Key Definitions & Concepts
3.1 The Definitional Framework
Section 2 of DPDPA 2023 contains 28 definitions spanning clauses (a) through (zb). These definitions are the DNA of the statute—every substantive provision draws meaning from them. As Justice Holmes famously observed, "A word is not a crystal, transparent and unchanged; it is the skin of a living thought."
Hans Kelsen taught that every rule in a legal order draws its validity from a higher norm, ultimately the Grundnorm. Definitions play the analogous role inside a statute: every substantive provision of DPDPA takes its meaning from Section 2. Whether your client is a "Data Fiduciary" or merely a "Data Processor" determines their entire compliance burden. A ₹250 crore penalty might hinge on whether information constitutes "personal data." Master these definitions, and you master the Act.
Section 2 opens with the standard interpretive phrase: "In this Act, unless the context otherwise requires..." This is crucial. It means definitions can be departed from if the context demands a different meaning. In Reserve Bank of India v. Peerless General Finance (1987) 1 SCC 424, the Supreme Court held that statutory definitions must yield to context where a different meaning is clearly intended. Always check if context demands deviation.
3.2 Data Principal: The Protected Individual
Section 2 defines "Data Principal" as the individual to whom the personal data relates and, where such individual is:
(i) a child, includes the parents or lawful guardian of such a child;
(ii) a person with disability, includes her lawful guardian, acting on her behalf.
Scenario: A fintech app collects PAN numbers for KYC. The account holder is the Data Principal. If the account is for a 15-year-old (child), both the child AND the parent/guardian who gave consent are considered Data Principals for rights purposes.
Only Individuals: Like GDPR (Recital 14 expressly excludes legal persons), DPDPA protects only natural persons. Companies cannot be Data Principals.
Child Definition: §2(f) defines "child" as anyone under 18 years—higher than GDPR's default 16 years.
Guardian Extension: For children and persons with disability, the guardian is deemed the Data Principal for exercising rights, creating dual responsibility scenarios.
DPDPA doesn't explicitly address deceased individuals' data. However, §14 creates a nomination right for exercise of rights upon death or incapacity. Argue that the nominated person steps into the shoes of the Data Principal. Compare with Estate of Martineau v. BNSF Railway (2015) where U.S. courts held privacy rights survive death for limited purposes. This is an evolving area—watch for DPB guidance.
3.3 Data Fiduciary: The Duty-Bearer
Section 2 defines "Data Fiduciary" as any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. Illustrations:
Clear Fiduciary: E-commerce platform deciding what customer data to collect and how to use it for recommendations.
Joint Fiduciary: Two banks sharing a common KYC platform, jointly determining data processing purposes.
NOT a Fiduciary: Cloud service provider merely storing data per client instructions (that's a Data Processor).
The Srikrishna Committee deliberately chose "fiduciary" over GDPR's "controller." A fiduciary relationship (from Latin fiducia, meaning "trust") imports centuries of equity jurisprudence requiring the fiduciary to act in the beneficiary's interest. In Keech v. Sandford (1726), Lord Chancellor King established that fiduciaries must avoid conflicts of interest. By naming them "Data Fiduciaries," DPDPA signals that entities owe Data Principals a duty of trust, not mere regulatory compliance.
The "Purpose and Means" Test
The definition hinges on two determinations: (1) the purpose of processing (WHY the data is processed) and (2) the means of processing (HOW it is processed). The wording is conjunctive ("purpose and means"), but an entity that fixes the purpose in practice also fixes the essential means (which data, from whom, for how long), so control over either is strong evidence of fiduciary status.
| Factor | Indicates Fiduciary Status | Indicates Processor Status |
|---|---|---|
| Purpose Decision | Entity decides why data is collected | Entity implements another's purpose |
| Means Decision | Entity selects collection methods, storage | Entity follows technical specifications |
| Contractual Position | Direct relationship with Data Principal | Sub-contractor relationship |
| Data Subjects' Perception | Data Principals would expect this entity to control data | Data Principals unaware of this entity |
The phrase "alone or in conjunction with other persons" creates joint fiduciary liability. When two entities jointly determine purposes and means, both are fiduciaries with full compliance obligations. Unlike GDPR Article 26 which requires joint controller agreements, DPDPA is silent on formalities—joint liability arises by conduct. In Fashion ID v. Verbraucherzentrale (CJEU, 2019), the court found joint controllership even for entities implementing Facebook "Like" buttons. Apply this reasoning to joint fiduciary determinations.
3.4 Personal Data: The Protected Subject Matter
Section 2 defines "personal data" as any data about an individual who is identifiable by or in relation to such data. The definition has two limbs.
Limb 1: "Data about an individual" — The data must relate to a natural person. Data about companies, objects, or abstract concepts is excluded.
Limb 2: "Identifiable by or in relation to" — The individual must be identifiable. This includes direct identification (name, photo) and indirect identification (data that, combined with other data, reveals identity).
What Constitutes Identifiability?
In Patrick Breyer v. Bundesrepublik Deutschland (C-582/14), the CJEU held that dynamic IP addresses constitute personal data even when the website operator cannot directly identify the user, IF the operator has legal means to obtain additional information (e.g., from ISP through court order) to identify the user. Apply this reasoning: if your client can lawfully obtain identification, the data is "personal data" under DPDPA.
Unlike GDPR (Article 9) or India's earlier SPDI Rules 2011, DPDPA 2023 does NOT create a separate category of "sensitive personal data" with heightened protection. All personal data receives the same treatment. Sensitivity is not irrelevant, however: the Schedule sets the penalty for breaching the additional obligations in relation to children (§9) at up to ₹200 crore, and §10(1)(a) lists "the volume and sensitivity of personal data processed" as a factor for Significant Data Fiduciary notification. Practitioners should still treat health, financial, and biometric data with enhanced safeguards as best practice.
3.5 Processing: The Regulated Activity
Section 2 defines "processing", in relation to personal data, as a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.
This is a "means and includes" definition: the words "includes operations such as" make the listed operations illustrative, not exhaustive. Virtually any action on digital personal data constitutes processing.
The Processing Lifecycle
| Stage | Operations | Example |
|---|---|---|
| Acquisition | Collection, recording | User fills registration form |
| Organisation | Organisation, structuring, alignment, combination, indexing | Data entered into CRM system, tagged by category |
| Storage | Storage, adaptation | Data stored in database, format converted |
| Use | Retrieval, use | Data accessed for customer service call |
| Disclosure | Sharing, disclosure, transmission, dissemination, making available | Data shared with payment gateway |
| Termination | Restriction, erasure, destruction | Account deleted, data purged |
The definition requires processing to be "wholly or partly automated" and performed on digital personal data. Section 3 completes the picture: the Act applies to personal data collected in digital form, and to data collected in non-digital form that is subsequently digitised. Purely manual handling of paper records that are never digitised therefore falls outside the Act. Reading a digital document on screen is still processing (the system retrieves and displays it), and if a digital file is printed and the printout filed away, the Act applied to the data while it was digital and continues to apply to any digital copy retained.
Is merely viewing data "processing"? Yes. "Retrieval" and "use" are listed processing operations. When an employee views a customer's profile on screen, that's processing, so every viewing should be authorised, purpose-bound and logged. Wm Morrison Supermarkets v. Various Claimants [2020] UKSC 12 is the cautionary case: an employee with legitimate access to payroll data for audit purposes copied it and published it online. The Supreme Court held Morrisons not vicariously liable for his act, but the episode shows where the weak point lies: authorised access without purpose limitation and monitoring. Design access policies accordingly.
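The access-control point above (viewing is processing, so each retrieval must be authorised and logged) in code, as an added example that is not from the page or from any DPDPA guidance. It assumes a small role-to-purpose policy, a constructed customer table and a hash-chained audit log; every name, role, purpose and record below is invented for illustration.

```python
"""Purpose-bound record access with a tamper-evident audit trail.

Added illustration, not from DPDPA or any real system: the roles, purposes,
user names and customer records are constructed sample data.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumption: which purposes each role may invoke (constructed policy).
ROLE_PURPOSES = {
    "support_agent": {"customer_service"},
    "payroll_clerk": {"payroll"},
    "fraud_analyst": {"fraud_investigation", "customer_service"},
}

# Constructed sample records; the PAN values are fictional placeholders.
RECORDS = {
    "C-1001": {"name": "A. Sharma", "pan": "ABCDE1234F", "email": "a@example.com"},
    "C-1002": {"name": "B. Rao", "pan": "PQRST5678K", "email": "b@example.com"},
}

GENESIS = "0" * 64  # previous-digest value used for the first entry


@dataclass
class AuditLog:
    """Append-only log in which each entry's digest covers the previous
    entry's digest, so editing or deleting an earlier entry breaks the chain."""
    entries: list = field(default_factory=list)

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev + body).encode("utf-8")).hexdigest()

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        digest = self._digest(prev, event)
        self.entries.append({"event": dict(event), "prev": prev, "digest": digest})
        return digest

    def verify(self) -> bool:
        """Recompute the chain from the genesis value; False on any break."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(prev, entry["event"]) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True


class AccessDenied(PermissionError):
    """Raised when the role/purpose pair is not permitted for the record."""


def access_record(log, user, role, record_id, purpose, ts=None):
    """Return a customer record only if `role` may invoke `purpose`.

    The attempt is written to the log before the decision is acted on, whether
    or not it succeeds, so denied attempts are as visible as successful reads.
    """
    permitted = purpose in ROLE_PURPOSES.get(role, set()) and record_id in RECORDS
    log.append({
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "record": record_id,
        "purpose": purpose,
        "allowed": permitted,
    })
    if not permitted:
        raise AccessDenied(f"{user} ({role}) may not access {record_id} for {purpose}")
    return dict(RECORDS[record_id])


def demo():
    """One permitted read and one denied read; returns the resulting log."""
    log = AuditLog()
    access_record(log, "asha", "support_agent", "C-1001", "customer_service")
    try:
        access_record(log, "asha", "support_agent", "C-1001", "payroll")
    except AccessDenied:
        pass  # the denial is already recorded in the log
    return log


if __name__ == "__main__":
    audit = demo()
    for entry in audit.entries:
        ev = entry["event"]
        print(ev["user"], ev["record"], ev["purpose"], "allowed" if ev["allowed"] else "DENIED")
    print("chain intact:", audit.verify())
```

Run it directly to see one permitted and one denied read followed by the chain check. The hash chain detects edits or deletions of earlier entries, not a rewrite of the whole chain by someone who controls the log store, so in production the latest digest should be anchored somewhere the application itself cannot write (a separate log service or a signed timestamp).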
3.6 Consent & Consent Manager
While "consent" itself isn't defined in §2, the Act's consent requirements in §6 effectively define its characteristics. The Consent Manager, however, is a defined intermediary unique to DPDPA.
Think of a Consent Manager as a "digital consent dashboard"—like BHIM UPI aggregates multiple bank accounts, a Consent Manager aggregates consent across multiple Data Fiduciaries. The Data Principal logs into one platform to see all consents given, modify them, or withdraw.
Consent Characteristics (from §6)
§6(1) requires consent to be free, specific, informed, unconditional and unambiguous, signified by a clear affirmative action, and limited to the personal data necessary for the specified purpose. §6(4) gives the Data Principal the right to withdraw consent at any time, with the ease of withdrawal comparable to the ease with which consent was given, and §6(6) allows consent to be given, managed, reviewed and withdrawn through a Consent Manager.
Consent Managers are separately liable under DPDPA. §13 gives Data Principals grievance rights against Consent Managers. If a Consent Manager fails to properly record or communicate consent withdrawal, the Consent Manager faces penalties independent of the Data Fiduciary's liability. This is an emerging compliance risk area—clients acting as Consent Managers need dedicated compliance programs.
3.7 Data Processor: The Service Provider
Section 2 defines "Data Processor" as any person who processes personal data on behalf of a Data Fiduciary. Illustrations:
Cloud Provider: AWS storing data per client's instructions—Processor
Payroll Vendor: Third-party processing salaries per employer's data—Processor
Marketing Agency: Sending emails using client's customer list—Processor
Data Analytics Firm: Analyzing data but not deciding what to analyze—Processor
Fiduciary-Processor Relationship
The critical question: Who decides WHY and HOW?
• If the entity decides the purpose and means → Data Fiduciary
• If the entity follows another's instructions → Data Processor
A cloud provider that merely stores data per customer specifications is a Processor. But if that provider uses the data for its own analytics or AI training, it becomes a Fiduciary for that purpose—creating dual status.
§8(2) mandates that Data Fiduciaries can only engage Processors "under a valid contract." This mirrors GDPR Article 28. Draft processor agreements with: (1) subject matter and duration, (2) nature and purpose of processing, (3) type of personal data, (4) obligations and rights of fiduciary, (5) security requirements, (6) sub-processor restrictions, (7) audit rights, (8) deletion/return requirements. The DPA (Data Processing Agreement) is now a compliance essential.
3.8 Significant Data Fiduciary (SDF)
Section 10: Notification Criteria
Section 10(1) empowers the Central Government to notify any Data Fiduciary or class of Data Fiduciaries as an SDF on the basis of an assessment of such relevant factors as it may determine, including:
(a) the volume and sensitivity of personal data processed;
(b) risk to the rights of Data Principals;
(c) potential impact on the sovereignty and integrity of India;
(d) risk to electoral democracy;
(e) security of the State; and
(f) public order.
Additional Obligations (§10(2))
| Obligation | Provision | Details |
|---|---|---|
| DPO Appointment | §10(2)(a) | Individual based in India, responsible to the Board of Directors or similar governing body, and the point of contact for grievance redressal |
| Data Auditor | §10(2)(b) | Independent data auditor to evaluate compliance with the Act |
| DPIA | §10(2)(c)(i) | Periodic Data Protection Impact Assessment |
| Periodic Audit | §10(2)(c)(ii) | Periodic compliance audit |
| Other Measures | §10(2)(c)(iii) | Such other measures as may be prescribed by Rules |
Breach of §10 obligations attracts penalties up to ₹150 crore per the Schedule. This is separate from other breach penalties—an SDF facing a data breach could face §8(5) penalty (₹250 Cr) + §8(6) notification penalty (₹200 Cr) + §10 penalty (₹150 Cr). Cumulative exposure is enormous. SDF compliance is non-negotiable.
3.9 Personal Data Breach
Section 2 defines "personal data breach" as any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.
Breach Elements Analysis
The definition adopts the classic information security triad:
Confidentiality: Unauthorized disclosure, sharing, acquisition—data accessed by those who shouldn't
Integrity: Unauthorized alteration—data modified without authorization
Availability: Loss of access, destruction—data no longer accessible when needed
A breach need only compromise ONE element. Ransomware that encrypts data (availability) is a breach even if data isn't exfiltrated.
| Breach Type | CIA Element | Example |
|---|---|---|
| Unauthorized Processing | Confidentiality/Integrity | Employee accesses data without authorization |
| Accidental Disclosure | Confidentiality | Email sent to wrong recipient |
| Unauthorized Acquisition | Confidentiality | Hacker downloads customer database |
| Unauthorized Sharing | Confidentiality | Third-party vendor receives data without consent |
| Unauthorized Alteration | Integrity | Medical records modified by attacker |
| Destruction | Availability | Database deleted by malware |
| Loss of Access | Availability | Ransomware encrypts files |
Upon breach, the Data Fiduciary must notify (1) the Board and (2) each affected Data Principal (§8(6)). Form, manner and timeline are left to the Rules. Failure attracts a penalty of up to ₹200 crore. Draft incident response plans now. GDPR's 72-hour notification window (Article 33) is the obvious benchmark; prepare for similar stringency. The ICO's £20 million penalty against British Airways (2020) was imposed for inadequate security measures that let attackers harvest customer payment data, a reminder that the safeguards obligation (§8(5), up to ₹250 crore) and the notification obligation are assessed separately.
3.10 Other Key Definitions
The definition of "State" under §2(zb) imports Article 12's expanded meaning: Government, Parliament, State Legislatures, local authorities, and "other authorities" (including instrumentalities of State). This means PSUs, statutory corporations, and entities substantially controlled by government are "State" for DPDPA purposes—their exemptions under §17 must be narrowly construed following Puttaswamy proportionality requirements.
3.11 Entity Relationships Under DPDPA
Understanding how DPDPA entities relate to each other is crucial for structuring compliance programs and identifying liability allocation.
Complete DPDPA Entity Ecosystem
Primary Liability: Data Fiduciary—responsible for all processing, including that done by Processors (§8(1))
Contractual Liability: Data Processor—liable to Fiduciary per contract; indirectly to Principal
Independent Liability: Consent Manager—liable directly to Data Principal under §13
Enhanced Liability: Significant Data Fiduciary—additional §10 obligations and penalties
3.12 GDPR Comparison: Key Definitional Differences
| Concept | DPDPA 2023 | GDPR |
|---|---|---|
| Protected individual | Data Principal (§2(j)) | Data Subject (Art. 4(1)) |
| Duty-bearer | Data Fiduciary—fiduciary duty implied | Controller—control relationship |
| Child Age | Under 18 years (§2(f)) | Under 16 years (Art. 8, states can lower to 13) |
| Sensitive Data | No separate category | Special Categories (Art. 9) |
| Consent Manager | Defined intermediary (§2(g)) | No equivalent |
| Processing Scope | Digital personal data only | All personal data (digital + manual filing systems) |
| Data Principal Duties | Yes, with penalties (§15) | No—rights only |
GDPR's "controller" is a neutral term describing the entity that controls data. DPDPA's "fiduciary" imports trust law obligations. In Bristol & West Building Society v. Mothew [1998] Ch 1, Millett LJ defined fiduciary duty as requiring: (1) loyalty, (2) no conflict of interest, (3) no unauthorized profit. When advising clients, emphasize that DPDPA compliance isn't just about data handling rules—it's about maintaining a relationship of trust with Data Principals.