The practice of attorney-client privilege and patient-doctor confidentiality crystallizes the nature of a fiduciary relationship. Trust is established based on understood rules of confidentiality and clarity in the motivations and boundaries of any commercial transaction. As various countries attempt to legislate comprehensive data protection for its citizens, the fiduciary standard surfaces as a potential construct to apply against the relationship between data controllers/processors and users. With its proposed Personal Data Protection Bill, 2018, India dives headfirst in this debate.

In this paper for Data Catalyst, CCG’s Smitha Krishna Prasad explores the concept of treating data controllers or processors as ‘fiduciaries’ as has been proposed by Indian lawmakers. First, it examines whether the concept of an ‘information fiduciary’ as discussed by leading scholars is relevant and applicable within the context of Indian constitutional law. Then, it delves into a deeper discussion on fiduciary duties and fiduciary law, particularly with regard to the Indian perspective. Finally, it explores the idea of ‘data fiduciaries’ within the Personal Data Protection Bill, and how fiduciary duties could be imported into data protection law and jurisprudence, based on existing legal principles and best practices.

In sum, several different approaches to fiduciary law and identification of fiduciary duties exist in this context, and the paper reviews three specific ways this could manifest. Importantly, this research illuminates the broader discussion happening in both the technology and policy communities about what types of organizations could and should act as fiduciaries within the context of digital data.

Author: Smitha Krishna Prasad