In designing the Data Protection regulations, problem areas have been
a) Deceased data principals
b) Legacy holdings of personal data
c) Personal data of minor children.
Having adopted “Consent” as a basic form of establishing lawfulness of processing, it is essential that the “Consent” itself should be lawful.
As we have repeatedly held, a “Consent is a contract” and its validity expires on the death of the person. hence personal data of a deceased person moves out of the contours of a data protection law. This is also reasonable since the basic purpose of such legislation is to protect the privacy of a citizen of a country and I presume that it is not in the citizenship act to recognize a deceased person to have rights equivalent to a living citizen.
In the pdpa 2021, an attempt has been made to introduce a concept of “Nomination” where in the data principal can record his instructions for handing over the personal data to the nominated person. The legality of such nomination would be debated separately by experts. At present, we consider that this is only an operational instruction and does not amount to legal inheritance of the deceased digital assets by the nominee. This issue needs a more serious consideration than what has been done now in the form of a minor modification of Section 17 . (Recommendation 39).
This recommendation suggests that a legal heir or legal representative may be nominated by the data principal to exercise the right to be forgotten, or to append the terms of agreement with regarding to processing of personal data in the event of death of such data principal.
This provision is ultra-vires the ITA 2000 and survives only because DPA 2021 is a more recent special law. But it presumes that “Data” is a “Property” the rights of which survive death and can be transferred to another person. Section 17(4) does not specifically mention that the right is limited to carrying out some duties towards bringing back the data asset for the use of legal heirs and not to enjoy the benefits of the data by the nominee.
Further “Right to Processing of data” by consent is like transfer of a “Right to use” for a limited purpose and similar to an “Assignment”. The nomination is therefore an exercise of the right of assignment already exercised. This clarity is also not present in the amendments.
However, presence of 17(4) does provide an outlet for data of deceased persons to be brought to open.
On the treatment of legacy holding of personal data and how to handle it after the new act comes into effect, the recommendations are not clear.
However, an indication of the thinking of the committee is available in the suggestions related to the handling of the consent in respect of the children. While the consent for a child (person of less than 18 years of age) is to be obtained from the parent, 3 months before the personal attaining the majority, the Data Fiduciary should start making an attempt to get a fresh consent from the erstwhile minor. But this consent can be obtained effectively only after the minor completes 18 years. Hence sending of a notice 3 months in advance can only to prepare the parent to give up his consent.
In the contingent event that no renewal of consent is received, the section 17(4) DPA 2021 suggests that the “Discontinuity of service should be avoided”. This is a contradiction since this would mean that the consent provided earlier would continue to be held valid even after the minor attains majority and not specifically opted in.
This however may be considered as a practical decision to ensure that “Mere silence” of the minor should not be considered as “Withdrawal of consent”.
If this principle is extended to cases of personal data collected and processed before the law comes into existence, it appears that there is a case to argue that
“In the case of legacy personal data in which valid consents are available from data principals (though under notice issued prior to DPA 2021), a notice for renewal with a new notification has to be sent and after three months if there is no opt out request, the processing may continue”. … (This is only an interpretation of Naavi)
We can await if the DPAI gives any clarity on this interpretation.
Naavi
Other articles on DPA 2021
14. PDPA 2021: Concept of Discovery Consent
13. JPC Recommendations on SWIFT Alternative: Out of scope and Disruptive of Global Economic System
12. JPC recommendation on Children Data
11. JPC recommends DPA to watch on Incident Register
10. JPC comments beyond the Amendments-2: Implementation Schedule
9. JPC comments beyond the Amendments-1-Priority of law
8. Clarifications from the JPC Chairman on DPA 2021
7. Anonymisation is like Encryption with a destroyed decryption key
6. PDPA 2021: The data breach notification regarding Non Personal Data
5. PDPA 2021: The Data Protection Officer is now in an elevated professional status
4. PDPA 2021: The nature of Data as an Asset and nomination facility
3. PDPA 2021: Regulating the human perceptions
2. PDPA 2021: Definition of Harm to include psychological manipulation
1. PDPA 2021: Should Big Data and Data Analytics industry be worried?