Who owns Meta Data?

DPDPA 2023 has introduced a concept of “Nomination” of personal data. The Act defines “Nomination” as a right of a data principal and relates it to the “Personal Data”.

Section 14 of the Act states:

 Right to nominate.

(1) A Data Principal shall have the right to nominate, in such manner as may be prescribed, any other individual, who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal in accordance with the provisions of this Act and the rules made thereunder.

(2) For the purposes of this section, the expression “incapacity” means inability to exercise the rights of the Data Principal under the provisions of this Act or the rules made thereunder due to unsoundness of mind or infirmity of body

Though “Nomination” as a word has not been defined in the Act or in the draft rules published so far, it is clear that the section 14 of the Act considers “Nomination” as a right that transfers the control on other rights such as “Right to Access”, “Right to Correction and erasure”, and “Right to Grievance Redressal” to the nominee. Perhaps we should consider that the “Right to nomination” also gets transferred to the nominee.

In this context we can debate what is the “Right to Nominate”, “How it can be executed in respect of personal data” and “What processes are to be introduced by the Data Fiduciary for registration of nomination and settlement of claim”. We have discussed some aspects of this earlier and now we shall discuss one offshoot of Nomination namely the property rights on Meta Data.

It is interesting at this stage to recognize the difference between a “Nominee” and a “Power of Attorney Holder” or a “Personal Consent Manager”.

Power of attorney or appointing a consent manager is an act of “Contract” and operates during the lifetime of an individual. However this should be considered as automatically revoked on the death of a person. On the other hand, the rights of a Nominee actually takes birth on the death of the data principal.

The introduction of the “Nomination” aspect in the Data Protection law has now introduced two specific Jurisprudential issues.

Firstly if there are some rights that survive the death of a person on some aspect, then that aspect takes the nature of a “Property” on which the data principal had rights prior to his death.

Thus, if DPDPA 2023 grants the four rights to a living individual about “Personal Data” meaning “Data about the individual who is identifiable by or in relation to such data”, all these rights are meant to be nominated to another individual in the contingent event of the death or incapacitation of the data principal. In other words the “Nominee” inherits all the four rights including the right to nominate the inherited personal data.

This has unintentionally also provided a status of a “Property” for personal data. If “Personal Data” is a property for “Nomination”, it should be so for any other purpose such as “Sale” or “Transfer”.

However, “Nomination” in tangible property scenario is normally considered as not a “Right” but an “Obligation” assigned to a person to receive the property on death and ensure its distribution to the legal heirs. The “Executor” of a “Will” is one such person nominated in the Will by the deceased person.

The need for “Nomination” is brought in to make it convenient for the asset holder to get rid of the responsibility of the asset which he is holding during the lifetime of an individual to the nominee. We therefore consider that the “Asset holder” is discharged from his liabilities by transferring the property to the nominee.

In the case of a physical property, the property transferred to the nominee ceases to be in the hands of the transferor. But the nature of data is such that even after transferring the property to the nominee, a copy will remain with the transferor. Hence “Transfer of Data to the Nominee” also involves “Deletion of Data by the Transferor”. In the DPDPA scenario, the rules should define whether the data transferred to the nominee should be immediately deleted by the data fiduciary or archived for a reasonable period.

There is a second jurisprudential challenge on the nomination which is related to the “Instrument of Nomination”. ITA 2000 does not recognize an electronic document that acts like a Will, transferring the rights of a property on the death of a person. Hence the most natural way of executing the nomination which is adding it as a part of the “Consent” in electronic form appears to be not feasible.

This means that we have to re-define the meaning of “Nomination” as restricted to “Transfer of the custody of the personal data from the Data Fiduciary who is permitted to make commercial use of the data to another Datta Fiduciary who is permitted to use it only for distribution to the legal heirs and not for exploitation himself.

If therefore the First Data Fiduciary offers to the nominee that the benefits of the data principal (say an account) will be transferred to him if he allows the continued to use the personal data, it may not be legally proper for him to accept it and continue to be the manager of the personal data of the deceased. (This situation may arise if the personal data has value even after the death of a person).

If Personal Data can be considered as an “Asset” whether it is intangible or only a licensable right, that can be “nominated” on death through an instrument, then the question of “who can nominate” the property also has to be settled.

If personal data is a property of the data principal, then obviously he is the person who has to nominate.

However there is one type of data that arises in the context of processing of personal data which relates to “Data about Data”. Eg: Transaction data in a E Commerce transaction or a Header information generated by a messaging service like WhatsApp or G Mail but is generated by the Data Fiduciary.

This meta data may also be identifiable with the individual but whether the ownership is to be assigned to the person or to the data fiduciary is a legal issue which needs to be settled.

This meta data is a combination of two parts namely information is generated by the data fiduciary and information contributed by the data principal. Hence it cannot be treated entirely as the property of the data principal and eligible for nomination and absolute transfer of property. The part contributed by the data fiduciary is his property and the mix of identifiable personal data of the individual, should be considered as “Jointly owned”.

The consequences of identifying “Meta Data” as joint property has other deeper implications of law that will be explored in future. For the time being let us leave it as a Privacy Jurisprudential thought.

One such consequence is when a disclosure of Meta Data is required whether the data fiduciary who is also an “Intermediary” under ITA 2000 can disclose without specific consent, the whole of Meta Data or only the part of Meta data that is created by him. Should the “Consent artifact” include a statement that Right on Meta Data is considered as jointly owned or singularly owned by the data fiduciary.

All these issues need to be discussed and clarified in the rules to DPDPA 2023. But the draft of the rules so far made available does not have this explanation. Hope it would be added in the next version.

Comments and Debate are welcome.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.