
The very definition of a keeper of data has ramifications for how the relationship between users and processors in India will evolve, and in turn how laws must adapt to protect and regulate, writes Anand and Anand corporate partner Shailyamanyu Singh

India’s data protection law has used the term “data fiduciary” to refer to entities that determine the purpose and means of processing of personal data. But what does this mean? Is “fiduciary” just a fancy term or a properly considered legislative product? If it is the latter, it will be interesting to see how common law, which sees a data processor as a “trustee” of an individual’s data, will evolve.

Many countries have implemented or are implementing new laws around the digital collection, storage and use of information on individuals and organisations. The UK and European laws call it a “data controller”, the Australian law terms it an “APP entity”, and the Singaporean law has kept the language simple by referring to “organisations collecting data of individuals”.

Let’s consider a simple example to illustrate the concept of data fiduciary/data principal in India. When someone, Dhanraj Sharma in Noida, for example, downloads the Ludo King game app on his phone, he grants permission for notifications before logging in on the app through his Facebook or Google account.

Through this process, Ludo King’s owner, Gametion Technologies, collects his name, profile photo, email ID, location and other personal information. This makes Gametion Technologies a data fiduciary along with Google or Facebook, as the case may be. Sharma becomes the data principal in this scenario.

Let’s look at the origin of the term “data fiduciary” in Indian law. It was first used in India in 2017 by a government-appointed committee of experts in a first draft report on a data protection legislation. The expert committee, led by Justice BN Srikrishna, was asked to frame a data protection framework and draft legislation.

The committee’s report, submitted in 2018, suggests that the experts specifically looked into the “terminology”, i.e. “data subject” and “data controller/data fiduciary”, and concluded that: “the relationship between ‘data subject’ and the ‘data controller’ is to be reformulated as a fiduciary relationship between the ‘data principal’ and ‘data fiduciary’.” The Personal Data Protection Bill, 2019, was also released by the committee, which stated that the “objective” of this first iteration of the law was:

“To provide for the protection of the privacy of individuals relating to their data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data, protect the rights of individuals whose personal data is processed, to create a framework for organisational and technical measures in the processing of data, laying down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, remedies for unauthorised and harmful processing, and to establish a Data Protection Authority of India for the said purposes and matters connected therewith or incidental thereto.”

Since its first draft, the Data Protection law has been through multiple changes until August 2023, when the Indian legislature enacted the Digital Personal Data Protection Act of 2023 (the DPDP Act), formally adopting the term “data fiduciary”, which has persisted in all iterations of the legislation.

Section 2(i) of the DPDP Act defines this term as: “Any person who alone, or in conjunction with other persons, determines the purpose and means of processing of personal data.” On the other hand, the European and UK legislation, i.e. the General Data Protection Regulation (GDPR), defines data controller as: “The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”

Comparing the two definitions, the operating part of the definition of data fiduciary and data controller is nearly identical, probably because the later iterations of the law may have been influenced by the GDPR.

However, it is also a fact that Justice Srikrishna’s committee deliberately used the term “data fiduciary” to establish a relationship of trust between entities collecting and using data and individuals whose data is being collected. Given that the word fiduciary has made it to the final statute after various changes, it appears that the legislative intent was to have a relationship of trust as stated in the objective in the law’s first iteration.

In addition, the concept of “legitimate interests” under the GDPR allows data controllers to prioritise their interests, potentially conflicting with the interests of the data subjects. This is far from the relationship of trust as alluded to by the term “fiduciary”. Accordingly, Indian courts may see “trust” as an equitable responsibility of a data fiduciary, possibly beyond the scope of the DPDP Act.

The Ludo King example implies the Indian Data Protection law intended companies like Gametion Technologies, Facebook and Google to act as the “trustees” of Dhanraj Sharma’s personal information, and a breach of his personal information beyond that scope could lead the courts to apply existing precedents on fiduciary duties in the material world to the data breach context. However, the consequences of this trust-based relationship and possible breaches remain to be seen.

The Data Protection Board of India, or enforcement agencies, or constitutional courts, could potentially view data fiduciaries as having a “trust” obligation toward data subjects, leading to civil and/or criminal liability. Additionally, constitutional remedies in certain cases of the mishandling of an individual’s data, or for failing to comply with the obligations/requirements under the DPDP Act, could be implemented. These possibilities could play out in the manner described below.

Civil liability for breaches of fiduciary duty may result in financial losses and damages for the affected party or parties. The DPDP Act specifies the powers of the Data Protection Board, but doesn’t yet address equitable remedies for breach of trust by company directors, company officers or data protection officers.

While the act bars civil courts from hearing matters for which the board is empowered, it does not exclude civil liability of all kinds. This could include awards of damages or remedies for breach of fiduciary duty towards a data subject that could be deemed outside the Data Protection Board’s scope, and potentially matters better suited for sectoral quasi-judicial bodies such as consumer forums to deal with.

Criminal liability for breach of trust could come into play in certain cases of the dishonest misappropriation of data. Section 405 of the Indian Penal Code/section 316 of the Bhartiya Nyaya Sanhita codifies it as: Whoever, being in any manner entrusted with property, or with any dominion over property, dishonestly misappropriates or converts to his own use that property, or dishonestly uses or disposes of that property in violation of any direction of law prescribing the mode in which such trust is to be discharged, or of any legal contract, express or implied, which he has made touching the discharge of such trust, or wilfully suffers any other person so to do, commits “criminal breach of trust”.

As the DPDP Act works alongside the existing laws of India [section 38(1)], criminal penalties for breach of trust may apply simultaneously to the available remedies under the act if the ingredients of section 405 of the Indian Penal Code or Bhartiya Nyaya Sanhita are met.

Constitutional remedies may also come into play as inherent powers of the court, particularly when the data fiduciary is a government body and fails to protect the fundamental right to privacy (as recognised by a full bench of the Supreme Court of India in the Justice Puttaswamy case).

Recent incidents of the kind in which various high courts or the Supreme Court of India may either hear public interest litigations or take suo motu (on its own motion) cognisance include the ICMR data leak of 815 million Indians and threat actor Tanaka’s hack of the Ministry of Ayush’s medical data.

The data protection statute of India has undergone multiple iterations and changes before taking its recent final shape, but the ongoing evolution, as it is considered in conjunction with existing common law, has yet to be seen.
