The Government as a Data Fiduciary under Digital Personal Data Protection Act: Obligations and Challenges
- Aanchal Singh, Devesh Singh Tomar, Gauravjeet Singh Narwan
- 7 days ago
[Aanchal, Devesh and Gauravjeet are Advocates practicing in Delhi.]
India’s Digital Personal Data Protection Act 2023 (DPDP Act) marks a watershed moment in the nation’s journey toward establishing robust safeguards for personal data in an increasingly digitized society. As both a regulator and a custodian of vast datasets, the government assumes a dual role under this framework: overseeing compliance while simultaneously acting as a data fiduciary responsible for managing citizen data ethically and securely. When acting in the capacity of a data fiduciary, the government assumes responsibilities akin to private-sector entities but with added complexities due to its role in public welfare and national security. The government is obligated to prioritize transparency, invest in cyber-resilient infrastructure, and foster inter-agency collaboration to uphold its fiduciary duties. This article examines the complexities of this role, analyzing the government’s obligations and operational challenges.
Key Obligations of the Government as a Data Fiduciary under the DPDP Act
Lawful processing and legitimate uses
The DPDP Act permits the government to process personal data without explicit consent for 'legitimate uses', a category encompassing welfare schemes, licensure, and national security. For instance, data collected for subsidized healthcare programs or disaster relief initiatives falls under this exemption. However, this exemption is not absolute: the government must still ensure that data processing aligns with predefined purposes, comply with procedural fairness, and notify individuals about data usage purposes. The National Health Mission leverages health data to deliver targeted medical services during epidemics, relying on the legitimate use clause to bypass individual consent during emergencies.
Transparency and notice requirements
Even when processing data under legitimate uses, the government must notify individuals about:
the categories of personal data being processed;
the purpose of processing;
their rights under the DPDP Act, including access, correction, and grievance redressal.
The draft rules under the DPDP Act emphasize that the notice by the data fiduciary must be presented and be understandable independently of any other information that has been provided to the data principal. This obligation ensures citizens remain informed about how their data is utilized, fostering trust in digital governance. Large-scale programs like DigiLocker, LoKOS, MyBharat, etc. face difficulties in providing granular notifications to millions of citizens, thus necessitating automated systems for bulk communication.
Data minimization and purpose limitation
Government agencies must collect only the data strictly necessary for specified purposes and retain it only until those purposes are fulfilled. The draft rules require the data fiduciary to provide an itemized description of the personal data and the specific purpose for which such data is collected and/or processed. The Soil Health Card scheme, which collects agricultural data to advise farmers, exemplifies purpose-bound data collection. However, legacy systems, such as those used in the National Land Records Modernization Programme, often retain outdated land ownership records beyond statutory periods, violating purpose limitation mandates.
Security safeguards and breach accountability
The DPDP Act mandates 'reasonable security measures' to prevent unauthorized access, including encryption, access controls, and regular audits. Government databases storing sensitive information—such as biometric data in Crime and Criminal Tracking Network and Systems—must adopt advanced safeguards like quantum-resistant encryption and role-based access. In the event of a breach, the government must promptly notify the Data Protection Board (DPB) and affected individuals. For example, the 2022 ransomware attack on the servers of All India Institute of Medical Sciences, Delhi, reportedly involved approximately 40 million records. Such a breach must be reported to the DPB.
The draft rules state that the government, when intimating the DPB of any personal data breach, shall within 72 hours of becoming aware of it provide the board with a description of the breach, the broad circumstances and reason leading to the breach, the measures implemented to mitigate risk, the remedial measures taken to prevent such a breach, etc.
Rights of data principals
Data principals have rights to:
access their personal data held by the government. The data principal must be provided with the details of the means by which she may make a request to exercise her rights;
request corrections or deletions (subject to exemptions for national security or public order);
nominate representatives in accordance with the terms of service of the concerned government department/organization; and
file grievances through accessible mechanisms. The concerned government department/organization must publish details of their grievance redressal system and provide clear timelines for responding to requests or grievances.
For example, the e-District Portal automated these rights by embedding self-service dashboards for data access and erasure requests, reducing grievance resolution times by 40% in Kerala.
Special provisions for vulnerable groups
Processing data of children or individuals with disabilities requires verifiable consent from parents or legal guardians. The government is further prohibited from engaging in behavioural monitoring or targeted advertising directed at minors. Educational platforms like Digital Infrastructure for Knowledge Sharing, SWAYAM, etc. must implement age-verification tools to prevent unauthorized data collection from minors.
Institutional accountability measures
Data Protection Officer (DPO) appointment
As a significant data fiduciary (SDF), the government must appoint a DPO based in India to oversee compliance, liaise with the DPB, and manage grievance redressal. The DPO role is critical in ministries handling sensitive data, such as defense, education, or healthcare. If the concerned department/organization of the government does not qualify as an SDF, it shall still be required to publish on its website/app, and mention in every response to a communication, the business contact information of a person who is able to answer, on behalf of the data fiduciary, questions about the processing of personal data.
Data protection impact assessments (DPIAs)
High-risk projects like Crime and Criminal Tracking Network and Systems, DigiLocker, Aadhaar, etc. require periodic DPIAs to evaluate risks to citizen rights. These assessments must outline mitigation strategies, such as anonymizing data, including details such as names with addresses or criminal records accessed by law enforcement.
Cross-border data transfers
While the DPDP Act does not restrict data localization, the government must ensure offshore data processors (e.g., cloud providers) comply with Indian standards. The GI Cloud Initiative (MeghRaj) enforces this by mandating that critical datasets remain within domestic servers.
Challenges in Fulfilling the Data Fiduciary Role
Balancing national security exemptions with privacy rights
The DPDP Act grants the government broad exemptions for national security, public order, and law enforcement, allowing it to bypass consent requirements. However, these exemptions risk enabling disproportionate surveillance or data misuse, undermining public trust. For instance, programs like the Crime and Criminal Tracking Network and Systems have faced criticism for sharing biometric data with third parties without transparency. The lack of judicial oversight for such exemptions complicates efforts to align state interests with privacy rights, raising concerns about accountability.
Securing massive-scale data repositories
Government databases like Aadhaar (1.3 billion biometric records) and DigiLocker (millions of identity documents) can be prime targets for cyberattacks. Legacy systems, such as those used in state healthcare portals, often lack modern encryption or access controls, making breaches inevitable. Implementing 'reasonable security safeguards' (as mandated by the DPDP Act) across such vast systems requires unprecedented investments in quantum-resistant encryption and zero-trust architectures.
Fragmented compliance across agencies
With over 50 central and state agencies processing citizen data, harmonizing compliance is a logistical nightmare. For example:
The National Land Records Modernization Programme struggles with inconsistent data formats across states, delaying digitization.
Digital Infrastructure for Knowledge Sharing, an educational platform, lacks uniform age-verification tools to protect minors’ data.
Such fragmentation leads to uneven adoption of data minimization and breach notification protocols, violating the DPDP Act’s consistency requirements.
Inadequate institutional independence
The DPB, tasked with enforcing the DPDP Act, is appointed by the Central Government, creating conflicts of interest. Critics argue that the DPB’s lack of autonomy undermines its ability to hold government agencies accountable. For example, investigations into breaches involving Aadhaar or Crime and Criminal Tracking Network and Systems could be compromised if the DPB’s members are politically aligned. This structural flaw erodes public confidence in the enforcement mechanism.
Ambiguity in security standards
While the DPDP Act mandates 'reasonable security measures', it fails to define specific technical or organizational safeguards. Government agencies like the National Health Mission rely on subjective interpretations, leading to inconsistent practices. Some departments use AES-256 encryption, while others retain outdated SSL protocols, increasing breach risks. Without clear guidelines, compliance becomes a moving target.
Timely breach detection and notification
The draft rules under the DPDP Act require breach notifications to the DPB and affected individuals within 72 hours. However, many government portals lack real-time monitoring tools. For instance, in the recent ransomware attack on MP's e-Nagarpalika portal, the attack began on 21 December 2023, and it was not until 11 January 2024 that the extent of the damage was fully realized, delaying notifications and exacerbating the harm, including 20 days of revenue loss stemming from the compromise of the server. Scaling incident response mechanisms across thousands of agencies remains a critical challenge.
Cross-border data transfer restrictions
The DPDP Act empowers the government to restrict offshore data transfers, but agencies like the National Informatics Centre often rely on global cloud providers (e.g., AWS, Microsoft Azure). Ensuring foreign processors comply with Indian standards—such as data localization under the GI Cloud Initiative—requires complex contractual negotiations and audits, straining resources.
Capacity and workforce gaps
Appointing DPOs across all major departments is mandated for SDFs. However, a 2024 survey revealed that 60% of state agencies lack personnel with expertise in data governance or cybersecurity. Training programs through the National e-Governance Division are nascent, leaving compliance efforts understaffed and underfunded.
Public trust deficits
Historical breaches, such as the Aadhaar data leak (2018) and PM-KISAN beneficiary data exposure (2023), have eroded citizen confidence. Despite the DPDP Act’s transparency mandates, agencies like the Election Commission of India seldom publish DPIAs, fueling skepticism about governmental accountability.
Technological modernization costs
Upgrading legacy systems to meet DPDP Act requirements demands substantial funding. For example, in response to an increasing number of cyberattacks that have occasionally disrupted or stopped businesses from operating, the Employees' Provident Fund Organization (EPFO) intends to establish an internal next-generation security operations center (SOC). To accomplish this, the EPFO has put out a call for bids, asking companies with experience in SOC implementation and commissioning to submit their best offers for setting up, commissioning, and running this kind of center for retirement fund managers. Smaller departments cannot take on such a burden. Budgetary constraints force agencies to prioritize critical services over compliance, creating systemic vulnerabilities.
The DPDP Act is not merely a regulatory hurdle but a catalyst for reimagining citizen-state trust in the digital age. The government acting as data fiduciary must proceed with the underlying objective that compliance fosters innovation which enhances both security and accessibility. As custodians of vast amounts of sensitive citizen data, government bodies must adopt comprehensive mitigation strategies to ensure compliance.