Naavi.org

DPDPA 2023 has introduced a concept of “Nomination” of personal data. The Act defines “Nomination” as a right of a data principal and relates it to the “Personal Data”.

Section 14 of the Act states:

 Right to nominate.

(1) A Data Principal shall have the right to nominate, in such manner as may be prescribed, any other individual, who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal in accordance with the provisions of this Act and the rules made thereunder.

(2) For the purposes of this section, the expression “incapacity” means inability to exercise the rights of the Data Principal under the provisions of this Act or the rules made thereunder due to unsoundness of mind or infirmity of body

Though “Nomination” as a word has not been defined in the Act or in the draft rules published so far, it is clear that the section 14 of the Act considers “Nomination” as a right that transfers the control on other rights such as “Right to Access”, “Right to Correction and erasure”, and “Right to Grievance Redressal” to the nominee. Perhaps we should consider that the “Right to nomination” also gets transferred to the nominee.

In this context we can debate what is the “Right to Nominate”, “How it can be executed in respect of personal data” and “What processes are to be introduced by the Data Fiduciary for registration of nomination and settlement of claim”. We have discussed some aspects of this earlier and now we shall discuss one offshoot of Nomination namely the property rights on Meta Data.

It is interesting at this stage to recognize the difference between a “Nominee” and a “Power of Attorney Holder” or a “Personal Consent Manager”.

Power of attorney or appointing a consent manager is an act of “Contract” and operates during the lifetime of an individual. However this should be considered as automatically revoked on the death of a person. On the other hand, the rights of a Nominee actually takes birth on the death of the data principal.

The introduction of the “Nomination” aspect in the Data Protection law has now introduced two specific Jurisprudential issues.

Firstly if there are some rights that survive the death of a person on some aspect, then that aspect takes the nature of a “Property” on which the data principal had rights prior to his death.

Thus, if DPDPA 2023 grants the four rights to a living individual about “Personal Data” meaning “Data about the individual who is identifiable by or in relation to such data”, all these rights are meant to be nominated to another individual in the contingent event of the death or incapacitation of the data principal. In other words the “Nominee” inherits all the four rights including the right to nominate the inherited personal data.

This has unintentionally also provided a status of a “Property” for personal data. If “Personal Data” is a property for “Nomination”, it should be so for any other purpose such as “Sale” or “Transfer”.

However, “Nomination” in tangible property scenario is normally considered as not a “Right” but an “Obligation” assigned to a person to receive the property on death and ensure its distribution to the legal heirs. The “Executor” of a “Will” is one such person nominated in the Will by the deceased person.

The need for “Nomination” is brought in to make it convenient for the asset holder to get rid of the responsibility of the asset which he is holding during the lifetime of an individual to the nominee. We therefore consider that the “Asset holder” is discharged from his liabilities by transferring the property to the nominee.

In the case of a physical property, the property transferred to the nominee ceases to be in the hands of the transferor. But the nature of data is such that even after transferring the property to the nominee, a copy will remain with the transferor. Hence “Transfer of Data to the Nominee” also involves “Deletion of Data by the Transferor”. In the DPDPA scenario, the rules should define whether the data transferred to the nominee should be immediately deleted by the data fiduciary or archived for a reasonable period.

There is a second jurisprudential challenge on the nomination which is related to the “Instrument of Nomination”. ITA 2000 does not recognize an electronic document that acts like a Will, transferring the rights of a property on the death of a person. Hence the most natural way of executing the nomination which is adding it as a part of the “Consent” in electronic form appears to be not feasible.

This means that we have to re-define the meaning of “Nomination” as restricted to “Transfer of the custody of the personal data from the Data Fiduciary who is permitted to make commercial use of the data to another Datta Fiduciary who is permitted to use it only for distribution to the legal heirs and not for exploitation himself.

If therefore the First Data Fiduciary offers to the nominee that the benefits of the data principal (say an account) will be transferred to him if he allows the continued to use the personal data, it may not be legally proper for him to accept it and continue to be the manager of the personal data of the deceased. (This situation may arise if the personal data has value even after the death of a person).

If Personal Data can be considered as an “Asset” whether it is intangible or only a licensable right, that can be “nominated” on death through an instrument, then the question of “who can nominate” the property also has to be settled.

If personal data is a property of the data principal, then obviously he is the person who has to nominate.

However there is one type of data that arises in the context of processing of personal data which relates to “Data about Data”. Eg: Transaction data in a E Commerce transaction or a Header information generated by a messaging service like WhatsApp or G Mail but is generated by the Data Fiduciary.

This meta data may also be identifiable with the individual but whether the ownership is to be assigned to the person or to the data fiduciary is a legal issue which needs to be settled.

This meta data is a combination of two parts namely information is generated by the data fiduciary and information contributed by the data principal. Hence it cannot be treated entirely as the property of the data principal and eligible for nomination and absolute transfer of property. The part contributed by the data fiduciary is his property and the mix of identifiable personal data of the individual, should be considered as “Jointly owned”.

The consequences of identifying “Meta Data” as joint property has other deeper implications of law that will be explored in future. For the time being let us leave it as a Privacy Jurisprudential thought.

One such consequence is when a disclosure of Meta Data is required whether the data fiduciary who is also an “Intermediary” under ITA 2000 can disclose without specific consent, the whole of Meta Data or only the part of Meta data that is created by him. Should the “Consent artifact” include a statement that Right on Meta Data is considered as jointly owned or singularly owned by the data fiduciary.

All these issues need to be discussed and clarified in the rules to DPDPA 2023. But the draft of the rules so far made available does not have this explanation. Hope it would be added in the next version.

Comments and Debate are welcome.

Naavi

FDPPI and Naavi thanks all the physical and virtual participants of the event held yesterday at Bangalore. Special thanks to the panellists for sharing their valuable views. It was a hybrid event with the physical event happening at Suchitra Auditorium, Bengaluru.

Chief Additional Metropolitan Magistrate Sri C.K. Veeresh Kumar inaugurated the event and shared important suggestions for the effective functioning of the Dispute Resolution Mechanism under DPDPA/ITA 2000. Professor N K Goyal and Mr Rakesh Maheshwari (former Senior Director of MeitY) participated in the inaugural session (virtually).

Sri Rakesh Maheshwari gave a brief overview of the DPPDA Act and the proposed rules.

Naavi anchored the five panel discussions posing nearly 100 different questions to highlight the concerns related to the implementation of the proposed rules and the industry experts a few of whom participated virtually shared their views. In the process important insights have been gathered and are being collated.

All the participants have also been requested to present their views on the presently available rules and the suggestions will be collated and submitted to the MeitY.

Naavi

DPDPA will change the course of every company in India. The Rules are here for public debate. Use this opportunity to share your views . We all would be helping MeitY with our suggestions.

Register today at : www.fdppi.in

Naavi

The Tele Communications Act 2023 which was passed by the Parliament in December 2023 and received presidential assent on December 24, 2023. Some sections of the Act were notified for effect on 26 th June 2024 and More on July 5th 2024.

One of the immediate observation is that instead of designating the TDSAT as the Appellate as the immediate appellate authority after Adjudication, there is another appeal committee in between. Both ITA 2000 and DPDPA 2023 makes TDSAT the first appellate authority after adjudication or DPB inquiry. This has some merit so that matters of technical nature can be handled by the appeal committee and TDSAT will be left to deal only with the advanced legal matters.

Another matter that has been discussed in the past and may surface again is whether the messaging services could come under the Telecommunications Act because the definition of “Telecommunication” is provided as

“Telecommunication” means transmission, emission or reception of any messages, by wire, radio, optical or other electro-magnetic systems, whether or not such messages have been subjected to rearrangement, computation or other processes by any means in the course of their transmission, emission or reception”

Chapter IX of this Act covers offences and could interfere with ITA 2000 offences. Appropriate explanations in the rules may help in resolving the differences between the two Acts.

Naavi

Following are the objections raised by Editor’s Guild of India on DPDPA which require some comments.

Objections have also been raised on ITA 2000 as follows.

Earlier on February 18, 2024 EGI had sent a more detailed note to MeitY a copy of which is available here

The objections raised were to “Need for Prior Consent”, ” Purpose declaration”, “Withdrawal of Consent” and” power to call for information”. To this the RTI, Surveillance and lack of exemption has been added in the recent representation sent to the leader of opposition.

This could therefore be a point of debate during the Parliamentary session starting from tomorrow and even lead to disruption of this session and walk out by the opposition.

Let us see whether these 7 demands of EGI is justified. Views may differ and EGI has every right to interpret the Act and the proposed rules in a manner that suits their narrative. Our discussion can be more neutral.

Lack of Exemption:

There are hundreds of professions and industries and granting exemption to one industry or class will certainly raise a claim of discrimination. Hence Exemptions have to be handled with circumspection.

It should be noted that Journalists can work for an organization as employees or independently. If they work for another agency, the liability will be on the media. If they work independently they will be data fiduciaries by themselves. They will also be handling information which is sensitive to national security, electoral democracy etc. Hence they would be “Significant Data Fiduciaries”.

There are similar issues in Medical Practitioners who work independently and as employees of a hospital or Lawyers who work for a firm or independently or Charted Accountants and Business Analysts who work for themselves or for other organization’s. All these “Professionals” belong to a common category.

As far as these professionals act for a “Business Purpose” they will not have exemptions.

Currently exemptions are provided under Section 17(2) as follows

(a) by such instrumentality of the State as the Central Government may notify,in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it; and

(b) necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a Data Principal and such processing is carried on in accordance with such standards as may be prescribed.

Apart from this Government may notify certain class of data fiduciaries to exempt them from “Prior Notice”, “Right to Access”, “Significant Data Fiduciary requirements” and “Erasure of personal data on withdrawal of consent or expiry of purpose”. However where the processing of data is likely to result in a decision that effects the Data Principal or disclosed publicly, the Government may not like to provide the exemption.

Investigative Journalism and Media Trials are always disputed and carry the risk of counter attack in the form of “Defamation”. In such cases, it is the responsibility of the Courts to come to the assistance of any unfair targeting of journalists and Indian Courts are more than obliging in this respect.

If an exemption is provided, the definition of a “Journalist” comes to a question and whether every YouTuber or Blogger should be treated as a Journalist needs to be resolved. The exemption is likely to be misused by that class of Journalists who are today commercial scribes and not part of the respected “Fourth Pillar of Democracy”. The leading fake news creators in India are funded from abroad and all of them are even registered as Journalists.

Hence providing “Exemption” does not seem to be a good idea. Government may still do it since it may not want to displease the Journalist community. This can be done easily through the rules where exemptions for “Research” may be defined as including “Journalistic Research”.

When journalists interview public and take their views, it can be considered as “Voluntary Provision of Data” and a “Legitimate use”. There are always situations where the source may request for anonymity and it is the duty of the journalist to provide it. Similarly when there is a “Withdrawal of Consent”, if the data has not yet been disclosed it can always be anonymised as media do at present. If it has already been published it has been my view that it becomes part of history and should not be tampered with. If there is a wrong reporting, it can be corrected with a counter view rather than tampering with a published information.

Other Objections

The other objections on surveillance, Censorship, RTI etc are political comments and can be ignored.

The objections on the “Fact Checking” are false and it was unfortunate that Bombay High Court went with the claim that the notification was meant to exercise power to curb genuine news. The Fact Checking unit was only to flag the fake news so that a Court may consider a complaint without the protection under Section 79 ITA 2000. It did not by itself penalized any organization.

Further the Government has given an option to Social media to create its own self regulatory mechanism to resolve complaints before it is escalated. Without using the provision, media is only complaining that their freedom has been affected.

The Right to erasure is subject to other laws and a journalist can always exercise his right to retain the data until his legal interests are not threatened. If we consider that after the data is made public through any disclosure through a journalist it would amount to making data publicly available, there would be no reason to worry. Let us remember that a journalist can always withhold the personal data (anonymise or pseudonymise) and release a news worthy story. If the information released is of a crime, it is for the law enforcement to take necessary action under due process of law.

I suppose no journalist has a right to suppress criminal information under his journalistic privileges since his basic commitment is to public good and protecting the identity of criminals is certainly not for “Public Good”

I therefore feel that the EGI’s contentions are borne out of mis conceptions and distrust of the regulation and there are ways and means to handle the concerns. For this purpose, Journalists should move towards self regulation.

Self Regulation

When FDPPI offered Bangalore journalists for creating a self regulatory body under the ITA 2000, there was no response and the Guild preferred to go to Court to get the notification itself scrapped. Even now FDPPI invites representatives of Press to join hands with FDPPI in creating a Special Interest Group (SIG) to discuss the impact of the Act and the Rules on the Journalists and be a part of the “DPDPA Advisory Group for the Media industry”.

FDPPI is inviting a discussion on DPDPA Rules on July 27 to form such SIGs for multiple industry segments and an invitation has been sent to EGI also to participate. An attempt has been made to invite some media persons in Bangalore through the Press Club and let us see if they respond.

Not doing anything when required and complaining later is the common problem with most of the professionals and I hope Journalists will be an exception.

Naavi

An interesting debate has ensued about the impact of DPDPA on the Journalists. The Editors Guild of India (EGI) has sent a representation to the Minister Mr Ashwini Vaishnav noting its objections on the Act which was passed more than an year back in August 2023 .

The objections have been well articulated by MediaNama in its article here. The article also provides a link to the copy of the representation made by EGI. Many other websites and NGOs have started stating “Press Freedom at risk”(Citizens for Justice and peace), “Concern over impact..” (greaterkashmir.com) etc.

The letter essentially says

“The fundamental role of the press and its ability to ensure transparency and accountability would be severely undermined by the data principal’s ability to simply refuse consent to the processing of their data.” Accordingly, the EGI has sought exemption to data fiduciaries undertaking processing for journalistic purposes .

We must appreciate that as a representative body of the Journalists, EGI has every right and perhaps even a duty to represent their concerns.

In fact, FDPPI has actually organized the event “Voice of the Industry on DPDPA Rules” on July 27 to keep industries informed about the upcoming DPDPA Rules and how they should be prepared to meet the regulations. This event is also expected to collate the views of the industry on the proposed rules and present it to MeitY with an object of getting proper clarifications where required or to suggest solutions where required. (eg: The solution to the Age-gating problem presented in yesterday’s article)

The main issue that confronts the implementation of DPDPA is that it is a regulation for the whole canvas of “Digital Personal Data Collectors, Processors and Disclosers”. It includes Journalists as well as every other profession including Medical Doctors, Law firms, Chartered Accountant firms etc. It includes the State Bank of India or the Apollo Hospital chain as much as the street side co-operative bank or my family doctor.

Some of the professionals like Journalists work as part of an organization in which case the organization will be a Data Fiduciary and the professional would be an employee. But when such a professional sets up his own business then he himself will become the “Data Fiduciary” and cannot escape liabilities.

It would be difficult to provide wholesale exemptions in which case the law will be amenable to abuse. We have already raised our voice against the concessions that are likely to be provided to organizations like Face Book and Google which will dilute the implementation. Similarly, we need to ensure that because of the “Fear of the Soros Media Group”, Government should not yield and start making concessions without proper application of mind.

Instead the DPB can ensure that while imposing penalties if any, the status of the Data Fiduciary would be taken as a key input.

While we acknowledge the concerns expressed by the EGI, it is necessary to point out that the “Voluntary Provision” and “Legitimate use” provisions are good enough to provide the freedom to the Journalists to go about their journalistic duties. The EGI will definitely be required to ensure that Journalists are properly informed and educated on how to navigate the DPDPA.

I invite the EGI to send their representative to the FDPPI’s event of July 27 at Bengaluru where they can share their concerns and also understand that this is not the exclusive problem of Journalists but it affects several others who are trying to find solutions and not escape from the responsibilities. (visit www.fdppi.in for details on the event)