(1) A Significant Data Fiduciary shall, once in every period of twelve months from the date on which it is notified as such or is included in the class of Data Fiduciaries notified as such, undertake a Data Protection Impact Assessment and an audit to ensure effective observance of the provisions of this Act and the rules made thereunder.
(2) A Significant Data Fiduciary shall cause the person carrying out the Data Protection Impact Assessment and audit to furnish to the Board a report containing significant observations in the Data Protection Impact Assessment and audit.
(3) A Significant Data Fiduciary shall observe due diligence to verify that algorithmic software deployed by it for hosting, display, uploading, modification, publishing, transmission, storage, updating or sharing of personal data processed by it are not likely to pose a risk to the rights of Data Principals.
(4) A Significant Data Fiduciary shall undertake measures to ensure that personal data specified by the Central Government on the basis of the recommendations of a committee constituted by it is processed subject to the restriction that the personal data and the traffic data pertaining to its flow is not transferred outside the territory of India.
The Digital Personal Data Protection (DPDP) Rules, 2025, through Rule 12, impose a heightened set of responsibilities on entities classified as Significant Data Fiduciaries (SDFs). These obligations reflect the critical role such entities play in processing vast volumes of personal data and influencing public trust. SDF status is not self-assessed: a Data Fiduciary becomes an SDF only when the Central Government notifies it, or a class of Data Fiduciaries it belongs to, as such. Companies like Amazon, Flipkart, Meta, and Google are the obvious candidates for such notification given their massive data handling capabilities and far-reaching impact on consumers, and they are used as illustrations throughout this piece.
What Are Significant Data Fiduciaries?
Before diving into the specifics, it's crucial to understand who qualifies as an SDF. Under the DPDP Act, the Central Government notifies a Data Fiduciary (or a class of them) as an SDF after assessing factors such as the volume and sensitivity of the personal data it processes and the risk its processing poses to the rights of Data Principals. In simple terms, an SDF is a data fiduciary with high processing volumes, complex algorithms, or systemic influence that could impact the privacy rights of a large number of individuals. Think of tech giants like Google managing search data, Amazon processing millions of transactions daily, or Meta hosting billions of user profiles: these entities exemplify the scale and influence of an SDF.
1. Annual Data Protection Impact Assessment and Audit
Under Rule 12(1), SDFs must conduct a Data Protection Impact Assessment (DPIA) and an audit once in every twelve-month period, counted from the date of their notification as an SDF. The DPIA looks forward at the risks a processing activity creates for Data Principals; the audit looks back at whether the organization actually observed the Act and the rules. Together they ensure that these organizations maintain robust data protection mechanisms and comply with the DPDP Act and its rules.
Practical Example:
Imagine Amazon assessing the data flow of its Prime subscription service. The DPIA would map what personal data is collected at sign-up and during use, for which notified purposes, and whether that collection matches the notice given and the consent obtained. An audit would then verify whether Amazon's practices meet the legal requirements in practice: for example, that reasonable security safeguards such as encryption protect transaction data, and that personalized ads rely on consent that was actually obtained for that purpose.
2. Reporting Significant Observations to the Board
Rule 12(2) requires the SDF to cause the person who carried out the DPIA and audit to furnish a report to the Data Protection Board containing the significant observations from that work. The SDF does not merely self-report; the obligation runs through the assessor or auditor, which gives the Board an account that is one step removed from the organization being assessed. This ensures accountability and regulatory oversight.
Practical Example:
Consider Flipkart's auditor finding a weakness in how its payment flow handles personal data. The report furnished to the Board would outline the identified risks, the remedial actions taken, and the measures adopted to prevent recurrence. Such transparency builds trust among users while demonstrating regulatory compliance. Note that this report is distinct from the intimation the Act separately requires when a personal data breach actually occurs; an audit finding is not in itself a breach.
3. Algorithmic Due Diligence
Under Rule 12(3), SDFs must observe due diligence to verify that the algorithmic software they deploy for hosting, displaying, uploading, modifying, publishing, transmitting, storing, updating or sharing personal data is not likely to pose a risk to the rights of Data Principals. In practice this covers recommendation, ranking, ad-targeting and moderation systems, and it means such algorithms must be scrutinized for fairness, accuracy, and compliance with data protection principles both before deployment and afterwards, since a model retrained on fresh data can drift away from what was originally assessed.
Practical Example:
Meta, for instance, deploys algorithms to curate user feeds and target advertisements. Due diligence would require ensuring these algorithms don't lead to biased content display or profiling beyond the purposes Data Principals consented to. If an algorithm inadvertently targets ads using personal data that was collected for a different purpose, or without valid consent, Meta could face significant legal and reputational repercussions. Unlike some other regimes, the DPDP Act does not carve out a separate "sensitive" category of personal data, so the test is whether the processing stays within the notified purpose and the consent given, not what kind of data is involved.
4. Restrictions on Cross-Border Data Transfers
Rule 12(4) restricts the transfer outside India of personal data that the Central Government specifies, on the recommendation of a committee it constitutes, together with the traffic data pertaining to that data's flow. The restriction therefore bites only for the categories so specified, but for those categories it covers not just the records themselves but also the metadata about their movement, such as logs of where and to whom they were sent. This aligns with India's goal to exercise sovereignty over critical personal data and enhance data localization.
Practical Example:
Google's Maps service, which processes location data, might be required to store and process such data within Indian borders if it falls under the specified category. Similarly, Flipkart could face restrictions on replicating user purchase histories to overseas servers, including for backups, analytics pipelines and support tooling, since any such copy is a transfer outside India.
The Broader Implications of Rule 12
Rule 12 isn’t merely a regulatory burden—it’s an opportunity for SDFs to showcase their commitment to privacy. By implementing robust safeguards and transparent practices, companies like Amazon, Meta, Flipkart, and Google can enhance their reputations as ethical stewards of data.
Challenges Faced by Significant Data Fiduciaries
- Operational Costs: Annual audits and DPIAs require significant resources.
- Technical Challenges: Algorithmic verification isn’t straightforward, especially for dynamic and complex systems.
- Data Localization: Keeping specified data and its traffic data inside India means more than choosing an Indian data center or cloud region; replication, backups, logging and monitoring pipelines and third-party processors must all be confined to India, which is a time-intensive and expensive change for global companies.
These challenges, while daunting, also provide opportunities for innovation. SDFs can pioneer cutting-edge solutions, such as AI-driven audit tools and adaptive algorithms that prioritize user rights.
Conclusion
Rule 12 of the DPDP Rules 2025 isn't just about imposing obligations; it's about fostering a culture of accountability and trust among Significant Data Fiduciaries. For giants like Amazon, Flipkart, Meta, and Google, compliance isn't merely a legal requirement; it's a testament to their commitment to ethical data handling. By embracing these obligations, SDFs can lead the way in setting new standards for privacy protection, balancing user trust with innovation in the ever-evolving digital landscape.