Searching Case Laws & Precedent on Legal Query..!
Scanned Judgements…!
Searching Case Laws & Precedent on Legal Query..!
Scanned Judgements…!
Identification of a Data Fiduciary - A data fiduciary is an entity that determines the purpose and means of processing personal data, and has a duty to handle data responsibly. To qualify, the entity must have control over data collection, processing, and usage, often established through contractual or statutory obligations. For example, under BIPA, biometric data must be used in ways that can identify individuals to be considered under the law, implying a fiduciary role in managing such data responsibly ["Clayton Zellmer vs Meta Platforms Inc. - Ninth Circuit"].
Biometric Data and Identification - Biometric data that cannot identify an individual is not considered an identifier and thus not covered by certain laws like BIPA. Courts have clarified that face signatures or biometric data used solely for recognition purposes, without creating or storing identifying information, do not establish a fiduciary relationship unless the data is used to identify or process individuals directly ["Clayton Zellmer vs Meta Platforms Inc. - Ninth Circuit"].
Data Handling and Investigation Responsibilities - Data fiduciaries are responsible for investigating disputes or inaccuracies related to personal data they control. For instance, under the Fair Credit Reporting Act, data furnishers must investigate disputes about credit information, indicating a fiduciary duty to ensure data accuracy and integrity ["Tamara Frazier vs Dovenmuehle Mortgage Inc. - Seventh Circuit"].
Categories of Data and Regulatory Oversight - Data categorized by its nature, such as OMIT data, is subject to specific licensing and usage restrictions. The government may grant licenses for certain data types, and entities must adhere to regulations governing data use, which defines the fiduciary scope concerning data categories and their management ["Flightsafety International Inc. vs Air Force - Federal Circuit"].
Data Collection, Sharing, and Security Protocols - Entities that collect and share data, such as in road condition analysis or health data, often act as data fiduciaries when they determine how data is processed and used for specific purposes. They are also responsible for implementing data security and management protocols as specified by regulations, like those under the Aadhaar Act or similar legislation ["AUDERTEC SOLUTIONS LLP Vs CONTROLLER GENERAL OF PATENTS DESIGNS AND TRADE MARKS & ANR. - Delhi"], ["Prashant Reddy T VS Cpio, Unique Identification Authority of India - Delhi"].
Handling of Personal Data in Practice - Cases involving data sharing for customer or health information demonstrate that data fiduciaries must ensure data accuracy, prevent misuse, and maintain confidentiality. For example, companies sharing customer data or health records are expected to follow proper procedures, verify data authenticity, and comply with legal standards to uphold fiduciary duties ["In Re: Niaspan Antitrust Litigation v. - Third Circuit"], ["Indadi Utama (M) Sdn Bhd vs Kwah Peng Kun"].
Implications of Data Deletion and Data Integrity - When data is deleted or altered, fiduciaries must document and justify such actions, especially if data is crucial for legal or regulatory compliance. Failure to clarify data nature or maintain records can undermine fiduciary responsibilities ["Indadi Utama (M) Sdn Bhd vs Kwah Peng Kun"].
Regulatory Frameworks and Data Security - Regulations like the Aadhaar Act specify processes for data management, security protocols, and safeguards, emphasizing the fiduciary's role in protecting data integrity and confidentiality over specified retention periods ["Prashant Reddy T VS Cpio, Unique Identification Authority of India - Delhi"].
A data fiduciary is characterized by control over personal data, responsibility for its lawful and secure processing, and accountability for data accuracy and dispute resolution. Identifying such a role involves examining whether the entity determines processing purposes, manages data responsibly, and complies with relevant regulations. Entities handling biometric, credit, health, or operational data are often fiduciaries if they influence how data is used and are subject to legal duties to protect and accurately manage that data ["Clayton Zellmer vs Meta Platforms Inc. - Ninth Circuit"], ["Tamara Frazier vs Dovenmuehle Mortgage Inc. - Seventh Circuit"], ["Flightsafety International Inc. vs Air Force - Federal Circuit"].
In an era where data drives business decisions, understanding your role in data processing is crucial. With India's Digital Personal Data Protection Act (DPDP Act) reshaping how organizations handle personal information, many entities are asking: How to identify yourself as a Data Fiduciary? This question is pivotal for compliance, avoiding penalties, and building trust with data principals (individuals whose data you process).
This blog breaks down the legal framework, key responsibilities, and practical steps to assess your status. Drawing from statutory provisions and judicial insights, we'll help you navigate this landscape. Note: This is general information; consult a legal expert for tailored advice.
A data fiduciary is any entity—individual, company, or organization—that determines the purpose and means of processing personal data. Personal data includes any information that can identify a living individual, such as name, address, email, or biometrics. Vysakh K. G. , S/o. Gokuldas VS Union Of India - 2022 Supreme(Ker) 950 Personal data is any information about a living individual that can be used to identify them, for instance, name, address, date of birth, email address, qualifications.
If your operations involve collecting, storing, using, or sharing such data (e.g., customer databases, employee records, or user analytics), you likely qualify. Establishing data fiduciary status hinges on demonstrating processing governed by statutory obligations like lawful processing, consent, and accountability. Karthick Theodore VS Registrar General Madras High Court - 2024 0 Supreme(Mad) 902
To self-identify, evaluate these core elements:
Checklist for Identification:- Maintain records of data flows?- Obtain user consent for marketing?- Implement security for stored data?- Respond to data access requests?
If yes, you're likely a fiduciary.
Under the DPDP Act (referenced as Karthick Theodore VS Registrar General Madras High Court - 2024 0 Supreme(Mad) 902), Section 4 mandates processing based on consent or legitimate purposes. Key duties include:
Section 5 requires notices before consent, detailing data held, purposes, and rights. Consent must be free, informed, specific, unconditional, and unambiguous. Karthick Theodore VS Registrar General Madras High Court - 2024 0 Supreme(Mad) 902 Section 6 reinforces this, ensuring voluntariness.
Stick to stated purposes (Section 7: consent, legal obligations, employment). Implement safeguards against breaches (Section 8), notifying principals and the Board if incidents occur. Erase data post-purpose (Section 8(7)).
Facilitate access, correction, erasure (Sections 11-15). Maintain grievance mechanisms.
If designated 'Significant' (based on data volume, sensitivity, risk), appoint a Data Protection Officer (DPO), independent auditors, and conduct impact assessments. Karthick Theodore VS Registrar General Madras High Court - 2024 0 Supreme(Mad) 902 Designation as a 'Significant Data Fiduciary' involves additional responsibilities such as appointing Data Protection Officers and independent Data Auditors.
Courts emphasize privacy as fundamental. In the landmark Puttaswamy case, privacy protects informational autonomy under Article 21. JUSTICE K S PUTTASWAMY (RETD. ) VS UNION OF INDIA - 2017 Supreme(SC) 772 Right to privacy – Intrinsic element of right to life and personal liberty under Article 21... Privacy is a sub set of liberty.
Aadhaar judgments highlight data minimization and safeguards. Justice K. S. Puttaswamy (Retd. ) VS Union of India - 2018 7 Supreme 129 UIDAI's authentication avoids profiling, with retention limits. The Supreme Court mandated amendments for metadata retention (6 months max). This underscores fiduciaries' duty to prevent misuse.
Fraud cases warn against unauthorized sharing. Haresh Kumar Choudhary VS State NCT of Delhi - 2023 Supreme(Del) 2238 Data supplied for loans led to cheating charges under IPC Sections 419/420. Custodial interrogation revealed fake companies stealing loan-seeker data— a stark reminder of breach consequences.
Privacy in judgments: Vysakh K. G. , S/o. Gokuldas VS Union Of India - 2022 Supreme(Ker) 950 Courts protect identities in sensitive cases, balancing open justice with 'right to be forgotten.'
Exemptions apply to personal/domestic use or public data. Karthick Theodore VS Registrar General Madras High Court - 2024 0 Supreme(Mad) 902 However, commercial sharing (e.g., lead generation) triggers fiduciary duties. PAN-Aadhaar linking upheld for de-duplication, but proportionality tested. Binoy Viswam VS Union of India - 2017 4 Supreme 673
Karthick Theodore VS Registrar General Madras High Court - 2024 0 Supreme(Mad) 902 Entities should implement comprehensive data governance policies aligned with statutory obligations... Maintain detailed records of processing activities, consent, and breach management.
Identifying as a data fiduciary isn't just regulatory—it's ethical. Non-compliance risks fines, reputational harm, and litigation. Generally, proactive steps mitigate these. This overview draws from key statutes and cases; for specific scenarios, seek professional legal counsel.
#DataFiduciary #DataProtectionIndia #DPDPAct
In other words, if either form of biometric data cannot identify an individual, it is not an identifier and thus not covered by BIPA. ... The Hazlitt court rejected Apple’s interpretation as too narrow because “[t]he word ‘identifier’ modifies the word ‘biometric’ to signal that the types of data listed could be used to identify a person.” Id. (emphasis in original). ... The creation of face signatures “do[es] not create or store any other data from the detected faces of non-users . . . that ....
When a consumer notifies a credit reporting agency that information on a credit report is incorrect, the agency will identify the relevant data furnisher and transmit to it an Au- tomated Consumer Dispute Verification (ACDV) form. ... The ACDV form presents the furnisher with account payment data the credit reporting agency currently possesses and the relevant data items the consumer disputes. Upon notice of a dispute, the data furnisher has a statutory duty to investigate the disputed data#HL_E....
categories of data—including OMIT data—which the statute defined by the character of the data, not the purpose for which that data may be used. ... Under the Commercial Data Clause, what mat- tered was the category of data at issue and, being para- graph (b)(1) data, OMIT data were not subject to the procurement prohibition. ... may use in marking its data. ... could use paragraph (b)(1) data, including OMIT ....
retrieved target road condition data to identify potential road imperfections. ... Additionally, the pattern recognition module may be configured to similarly analyze infrared data (e.g. to identify iced roads) and noise data (e.g., to identify debris or road imperfections). ... -208 for all received road condition data in order to continuously identify potential road hazards. ... The pattern recognition system may also be configured to ide....
She said, “OnPoint would be able to merge the data from various sources, identify and eliminate data errors, transform the data to standardize fields, eliminate duplicates, and compile a list reflecting the identities of the class members contained in the data.” (J.A. at 704.) ... Dietz stated that this determination “cannot be done with the available data.” (J.A. at 460.) Ms. Craft later admitted in a deposition that PBM data “is not designed to id....
that during the course of his duties, as and when a call was received for sharing of data, such data in support of potential customers was supplied as per the package rate of the company. ... During interrogation done in question-answer form, the applicant accepted that he provided data to the accused persons, opened companies/vendors based on fake documents. ... It means that the applicant, with the intention to cheat, opened these fake companies and stole the data of loan seekers, and provided the same to the accused p....
The mobile phones were seized and sent to FSL to retrieve the data. iv. ... to the customers on demand and it was submitted that during the course of his duties, as and when a call was received for sharing of data, such data in support of potential customers was supplied as per the package rate of the company. ... It was further submitted that the applicant is stated to have shared data with co- accused persons from 2018 to 2021. ... It was further argued that the present applicant is in no manner connecte....
Adakh ia melibatkan satu perniagaan atau perusahaan yang istimewa yang ada data-data khas. Adakah maklumat yang disimpan dalam lap top tersebut merupakan data-data khas atau yang dikatakan harta intelek tersebut? Ini semua tidak dapat dijelaskan oleh Plaintif. ... [53]Tiada data sulit atau data penting yang Defendan miliki secara eksklusif. ... pemadaman semua fail dan data g. ... [81]Nazirah tidak menyatakan apakah data-data yang....
Without such information, it would be impossible to identify the alleged purchases or imports that were subject matter of dispute. ... Plainly, if the Assessing Officer could not identify the expenditure made, it could not make an addition on account of unexplained Signature Not Verified Digitally Signed expenditure. 10. ... Further, assessee was told that in order to refute the data, it should get the certificate from customs department/CBIC saying that the data provided has been wrong. However, assessee has failed mise....
23(2)(m) specifying, by regulations, various processes relating to data management, security protocols and other technology safeguards under this Act. ... 54(2)(p) various processes relating to data management, security protocol and other technology safeguards under clause (m) of sub-section (2) of section 23. ... Per contra, Learned Counsel for the Respondent contends that Section 23(2)(m) of the Aadhaar Act provides that the authority can specify by regulations, various processes relating to data management, security protocols and oth....
Personal data is any information about a living individual that can be used to identify them, for instance, name, address, date of birth, email address, qualifications. It may also include what are known as special categories of personal data.
UIDAI posited that identification took place through its yes/no mechanism by which the centralised database would provide a response to whether the biometric details submitted for authentication match those in the repository. Data analysis is carried out to identify non-filers about whom specific information was available in AIR, CIB data and TDS/TCS returns. In a large number of cases (more than 10 lakh PANs every year) it is seen that the PAN holder neither submits the response and in many cases the letters are return unserved. Email/SMS and letters are sent to the identi....
“Given the nature and the amount of personal information contained in cellular samples, their retention per se must be regarded as interfering with the right to respect for the private lives of the individuals concerned. The Government accepted that all three categories are “personal data” within the meaning of the Data Protection Act 1998 in the hands of those who are able to identify the individual.” Regarding the retention of cellular samples and DNA profiles, it was held that: “The Court notes at the outset that all three categories of the personal information retained ....
Email/SMS and letters are sent to the identified non-filers communicating the information summary and seeking to know the submission details of Income tax return. In a large number of cases (more than 10 lac PAN every year) it is seen that the PAN holder neither submits the response and in many cases the letters are return unserved. Data analysis is carried out to identify non-filers about whom specific information was available in AIR, CIB data and TDS/TCS Returns. Under Non-filers Monitoring System (NMS), Income Tax Department identifies non-filers with potential tax liab....
This is described as the 'random occurrence ratio' (Phipson 1999, 15th Edn. Para 14.32). In the latter part of the report, it has been observed thus: “If the samples match, that does not mean the identity is conclusively proved. Rather, an expert will be able to derive from a data base of D.N.A. samples, an approximate number reflecting how often a data base of D.N.A. samples, an approximate number reflecting how often a similar D.N.A. 'profile' or 'fingerprint' is found. It may be, for example, that the relevant profile is found in 1 person in every 100,000:
An indispensable Tool for Legal Professionals, Endorsed by Various High Court and Judicial Officers
Please visit our Training & Support
Center or Contact Us for assistance
Scan Me!
India’s Legal research and Law Firm App, Download now!
For Daily Legal Updates, Join us on :
Back to top
