In the rapidly evolving digital financial ecosystem, the Digital Personal Data Protection Act, 2023[1] (DPDPA) is being hailed as a revolutionary act tailored to protect citizens’ data and privacy. The Act’s structure is largely based on the European Union’s (EU’s) General Data Protection Regulation (GDPR), incorporating concepts such as data fiduciaries (Controllers, as defined under the GDPR) and data processors. But a crucial gap looms. The DPDPA does not expressly recognise joint fiduciaries: entities that share decision-making and liability over the purposes and means of data processing. This omission creates the potential for an “invisible risk” in the digital sector, and more importantly in financial ecosystems, where multiple parties collaborate in processing consumer data. In practice, overlapping regulatory requirements imposed by sectoral silos like the Reserve Bank of India (RBI) and the Insurance Regulatory and Development Authority of India (IRDAI) add to this confusion by attaching obligations to sector-specific roles rather than to Data Controller roles.[2] This deficiency could have far-reaching consequences for financial service providers, which often collaborate in data processing.
This blog aims to investigate how this absence affects execution, particularly from the perspective of financial service providers: first by identifying the ambiguity and how it creates uncertainty in compliance, and then by drawing on key provisions of the GDPR to resolve these ambiguities for financial service providers under the DPDPA.
Legal framework under the DPDPA
To understand how this deficiency creates an environment of uncertainty, we must first comprehend where the issue originates. The problem arises from the duties outlined in the Act itself. While the Act offers a detailed structure of responsibilities for a data fiduciary and a data processor, the deficiency is caused by the identity crisis between them.
Under the Act, a data fiduciary is described as an entity that, independently or in collaboration with others, proposes the method and purpose for processing personal data. Certain obligations attach to data fiduciaries, the main ones being:
(i) Consent: As per Section 6 of the DPDPA, the consent given by the data principal (the owner of the personal data) must be voluntary, specific, clear and unambiguous, and should relate directly to the purpose of processing.[3] Data principals additionally possess the right to withdraw consent; once that right is invoked, the fiduciary must cease processing all their data.
(ii) Consent manager: To appoint a consent manager who acts on behalf of the data principal to review and facilitate the consent transaction.[4] The consent manager shall be accountable to the data principal (the person to whom the personal data relates) and act as prescribed by them.
(iii) Processing: Section 7 of the DPDPA further permits the data fiduciary to process personal data for legitimate purposes even if not explicitly consented to.[5]
(iv) General responsibilities: The data fiduciary is liable to maintain certain general responsibilities towards data principals as enshrined under Section 8 of the DPDPA, which include but are not limited to adhering to regulations, ensuring data accuracy and maintaining cyber safeguards. Furthermore, personal data shall not be retained longer than its intended purpose requires.[6]
Section 2(i) of the DPDPA, in defining a data fiduciary, uses the phrase “alone or in conjunction with other persons”. Although this provides a reference point for potential joint fiduciaries, it remains only a potential one, as the concept is not recognised anywhere else in the Act.[7]
Section 2(k) of the DPDPA also defines a data processor to mean any person who processes personal data on behalf of the data fiduciary.[8] Data processors are primarily of two types: first, non-customer-facing processors, which process personal data shared by a fiduciary; and second, customer-facing processors, which process personal data shared directly by a data principal.
The DPDPA does not provide for any direct obligations on processors and mandates the data fiduciary to ensure processor compliance. This is in stark contrast with the previous drafts of the Act from 2018-2022, which prescribed certain direct obligations on processors and also provided for penal consequences for non-compliance. For example, Section 31[9] of the Personal Data Protection Bill, 2019 (2019 Bill) required processors to implement appropriate technical and organisational measures to secure data; Section 25[10] imposed an obligation on processors to notify the Data Protection Authority (DPA) about any breach; and Section 57[11] empowered the DPA to initiate proceedings directly against processors.[12]
The fiduciary-processor identity crisis
This is where the identity crisis comes into play and creates confusion in identifying the proper roles. In principle, the fiduciary is the one who determines the purpose and means of processing the personal data collected, and the data processor is the one who processes the data on behalf of the data fiduciary. This fine line between the roles becomes blurred in complex situations such as those involving financial service providers, creating the identity crisis. This can be seen in the following situations:
(i) Credit scoring agencies: Financial service providers, as part of granting a loan, need to determine eligibility and creditworthiness. For this, they engage in the practice of credit scoring, onboarding agencies to extract the necessary information relating to the customers.[13] In this situation, the credit agencies exercise discretion in determining the means of processing, such as algorithmic decisions, to achieve the broader purpose.
(ii) Marketplaces: In the context of e-commerce marketplaces, while the marketplaces determine the purpose, the sellers also process user data to fulfil orders and facilitate deliveries, often assuming decision-making control ordinarily limited to data fiduciaries. Hence, if sellers also decide purposes for the data, e.g. using customer information for delivery or marketing, they too share the status of a fiduciary and would be better characterised as joint fiduciaries.
(iii) Fraud detection and prevention services: Financial service providers also engage third parties at the time of acquiring new customers to assess risk and compliance with know your customer (KYC) and money laundering regulations.[14] In these situations, the third parties exercise a certain degree of decision-making control over the essential means of processing and the personal data in order to provide their insights on the extent of risk involved, and hence can be labelled as data fiduciaries and controllers as well.
These complex situations create a host of ambiguities in which the distinction between a fiduciary and a processor is blurred. For example, the buy now, pay later (BNPL) model has to undertake numerous fraud checks even for payment processing; the BNPL provider occupies the position of both a payment aggregator and a data fiduciary, as it has access to the personal data of the customers, which it uses for processing. In this scenario, the lender and its payment aggregator both set the purpose and execute the processing of data, which blurs the line between a fiduciary and a processor. Similarly, credit networks like Visa and Mastercard can also be included in the category of data fiduciaries, even though they are merely processing.
This identity crisis leads to ambiguity whenever something goes wrong: against whom should the person proceed for fines, who is liable for the loss, and who bears the liability? Questions like these raise more confusion than answers due to the lack of any clause for joint and several liability in the Act.
Comparative jurisprudence
This is where the notion of a joint fiduciary comes in. The GDPR, which has been a staple and a benchmark for privacy laws for many, is not much different from the DPDPA; the rights and obligations of a data fiduciary are similar to those of a Controller under the GDPR. To solve the problem mentioned, the GDPR uses the concept of a Joint Controller. Though not explicitly named as such in the GDPR, it is enshrined under Article 26(1), which provides that “where two or more Controllers jointly determine the purposes and means of processing, they shall be Joint Controllers”.[15] This, when read with the Commercial Paper (CP) Guidelines issued by the European Data Protection Board, recognises that there exists room for processors to make decisions on the means of processing.[16] Furthermore, GDPR Article 26 requires Joint Controllers to allocate responsibilities and to ensure that data subjects can exercise their rights against each Controller. This provides an answer to the identity crisis by introducing the concept of Joint Controllers, which is currently lacking in the DPDPA.
To simplify, the Guidelines classify the means of processing as: (a) essential; and (b) non-essential.[17]
(i) Essential means refers to decisions closely linked to the purpose and scope of processing, which essentially involve the task of critically deciding what data is to be processed, whose data is to be processed, and which third parties may have access to the data, making them essential to the process.[18] This can be illustrated by the case of a credit scoring agency, which possesses decision-making authority regarding the means and manner of processing the information, while the financial institutions have little to no control over how the data is processed.
(ii) Non-essential means refers to decisions made on practical aspects, such as software; these decisions are not likely to impact the purpose or means of how the data is to be processed.[19]
This has been further aided by the adoption of the Guidelines 07/2020 on the concepts of Controller and processor in the GDPR, which provide for the general obligations in a relationship among Joint Controllers.[20] They provide that:
(a) The Joint Controllers (fiduciaries under the DPDPA) shall, in a transparent manner, determine and agree on their respective responsibilities for compliance under the GDPR, specifically regarding the rights and duties to provide information.
(b) Each Controller would have the duty to ensure that they have a legal basis for the processing and that the data is not misused or processed in a manner not necessary for the purpose originally collected.
(c) It recommends that the legal arrangements be made in the form of a binding contract under the EU laws, as the GDPR does not provide for the legal form of arrangements. Further, the binding contract shall explicitly state the respective roles and duties.
(d) Most importantly, the data subjects can exercise their rights against each of the Controllers irrespective of the terms of the contract.
While the current Act provides obligations for the data fiduciary and consequences for breaching them, it does not address situations where the data processor is in fact acting as a fiduciary. This gap can be closed with the concept of Joint Controller, or joint fiduciary, relationships, under which both entities that hold decision-making power collaborate to determine the purpose and methods of data processing. The idea could also be realised by the regulator setting a precedent through its interpretation of the current Act under Section 8 and the definition of the term data fiduciary itself. It would additionally require a mandated contractual arrangement between the entities that explicitly states the responsibility of each entity. Furthermore, this would help avoid disputes over whom to blame: under the GDPR, all entities party to the transaction are jointly and severally liable regardless of any internal arrangements,[21] whereas the DPDPA assigns each fiduciary an independent responsibility and has no express provision for joint and several liability.[22]
Sectoral regulations versus the DPDPA
The complexity does not end here. Financial regulators in India already have rules in place for data protection; however, they assign responsibilities to these entities based on their regulatory function, like a bank/non-banking financial company (NBFC), rather than going by the data role set forth by the DPDPA.
The RBI’s Digital Lending Guidelines of 2022 place strict duties on lenders. These lenders or regulated entities must ensure that any data collected by their apps or by any third party is obtained with the borrower’s explicit consent.[23] This is similar to the credit bureau case, where the RBI’s Master Direction of January 2025 mandates bureaus to send alerts to their customers on any access to their credit reports and to safeguard data confidentiality.[24]
This is not a one-time occurrence; it can also be seen under the Insurance Regulatory and Development Authority of India (IRDAI) Regulations of 2015, which impose strict consent and confidentiality duties on insurance aggregators and intermediaries.[25] Aggregators must further preserve the electronic records of the entire sales process for at least 6 months after the policy term, treating the web aggregators as data custodians. Similarly, IRDAI’s rules label the insurance aggregator a regulated intermediary, yet it independently decides how to collect, use, and store prospect data. Under the DPDPA, it might qualify as a data fiduciary, but the IRDAI framework does not formally distinguish fiduciary from processor for aggregators. This mismatch creates confusion: a company may comply with IRDAI as an “aggregator”, but under the DPDPA it might function as a fiduciary.[26]
We can see this through some examples:
(i) In the digital lending space, a bank/NBFC would be identified as a fiduciary under the DPDPA, as it chooses the purpose and process of the role. The RBI’s digital lending rules, however, make the bank/NBFC directly responsible for borrower data collected through any affiliated app or fintech partner.[27] This means that if a fintech lending service provider is merely processing the data on behalf of the lender, the RBI will still hold the lender accountable for that data. The scenario under the DPDPA would be quite different: even though the lender would be the fiduciary, the fintech would be viewed merely as a processor, even if it designs part of the customer interface.
(ii) In the case of an insurance web aggregator that collects user data, it is treated as an aggregator as per the IRDAI and has to obtain explicit consent and secure the information, similar to the role of a fiduciary under the DPDPA.[28] However, the insurer, which determines the final underwriting, would not be addressed by the DPDPA even though both determine the means and purpose of collecting overlapping data.
This makes the identity crisis more complex, because these financial regulators wrote their data rules in isolation, leaving entities to navigate a patchwork of requirements. The lack of a clear joint fiduciary concept means that in these scenarios, two entities can influence the same data, but neither is fully liable under the DPDPA.[29] This crisis muddles accountability. If a breach occurs, should it be reported to the RBI under the Lending Rules or to the Data Protection Board under the DPDPA?
While the DPDPA does provide a notwithstanding clause under which the higher degree of protection prevails, this underscores the ambiguity and challenges that the new Act presents for the financial sector, and it remains unclear on multiparty controls.[30] This only deepens the identity crisis between fiduciaries and processors, wherein the entities end up juggling inconsistent definitions of who “owns” or controls the data and under what rules.
Conclusion
While the need for the addition of the concept is not yet realised, owing to the limited time the Act has been in force, it will not be long before Pandora’s box opens and the chaos of whom to blame starts to show. The ideals and principles on which the DPDPA was built were to protect citizens’ privacy in this digital age; while the Act has played more than its part in this, the identity crisis remains.
The DPDPA has tried to carry forward the legacy of the GDPR but has faltered in its execution due to the ambiguity it brings with it. Given that the problem has been narrowed down and a solution is available in the Joint Controller relationship under the GDPR, why is there a need for a wait-and-watch approach in this matter? The question posed is whether India is overlooking another chaotic execution of a regulation. There is a possibility that this looming threat becomes a real one in the near future, and the answer is neither long nor complex: it is simply uniformity and explicit wording.
In many financial services, multiple parties jointly determine how a consumer’s data is to be handled. Unlike the GDPR, the DPDPA has no clear concept of joint fiduciary relationships; in the absence of such a construct, overlapping regulatory regimes can leave responsibilities unallocated or duplicated.
The solution is not complex; it lies in the alignment of the explicit rules of the DPDPA itself. This can be achieved in two ways: first, by amending the Act to include an Article 26-type provision, in addition to introducing guidelines similar to those adopted by the European Data Protection Board to streamline and make uniform the duties and responsibilities of the joint fiduciary relationship;[31] or second, by the Data Protection Board using its power to interpret the concept of a joint fiduciary relationship under Sections 2(i) and 8 of the DPDPA itself,[32] wherein it can read the concept into the definition of a data fiduciary and adopt the duties under the general obligations.[33]
Recognising the construct and notion of a joint fiduciary relationship allows the framework to treat two entities as collaborators and make them accountable for complying with the data principles individually and jointly. This not only reinforces the fiduciary duties but also aligns with sectoral practices and eliminates any incentives to dodge liabilities.
*Student, National Law University, Jodhpur. Author can be reached at: shobitgoel224@gmail.com.
1. Digital Personal Data Protection Act, 2023.
2. Master Direction — Know Your Customer (KYC) Direction, 2016, Reserve Bank of India (rbi.org.in, 10-5-2024); see also, Master Circular on Protection of Policyholders’ Interests, 2024, Insurance Regulatory and Development Authority of India (irdai.gov.in, 5-9-2024).
3. Digital Personal Data Protection Act, 2023, S. 6.
4. Digital Personal Data Protection Act, 2023, S. 6(7).
5. Digital Personal Data Protection Act, 2023, S. 7.
6. Digital Personal Data Protection Act, 2023, S. 8.
7. Digital Personal Data Protection Act, 2023, S. 2(i).
8. Digital Personal Data Protection Act, 2023, S. 2(k).
9. Personal Data Protection Bill, 2019, S. 31.
10. Personal Data Protection Bill, 2019, S. 25.
11. Personal Data Protection Bill, 2019, S. 57.
12. Personal Data Protection Bill, 2019.
13. Supratim Chakraborty, Sumantra Bose and Siddharth Sonkar, “Who is in Control? Identifying Data Fiduciaries in Complex Processing Scenarios”, 2024 SCC OnLine Blog Exp 11.
14. “Decoding Fiduciaries and Processors: The DPDPA Lens”, Lakshmikumaran & Sridharan (lakshmisri.com).
15. General Data Protection Regulation (EU) 2016/679, Art. 26.
16. Guidelines 07/2020 on the Concepts of Controller and Processor in the GDPR, European Data Protection Board (edpb.europa.eu, 7-7-2021).
17. Supratim Chakraborty, Sumantra Bose and Siddharth Sonkar, “Who is in Control? Identifying Data Fiduciaries in Complex Processing Scenarios”, 2024 SCC OnLine Blog Exp 11.
18. “Decoding Fiduciaries and Processors: The DPDPA Lens”, Lakshmikumaran & Sridharan (lakshmisri.com).
19. Supratim Chakraborty, Sumantra Bose and Siddharth Sonkar, “Who is in Control? Identifying Data Fiduciaries in Complex Processing Scenarios”, 2024 SCC OnLine Blog Exp 11.
20. Guidelines 07/2020 on the Concepts of Controller and Processor in the GDPR, European Data Protection Board (edpb.europa.eu).
21. “DPDP Diaries: The Anatomy of a Data Fiduciary”, IDFY (idfy.com, 13-9-2024).
22. Supratim Chakraborty, Sumantra Bose and Siddharth Sonkar, “Who is in Control? Identifying Data Fiduciaries in Complex Processing Scenarios”, 2024 SCC OnLine Blog Exp 11.
23. Digital Lending Guidelines, Reserve Bank of India (rbi.org.in, 2-9-2022).
24. Master Direction — Reserve Bank of India (Credit Information Reporting) Directions, 2025, Reserve Bank of India (business-standard.com, 6-1-2025).
25. Insurance Regulatory and Development Authority of India (Maintenance of Insurance Records) Regulations, 2015.
26. “Data Fiduciary versus Data Processor: An Identity Crisis”, AZB & Partners (azbpartners.com).
27. “Google Cloud RBI Digital Lending Guidelines Whitepaper”, Google Cloud (cloud.google.com, February 2023).
28. Insurance Regulatory and Development Authority of India (Insurance Web Aggregators) Regulations, 2017 (financialservices.gov.in).
29. “Data Fiduciary versus Data Processor: An Identity Crisis”, AZB & Partners (azbpartners.com).
30. Arjun Goswami and Aayushi Bindal, “Need for Syncing Sectoral Regulations with Data Protection Law”, Cyril Amarchand Mangaldas (corporate.cyrilamarchandblogs.com, 29-5-2024).
31. General Data Protection Regulation (EU) 2016/679, Art. 26.
32. Digital Personal Data Protection Act, 2023, Ss. 2(i) and 8.
33. Guidelines 07/2020 on the Concepts of Controller and Processor in the GDPR, European Data Protection Board (edpb.europa.eu, 7-7-2021).