Fiduciary relationships as a means to protect privacy

A fiduciary relationship typically requires the fiduciary to act for the benefit of, or in the interests of, the beneficiary. Prompted by a need to balance business and individual interests, the PDP Bill doesn't utilise the fiduciary concept to its fullest. The PDP Bill casts a relatively low standard of loyalty on data processing entities, similar to the "good faith" requirements in the contract law of many countries, or in insurance contracts in India. There is no requirement for the data fiduciary to act in the interests of or for the benefit of the data principal, merely a requirement to act in good faith. A higher standard could ensure greater rights protection. Instead, the law chooses to empower the data protection authority to protect individuals from particularly significant risks. Further, the fiduciary framing in the PDP Bill appears largely cosmetic. The use of the terms “data fiduciary” and “data principal” in itself adds little to the law. The law also does not implement any particularly novel rights or duties when compared to modern data protection laws that do not use the fiduciary concept, such as the European General Data Protection Regulation.

NIPFP, as part of the Data Governance Network, analyses the use of fiduciary law as a method to protect the privacy of personal data in the draft Personal Data Protection Bill, 2018. You can find the paper here: