Digi Locker has introduced “Nomination”

DPDPA 2023 has introduced “Nomination” as a right of a data principal. We have in our two previous articles discussed certain aspects of nomination.

Why Privacy cannot survive the death of an individual?

Relationship between IPR and Privacy

It is now observed that “Digi Locker” has already introduced the system of “Nomination” for its application. The Digi Locker mobile app has a “Privacy Policy” which does not seem to have been updated since March 14, 2017 and refers mostly to the Digi Locker portal, while the privacy policy on the website is undated. There is no reference to “Nomination” in the Privacy Policy or the Terms and Conditions. However, nomination was introduced as a new link in the App some time back.

The nomination link leads to a form which collects the Name, e-mail address, Mobile number and the Aadhaar number of the nominee.

Digilocker being an entity of the MeitY, this method may be considered as a “Precedent” for other Data Fiduciaries to collect nomination.

This however raises two issues.

Firstly, the issue is whether Digi Locker should have provided for collection of the Virtual Aadhaar number instead of the original Aadhaar number.

Secondly, like in the Truecaller case, it is a moot point whether the Digi Locker owner/registrant has the right to disclose the Aadhaar number of the nominee. The possibility of stretching the non-applicability clause in DPDPA 2023 for “Personal Domestic use” to the declaration of the nominee’s information is also a matter to be explored.

It is noted that there is no notice to the nominee that he is being designated as the nominee and that his personal information has been provided to Digi Locker. There is not even a request for OTP from the nominee so that he remains informed.

Under DGPSI, if a similar system has to be introduced, it is recommended that only the e-mail and mobile number of the nominee may be collected and the request for Virtual Aadhaar has to be sent by Digilocker directly to the nominee. The disclosure of the e-mail address or mobile number is less sensitive and the notice may perhaps be considered as a reasonable compliance to the use of these identity parameters.

A better technical method would be to enable a real time check for permission to be recorded as a nominee at the time of registering the nomination, through an API which can be initiated by the registrant without revealing the email address or mobile number to the service provider. On receipt of permission, the service provider may initiate the identity verification process by directly contacting the nominee for the Virtual Aadhaar or by any other means such as the OTP. In the meantime the nomination request may be kept pending.
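The pending-until-permitted flow described above can be sketched as a small state machine; this is an added example, not code from Digi Locker, FDPPI or DGPSI. It assumes the provider issues a one-time invite token that the registrant passes to the nominee privately, so the nominee's contact reaches the provider only from the nominee. The class, method and status names and the seven-day validity are hypothetical.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

TTL_SECONDS = 7 * 24 * 3600  # assumed validity window for an invite token

@dataclass
class Nomination:
    registrant_id: str
    expires_at: float
    status: str = "PENDING"    # -> CONSENTED -> VERIFIED, or REFUSED / EXPIRED
    nominee_contact: str = ""  # filled in by the nominee, never by the registrant

def _key(token):
    return hashlib.sha256(token.encode()).hexdigest()  # raw tokens are not stored

class NominationService:
    def __init__(self, now=time.time):
        self._now, self._by_hash = now, {}

    def create_request(self, registrant_id):
        """Registrant opens a nomination and gets a token to pass to the nominee."""
        token = secrets.token_urlsafe(32)
        self._by_hash[_key(token)] = Nomination(registrant_id, self._now() + TTL_SECONDS)
        return token

    def respond(self, token, accept, contact=""):
        """Nominee grants or refuses permission; each token is answered once."""
        nom = self._by_hash[_key(token)]  # KeyError for an unknown token
        if nom.status != "PENDING":
            raise ValueError("nomination already " + nom.status)
        if self._now() > nom.expires_at:
            nom.status = "EXPIRED"
        elif not accept:
            nom.status = "REFUSED"
        elif not contact:
            raise ValueError("nominee must supply a contact for verification")
        else:
            nom.status, nom.nominee_contact = "CONSENTED", contact
        return nom.status

    def confirm_identity(self, token, verified):
        """Record the provider's direct check of the nominee (OTP, Virtual Aadhaar)."""
        nom = self._by_hash[_key(token)]
        if nom.status != "CONSENTED":
            raise ValueError("identity check needs nominee consent first")
        nom.status = "VERIFIED" if verified else "CONSENTED"
        return nom.status
```

The nomination takes effect only in the VERIFIED state; a refused or expired request leaves no nominee contact data with the provider.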

A sample nomination form has been created for FDPPI which incorporates the definition of the role of a Nominee and his relationship with FDPPI. This is an important Jurisprudential observation and open for debate.

(Comments welcome)

Naavi

Posted in Cyber Law | Leave a comment

Being Lawful is the first requirement of DGPSI

One of the requirements of DPDPA 2023 as a law of Digital Personal Data Compliance is that Personal Data shall be processed only for lawful purpose. Hence it is a compliance requirement that a Data Fiduciary shall adopt necessary measures to ensure that all their employees remember that “Making Profits” is only a goal secondary to “Being Lawful”.

In terms of compliance the Board should establish the norm through a resolution mandating DPDPA 2023 compliance that the organization shall take such measures as are required to be compliant with all laws of the land in their activities.

At the operational level, the compliance specification would require that all “Project Managers” who prepare new project proposals whether in Business, R&D, Finance etc., shall add an assurance that the “Project proposal is within legal boundaries of all applicable laws”.

For this purpose adherence to laws such as the ITA 2000 becomes mandatory for compliance of DPDPA 2023. If the new IPC (Bharatiya Nyaaya Sanhita 2023) or Telecom Act or the new Evidence Act (Bharatiya Nyaaya Adhiniyam) has any provisions applicable to Digital personal data, they shall also be complied with as part of DPDPA 2023 compliance.

Naavi


Let DGPSI be a symbol of Compliance

DGPSI or Data Governance and Protection Standard of India is an approach that follows the principles of compliance that are indicated in the DPDPA 2023.

Compliance with DGPSI means not only being in compliance with DPDPA 2023 but also with ITA 2000 as well as the BIS standard for Data Governance.

Just as Lord Rama is a symbol of Good Governance, DGPSI endeavours to be the symbol of a Good Compliance Framework that towers over other compliance frameworks.

Our next physical program is at Pune on 6th January 2024.

Watch out for DGPSI training sessions at your city or online. Contact FDPPI at fdppi4privacy[@gmail.com]

Naavi


Welcome 2024 with the emergence of the Ayodhya Rama Mandira

We wish all the visitors of Naavi.org a very happy and prosperous new year. At the same time we welcome the emergence of the Ayodhya Rama Mandira to be in Bharat.

In the last few months of 2023 we saw a spate of new laws being passed including DPDPA 2023 which is of direct interest to the Data Protection community. The new Criminal Code, IPC and Evidence Act also are very significant and are connected with DPDPA 2023 and ITA 2000. Probably we may see in 2024, rules of DPDPA 2023 being notified, new ITA 2000 being introduced and many other laws such as the Broadcast Bill being passed. Let us watch the legal space as it develops.

Naavi


Why Privacy cannot survive the death of an individual?

The Discussion on “Nomination” gave rise to a debate on LinkedIn about why we should consider that the “Right to Privacy” is only for living persons. I would like to explore this further.

DPDPA 2023 is not specific about whether the Act applies to only living persons like what GDPR has stated. The reason is that DPDPA 2023 is not a “Privacy Protection Legislation”. It is only a “Digital Personal Data Protection” regulation. Hence there was no need to clarify this point.

DPDPA 2023 expects that data needs to be protected under the CIA concept. This responsibility starts from the collection as a “Fiduciary” and continues until the data is effectively given back to a legal heir of the deceased. DPDPA 2023 imposes additional obligations such as “Notice”, “Consent”, “Data Breach Notification” etc. which also the Fiduciary has to fulfill.

Notice and Consent are obligations to the Data Principal while data breach notification is an obligation for the regulator and the data principal. The Notice and Consent are relevant only if there is a living being to whom the notice can be given and consent obtained. If the individual who can give his consent is not alive, no consent can be given. Hence this right has to be considered as extinguished on the death of the data principal.

What survives after the death is a need to dispose of the property of the deceased that the “Fiduciary” obtained on trust for a certain purpose. During the lifetime of the individual he had the right of withdrawal of the consent and death snatches away this right. Hence the permission granted while the right to withdraw consent was available becomes infructuous on the death of the data principal.

Now coming to the “Right of Nomination”, it is the desire of the data principal expressed during his life time but exercisable only after the death. It is therefore a complex thought that has an inherent contradiction that has to be sorted out by a Jurisprudential thought process.

To be consistent with the ITA 2000 which does not recognize any electronic document of the nature of a testate document and assuming that it is impractical to get written paper nomination in the digital personal data scenario, we need to give an acceptable meaning to the word “Nomination”.

If we consider “Nomination” as a “Transfer of right in a property”, it contradicts ITA 2000 (in electronic form). On the other hand, it is a burden for the data fiduciary to obtain paper instruction for nomination or to implement a claim settlement.

The legal status of “Nomination” is that it is a method to transfer the responsibility of disposal of property to the legal heirs through an intermediary who is trusted by the erstwhile property owner. Just as a Will gives an “Executor”, a person trusted by the deceased while he was alive, the power to collect, encash and distribute the property to the legal heirs, the Nominee is expected to discharge a similar responsibility. This responsibility has two steps. The first is taking custody of the property without doing anything else with it, such as encashing it. The second is encashing it.

In the digital personal data scenario where “Nomination form” is not a “Will” and “Nominee” is not an “Executor” of the Will, we must recognize only a limited responsibility for the nominee to take custody of the property without discharging any responsibility other than safe custody. He may have to send a suitable notification to the legal heirs to take over the property with rights of further disposal including monetization.

In summary, the jurisprudence that develops out of this chain of thoughts is

  1. Nomination indicates the choice made by the data principal, while he was alive, of the person to whom his property should be given for safe custody after his death. This indicates that the permission given for processing to the data fiduciary is terminated and the property has to be safely handed over to the nominee.
  2. The Nominee cannot further instruct for continuation of the processing or monetize the data in any other form.
  3. The nominee as a “Trustee” similar to the “Executor” of the will has the responsibility to find out the legal heirs and transfer the digital property to them.
  4. Just as an executor is entitled to cover his expenses for discharging his duties, the nominee can recover costs if any from the legal heirs.

In case of a will, Courts can grant a “Letter of Probate”. At present there is no equivalent document that can be called a “Letter of Administration of digital personal data issued by any judicial authority”.

A jurisprudential advice in this regard is that the Data Fiduciary shall issue a “Letter of Administration of Nomination” to the nominee which entitles him to contact the legal heirs and dispose of the property. It should be at his discretion to approach a civil court, validate the “Letter of Administration of Nomination” and convert it into a “Letter of Probate” like document.

This would be a suggestion in the DGPSI toolkit by Ujvala Consultants Pvt Ltd.

It would be good if the MeitY incorporates such thoughts in the form of its own rules. Once the full set of rules is released by the MeitY, Naavi will release a toolkit for compliance of DPDPA 2023 based on DGPSI framework in which such thoughts would be included.

In the meantime, comments are welcome.

Naavi


Relationship between IPR and Privacy

The passage of DPDPA 2023 with a provision for “Nomination” of personal data as a right of the Data Principal has given rise to a debate on what is the nature of “Personal Data” in law.

“Nomination” obviously means that personal data is a “Property” that can be transferred on the death of a person. The instrument of transfer is the “Nomination form” which has to identify the property being nominated and the identity of the person to whom it is nominated for further disposal to legal heirs.

It is the principle of “Nomination” that the “Nominee” is an agent for disposal of the property and not necessarily the undisputed owner of the property. The ownership of the property on death should get transferred as per the laws of transfer of property.

“Nomination” is considered as an instruction to the custodian of a third party property that in the event of the death of the owner, the property should be entrusted to the nominee for disposal to the rightful owners of the property. The rightful owners of the property would be determined by the “Will” or, in the absence of the “Will”, by the provisions of the appropriate law.

A question arises if “Nomination” document itself can be considered as a Will. But this is not the accepted legal position. The purpose of “Nomination” is to help the custodian of the property to easily dispose of the property from his custody to another person chosen by the deceased during his life time. It is meant to discharge the custodian from any claims of wrongful disposal by persons other than the nominee who may have ownership rights on the property.

The nomination document should be more appropriately considered as a document that creates a “Trust” of the property of the deceased in the hands of the custodian for the rightful beneficiaries of the property. The trust gets created on the contingent event of death of the owner of the property.

In the Indian law, immovable properties are transferred as per the transfer of property act. Movable properties and actionable claims are transferred during life time through contractual instruments. Any document that transfers the title on the contingent event of the death of the owner is called the “Will”. Under ITA 2000, “Will” cannot be in electronic form and hence a nomination document taken as a part of the “Consent” for personal data collection is not valid in law.

On the other hand, “Intellectual Property” is a separate category of property recognized as an intangible property associated with “Creativity”. The derivative of “Intellectual Property Right” can be physical or virtual. The law related to intellectual property is fairly well developed from the point of view of valuation and transferability as well as sharing of value during the life cycle of the development of intellectual property.

The principles of valuation used in intellectual property can be a good guide even for valuation of “Personal Data”, as has been used in Naavi’s theory of data, as hypothesis 3 titled “Additive Value Hypothesis”.

The uniqueness of “Personal Data” as property recognized by DPDPA 2023 is that it is a unique property which can be considered neither physical nor virtual, neither movable nor immovable. Hence we cannot confidently apply either the immovable property related laws or movable property related laws or intellectual property laws to personal data.

Jurisprudence on what kind of property is “Personal Data” needs to be developed over time.

If we consider the definition of “Personal Data” as any information that is about an individual that includes the name, address, the IDs such as biometric, Government IDs like PAN or Aadhaar numbers, or Employee numbers, Phone numbers, E-Mail addresses, Health information, Financial information, Educational information etc., we can say that it is created by a number of individuals other than the individual to whom it relates. Hence the ownership assignment is ambiguous.

For example, A sees B and creates a mental profile of B. Whether this is the property of B, to whom it relates, or of A, who creates it, is a question which is not easy to answer. A Health report may be paid for by the individual so that the ownership can be considered as bought by the individual from the hospital that creates it. But an Employee ID/E-Mail etc., which is assigned by an employer to the employee, is not created by the employee nor paid for by him. It is created and extinguished at the discretion of the employer. In such a situation, is it correct to conclude that the property belongs to the employer? If so, unless the employer declares through a contractual document that the property right is transferred to the employee either as a limited period right until he/she is in employment or permanently, it remains the property of the employer.

The same dilemma confronts a mobile or an e-mail service provider who may exercise right over the mobile number or email ID and decide to re-allocate it to another person under certain circumstances. In such a situation, what happens to the PII nature of the information?

Similarly can a parent who has assigned the name to his child withdraw the name at some point of time in the life of an individual?

Can we consider some information like “Address” to be “Temporarily personal”?

What are the identifiers which can be considered wholly owned by the individual or assigned by the parents, assigned for temporary use by employers?

It appears that personal information that is wholly owned by an individual is close to being called an “Intellectual Property” of the individual or “Bought out property” from other creators.

…..Open for debate

Naavi
