Authors: Rishab Bailey and Trishee Goyal
In this paper, we attempt to analyse the use of fiduciary law as a method to protect the privacy of personal data in the draft Personal Data Protection Bill, 2018. We find that the PDP Bill does impose duties that are akin to traditional fiduciary obligations. However, the standard of loyalty expected of data fiduciaries is low. There is no requirement for the data fiduciary to act in the interests of or for the benefit of the data principal, merely a requirement to act in good faith. A higher standard could ensure greater rights protection. Instead, the law chooses to empower the data protection authority to protect individuals from particularly significant risks.
Further, the fiduciary framing in the PDP Bill appears largely cosmetic. The use of the terms “data fiduciary” and “data principal” in itself adds little to the law. The law also does not implement any particularly novel rights or duties when compared to modern data protection laws (that do not use the fiduciary concept) such as the European General Data Protection Regulation.