What is Data Fiduciary in the Digital Personal Data Protection Bill, 2023?

In the context of personal data protection, a “Data Fiduciary” refers to any entity or individual that determines the purpose and means of processing personal data. In simpler terms, it’s the entity that decides why and how personal data should be used. The concept can be likened to a trustee who holds a responsibility to manage assets (in this case, data) for the benefit of someone else, ensuring that it’s used in their best interest.

The role of the data fiduciary comes with various obligations and responsibilities, primarily to ensure the protection of personal data and respect for the rights of the data principal (the individual whose data is being processed). These obligations can include:

  • ensuring transparency about how data is used,
  • implementing proper security measures,
  • seeking consent from data principals when required, and so on.

The term “Data Fiduciary” has been notably used in the context of India’s Digital Personal Data Protection Bill, 2023, but similar concepts exist in data protection regulations worldwide, often under different designations. For instance, in the General Data Protection Regulation (GDPR) of the European Union, a similar role is referred to as the “Data Controller.”

What is a Data Fiduciary in the DPDP Bill 2023?

A Data Fiduciary is a person or organization that determines the purpose and means of processing personal data under the Digital Personal Data Protection Bill, 2023 (DPDP Bill). This means that the Data Fiduciary is responsible for ensuring that personal data is processed in a lawful, fair, and transparent manner, and that the rights of data principals are protected.

The DPDP Bill defines a Data Fiduciary as follows:

“Data Fiduciary” means any person who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data.

EGazette, Government of India

Some examples of Data Fiduciaries under the DPDP Bill include:

  • Social media platforms
  • E-commerce websites
  • Online payment gateways
  • Telecom operators
  • Banks
  • Hospitals
  • Educational institutions

The DPDP Bill 2023 imposes a number of obligations on Data Fiduciaries, including:

  • Obtaining consent from data principals before processing their personal data
  • Limiting the collection of personal data to what is necessary for the specified purpose
  • Keeping personal data accurate and up-to-date
  • Protecting personal data from unauthorized access, use, or disclosure
  • Notifying data principals of any data breaches

Data Fiduciaries that fail to comply with the DPDP Bill can be subject to a number of penalties, including fines, imprisonment, or both.

The DPDP Bill is a significant piece of legislation that will have a major impact on the way personal data is processed in India. By establishing a framework for regulating the processing of personal data, the DPDP Bill aims to protect the privacy of data principals and to promote responsible data management practices.

What are the obligations of Data Fiduciaries under the DPDP Bill 2023?

  • Data Fiduciaries must obtain verifiable consent from data principals before processing their personal data. Verifiable consent means that the data principal must be able to prove that they have given their consent to the processing of their personal data.
  • Data Fiduciaries must limit the collection of personal data to what is necessary for the specified purpose. This means that Data Fiduciaries should not collect more personal data than they need to achieve the purpose for which they are collecting it.
  • Data Fiduciaries must keep personal data accurate and up-to-date. This means that Data Fiduciaries should take steps to ensure that the personal data they hold is accurate and up-to-date.
  • Data Fiduciaries must protect personal data from unauthorized access, use, or disclosure. This means that Data Fiduciaries should implement appropriate security measures to protect personal data from being accessed by unauthorized individuals or organizations.
  • Data Fiduciaries must notify data principals of any data breaches. This means that Data Fiduciaries must promptly notify data principals if there has been a breach of security that has resulted in the unauthorized access, use, or disclosure of their personal data.

The DPDP Bill is a complex piece of legislation, and there are many nuances to the obligations of Data Fiduciaries. If you are a Data Fiduciary, it is important to carefully review the DPDP Bill 2023 to ensure that you are in compliance with its requirements.

What are the differences between data principal and data fiduciary?

The key difference between a data principal and a data fiduciary is that the data principal is the individual whose personal data is being processed, while the data fiduciary is the organization that is responsible for processing that data.

The Data Protection Bill of India, 2022 (DPDP Bill) defines a data principal as:

“Data Principal” means the individual to whom the personal data relates and where such an individual is a child includes the parents or lawful guardian of such a child.

The DPDP Bill defines a data fiduciary as:

“Data Fiduciary” means any person who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data.

In other words, the data principal is the person who owns the personal data, while the data fiduciary is the person who has control over the personal data.

The DPDP Bill gives data principals a number of rights, including the right to:

  • Know what personal data is being processed about them
  • Access their personal data
  • Rectify their personal data
  • Delete their personal data
  • Object to the processing of their personal data
  • Port their personal data

The DPDP Bill also imposes a number of obligations on data fiduciaries, including the obligation to:

  • Obtain consent from data principals before processing their personal data
  • Limit the collection of personal data to what is necessary for the specified purpose
  • Keep personal data accurate and up-to-date
  • Protect personal data from unauthorized access, use, or disclosure
  • Notify data principals of any data breaches

What are the key differences between data principals and data fiduciaries?

  1. Definition:
    • Data Principal: The individual whose personal data is being processed.
    • Data Fiduciary: The entity or individual that determines the purpose and means of processing personal data.
  2. Role:
    • Data Principal: Provides data, either actively or passively, and has rights over their own data.
    • Data Fiduciary: Decides why (purpose) and how (means) the data should be processed.
  3. Responsibilities:
    • Data Principal:
      • Exercising their rights such as access, correction, deletion, etc.
      • Giving or withdrawing consent when required.
      • Being informed about how their data is used.
    • Data Fiduciary:
      • Ensuring data protection and respect for the data principal’s rights.
      • Implementing appropriate security measures.
      • Obtaining valid consents.
      • Providing transparency and information about data use.
  4. Rights:
    • Data Principal:
      • Right to access their data.
      • Right to correct inaccuracies in their data.
      • Right to delete or erase their data under certain conditions.
      • Right to object to or restrict processing in certain scenarios.
      • Right to portability (to transfer their data from one service provider to another).
    • Data Fiduciary: Typically doesn’t have “rights” over the data but has obligations and duties regarding its processing and protection.
  5. Examples:
    • Data Principal: John, whose personal details are stored by an online retailer.
    • Data Fiduciary: The online retailer storing and using John’s details for order processing or marketing.

It’s worth noting that the relationship between a data principal and a data fiduciary is central to most data protection frameworks. While the data principal owns their personal data, the data fiduciary is responsible for ensuring its protection and ethical use.

| Attribute | Data Principal | Data Fiduciary |
| --- | --- | --- |
| Definition | The individual whose personal data is being processed | The organization that is responsible for processing that data |
| Rights | Has a number of rights under the DPDP Bill 2023, such as the right to know, access, rectify, delete, object to, and port their personal data | Has a number of obligations under the DPDP Bill 2023, such as the obligation to obtain consent, limit collection, keep accurate, protect, and notify |
| Role | Provider of data with rights over their own data. | Decision maker for data processing. |
| Responsibilities | Exercising data rights; giving/withdrawing consent; staying informed | Data protection; ensuring data principal’s rights; implementing security measures; obtaining consents; providing transparency |
| Rights | Access; correction; deletion; objection/restriction; portability | No specific “rights” but has obligations. |
| Examples | Pooja with stored details on a site. | Online retailer using Pooja’s details. |