for the EDPB the data controller is the actor who determines the ‘why’ and the ‘how’ of a processing operation. This provides an indication of how the definition of a ‘data fiduciary’ may be interpreted in India as well.

  • It is also worth noting that the DPDPA was introduced to replace a framework under the Information Technology Act of 2000 (IT Act), namely, section 43A read with the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011[7]. Under that framework, entities processing personal data were identified using the term “body corporate”. This indicated that the earlier IT Act framework was limited to the private sector.

Legislative and policy-making history

The relevance of the term “data controller” from European data protection law also emerges from the legislative and policymaking history of the process of drafting a data protection law for India[8]. As we discuss below, throughout this history, the term “Data Fiduciary” has been intended to be an Indian equivalent of the term “data controller”.

  • The first effort to evolve a personal data protection framework for India was undertaken in 2011 by the A.P. Shah Committee, formally known as the Group of Experts on Privacy. The A.P. Shah Committee used the term “data controller” throughout its report, and especially when framing various privacy principles. A reading of the report indicates that, though the Committee did not formally define the concept of a ‘data controller’, it was referring to and relying on the European conception of the term[9]. By using this term, the A.P. Shah Committee underscored the need for a formal legal concept to attach obligations relating to personal data protection to the specific entities that use personal data – which is the role performed by the definition of a “Data Fiduciary” in the DPDPA today.
  • The term “Data Fiduciary” was coined by the Committee of Experts on a Data Protection Framework for India (Srikrishna Committee), established in 2017 by the Ministry of Electronics and Information Technology, Government of India, pursuant to the Puttaswamy judgment, which recognised the fundamental right to privacy[10]. The Srikrishna Committee, tasked with developing a personal data protection law for India, released a draft Personal Data Protection Act of 2018 (PDP 2018), which used the term “Data Fiduciary” for the first time. In its accompanying report, the Srikrishna Committee justified using the term “data fiduciary” instead of the term “data controller” to emphasise the trust-based relationship between the individual identified by the personal data (i.e., the “data principal”) and the entity using that data (i.e., the “data fiduciary”). The Committee felt that the former term better reflects a fiduciary responsibility to act in the best interests of data principals[11].
  • In all subsequent drafts of a personal data protection law for India, the term “Data Fiduciary” as defined in the PDP 2018 has been used. This includes the Personal Data Protection Bill of 2019 (PDP 2019), the Data Protection Bill of 2021, and the draft Digital Personal Data Protection Bill of 2023[12][13]. The DPDPA also retains that definition, giving us the official definition stated in Section 2(i) (see above).

Categories of Data Fiduciaries

It is worth noting that the DPDPA distinguishes between “Data Fiduciaries” and “Significant Data Fiduciaries” (SDFs). As per Section 10(1) of the DPDPA, the Central Government may notify any Data Fiduciary or class of Data Fiduciaries as an SDF. Upon notification, SDFs are subject to the additional obligations specified in section 10(2), which they must comply with over and above all the obligations that apply to Data Fiduciaries in general. This distinction is intended to bring flexibility into the DPDPA, so that obligations may be imposed asymmetrically on organisations based on the potential risks and harms associated with different data processing operations.

International Experiences

As discussed above, the concept of a ‘data controller’ used in many other jurisdictions is a key reference point for interpreting and applying the definition of a “Data Fiduciary”. Both concepts are similarly defined using the “purpose and means” test. In addition, two other useful international reference points are:

Singapore

Under the Singaporean Personal Data Protection Act of 2012 (SPDPA), the equivalent of the term “Data Fiduciary” is the term “organisation”, which is defined as including any ‘individual, company, association or body of persons, corporate or unincorporated’.[14] Instead of the ‘purpose and means’ test, obligations apply to organisations based on the specific data processing activities they perform – that is, some obligations apply to the activities of collection or disclosure, while others apply to storage or transfers. The SPDPA term is as wide a definition as that of a ‘Data Fiduciary’ to the extent that both capture the private sector exhaustively. However, the Singaporean term does not capture the State, a key difference from the DPDPA term. This is because the SPDPA only applies to the private sector.

California

Under the Californian Consumer Privacy Act of 2018 (CCPA)[15], the equivalent is the term “business”, which is defined as any for-profit entity that does business in California, collects consumers’ personal data and meets certain qualifying thresholds[16]. Businesses meeting these thresholds must comply with the obligations under the CCPA as applicable to their services and/or business activities. The CCPA term is a narrower definition than that of a ‘Data Fiduciary’ under the DPDPA because of these qualifying thresholds; consequently, the CCPA does not apply to the entirety of the private sector by default. It also does not capture the State, another key difference from the DPDPA term.

Research that engages with the term "Data Fiduciary"

Fiduciary relationships as a means to protect privacy: Examining the use of the fiduciary concept in the draft Personal Data Protection Bill, 2018

A particularly relevant research paper, focusing on the use of the term ‘fiduciary’ in Indian law, was authored by Bailey and Goyal (2019), who examined the framework of the PDP 2019[17]. They noted that, while the inspiration for the term may have come from conventional fiduciary relationships that demand obligations of loyalty and care, such as those between physicians and patients, the PDP 2019 did not impose similar obligations. As such, the PDP 2019 did not strictly compel organisations to operate in the best interest of the user; instead, it placed more emphasis on good faith and reasonableness, akin to the fair dealing requirements found in contract law. According to their paper, the PDP 2019’s usage of the fiduciary concept may be more of a symbolic move to denote a high degree of rights protection rather than a significant departure from notice-and-consent-based laws like the GDPR.

Way Ahead

As noted above, the term ‘Data Fiduciary’ serves as the Indian equivalent of the term ‘data controller’ found in the data protection laws of several jurisdictions (including those in the European Union). The substance of the definition is the same as that found in the GDPR, and the use of the term ‘fiduciary’ is more of a symbolic move. Going forward, it remains to be seen how the DPBI will interpret and apply the term and the ‘purpose and means’ test that is the crux of the definition, and the extent to which it will rely on the European conception of the term.

References

  1. https://www.undp.org/sites/g/files/zskgke326/files/2023-04/UNDP%20Drafting%20Data%20Protection%20Legislation%20March%202023.pdf
  2. https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf
  3. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4051127
  4. https://www.scconline.com/blog/post/2024/01/28/who-is-in-control-identifying-data-fiduciaries-in-complex-processing-scenarios/
  5. https://www.edpb.europa.eu/system/files/2023-10/EDPB_guidelines_202007_controllerprocessor_final_en.pdf
  6. https://www.edpb.europa.eu/system/files/2023-10/EDPB_guidelines_202007_controllerprocessor_final_en.pdf
  7. https://www.meity.gov.in/writereaddata/files/Information%20Technology%20%28Intermediary%20Guidelines%20and%20Digital%20Media%20Ethics%20Code%29%20Rules%2C%202021%20%28updated%2006.04.2023%29-.pdf
  8. https://icrier.org/pdf/IPCIDE-Policy_Brief_4.pdf
  9. https://cis-india.org/internet-governance/blog/report-of-group-of-experts-on-privacy.pdf
  10. https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf
  11. https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf
  12. https://prsindia.org/files/bills_acts/bills_parliament/2019/Personal%20Data%20Protection%20Bill,%202019.pdf
  13. https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Protection%20Bill%2C%202022.pdf
  14. https://sso.agc.gov.sg/Act/PDPA2012?ProvIds=Sc1-#:~:text=(2)%20Where%20the%20organisation%20collects,the%20collection%2C%20use%20or%20disclosure%2C
  15. https://oag.ca.gov/privacy/ccpa
  16. https://oag.ca.gov/privacy/ccpa
  17. https://www.datagovernance.org/report/fiduciary-relationships-as-a-means-to-protect-privacy