CBDC or E Rupee and the Data Protection Bill 2022

We are aware that RBI is implementing a pilot project to introduce E Rupee as its CBDC. The E-Rupee or CBDC-Retail will be a tokenized version of a currency denomination. It will therefore be a digital document that is stored in a digital container which can be a software wallet or a hardware device.

The critical part of the implementation, which we are not certain the RBI has sorted out, is the ability for the public to view the Digital Token, identify it as a digital currency, validate its authenticity and transfer it from one wallet to another.

As long as there is a Bank as an intermediary, the transferee can rely on the Bank to confirm the authenticity of the transaction. This happens in the Virtual currency transactions today. But the RBI seems to have a necessity to introduce a Digital Currency that may or may not have an intermediary like the Bank.

The undersigned is not in favour of complete disintermediation which will enable the digital currency to be “Anonymous” since it may then be used easily like cash for corruption and holding of black wealth.

Whether RBI finally adopts an anonymous version or an identifiable version of the digital currency, the E Rupee will ultimately be electronic information which is stored somewhere.

If it is associated with the identity of the owner, it would be “Personal Data”. If it is completely anonymous, it would be “Non personal Data”.

In future there will be some instances where an owner of a digital currency may die, leaving the Digital Currencies held by him in his wallet with a bank or a private sector service provider or on his personal digital wallet device. These need to be passed on to the legal heir like any other property.

In case there is no claimant to such digital currency, it cannot be left to be used by the wallet service provider but must be surrendered to the Government.

If the digital currency is held in a bank Wallet, it can be settled just like settling a claim on the Bank accounts.

While a “Will” cannot be made in digital form, a “Will” can be made in writing for a “Digital Property” and hence the owner may leave a written will and the digital currency would become a property that is settled through a succession certificate or a probate.

Since it is possible that non-banking institutions may hold the digital currency and it may even be found as attachments to an e-mail or WhatsApp message etc., the digital currency assets will be left with private people and, in case of death of the owner, the asset may illegally be appropriated by such intermediaries.

In the DPDPB 2022, a provision has been introduced for “Nomination” of personal data and this may apply to e-mails or WhatsApp accounts or other digital data. Legally this nomination may also include the digital currencies and will be subject to the limitations imposed by Section 1(4) of ITA 2000 which requires a written will to be made for digital assets.

The recent changes made on October 4, 2022, removing the immovable property documents from exceptions under Section 1(4), which we consider an ill-advised move, have also increased the financial stake in digital documents, since we may now find a property worth crores of rupees for which a digital document may exist as sale deed or partition deed and may surface after the death of the property owner. This will be a new form of Cyber Crime which the Government has now unleashed on the public in India with the amendment of Section 1(4) of ITA 2000 and deletion of one of the sub-clauses on immovable property.

It is possible that the DPDPB 2022 has not taken into account the huge values that may be contained in the personal data that may lie around or may be fraudulently created to commit frauds related to property.

Even if “Nomination” is considered only an authority to operate the property and not to transfer the ownership, the current provisions on “Nomination” are not robust enough to take care of the risks.

It would be necessary to ensure that DPDPB 2022 either deletes the nomination feature completely and makes it an obligation on the Data Fiduciary to settle the claim on personal data like settling the Bank assets.

Alternatively, the DPDPB 2022 should make specific mention that “Nomination” does not amount to transfer of the right to the digital property, that a Will cannot be made in digital form, and that the responsibilities of the Data Fiduciary to ensure that the genuine legal heirs receive the property are not extinguished because of nomination.

Further any consent to Nomination should be suitably witnessed and not be subject to the usual “Click here” option.

Hope the MeitY takes note of this aspect when they finalize the draft of DPDPB 2022.

Naavi

Comments are welcome.

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.