Stricter Duties, Higher Stakes: Additional Obligations of Significant Data Fiduciaries
- Aryan Jha
The article is written by Aryan Jha of National Law University, Orissa
Introduction
The Ministry of Electronics and Information Technology (MeitY) notified the Digital Personal Data Protection Rules 2025 (Rules) on November 13, 2025. The Rules are made under the rule-making power conferred on the Central Government by Section 40 of the Digital Personal Data Protection Act 2023 (Act). They set out the procedural detail that the Act leaves to subordinate legislation and lay down compliance mandates for the different entities the Act regulates. One of the most anticipated and noteworthy aspects of the Rules is the set of additional compliance requirements for Significant Data Fiduciaries (SDFs).

The Act and Rules recognise three principal actors in the management and processing of personal data: Consent Managers, Data Fiduciaries and Data Principals (the Act's term for what the GDPR calls data subjects). Section 2(i) of the Act defines a Data Fiduciary as "any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data". The Act recognises that some Data Fiduciaries, by the volume and sensitivity of the personal data they process and the risk that processing poses, warrant heightened safeguards against breach and misuse, and it therefore carves out a class of "Significant Data Fiduciaries" (SDFs) that must discharge additional obligations on top of the general obligations the Act imposes on every Data Fiduciary. The Act does not define the term by fixed criteria: a Significant Data Fiduciary is simply any Data Fiduciary, or class of Data Fiduciaries, that the Central Government notifies as such under Section 10, having regard to factors such as the volume and sensitivity of the personal data processed, the risk to the rights of Data Principals, the potential impact on the sovereignty and integrity of India, the risk to electoral democracy, the security of the State and public order.
Significant Data Fiduciaries and Their Additional Obligations
The additional obligations of SDFs are set out in Section 10(2) of the Act. An SDF must appoint a Data Protection Officer (DPO) who is based in India and responsible to its Board of Directors or equivalent governing body, appoint an independent data auditor to evaluate its compliance, and undertake periodic Data Protection Impact Assessments (DPIAs) and periodic audits. Rule 13 of the Rules gives these duties their cadence and content: an SDF must carry out a DPIA and an audit once every twelve months, and the person conducting them must furnish a report of their significant observations to the Data Protection Board constituted under the Act. Rule 13 also requires an SDF to exercise due diligence to verify that any algorithmic software it deploys for processing is not likely to pose a risk to the rights of Data Principals, and to ensure that the categories of personal data, together with the related traffic data, which the Central Government specifies on the recommendation of a committee it constitutes, are not transferred outside India. The data-localisation obligation is therefore not a blanket requirement but attaches only to the categories so specified.

Many provisions of the Act and Rules resemble the European Union's General Data Protection Regulation (GDPR), such as the consent requirements, verifiable parental consent for children's data and the restrictions on cross-border transfers. The additional obligations of SDFs, though inspired by compliance mandates under the GDPR, are structured differently. The GDPR does not create a named class of controllers subject to a separate tier of duties; instead, obligations such as appointing a DPO (Article 37) or conducting a DPIA (Article 35) attach to the processing itself, triggered by its scale, nature and risk. Article 30(5) of the GDPR does relieve enterprises employing fewer than 250 persons of the duty to maintain records of processing activities, but only where the processing is occasional, is unlikely to result in a risk to data subjects and does not involve special categories of data; otherwise the GDPR's obligations apply to every controller regardless of its size.
The Act lists the nature and sensitivity of the personal data, and the risk its processing poses, among the factors for notifying an entity as an SDF, but it defines no category of "sensitive" data; what counts as sensitive for this purpose is left to the discretion of the Central Government at the time of notification. The GDPR takes the opposite approach. Article 9(1) prohibits, irrespective of volume, the processing of "personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation", unless one of the exceptions in Article 9(2) applies. The general focus of the Act and Rules in respect of SDFs therefore lies on the volume of data processed and the scale of the processing entity, in contrast with the GDPR and the California Consumer Privacy Act (CCPA), which calibrate obligations to the nature, category and sensitivity of the data processed.
Article 35 of the GDPR requires a DPIA from every controller, irrespective of the volume of data it processes, where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons. Article 35(3) names three situations in which a DPIA is required in any event: a systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions are based that produce legal effects or similarly significantly affect the person; large-scale processing of special categories of data or of data relating to criminal convictions; and large-scale systematic monitoring of a publicly accessible area. Article 35(4) additionally requires each supervisory authority to publish a list of the kinds of processing operations for which a DPIA is mandatory. The DPDP Act, by contrast, mandates a DPIA only for SDFs; other Data Fiduciaries are not required to conduct one, however sensitive the data they process.
CRITICAL ANALYSIS
One crucial aspect of the obligations of SDFs is processing shared among multiple entities. Where a single fiduciary processes the data, the burden plainly falls on that entity; but SDFs, which by definition handle large volumes of data, commonly process jointly with other fiduciaries and through several processors, and the Act does not say how responsibility is to be apportioned among them. Article 26 of the GDPR supplies such a mechanism for joint controllers: where two or more controllers jointly determine the purposes and means of processing, they must transparently allocate their respective responsibilities by arrangement, the essence of that arrangement must be made available to data subjects, and a data subject may exercise their rights against any of the joint controllers. Joint processors that may have access to several forms of sensitive data need an equivalent allocation rule, and Indian data protection law should provide one. As to the DPO, the Act requires only SDFs to appoint one, and Section 10(2)(a) requires that officer to be an individual based in India who is responsible to the SDF's Board of Directors or equivalent governing body and serves as the point of contact for grievance redressal; every other Data Fiduciary need only publish, under Section 8(9), the contact details of a DPO, if applicable, or of a person able to answer Data Principals' questions. For a newly notified SDF that has no systematic processing governance in place, the cost of establishing such an office is a genuine compliance burden. For a large enterprise group in which several subsidiaries process personal data, notification of each subsidiary as an SDF would require each to have its own officer responsible to its own board, since the Act does not expressly permit a single group-level officer. Article 37(2) of the GDPR avoids this by allowing a group of undertakings to appoint a single DPO, provided that the officer is easily accessible from each establishment.
The Rules lay down data-residency requirements for specified categories of data, but neither the Act nor the Rules contains an express provision on the sale of personal data. The GDPR likewise does not regulate sale as such. In both regimes a sale is simply one form of processing or disclosure, which is lawful only if it satisfies the general requirements (consent or a legitimate use under the Act; a lawful basis under the GDPR) and which otherwise attracts the general penalties. The CCPA, by contrast, takes a focused and targeted approach to the sale of personal data, enacted as a reactive measure after the Cambridge Analytica affair, in which a UK-based political consultancy harvested the personal data of millions of Facebook users without their knowledge and used it for political profiling and targeting in national elections. Section 1798.120 of the CCPA gives consumers the right to opt out of the sale or sharing of their personal information by a business that sells or shares it with third parties, and where personal information changes hands in a bankruptcy, merger, acquisition or similar transaction, the transferee remains bound by the restrictions the consumer had secured against the transferor. Section 1798.125 adds the safeguard that a business may not discriminate against a consumer for opting out or exercising any other right, so that consumers can exercise their rights without fear of losing access to the service.
WAY FORWARD
The Act and Rules are a crucial step for a populous, service-oriented economy like India's. The earlier framework, Section 43A of the Information Technology Act 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, did provide a mechanism, but the information-technology revolution brought personal data processing to a scale that demanded dedicated legislation. The recent enactment and enforcement of data protection regimes elsewhere gave India the opportunity to draft its own legislation tailored to its requirements while drawing on the GDPR and the CCPA. A stringent compliance structure has been put in place for large-scale Data Fiduciaries; when the Central Government notifies SDFs, it should lay equivalent emphasis on the nature and sensitivity of the personal data involved, so that the safeguards address not only security concerns but also profiling on individual characteristics of Data Principals, which cuts against their rights. One of the most notable aspects of SDF regulation under the Indian regime is its reach: whereas the CCPA is framed around California residents and businesses doing business in California, Section 3(b) of the Act expressly extends to processing outside India that is connected with offering goods or services to Data Principals within India, bringing foreign-established entities within its scope. With the additional measures suggested here, these reforms can substantially accelerate the protection of natural persons' rights while preserving the free flow of information across borders on which a service-based economy depends.
The global data protection regime has always grappled with the central question of what should trigger heightened regulatory safeguards. The special-category structure of the GDPR and the treatment of sensitive personal information under the CCPA both rest on a logic of harm: the more intimate and the more exploitable the data, the heavier the obligations imposed on whoever processes it. This method is philosophically consistent. It ties regulatory pressure to demonstrated vulnerability, so that the heightened protection attaches to the data subject rather than to the data processor. By comparison, the SDF framework of the DPDP Act is entity-based rather than data-based. A platform that handles enormous amounts of apparently non-sensitive data (browsing behaviour, purchase history, geolocation patterns and the like) can be notified as an SDF not because of what it knows about any one person, but because of how many people it knows about. There is logic in this for addressing the systemic risks that data-dominant market actors create, but it leaves a critical normative question: does volume-based designation better protect the individual Data Principal, or does it serve the State's aim of controlling large private entities?