Data Fiduciary
What is a Data Fiduciary?
The Digital Personal Data Protection Act of 2023 (DPDPA) is India’s first cross-sectoral law for personal data protection. It recognizes certain rights of individuals over their personal data and imposes various obligations on organizations that collect, use, store, share, handle, or otherwise carry out any operations in relation to that data, or that seek to do so. To make those rights enforceable against, and to direct those obligations at, the relevant organizations in respect of particular sets of data, the DPDPA defines the concept of a "Data Fiduciary".
A "data fiduciary" is an individual or organization entrusted with the custody, control or management of personal data in a relationship of trust, akin to more traditional fiduciary relationships (for example, between a lawyer and a client, or a physician and a patient). In practice, this means that a data fiduciary is not just someone who collects or processes data mechanically, but a custodian or steward of personal information, as they carry responsibilities including but not limited to: determining why and how data is processed, ensuring lawful and fair handling, minimizing risks of misuse, and maintaining transparency and accountability toward data subjects.[1]
The need for this definition arises from the fact that, in practice, activities involving the use of personal data often involve multiple actors performing different roles, functions, or services, and not all will have the same degree of responsibility or decision-making power.
Official definition of Data Fiduciary
Data Fiduciary as defined in Legislation(s)
Digital Personal Data Protection Act, 2023
Under the Digital Personal Data Protection Act, 2023[2] (India), Section 2(i)[3] defines Data Fiduciary as: "Any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data". In other words, a Data Fiduciary is the person who determines the purpose and means of processing personal data. Under this framing, a data fiduciary has an ethical and often legal responsibility to act in the best interests of the 'data principal', rather than merely as a commercial counterparty or neutral technical processor.
Interpretation of the Definition of Data Fiduciary under DPDPA, 2023
Understanding the interpretation, application, and operation of the definition of a “Data Fiduciary” requires reading Section 2(i)[3] together with several other definitions in the DPDPA, which are highlighted below:
Processing of Personal Data
Sections 2(t)[4] and 2(x)[5] of the DPDPA define the terms ‘personal data’ and ‘processing’, respectively. While personal data is data about a specific individual that can be used to identify that individual, processing is a broad term used to capture any kind of activity involving, or operation performed on, that personal data. This means that ‘Data Fiduciary’ is a role defined in relation to a particular set of personal data and to the particular processing operations involving that data; it is not a context-agnostic or static concept that applies at an organisation-wide level or across all types of data handled by an organisation. An organisation’s role can vary across the different types of personal data it processes.
Person
Section 2(s)[6] of the DPDPA defines the term “person” as inclusive of any individual, any ‘artificial juristic persons’ (including a company, a partnership firm, or a Hindu Undivided Family) as well as the “State” - which means that any of the above can be regarded as a “Data Fiduciary” in relation to particular personal data.
Section 2(zb)[7] further defines the term “State” by referring to Article 12[8] of the Constitution of India. This implies that the “Data Fiduciary” can be interpreted to apply to any agency, authority or organization that can be regarded as the “State” under Article 12[9].
Legal Provisions Relating to Data Fiduciary under DPDPA, 2023
General Obligations of Data Fiduciary
Chapter II[2] deals with General Obligations of Data Fiduciary during data processing, which are highlighted below.
Grounds for Processing Personal Data
Section 4[10] permits the processing of personal data only in accordance with the Act and strictly for a lawful purpose, meaning any purpose not expressly prohibited by law. Such processing is allowed either when the Data Principal has given valid consent or when the activity qualifies as one of the Act’s specified legitimate uses.
Notice to Data Principal
Section 5[11] requires the Data Fiduciary to give a clear notice to the Data Principal before seeking consent. The notice shall lay out clearly the personal data to be collected, the purpose of its processing, the manner in which the Data Principal can exercise their rights (such as withdrawing consent or accessing their data), and how they may lodge a complaint with the Data Protection Board. If a person had already given consent before the Act came into force, the Data Fiduciary must later issue the same notice, as soon as reasonably possible, informing the individual about the data being processed, their rights, and the complaint mechanisms.
Consent Requirements
Section 6[12] mandates that consent must be free, informed, specific, given through a clear affirmative action, and limited only to data necessary for the stated purpose;[13] it must be capable of being withdrawn by the Data Principal,[14] and any part of consent that violates the Act or any other law is invalid.[15] After withdrawal, the Data Fiduciary and its Data Processors must stop processing the data unless further processing is legally required.[16] Consent may be given, managed, reviewed, or withdrawn through a registered Consent Manager,[17] who is accountable to the Data Principal and must act on her behalf as per prescribed obligations.[18] In any dispute about consent, the Data Fiduciary bears the burden of proving that proper notice was given and valid consent obtained.[19]
Processing of Personal Data of Children
Section 9[20] requires Data Fiduciaries to obtain verifiable consent from a child’s parent or lawful guardian before processing the child’s personal data,[21] while ensuring that the processing carried out does not harm the child’s well-being.[22] They are further prohibited from tracking, behaviourally monitoring, or targeting advertisements at children.[23] However, the government may prescribe specific classes of Data Fiduciaries or purposes where the requirements of sub-sections (1) and (3) do not apply.[24] Moreover, if a Data Fiduciary demonstrates that its processing of children’s data is verifiably safe, the Central Government may notify an age threshold above which that Data Fiduciary may be exempted from obligations under sub-sections (1) and (3), as specified in the notification.[25]
Specific Compliance Duties of Data Fiduciary
Section 8[26] provides for duties or operational responsibilities that Data Fiduciaries must follow while carrying out processing of Data.
- A Data Fiduciary is fully responsible for complying with the Act, even if the Data Principal fails in their duties or even if the data is processed by a Data Processor on its behalf. A Data Fiduciary may hire a Data Processor, but only through a valid contract and only for offering goods or services.
- When personal data is used for decisions affecting the Data Principal or shared with another Data Fiduciary, the Data Fiduciary must ensure the data is complete, accurate, and consistent. It must also implement proper technical and organisational safeguards to ensure compliance, and take reasonable security measures to prevent breaches.
- If a personal data breach occurs, the Data Fiduciary must notify both the Data Protection Board and every affected Data Principal as prescribed.
- A Data Fiduciary must delete personal data once consent is withdrawn or when the purpose is no longer served, whichever comes earlier, unless a law requires longer retention. It must also ensure that its Data Processor deletes the data provided to it.
- The purpose is assumed to no longer be served when the Data Principal neither engages with the Data Fiduciary for that purpose nor exercises any related rights for a prescribed period.
- A Data Fiduciary must publish the contact details of its Data Protection Officer (if applicable) or another authorized person to answer Data Principal queries. It must also establish an effective grievance-redressal mechanism.
Additional Obligations for Significant Data Fiduciary (SDF)
It is worth noting that the DPDPA distinguishes between “Data Fiduciaries” and “Significant Data Fiduciaries” (SDF). As per Section 10(1) of the DPDPA,[27] the Central Government may notify any Data Fiduciary or class of Data Fiduciaries as an SDF. Upon notification, SDFs are subject to the additional obligations specified in section 10(2), which they must comply with over and above all the obligations that apply to Data Fiduciaries in general. This distinction is intended to bring flexibility into the DPDPA, so that obligations may be asymmetrically imposed on organisations based on the potential risks and harms associated with different data processing operations.
Digital Personal Data Protection Rules, 2025
Legal Provisions Relating to Data Fiduciary under DPDP Rules, 2025
Data Fiduciary as defined in International Instruments
General Data Protection Regulation (GDPR), European Union
The General Data Protection Regulation (GDPR)[28], effective since 2018, is one of the most comprehensive data protection laws globally, and it defines the "" similarly to the Data Fiduciary under India’s DPDPA. The regulation offers extensive rights to individuals regarding their personal data. These include:
Data Fiduciary as defined in Official Documents
Srikrishna Committee Report, 2017
The DPBI may look to rely on global interpretations of these concepts as they are relatively well-established and well-understood in other jurisdictions. The most relevant reference point is the GDPR, which uses the same key operative phrase to define the equivalent concept of a ‘data controller’. Article 4(7) of the GDPR defines a controller as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. This matches the definition under section 2(i) of the DPDPA.
While the GDPR itself does not formally define either term, we note that the European Data Protection Board (EDPB), which is considered an authoritative source of guidance on European data protection law, issued relevant guidance in 2020[29][30]. They note that:
“Determining the purposes and means amounts to deciding respectively the “why” and the “how” of the processing: given a particular processing operation, the controller is the actor who has determined why the processing is taking place (i.e., “to what end”; or “what for”) and how this objective shall be reached (i.e. which means shall be employed to attain the objective).”
From the above, we can note that, in simple terms, for the EDPB, the data controller will be that actor who determines the ‘why’ and ‘how’ of a processing operation. This provides an indication of how the definition of a ‘data fiduciary’ may be interpreted in India as well.
It is also worth noting that the DPDPA was introduced to replace a framework under the Information Technology Act of 2000 (IT Act), namely, section 43A read with the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011[31]. Under that framework, entities processing personal data were identified using the term “body corporate”. This indicated that the earlier IT Act framework was limited to the private sector.
The relevance of the term “data controller” from European data protection law also emerges from the legislative and policymaking history of the process of drafting a data protection law for India[32]. As we discuss below, throughout this history, the term “Data Fiduciary” has been intended to be an Indian equivalent of the term “data controller”.
- The first effort to evolve a personal data protection framework for India was undertaken in 2011 by the A.P. Shah Committee, formally known as the Group of Experts on Privacy. In their report, the A.P. Shah Committee used the term “data controller” throughout, and especially when framing various privacy principles. A reading of their report indicates that, though they did not formally define the concept of a ‘data controller’, they were referring to and relying on the European conception of the term[33]. By using this term, the A.P. Shah Committee underscored the need for a formal legal concept to attach obligations relating to personal data protection to specific entities that were using personal data, which is the role performed by the definition of a “Data Fiduciary” in the DPDPA today.
- The term “Data Fiduciary” was coined by the Committee of Experts on a Data Protection Framework for India (Srikrishna Committee), established in 2017 by the Ministry of Electronics and Information Technology, Government of India, pursuant to the Puttaswamy judgment which recognised the fundamental right to privacy[34]. The Srikrishna Committee, tasked with developing a personal data protection law for India, released a draft Personal Data Protection Act of 2018 (PDP 2018), which used the term “Data Fiduciary” for the first time. In their accompanying report, the Srikrishna Committee justified using the term “data fiduciary” instead of the term “data controller” to emphasize the trust-based relationship between the individual identified by the personal data (i.e., the “data principal”) and the entity using their data (i.e., the “data fiduciary”). The Committee felt that the former term better reflects a fiduciary responsibility to act in the best interests of data principals[35].
- In all subsequent drafts of a personal data protection law for India, the term “Data Fiduciary” as defined in the PDP 2018 has been used. This includes the Personal Data Protection Bill of 2019 (PDP 2019), the Data Protection Bill of 2021, and the draft Digital Personal Data Protection Bill of 2023[36][37]. The DPDPA also retains that definition, giving us the official definition stated in Section 2(i) (see above).
International Experiences
As discussed above, the concept of a ‘data controller’ used in many other jurisdictions is a key reference point for interpreting and applying the definition of a “Data Fiduciary”. Both concepts are similarly defined using the “purpose and means” test. In addition, two other useful international reference points are:
Singapore
Under the Singaporean Personal Data Protection Act of 2012 (SPDPA), the equivalent of the term “Data Fiduciary” is the term “organisation”, which is defined as including any ‘individual, company, association or body of persons, corporate or unincorporated’.[38] Instead of the ‘purpose and means’ test, obligations apply to organisations based on the specific data processing activities they perform; that is, some obligations apply to the activities of collection or disclosure, while others apply to storage or transfers. The SPDPA term is as wide a definition as that of a ‘Data Fiduciary’ to the extent that both capture the private sector exhaustively. However, the Singaporean term does not capture the State, a key difference from the DPDPA term, because the SPDPA applies only to the private sector.
California
Under the Californian Consumer Privacy Act of 2018 (CCPA)[39], the equivalent is the term “business”, which is defined as any for-profit entity that does business in California, collects consumers’ personal data and meets certain qualifying thresholds[40]. Businesses meeting these thresholds must comply with the obligations under the CCPA as applicable to their services and/or business activities. The CCPA term is narrower than that of a ‘Data Fiduciary’ under the DPDPA because of these qualifying thresholds; consequently, the CCPA does not apply to the entirety of the private sector by default. It also does not capture the State, another key difference from the DPDPA term.
Research that engages with the term "Data Fiduciary"
Fiduciary relationships as a means to protect privacy: Examining the use of the fiduciary concept in the draft Personal Data Protection Bill, 2018
A particularly relevant research paper, focusing on the use of the term ‘fiduciary’ in Indian law, was authored by Bailey and Goyal (2019), who examined the framework of the PDP 2019[41]. They noted that, while the inspiration for the term may have come from conventional fiduciary relationships that demand obligations of loyalty and care, such as those between physicians and patients, the PDP 2019 did not impose similar obligations. As such, the PDP 2019 did not strictly compel organisations to operate in the best interest of the user; instead, it placed more emphasis on good faith and reasonableness, akin to the fair dealing requirements found in contract law. According to their paper, the PDP 2019’s usage of the fiduciary concept may be more of a symbolic move to denote a high degree of rights protection rather than a significant departure from notice-and-consent-based laws like the GDPR.
Can we trust trust-based data governance models? by Bart van der Sloot and Esther Keymolen[42]
Way Ahead
As noted above, the term ‘Data Fiduciary’ serves as the Indian equivalent of the term ‘data controller’ found in the data protection laws of several jurisdictions (including those in the European Union). The substance of the definition is the same as that found in the GDPR, and the use of the term ‘fiduciary’ is more of a symbolic move. Going forward, it remains to be seen how the DPBI will interpret and apply the term and the ‘purpose and means’ test that is the crux of the definition, and the extent to which it will rely on the European conception of the term.
References
1. [1]
2. The Digital Personal Data Protection Act, 2023, No. 22, Acts of Parliament, 2023.
3. The Digital Personal Data Protection Act, 2023, § 2(i), No. 22, Acts of Parliament, 2023.
4. The Digital Personal Data Protection Act, 2023, § 2(t), No. 22, Acts of Parliament, 2023.
5. The Digital Personal Data Protection Act, 2023, § 2(x), No. 22, Acts of Parliament, 2023.
6. The Digital Personal Data Protection Act, 2023, § 2(s), No. 22, Acts of Parliament, 2023.
7. The Digital Personal Data Protection Act, 2023, § 2(zb), No. 22, Acts of Parliament, 2023.
8. INDIA CONST. art. 12.
9. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4051127
10. The Digital Personal Data Protection Act, 2023, § 4, No. 22, Acts of Parliament, 2023.
11. The Digital Personal Data Protection Act, 2023, § 5, No. 22, Acts of Parliament, 2023.
12. The Digital Personal Data Protection Act, 2023, § 6, No. 22, Acts of Parliament, 2023.
13. The Digital Personal Data Protection Act, 2023, § 6(1), No. 22, Acts of Parliament, 2023.
14. The Digital Personal Data Protection Act, 2023, § 6(4), No. 22, Acts of Parliament, 2023.
15. The Digital Personal Data Protection Act, 2023, § 6(2), No. 22, Acts of Parliament, 2023.
16. The Digital Personal Data Protection Act, 2023, § 6(6), No. 22, Acts of Parliament, 2023.
17. The Digital Personal Data Protection Act, 2023, § 6(7), No. 22, Acts of Parliament, 2023.
18. The Digital Personal Data Protection Act, 2023, § 6(8), No. 22, Acts of Parliament, 2023.
19. The Digital Personal Data Protection Act, 2023, § 6(10), No. 22, Acts of Parliament, 2023.
20. The Digital Personal Data Protection Act, 2023, § 9, No. 22, Acts of Parliament, 2023.
21. The Digital Personal Data Protection Act, 2023, § 9(1), No. 22, Acts of Parliament, 2023.
22. The Digital Personal Data Protection Act, 2023, § 9(2), No. 22, Acts of Parliament, 2023.
23. The Digital Personal Data Protection Act, 2023, § 10(3), No. 22, Acts of Parliament, 2023.
24. The Digital Personal Data Protection Act, 2023, § 10(4), No. 22, Acts of Parliament, 2023.
25. The Digital Personal Data Protection Act, 2023, § 10(5), No. 22, Acts of Parliament, 2023.
26. The Digital Personal Data Protection Act, 2023, § 8, No. 22, Acts of Parliament, 2023.
27. The Digital Personal Data Protection Act, 2023, § 10(1), No. 22, Acts of Parliament, 2023.
28. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) 1, available at https://eur-lex.europa.eu.
29. https://www.edpb.europa.eu/system/files/2023-10/EDPB_guidelines_202007_controllerprocessor_final_en.pdf
30. https://www.edpb.europa.eu/system/files/2023-10/EDPB_guidelines_202007_controllerprocessor_final_en.pdf
31. https://www.meity.gov.in/writereaddata/files/Information%20Technology%20%28Intermediary%20Guidelines%20and%20Digital%20Media%20Ethics%20Code%29%20Rules%2C%202021%20%28updated%2006.04.2023%29-.pdf
32. https://icrier.org/pdf/IPCIDE-Policy_Brief_4.pdf
33. https://cis-india.org/internet-governance/blog/report-of-group-of-experts-on-privacy.pdf
34. https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf
35. https://www.meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf
36. https://prsindia.org/files/bills_acts/bills_parliament/2019/Personal%20Data%20Protection%20Bill,%202019.pdf
37. https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Protection%20Bill%2C%202022.pdf
38. https://sso.agc.gov.sg/Act/PDPA2012?ProvIds=Sc1-#:~:text=(2)%20Where%20the%20organisation%20collects,the%20collection%2C%20use%20or%20disclosure%2C
39. https://oag.ca.gov/privacy/ccpa
40. https://oag.ca.gov/privacy/ccpa
41. https://www.datagovernance.org/report/fiduciary-relationships-as-a-means-to-protect-privacy
42. https://www.cambridge.org/core/journals/data-and-policy/article/can-we-trust-trustbased-data-governance-models/A611C1C5EB7BA012396316FC6229A714
