
Data Principal and Data Subject: A Conceptual Review

Founding and Managing Partner, Arnava Legal

In the evolving landscape of data protection, terminology is not merely a matter of linguistics or semantics. The distinction between Data Subject under the EU’s General Data Protection Regulation (GDPR) and Data Principal under India’s Digital Personal Data Protection Act (DPDP), 2023, reveals a foundational divergence in how privacy, agency and trust are conceptualized. Crucially, while both terms relate to individuals whose personal data is processed, the Data Principal may not be the same person whose data is being processed. This difference is not incidental; it is embedded in India’s fiduciary model of data governance, where trust, duty and representation shape the concepts of privacy rights and enforcement of data protection.

The GDPR defines a Data Subject as “an identified or identifiable natural person” whose personal data is collected, stored, or processed. This term is rooted in Europe’s post-war human rights tradition, where privacy is enshrined as a fundamental right under the Charter of Fundamental Rights of the European Union and the European Convention on Human Rights.

In this framework:

  • The Data Subject is the direct bearer of rights.
  • Consent, access, rectification and erasure are individual entitlements.
  • The legal system presumes that the subject is autonomous and capable of exercising these rights.

This rights-based model is deeply individualistic, where privacy is a personal entitlement rooted in autonomy and dignity. It assumes that the person whose data is being processed is also the one who must authorize, challenge or revoke that processing.

India’s DPDP Act introduces the term Data Principal, defined as “the individual to whom the personal data relates.” Interestingly, the term Data Principal also includes parents or lawful guardians of a child, or a lawful guardian acting on behalf of a disabled person. Under GDPR, a data subject is specifically the identified or identifiable natural person.

Notably, the terms Fiduciary and Controller both refer to the person or entity that determines the purpose or means of processing of the personal data.

At first glance, a Data Principal under the DPDP appears synonymous with the GDPR’s Data Subject. However, the fact that the term Principal has two additional inclusions carries a distinct legal and philosophical weight, especially when juxtaposed with the Data Fiduciary.

In Indian jurisprudence, the notion of a Fiduciary and Principal denotes a relationship of trust, thereby implying:

  • A delegated relationship, where a data subject may act through agents or representatives, who are treated as the Data Principal.
  • A fiduciary framework, emphasizing trust, duty and accountability.
  • A relational model of consent, where the right to authorize data processing may reside with someone other than the “data subject”.

This opens the door to scenarios where the Data Principal is not the person whose data is being processed, but rather someone legally empowered to act on their behalf.

For example, a parent or guardian consenting to the processing of their child’s or ward’s data, or a legal guardian authorising data for and on behalf of a person with disabilities.

The shift from Subject to Principal reflects a broader philosophical divergence: in India, a Principal can act for another, while the EU regulations are rooted in strong, rights-based individual autonomy.

This distinction is not merely semantic—it can potentially shape our understanding and approach to how consent, grievance redressal and data governance will be operationalized. Under GDPR, the subject must be informed and empowered. On the other hand, under DPDP, the fiduciary must act in the best interest of the principal, even if the principal is not the direct actor.

Europe’s privacy jurisprudence is anchored in autonomy, and refers to the right to control one’s personal sphere. India’s approach, especially after the judgement in the Puttaswamy case, frames privacy as a matter of dignity and a fundamental right that is embedded in constitutional values of equality, fraternity and protection of the vulnerable.

This cultural lens explains why:

  • GDPR emphasizes individual control and data portability.
  • DPDP emphasizes purpose limitation, lawful use and duty of care.

India’s regulatory language (Data Fiduciary, Data Principal, fair and reasonable purpose) signals a trust-based governance model, where the fiduciary is morally and legally bound to act in the principal’s interest, even in asymmetrical power relationships. This is also reflective of an Indian outlook of a family as one unit, rather than parents acting as agents of a child.

This conceptual divergence creates both friction and innovation in cross-border data governance:

  • Interoperability: Global platforms must reconcile GDPR’s subject-centric rights with DPDP’s principal-centric duties.
  • Consent Management: Indian systems may require layered consent architectures to accommodate delegated authority.
  • Grievance Redressal: Who speaks for the principal in case of harm? The fiduciary’s duty may extend beyond the individual subject.

This also opens pathways for inclusive governance—especially in contexts like health data, education and financial inclusion, where individuals may lack digital literacy or legal capacity.

This concept will also shape the future of grievance redressal and litigation.

Imagine a school seeking consent to post pictures of its students on social media. The parents are treated as the Data Principal along with the child and are empowered to grant such consent. Or take the example of a hospital treating a disabled person and the lawful guardian being authorised to provide consent. In both cases, the term Principal encompasses the parent or guardian along with the child or disabled person, as the case may be. In the event of a breach of privacy, the parent / guardian is equally vested with the right to sue the fiduciary in their capacity as parent / guardian, along with the child, rather than suing on behalf of the child / disabled person.

The transition from Data Subject to Data Principal marks a paradigmatic shift in how privacy is conceptualized and legislated, and consequently, enforced in India. It reflects India’s constitutional ethos—where rights are balanced by duties and autonomy is tempered by relational accountability. As global data governance evolves, understanding this distinction is crucial for legal harmonization, ethical design and strategic foresight. This distinction may also mark the development of a separate jurisprudence in India, around the concept of Data Principal, when the case involves rights of a child or disabled person.