Q9 - What happens when multiple Fiduciaries share data — who carries liability if something goes wrong?
When multiple Data Fiduciaries share or exchange personal data, each one is responsible for complying with the Digital Personal Data Protection Act, 2023 (DPDPA) for the processing it controls. Liability is assessed per entity: it attaches to whichever Fiduciary's act or omission caused the breach, misuse, or non-compliance, and the Act contains no mechanism for one Fiduciary to transfer its obligations to another.
1. Independent Obligations of Each Data Fiduciary
Under Section 8(1), every Data Fiduciary is responsible for complying with the Act in respect of any processing undertaken by it or on its behalf by a Data Processor, irrespective of any agreement to the contrary. That responsibility is not diminished because the data was received from, or passed on to, another Fiduciary.
Each organization must:
- Ensure that the data it processes was lawfully obtained and is processed on a valid ground under Section 4 (consent, or one of the legitimate uses in Section 7).
- Use the data only for the specified purpose for which consent was given or which the legitimate use permits.
- Maintain reasonable security safeguards and access controls to prevent a personal data breach (Section 8(5)).
- Cease processing when consent is withdrawn (Section 6(6)) and notify the Data Protection Board of India and each affected Data Principal of any personal data breach (Section 8(6)).
There is no concept of "joint immunity" under the DPDPA: a Fiduciary cannot escape its own obligations by pointing to another Fiduciary that also handled the data.
2. Determining Liability When a Breach Occurs
If a personal data breach, misuse, or unauthorized disclosure occurs:
- The Data Fiduciary whose failure caused the incident (for example, the one that lost, leaked, or misused the data) answers for it.
- If several Fiduciaries were involved in a connected chain of processing, the Data Protection Board of India may inquire into each entity's role and determine accountability separately for each.
- Under Section 33(1), where the Board finds on conclusion of an inquiry that a breach of the Act is significant, it may impose a monetary penalty on each Fiduciary found at fault, after giving that Fiduciary an opportunity to be heard. Under Section 33(2), the amount reflects factors such as the nature, gravity and duration of the breach, the type of personal data affected, whether the breach is repetitive, and any mitigation undertaken.
3. Shared or Sequential Processing Scenarios
In many real-world cases, multiple Data Fiduciaries handle the same data for related purposes (for example, between a bank, an insurance company, and a credit bureau).
Each Fiduciary must independently satisfy the conditions of lawful processing and must not rely solely on another party's compliance.
Example: A bank shares verified customer information with an insurance company for providing an insurance-linked credit card.
- The bank acts as a Data Fiduciary when it collects and verifies the data, and again when it decides to share it with the insurer.
- The insurance company becomes a separate Data Fiduciary once it determines the purpose and means of using that data to issue the policy.
If the insurance company later exposes the data through a breach, the failure to maintain reasonable security safeguards under Section 8(5) is the insurer's own, and the insurer is answerable for that incident rather than the bank.
However, if the bank shared the data without a valid ground under Section 4 (for example, without consent that covered sharing it with the insurer for this purpose), the bank is separately in breach for that sharing, regardless of what happens to the data afterwards.
4. Oversight and Penalties
The Data Protection Board of India (under Sections 27–28) has the authority to:
- Inquire into breaches involving several parties.
- Determine the extent of each Fiduciary's fault.
- Impose penalties proportionate to that fault, within the amounts specified in the Schedule. The highest ceiling in the Schedule is ₹250 crore, which applies to a failure to take reasonable security safeguards to prevent a personal data breach (Section 8(5)).
Referenced Provisions:
- Section 4 – Grounds for processing personal data (consent or legitimate uses).
- Section 6(6) – Cessation of processing on withdrawal of consent.
- Section 8(1) – Responsibility of a Data Fiduciary for compliance, including processing by its Data Processors.
- Section 8(5) – Duty to implement reasonable security safeguards to prevent a personal data breach.
- Section 8(6) – Duty to notify the Board and affected Data Principals of a personal data breach.
- Sections 27–28 – Powers, functions and procedure of the Data Protection Board of India.
- Section 33 – Monetary penalties for significant breaches of the Act, and the factors the Board must weigh.
- Schedule – Penalty ceilings for each category of non-compliance.