Data Fiduciary

From Justice Definitions Project

What is a Data Fiduciary?

The Digital Personal Data Protection Act of 2023 (DPDPA) is India’s first cross-sectoral law for personal data protection. It recognizes certain rights of individuals over their personal data and imposes various obligations on organizations that collect, use, store, share, handle, or otherwise carry out any operation in relation to that data. To make those rights enforceable against, and to attach those obligations to, the organizations responsible for particular sets of data, the DPDPA defines the concept of a "Data Fiduciary".

A "data fiduciary" is an individual or organization entrusted with the custody, control or management of personal data in a relationship of trust, akin to more traditional fiduciary relationships (for example, between a lawyer and a client, or a physician and a patient). In practice, this means that a data fiduciary is not just someone who collects or processes data mechanically, but a custodian or steward of personal information, carrying responsibilities that include, but are not limited to: determining why and how data is processed, ensuring lawful and fair handling, minimizing risks of misuse, and maintaining transparency and accountability toward data subjects.[1]

The need for this definition arises from the fact that, in practice, activities involving the use of personal data often involve multiple actors performing different roles, functions, or services, and not all will have the same degree of responsibility or decision-making power.

Official definition of Data Fiduciary

Data Fiduciary as defined in Legislation(s)

Digital Personal Data Protection Act, 2023

Under the Digital Personal Data Protection Act, 2023[2] (India), Section 2(i)[3] defines a Data Fiduciary as "any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data". In other words, a Data Fiduciary is the person who ascertains the purpose and means of processing personal data. Under this framing, a data fiduciary has an ethical and often legal responsibility to act in the best interests of the 'data principal', rather than merely as a commercial counterparty or neutral technical processor.

Interpretation of the Definition of Data Fiduciary under DPDPA, 2023

Understanding the interpretation, application, and operation of the definition of a “Data Fiduciary” requires reading Section 2(i)[3] together with several other definitions in the DPDPA, which are highlighted below:

Processing of Personal Data

Sections 2(t)[4] and 2(x)[5] of the DPDPA define the terms ‘personal data’ and ‘processing’, respectively. Personal data is data about a specific individual that can be used to identify that individual; processing is a broad term that captures any kind of activity involving, or operation performed on, that personal data. It follows that ‘Data Fiduciary’ is a role defined in relation to a particular set of personal data and to particular processing operations involving that data; it is not a context-agnostic or static label that applies at an organisation-wide level or across all types of data handled by an organisation. An organisation’s role can vary across the different types of personal data it processes.

Person

Section 2(s)[6] of the DPDPA defines the term “person” as inclusive of any individual, any ‘artificial juristic persons’ (including a company, a partnership firm, or a Hindu Undivided Family) as well as the “State” - which means that any of the above can be regarded as a “Data Fiduciary” in relation to particular personal data.

Section 2(zb)[7] further defines the term “State” by referring to Article 12[8] of the Constitution of India. This implies that the “Data Fiduciary” can be interpreted to apply to any agency, authority or organization that can be regarded as the “State” under Article 12[9].

Legal Provisions Relating to Data Fiduciary under DPDPA, 2023

General Obligations of Data Fiduciary

Chapter II[10] deals with General Obligations of Data Fiduciary during data processing, which are highlighted below.

Grounds for Processing Personal Data

Section 4[11] permits the processing of personal data only in accordance with the Act and strictly for a lawful purpose, meaning any purpose not expressly prohibited by law. Such processing is allowed either when the Data Principal has given valid consent or when the activity qualifies as one of the Act’s specified legitimate uses.

Notice to Data Principal

Section 5[12] requires the Data Fiduciary to give a clear notice to the Data Principal before seeking consent. The notice shall clearly set out the personal data to be collected, the purpose of its processing, the manner in which the Data Principal can exercise her rights (such as withdrawing consent or accessing her data), and how she may lodge a complaint with the Data Protection Board. If a person had already given consent before the Act came into force, the Data Fiduciary must later issue the same notice, as soon as reasonably possible, informing the individual about the data being processed, her rights, and the complaint mechanisms.

Consent Requirements

Section 6[13] mandates that consent must be free, informed, specific, given through a clear affirmative action, limited only to data necessary for the stated purpose,[14] and capable of being withdrawn by the Data Principal,[15] and that any part of consent that violates the Act or any other law is invalid.[16] After withdrawal, the Data Fiduciary and its Data Processors must stop processing the data unless further processing is legally required.[17] Consent may be given, managed, reviewed, or withdrawn through a registered Consent Manager,[18] who is accountable to the Data Principal and must act on her behalf as per prescribed obligations.[19] In any dispute about consent, the Data Fiduciary bears the burden of proving that proper notice was given and valid consent obtained.[20]

Processing of Personal Data of Children

Section 9[21] mandates that Data Fiduciaries obtain verifiable consent from a child’s parent or lawful guardian before processing the child’s personal data,[22] while ensuring that the processing carried out does not harm the child’s well-being.[23] They are further prohibited from tracking, behaviourally monitoring, or targeting advertisements at children.[24] However, the government may prescribe specific classes of Data Fiduciaries or purposes to which the requirements of sub-sections (1) and (3) do not apply.[25] Moreover, if a Data Fiduciary demonstrates that its processing of children’s data is verifiably safe, the Central Government may notify an age threshold above which that Data Fiduciary is exempted from the obligations under sub-sections (1) and (3), as specified in the notification.[26]

Specific Compliance Duties of Data Fiduciary

Section 8[27] provides for duties or operational responsibilities that Data Fiduciaries must follow while carrying out processing of Data.

  1. A Data Fiduciary is fully responsible for complying with the Act, even if the Data Principal fails in their duties or even if the data is processed by a Data Processor on its behalf. A Data Fiduciary may hire a Data Processor, but only through a valid contract and only for offering goods or services.
  2. When personal data is used for decisions affecting the Data Principal or shared with another Data Fiduciary, the Data Fiduciary must ensure the data is complete, accurate, and consistent. It must also implement proper technical and organisational safeguards to ensure compliance, and take reasonable security measures to prevent breaches.
  3. If a personal data breach occurs, the Data Fiduciary must notify both the Data Protection Board and every affected Data Principal as prescribed.
  4. A Data Fiduciary must delete personal data once consent is withdrawn or when the purpose is no longer served, whichever comes earlier, unless a law requires longer retention. It must also ensure that its Data Processor deletes the data provided to it.
  5. The purpose is assumed to no longer be served when the Data Principal neither engages with the Data Fiduciary for that purpose nor exercises any related rights for a prescribed period.
  6. A Data Fiduciary must publish the contact details of its Data Protection Officer (if applicable) or another authorized person to answer Data Principal queries. It must also establish an effective grievance-redressal mechanism.

Additional Obligations for Significant Data Fiduciary (SDF)

It is worth noting that the DPDPA distinguishes between “Data Fiduciaries” and “Significant Data Fiduciaries” (SDF). As per Section 10(1) of the DPDPA,[28] the Central Government may notify any Data Fiduciary or class of Data Fiduciaries as an SDF. Upon notification, SDFs are subject to the additional obligations specified in section 10(2), which they must comply with over and above all the obligations that apply to Data Fiduciaries in general. This distinction is intended to bring flexibility to the DPDPA, so that obligations may be imposed asymmetrically on organisations based on the potential risks and harms associated with different data processing operations.

Digital Personal Data Protection Rules, 2025

The Digital Personal Data Protection Rules, 2025[29] do not define ‘Data Fiduciary’, but they change the role from a principle-based statutory concept into an operationally regulated one.

Legal Provisions Relating to Data Fiduciary under DPDP Rules, 2025

Notice by Data Fiduciary

The DPDP Rules, 2025 prescribe how a Data Fiduciary must issue notice to a Data Principal, something that the DPDP Act, 2023 had left open by using the phrase “in such manner as may be prescribed”. Rule 3[30] states that the notice shall be understandable on its own and presented independently of any other information, and must contain a clear and plain account of the personal data being processed, including an itemised description of such data and the specific purposes for which it is processed, along with the goods or services enabled by such processing. It further obligates the Data Fiduciary to provide a specific communication link to its website or application through which the Data Principal can withdraw consent, exercise her rights under the Act, and make a complaint to the Data Protection Board.

Time Period for Retention and Erasure of Personal Data

Rule 8(1)[31] states that a Data Fiduciary belonging to specified classes must erase personal data after the expiry of the corresponding time period mentioned in the Third Schedule,[32] provided the Data Principal has neither approached the Data Fiduciary nor exercised her rights during that period. It also mandates that the Data Fiduciary must inform the Data Principal, at least 48 hours before such erasure, that her data will be erased unless she initiates contact or exercises her rights. Additionally, the Rule requires the Data Fiduciary to retain personal data, associated traffic data and processing logs for a minimum period of one year for purposes specified in the Seventh Schedule[33].
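The retention rule above, read together with duties 4 and 5 of Section 8 (erase on withdrawal of consent or when the purpose is no longer served, whichever is earlier, unless a law requires longer retention), amounts to a small state machine that an engineering team has to implement in its data stores. The following scheduler is an added illustration written for this page, not code from the Justice Definitions Project or any regulator. It assumes a simple per-principal record, and it uses a constructed 90-day retention period as a stand-in because the Third Schedule periods themselves are not reproduced on this page; the 48-hour notice lead and the one-year log retention are the figures the page gives for Rule 8(1).

```python
"""Retention and erasure scheduler modelling Section 8 duties and Rule 8(1).

Added illustration only; not code from the Justice Definitions Project or any
regulator. PLACEHOLDER_PERIOD is an ASSUMED stand-in for a Third Schedule period.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

NOTICE_LEAD = timedelta(hours=48)        # Rule 8(1): notify at least 48 hours before erasure
LOG_RETENTION = timedelta(days=365)      # Rule 8: traffic data and processing logs kept >= 1 year
PLACEHOLDER_PERIOD = timedelta(days=90)  # ASSUMPTION: not a real Third Schedule value


class Action(Enum):
    RETAIN = "retain"                    # nothing to do yet, or must wait, or legal hold
    NOTIFY = "notify_pending_erasure"    # send the 48-hour erasure notice now
    ERASE = "erase"                      # erase, and instruct the Data Processor to erase


@dataclass
class PersonalDataRecord:
    principal_id: str
    last_engagement: datetime                        # last contact or exercise of a right
    consent_withdrawn_at: Optional[datetime] = None
    legal_hold: bool = False                         # another law requires longer retention
    erasure_notice_sent_at: Optional[datetime] = None


def record_engagement(record, when):
    """Contact or a rights request restarts the clock and voids any pending notice."""
    record.last_engagement = when
    record.erasure_notice_sent_at = None
    return record


def retention_deadline(record, retention_period):
    return record.last_engagement + retention_period


def decide(record, now, retention_period=PLACEHOLDER_PERIOD):
    """Return the action the Data Fiduciary must take for this record at `now`."""
    if record.legal_hold:
        return Action.RETAIN             # Section 8: retention required by another law
    if record.consent_withdrawn_at is not None and record.consent_withdrawn_at <= now:
        return Action.ERASE              # withdrawal: erase without waiting for the period
    deadline = retention_deadline(record, retention_period)
    notice = record.erasure_notice_sent_at
    if now >= deadline:
        if notice is None:
            return Action.NOTIFY         # period expired but the principal was never warned
        if now - notice >= NOTICE_LEAD:
            return Action.ERASE          # warned at least 48 hours ago, no engagement since
        return Action.RETAIN             # notice too recent: wait out the 48 hours
    if deadline - now <= NOTICE_LEAD and notice is None:
        return Action.NOTIFY             # warn now so erasure can happen on the deadline
    return Action.RETAIN


def log_retention_until(processed_at):
    """Earliest date the processing logs for an operation may be discarded."""
    return processed_at + LOG_RETENTION


def plan_batch(records, now, retention_period=PLACEHOLDER_PERIOD):
    return {r.principal_id: decide(r, now, retention_period).value for r in records}


# Constructed clock and sample records covering every branch of decide().
SAMPLE_NOW = datetime(2026, 1, 15, 12, 0, tzinfo=timezone.utc)


def hours_from_now(h):
    return SAMPLE_NOW + timedelta(hours=h)


def build_sample():
    return {
        "active": PersonalDataRecord("p1", hours_from_now(-30 * 24)),
        "expiring_soon": PersonalDataRecord("p2", hours_from_now(-89 * 24)),
        "expired_unwarned": PersonalDataRecord("p3", hours_from_now(-95 * 24)),
        "expired_warned": PersonalDataRecord("p4", hours_from_now(-95 * 24),
                                             erasure_notice_sent_at=hours_from_now(-72)),
        "expired_recent_notice": PersonalDataRecord("p5", hours_from_now(-95 * 24),
                                                    erasure_notice_sent_at=hours_from_now(-12)),
        "withdrawn": PersonalDataRecord("p6", hours_from_now(-5 * 24),
                                        consent_withdrawn_at=hours_from_now(-1)),
        "legal_hold": PersonalDataRecord("p7", hours_from_now(-400 * 24), legal_hold=True),
    }


if __name__ == "__main__":
    for pid, action in plan_batch(build_sample().values(), SAMPLE_NOW).items():
        print(pid, action)
```

The scheduler keeps the two clocks separate on purpose: the personal data itself follows the engagement-based period and the 48-hour notice, while the processing logs that record what was done follow their own one-year minimum, so an erasure job must never delete the log entry proving that the erasure notice went out.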

Contact Information of Person Answering Queries

Rule 9[34] of the DPDP Rules, 2025 strengthens the obligation given in Section 8(9)[35] of the DPDP Act, 2023, which requires a Data Fiduciary to publish the business contact information of a Data Protection Officer or another authorized person. It obligates the Data Fiduciary not only to prominently publish such contact information on its website or application, but also to mention it in every response to a communication made by a Data Principal for the exercise of her rights.

Verifiable Consent for Processing Personal Data of Children

The DPDP Act, 2023 imposes the obligation of obtaining verifiable parental consent for processing personal data of children but does not specify how such consent is to be verified. The DPDP Rules, 2025 fill this gap by prescribing mechanisms for obtaining verifiable consent. Rules 10[36] and 11[37] obligate the Data Fiduciary to adopt appropriate measures to verify that consent is given by the parent or lawful guardian, and they recognise specific lawful means for such verification.

Exemptions for Certain Data Fiduciaries Processing Children’s Data

Rule 12[38] provides exemptions from certain obligations under section 9 of the Act for specific classes of Data Fiduciaries and purposes listed in the Fourth Schedule[39]. These exemptions apply only subject to the conditions specified in the Schedule. The Rule provides a rule-level clarification of section 9(4)[40] of the Act and is significant because it legally recognises that not all Data Fiduciaries processing children’s data are treated uniformly, provided they satisfy the prescribed conditions.

Additional Obligations of Significant Data Fiduciaries

Rule 13[41] requires a Significant Data Fiduciary [SDF] to conduct a Data Protection Impact Assessment, an audit at least once every 12 months and to ensure that the person carrying out such assessment submits a report to the Data Protection Board. It also imposes due diligence obligations regarding technical measures, including algorithmic software, to ensure that such measures do not pose a risk to the rights of Data Principals. Furthermore, it introduces a conditional restriction on cross-border transfer of specified personal data, subject to directions of the Central Government.

Rights of Data Principal

Rule 14[42] places an express obligation on Data Fiduciaries to publish, on their website or application, the means through which Data Principals may exercise their rights and the particulars required for identification. It also mandates that grievances be responded to within a reasonable period not exceeding ninety days.

Data Fiduciary as defined in International Instruments

General Data Protection Regulation (GDPR), European Union

The General Data Protection Regulation (GDPR)[43], effective since 2018, is one of the most comprehensive data protection laws globally, and it defines the "Controller" similarly to the Data Fiduciary under India’s DPDPA. The regulation offers extensive rights to individuals regarding their personal data. Article 4(7) of the GDPR defines a controller as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”. This matches the definition under section 2(i)[44] of the DPDPA.

Article 4(8) of the GDPR defines Processor as "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller".

Responsibility and Accountability of the Controller

Article 24 GDPR makes the controller responsible for ensuring that personal data is processed in accordance with the GDPR and for being able to demonstrate that such processing is compliant. Reference could be made to the accountability principle in Article 5(2) GDPR, which states that the controller is responsible for compliance with the data protection principles in Article 5(1) and must be able to demonstrate such compliance. Together, these provisions establish that the controller is the primary addressee of GDPR obligations and carries both operational responsibility and evidentiary burden.

Furthermore, Recital 74 establishes that the controller bears responsibility and liability for all processing of personal data, whether the processing is carried out directly by the controller or on its behalf. To discharge this responsibility, the controller is required to put in place measures that are appropriate and effective, and must also be capable of demonstrating that its processing activities comply with the Regulation, including showing that such measures function in practice. In determining these measures, due regard must be given to the nature, scope, context and purposes of the processing, as well as the level of risk posed to the rights and freedoms of natural persons.

Appropriate Technical & Organisational Measures

Under Article 24, the controller must implement technical and organisational measures that are appropriate having regard to the nature, scope, context and purposes of processing and the risks to the rights and freedoms of natural persons.

Article 25 GDPR requires the controller to apply data protection by design and by default, meaning that safeguards must be integrated into processing systems and practices from the outset.

Article 32 GDPR requires the controller to ensure a level of security appropriate to the risk, including measures such as confidentiality, integrity and resilience of systems. These Articles together clarify that the controller’s duty is preventive, risk-based and continuous rather than static or formalistic.

Compliance and Support Mechanism

Article 24(3) GDPR allows the controller to rely on adherence to approved codes of conduct under Article 40 GDPR, which provides for sector-specific rules approved by supervisory authorities, and approved certification mechanisms under Article 42 GDPR, which provide voluntary compliance certifications. These mechanisms may be used as elements to demonstrate compliance but do not replace the controller’s independent responsibility. The controller remains fully accountable even where such mechanisms are relied upon.

European Data Protection Board (EDPB)

While the GDPR itself does not formally define either of the terms “purposes” and “means”, we note that the European Data Protection Board (EDPB), which is considered an authoritative source of guidance on European data protection law, issued relevant guidance in 2020[45][46]. It notes that:

Determining the purposes and means amounts to deciding respectively the “why” and the “how” of the processing: given a particular processing operation, the controller is the actor who has determined why the processing is taking place (i.e., “to what end”; or “what for”) and how this objective shall be reached (i.e. which means shall be employed to attain the objective).

From the above, we can note that, in simple terms, for the EDPB, the data controller will be that actor who determines the ‘why’ and ‘how’ of a processing operation. This provides an indication of how the definition of a ‘data fiduciary’ may be interpreted in India as well. It is also worth noting that the DPDPA was introduced to replace a framework under the Information Technology Act of 2000 (IT Act), namely, section 43A read with the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011[47]. Under that framework, entities processing personal data were identified using the term “body corporate”. This indicated that the earlier IT Act framework was limited to the private sector. The relevance of the term “data controller” from European data protection law also emerges from the legislative and policymaking history of the process of drafting a data protection law for India[48].

OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980)

The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (2013)[49] were among the first international efforts to establish a framework for safeguarding personal data while allowing its free flow across borders. These guidelines have formed the basis for privacy laws globally and have been periodically updated to reflect evolving standards. The Accountability Principle states that "A data controller should be accountable for complying with measures which give effect to the principles stated above".[50]

Data Fiduciary as defined in Official Documents

Justice A.P Shah Committee, 2011

The first effort to evolve a personal data protection framework for India was undertaken in 2011 by the A.P. Shah Committee, formally known as the Group of Experts on Privacy. In their report, the A.P. Shah Committee used the term “data controller” throughout the report and especially when framing various privacy principles. A reading of their report indicates that, though they did not formally define the concept of a ‘data controller’, they were referring to and relying on the European conception of the term[51]. By using this term, the AP Shah Committee underscored the need for a formal legal concept to attach obligations relating to personal data protection to specific entities that were using personal data – which is the role performed by the definition of a “Data Fiduciary” in the DPDPA today.

Justice BN Srikrishna Committee Report, 2018

The term “Data Fiduciary” was coined by the Committee of Experts on a Data Protection Framework for India (Srikrishna Committee), established in 2017 by the Ministry of Electronics and Information Technology, Government of India, pursuant to the Puttaswamy judgment which recognised the fundamental right to privacy[52]. The Srikrishna Committee, tasked with developing a personal data protection law for India, released a draft Personal Data Protection Act of 2018 (PDP 2018), which used the term “Data Fiduciary” for the first time. In their accompanying report, the Srikrishna Committee justified using the term “data fiduciary” instead of the term “data controller” to emphasize the trust-based relationship between the individual identified by the personal data (i.e., the “data principal”) and the entity using their data (i.e., the “data fiduciary”). The Committee felt that the former term better reflects a fiduciary responsibility to act in the best interests of data principals.[53]

It identified data fiduciary as an entity which, in the digital economy, handles personal data in circumstances where data principals place varying degrees of trust and loyalty in it, depending on the nature of the data shared, the purpose of such sharing, and the entities with whom the data is shared. This relationship of trust imposes a duty of care on the entity to process and deal with the data fairly, responsibly, and only for purposes that the data principals can reasonably expect, thereby placing the entity in a fiduciary position vis-à-vis the data principal.

TRAI's Consultation Paper

The Telecom Regulatory Authority of India's consultation paper on "Regulatory Framework for Promoting Data Economy Through Establishment of Data Centres, Content Delivery Networks, and Interconnect Exchanges in India" describes a Data Fiduciary as an "entity or an individual who decides the means and purpose of processing personal data." However, this processing is subject to certain purpose, collection, and storage limitations. The paper also provides that all data fiduciaries must undertake measures to maintain transparency and accountability, such as:

  1. Implementing security safeguards (such as data encryption and preventing misuse of data)
  2. Instituting grievance redressal mechanisms to address complaints of individuals etc.

International Experiences

As discussed above, the concept of a ‘data controller’ used in many other jurisdictions is a key reference point for interpreting and applying the definition of a “Data Fiduciary”. Both concepts are similarly defined using the “purpose and means” test. In addition, two other useful international reference points are:

Singapore

Under the Singaporean Personal Data Protection Act of 2012 (SPDPA), the equivalent of the term “Data Fiduciary” is the term “organisation”, which is defined as including any ‘individual, company, association or body of persons, corporate or unincorporated’.[54] Instead of the ‘purpose and means’ test, obligations apply to organisations based on the specific data processing activities they perform – that is, some obligations apply to the activities of collection or disclosure, while others apply to storage or transfers. The SPDPA term is as wide a definition as that of a ‘Data Fiduciary’ to the extent that both capture the private sector exhaustively. However, the Singaporean term does not capture the State, a key difference from the DPDPA term. This is because the SPDPA only applies to the private sector.

Core Obligations

Under Sections 11-20 of the PDPA, organisations must comply with the following core obligations:

  1. Consent Obligation - Obtaining consent before collection, use or disclosure of personal data, and ceasing processing if consent is withdrawn.
  2. Purpose Limitation - Collecting, using or disclosing personal data only for purposes that a reasonable person would consider appropriate and that have been communicated to the individual.
  3. Notification Obligation - Informing individuals of the purposes for which their personal data is collected, used or disclosed.
  4. Accuracy Obligation - Ensuring the accuracy and completeness of personal data.
  5. Protection Obligation - Requiring organisations to make reasonable security arrangements for the protection of personal data.

Limitations

Under Sections 21 and 22 of the PDPA, organisations must provide individuals with access to their personal data and allow corrections to inaccurate information. Section 25 of the PDPA imposes a retention limitation: organisations retaining personal data must cease to retain it when the data is no longer needed for the purpose for which it was originally collected. Additionally, Section 26 of the PDPA ensures that personal data transferred outside Singapore is afforded comparable standards of protection.

California

Under the California Consumer Privacy Act of 2018 (CCPA)[55], the equivalent is the term “business”, which is defined as any for-profit entity that does business in California, collects consumers’ personal data and meets certain qualifying thresholds[56]. Businesses meeting these thresholds must comply with the obligations under the CCPA as applicable to their services and/or business activities. The CCPA definition is narrower than that of a ‘Data Fiduciary’ under the DPDPA because of these qualifying thresholds; consequently, the CCPA does not apply to the entirety of the private sector by default. It also does not capture the State, another key difference from the DPDPA term.

Australia

Australia’s Privacy Act of 1988[57] has been a cornerstone of personal data protection in the country and aligns with the rights of Data Principals through its Australian Privacy Principles (APPs). These principles govern how organizations should handle personal information, with specific rights for individuals.

The relevant principles, with their titles and purposes, are:

APP 1: Open and Transparent Management - An APP entity must take reasonable steps to implement practices, procedures and systems that ensure compliance with the Privacy Act and the APPs. It must also maintain a privacy policy explaining how personal information is managed.
APP 3: Collection of Solicited Information - Restricts collection of personal information to what is reasonably necessary for the entity’s functions or activities. Collection must be lawful and fair, and sensitive information generally requires consent.
APP 5: Notification of Collection of Personal Information - Describes when and under what circumstances APP entities must inform individuals about the collection of their personal information.
APP 6: Use or Disclosure - Defines the conditions under which APP entities may use or disclose personal information they hold.
APP 8: Cross-Border Disclosure - Requires an APP entity, before transferring personal information overseas, to take reasonable steps to ensure the foreign recipient does not breach the APPs. Importantly, the Australian entity remains accountable for the overseas recipient’s conduct unless an exception applies.
APP 10: Quality of Information - Obligates APP entities to ensure personal information collected, used, or disclosed is accurate, up-to-date, complete, and relevant to its purpose.
APP 11: Security of Information - Requires APP entities to protect personal information from misuse, interference, loss, and unauthorized access, and to destroy or de-identify it when necessary.
APP 12: Access to Information - Establishes obligations for APP entities to provide access to personal information upon request unless a specific exception applies.
APP 13: Correction of Information - Mandates APP entities to correct inaccurate or incomplete personal information they hold.

Section 15 of the Privacy Act requires that an APP entity must not engage in any act or practice that breaches an APP. The Office of the Australian Information Commissioner (OAIC) enforces compliance, handles complaints, and can issue determinations and penalties for serious interferences with privacy.

Research that engages with "Data Fiduciary"

Fiduciary relationships as a means to protect privacy: Examining the use of the fiduciary concept in the draft Personal Data Protection Bill, 2018

This study, focusing on the use of the term ‘fiduciary’ in Indian law, was authored by Bailey and Goyal (2019), who examined the framework of the PDP 2019[58]. They noted that, while the inspiration for the term may have come from conventional fiduciary relationships that demand obligations of loyalty and care, such as those between physicians and patients, the PDP 2019 did not impose similar obligations. As such, the PDP 2019 did not strictly compel organisations to operate in the best interest of the user; instead, it placed more emphasis on good faith and reasonableness, akin to the fair dealing requirements found in contract law. According to their paper, the PDP 2019’s usage of the fiduciary concept may be more of a symbolic move to denote a high degree of rights protection rather than a significant departure from notice-and-consent-based laws like the GDPR.

Can we trust trust-based data governance models?

This paper by Bart van der Sloot and Esther Keymolen[59] discusses how fiduciary agents and trust-based institutions are increasingly being considered in legal, regulatory, and ethical discussions as an alternative or addition to traditional data control models. Rather than placing responsibility on individuals to manage their own data and protect their interests, the paper explains that an independent person or organisation could act on behalf of individuals, while also taking the broader public interest into account. The paper notes that such trust-based arrangements are expected to increase public confidence in data sharing, thereby supporting data-driven initiatives. However, it also cautions that these models are not without risks, and highlights that certain approaches, particularly data trusts, may have wide-ranging and significant consequences.

Data Controllers as Data Fiduciaries: Theory, Definitions & Burden of Proof

This legal article by Noelle Wilson and Amanda Reid explores the integration of fiduciary theory into modern U.S. consumer privacy laws.[60] The authors analyze how American states are adopting "data controller" and "data processor" definitions from the European GDPR, yet often fail to provide robust protection or enforcement mechanisms. To address these gaps, they propose a hybrid model that treats data controllers as information fiduciaries with specific duties of loyalty and care. A central argument of the paper is that businesses should be presumed to be data controllers by default in legal disputes. This shift in the burden of proof is justified by the fact that corporations possess superior access to evidence regarding their own data practices. Ultimately, the text argues that merging fiduciary principles with existing regulatory frameworks creates a more flexible, future-proof system for safeguarding personal information.

Challenges

  1. Open-Ended Reasonableness of Security Safeguards
  2. Incomplete Cross-Border Transfer Framework, as Data Fiduciaries remain dependent on future government notifications to determine permissible jurisdictions for data transfers.
  3. The Rules operationalize obligations for Significant Data Fiduciaries, but they do not eliminate uncertainty regarding when and how an entity will be classified as significant. The designation remains discretionary and notification-based, limiting regulatory predictability.
  4. The DPDP Rules, 2025 suffer from vagueness and over-delegation, particularly in relation to DPIAs, data localisation, and cross-border transfers, leading to regulatory uncertainty and weak rights protection.

Way Ahead

As noted above, the term ‘Data Fiduciary’ serves as the Indian equivalent of the term ‘data controller’ found in the data protection laws of several jurisdictions (including those in the European Union). The substance of the definition is the same as that found in the GDPR, and the use of the term ‘fiduciary’ is more of a symbolic move. Going forward, it remains to be seen how the DPBI will interpret and apply the term and the ‘purpose and means’ test that is the crux of the definition, and the extent to which it will rely on the European conception of the term.

With reference to Significant Data Fiduciaries (SDFs), the core concern is that while the DPDP Rules, 2025 strengthen oversight of SDFs, they lack substantive clarity and proportional safeguards. Key obligations such as DPIAs, data localisation, and cross-border transfers are framed in vague terms and heavily delegated to future executive action, creating compliance uncertainty. To make the regime effective and rights-centric, the Rules must clearly define the scope of DPIAs, reintroduce data classification (sensitive and critical personal data), mandate record-keeping, and explicitly set out the conditions for international data transfers, rather than leaving these to notifications. Without such clarity, the protection of data principals risks becoming procedural rather than real.

References

  1. [1]
  2. The Digital Personal Data Protection Act, 2023, No. 22, Acts of Parliament, 2023.
  3. The Digital Personal Data Protection Act, 2023, § 2(i), No. 22, Acts of Parliament, 2023.
  4. The Digital Personal Data Protection Act, 2023, § 2(t), No. 22, Acts of Parliament, 2023.
  5. The Digital Personal Data Protection Act, 2023, § 2(x), No. 22, Acts of Parliament, 2023.
  6. The Digital Personal Data Protection Act, 2023, § 2(s), No. 22, Acts of Parliament, 2023.
  7. The Digital Personal Data Protection Act, 2023, § 2(zb), No. 22, Acts of Parliament, 2023.
  8. INDIA CONST. art. 12.
  9. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4051127
  10. Supra at 2.
  11. The Digital Personal Data Protection Act, 2023, § 4, No. 22, Acts of Parliament, 2023.
  12. The Digital Personal Data Protection Act, 2023, § 5, No. 22, Acts of Parliament, 2023.
  13. The Digital Personal Data Protection Act, 2023, § 6, No. 22, Acts of Parliament, 2023.
  14. The Digital Personal Data Protection Act, 2023, § 6(1), No. 22, Acts of Parliament, 2023.
  15. The Digital Personal Data Protection Act, 2023, § 6(4), No. 22, Acts of Parliament, 2023.
  16. The Digital Personal Data Protection Act, 2023, § 6(2), No. 22, Acts of Parliament, 2023.
  17. The Digital Personal Data Protection Act, 2023, § 6(6), No. 22, Acts of Parliament, 2023.
  18. The Digital Personal Data Protection Act, 2023, § 6(7), No. 22, Acts of Parliament, 2023.
  19. The Digital Personal Data Protection Act, 2023, § 6(8), No. 22, Acts of Parliament, 2023.
  20. The Digital Personal Data Protection Act, 2023, § 6(10), No. 22, Acts of Parliament, 2023.
  21. The Digital Personal Data Protection Act, 2023, § 9, No. 22, Acts of Parliament, 2023.
  22. The Digital Personal Data Protection Act, 2023, § 9(1), No. 22, Acts of Parliament, 2023.
  23. The Digital Personal Data Protection Act, 2023, § 9(2), No. 22, Acts of Parliament, 2023.
  24. The Digital Personal Data Protection Act, 2023, § 10(3), No. 22, Acts of Parliament, 2023.
  25. The Digital Personal Data Protection Act, 2023, § 10(4), No. 22, Acts of Parliament, 2023.
  26. The Digital Personal Data Protection Act, 2023, § 10(5), No. 22, Acts of Parliament, 2023.
  27. The Digital Personal Data Protection Act, 2023, § 8, No. 22, Acts of Parliament, 2023.
  28. The Digital Personal Data Protection Act, 2023, § 10(1), No. 22, Acts of Parliament, 2023.
  29. Digital Personal Data Protection Rules, 2025.
  30. Digital Personal Data Protection Rules, 2025, Rule 3.
  31. Digital Personal Data Protection Rules, 2025, Rule 8.
  32. Digital Personal Data Protection Rules, 2025, Schedule III.
  33. Digital Personal Data Protection Rules, 2025, Schedule VII.
  34. Digital Personal Data Protection Rules, 2025, Rule 9.
  35. The Digital Personal Data Protection Act, 2023, § 8(9), No. 22, Acts of Parliament, 2023.
  36. Digital Personal Data Protection Rules, 2025, Rule 10.
  37. Digital Personal Data Protection Rules, 2025, Rule 11.
  38. Digital Personal Data Protection Rules, 2025, Rule 12.
  39. Digital Personal Data Protection Rules, 2025, Schedule IV.
  40. The Digital Personal Data Protection Act, 2023, § 9(4), No. 22, Acts of Parliament, 2023.
  41. Digital Personal Data Protection Rules, 2025, Rule 13.
  42. Digital Personal Data Protection Rules, 2025, Rule 14.
  43. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) 1, available at https://eur-lex.europa.eu.
  44. Supra at 3.
  45. https://www.edpb.europa.eu/system/files/2023-10/EDPB_guidelines_202007_controllerprocessor_final_en.pdf
  46. https://www.edpb.europa.eu/system/files/2023-10/EDPB_guidelines_202007_controllerprocessor_final_en.pdf
  47. https://www.meity.gov.in/writereaddata/files/Information%20Technology%20%28Intermediary%20Guidelines%20and%20Digital%20Media%20Ethics%20Code%29%20Rules%2C%202021%20%28updated%2006.04.2023%29-.pdf
  48. https://icrier.org/pdf/IPCIDE-Policy_Brief_4.pdf
  49. OECD, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (Sept. 23, 1980).
  50. OECD, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, art 14.
  51. https://cis-india.org/internet-governance/blog/report-of-group-of-experts-on-privacy.pdf
  52. https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf
  53. https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf
  54. https://sso.agc.gov.sg/Act/PDPA2012?ProvIds=Sc1-#:~:text=(2)%20Where%20the%20organisation%20collects,the%20collection%2C%20use%20or%20disclosure%2C
  55. https://oag.ca.gov/privacy/ccpa
  56. https://oag.ca.gov/privacy/ccpa
  57. Privacy Act 1988 (Cth).
  58. https://www.datagovernance.org/report/fiduciary-relationships-as-a-means-to-protect-privacy
  59. Bart van der Sloot & Esther Keymolen, Can we trust trust-based data governance models?, Data & Policy, https://www.cambridge.org/core/journals/data-and-policy/article/can-we-trust-trustbased-data-governance-models/A611C1C5EB7BA012396316FC6229A714
  60. Noelle Wilson & Amanda Reid, Data Controllers as Data Fiduciaries: Theory, Definitions & Burdens of Proof, 95 U. Colo. L. Rev. 175 (2024).