DPDPA 2023 has introduced “Nomination” as a right of a data principal. We have in our two previous articles discussed certain aspects of nomination.
Why Privacy cannot survive the death of an individual?
Relationship between IPR and Privacy
It is now observed that “Digi Locker” has already introduced the system of “Nomination” for its application. While the Digi Locker mobile has a “privacy Policy” which does not seem to have been updated since March 14, 2017, but refers mostly to the Digit Locker portal, the privacy policy on the website is undated . There is no reference to the “Nomination” in the Privacy Policy or the Terms and Conditions. However,nomination has been introduced as a new link in the App some time back.
The nomination link leads to a form which collects the Name, e Mail address, Mobile number and the Aadhaar number of the nominee.
Digilocker being an entity of the MeitY, this method may be considered as a “Precedence” for other Data Fiduciaries to collect nomination.
This however raises two issues.
Firstly the issue is whether Digi Locker should have provided for collection of Virtual Aadhaar number instead of original Aadhaar number .
Secondly like in the True Caller case, it is a moot point whether the Digi Locker owner/registrant has the right to disclose the aadhar number of the nominee. Possibility of stretching the non applicability clause in DPDPA 2023 for “Personal Domestic use” to the declaration of the nominee’s information is also a matter to be explored.
It is noted that there is no notice to the nominee that he is being designated as the nominee and that his personal information has been provided to Digi Locker. There is not even a request for OTP from the nominee so that he remains informed.
Under DGPSI, if a similar system has to be introduced, it is recommended that only the e-mail and mobile number of the nominee may be collected and the request for Virtual Aadhaar has to be sent by Digilocker directly to the nominee. The disclosure of the e-mail address or mobile number is less sensitive and the notice may perhaps be considered as a reasonable compliance to the use of these identity parameters.
A better technical method would be for enabling a real time check for permission to be recorded as a nominee at the time of registering the nomination through an API which can be initiated by the registrant without revealing the email address or mobile number to the service provider. On receipt of permission, the service provider may initiate the identity verification process by directly contacting the nominee for the virtual aadhaar or any other means such as the OTP. In the meantime the nomination request may be kept pending.
A sample nomination form has been created for FDPPI which incorporates the definition of the role of a Nominee and his relationship with FDPPI. This is an important Jurisprudential observation and open for debate .
(Comments welcome)
Naavi