India enacted ITA 2000 (Information Technology Act 2000) with effect from 17th October 2000 and amended it in 2008 with effect from 27th October 2009. The provisions of ITA 2000/8 included legal recognition for a binary expression which we refer to as an “Electronic Document”, and how such electronic documents can be used and the consequences of its mis-use.
In the amendments of 2008, the act was sharpened with the introduction of how sensitive personal data is expected to be protected through a “Reasonable Security Practice” and the consequences for negligence in the process.
The Personal Data Protection Act (PDPB 2021) and the Crypto Currency Regulation bill which are presently being considered in the Parliament for passage have opened up some discussions on what is the legal nature of some special kinds of electronic documents.
Arguments in the context of Crypto Currency bill revolve around the need to ban Crypto currencies from private entities since it could destroy the legit economy by undermining the central bank currency. However when it comes to the legal status of a Crypto Currency, it has its recognition as an “Electronic Document” and hence one argument is that it should be considered as a separate Asset Clause and allowed to be traded in the stock markets like a “Commodity”.
The now abandoned draft Bill DISHA (Digital Information Security for Health Act) had provided that “Health Data” is owned by the health data subject as if it was a “Property”.
The PDPB 2021 considers “Personal Data” as a special kind of data and ascribes a whole lot of regulations on how it can be collected, used and disposed along with the consequences of contravention of the provisions.
In perception, Personal Data is a separate asset clause in the Corporate Data Asset store and to be compliant with PDPB 2021, an organization needs to recognize its “Personal Data Asset”, classify it as Personal, Sensitive personal, critical personal etc, create an inventory tag it with the country of origin of the data principal, the notice and consent associated with its collection and usage and so on. The personal data is not a single piece of data and is often an aggregation of data elements from different sources at different points of time. It has depth and width. It also has a quality tag and an erosion of quality over a period of time.
In view of the fact that personal data like all data has an economic value to the user organization, different types of personal data have different values and the “Data Valuation Standard of India” (refer www.dvsi.in/wp) has developed a tentative methodology for valuing the data in the control of organizations and bring it to the books of account.
However, in the midst of these activities, the treatment of the data of “Deceased” data principals has been an issue that required attention. Under several articles in naavi.org (Refer here)we have discussed this issue in the past.
One of the issues discussed there in is whether ITA 2000/8 Section 1(4) Schedule can be amended to include the feasibility of a “Will” for data assets. The other option is to provide for a “Nomination” facility under law.
In financial assets there is both the provision of a “Will” through which the financial assets can be passed on to legal inheritance as well as nomination of Bank accounts.
The nomination facility for Bank held assets were brought in through section 45Z (introduced in 1985) of the Banking regulation Act which states as follows:
45ZA. Nomination for payment of depositors’ money.—
The legal jurisprudence on the nomination facility in the banking system is that payment or deliver of articles to a nominee discharges the Bank of its liabilities though it is not a legal settlement of the title. The legal heirs are open to settle their claims separately through the testate instruments such as a Will or through other measures available under the transfer of property provisions of law. Nomination does not settle legal ownership and is only a procedural facilitation for the convenience of the Banking system.
Now, PDPA 2021 introduces the concept of Nomination in respect of “Personal Assets” through a provision in the Bill.
Under the proposed Section 17 (4) regarding Rights of the Data Principal,
it is provided that
“The data principal shall have the following options, namely:-
(a) to nominate a legal heir or a legal representative as his nominee;
(b) to exercise the right to be forgotten; and
(c) to append the terms of agreement, with regard to processing of personal data in the event of the death of such data principal.”
Reading this along with the current provisions of ITA 2000, we need to interpret that this provision is only for “Nomination” and not to transfer “Legal Ownership” of the data. Hence this does not also confer the status of “Property” to the data.
This provision also has another anomaly since it tries to provide rights of amendment to a contract signed when the person was alive and in respect of a right that does not subsist after the death of a person.
This needs to be corrected by changes to this amendment failing which this provision could be considered as “Ultra Vires” the established process of law and introduce an ambiguity that will become a focus of end less litigation in future.
If this section survives the passing of the Bill, then watch out for the amendments to be made to PDPSI (Personal Data Protection Standard of India) implementation specifications where we may suggest how this anomaly may be handled.
Naavi
(Comments welcome)
Other articles on DPA 2021
14. PDPA 2021: Concept of Discovery Consent
13. JPC Recommendations on SWIFT Alternative: Out of scope and Disruptive of Global Economic System
12. JPC recommendation on Children Data
11. JPC recommends DPA to watch on Incident Register
10. JPC comments beyond the Amendments-2: Implementation Schedule
9. JPC comments beyond the Amendments-1-Priority of law
8. Clarifications from the JPC Chairman on DPA 2021
7. Anonymisation is like Encryption with a destroyed decryption key
6. PDPA 2021: The data breach notification regarding Non Personal Data