The Discussion on “Nomination” gave rise to a debate on Linked In why we should consider that the “Right to Privacy” is only for living persons. I would like to explore this further.
DPDPA 2023 is not specific about whether the Act applies to only living persons like what GDPR has stated. The reason is that DPDPA 2023 is not a “Privacy Protection Legislation”. It is only a “Digital Personal Data Protection” regulation. Hence there was no need to clarify this point.
DPDPA 2023 expects that data needs to be protected under the CIA concept. This responsibility starts from the collection as a “Fiduciary” and continues until the data is effectively given back to a legal heir of the deceased. DPDPA 2023 imposes additional obligations such as “Notice”, “Consent”,”Data Breach Notification” etc. which also the Fiduciary has to fulfill.
Notice and Consent are obligations to the Data Principal while data breach notification is an obligation for the regulator and the data principal. The Notice and Consent are relevant only if there is a living being to whom the notice can be given and consent obtained. If the individual who can give his consent is not alive, no consent can be given. Hence this right has to be considered as extinguished on the death of the data principal.
What survives after the death is a need to dispose of the property of the deceased that the “Fiduciary” obtained on trust for a certain purpose. During the lifetime of the individual he had the right of withdrawal of the consent and death snatches away this right. Hence the permission granted while the right to withdraw consent was available becomes infructuous on the death of the data principal.
Now coming to the “Right of Nomination”, it is the desire of the data principal expressed during his life time but exercisable only after the death. It is therefore a complex thought that has an inherent contradiction that has to be sorted out by a Jurisprudential thought process.
To be consistent with the ITA 2000 which does not recognize any electronic document of the nature of a testate document and assuming that it is impractical to get written paper nomination in the digital personal data scenario, we need to give an acceptable meaning to the word “Nomination”.
If we consider “Nomination” as a “Transfer of right in a property”, it contradicts ITA 2000 (in electronic form). On the other hand, it is a burden for the data fiduciary to obtain paper instruction for nomination nor implement a claim settlement.
The legal status of “Nomination” is that it is a method to transfer the responsibility of disposal of property to the legal heirs through an intermediary who is trusted by the erstwhile property owner. Just as a Will provides a “Executor” of the will who is a trusted person of the deceased when he was alive the power to collect, encash and distribute the property to the legal heirs, the Nominee is expected to discharge a similar responsibility. This responsibility has two steps. First is the taking custody of the property without doing anything else with it such as encashing it. Second is encashing it.
In the digital personal data scenario where “Nomination form” is not a “Will” and “Nominee” is not an “Executor” of the Will, we must recognize only a limited responsibility for the nominee to take custody of the property without discharging any responsibility other than safe custody. He may have to send a suitable notification to the legal heirs to take over the property with rights of further disposal including monetization.
In summary, the jurisprudence that develops out of this chain of thoughts is
- Nomination is indicating the choice of the data principal while he was alive of to whom his property should be given for safe custody after his death. This indicates that the permission given for processing to the data fiduciary is terminated and it has to be safely handed over to the nominee.
- The Nominee cannot further instruct for continuation of the processing or monetize the data in any other form.
- The nominee as a “Trustee” similar to the “Executor” of the will has the responsibility to find out the legal heirs and transfer the digital property to them.
- Just as an executor is entitled to cover his expenses for discharging his duties, the nominee can recover costs if any from the legal heirs.
In case of a will, Courts can grant a “Letter of Probate”. At present there is no equivalent document that can be called a “Letter of Administration of digital personal data issued by any judicial authority”.
A jurisprudential advise in this regard is that the Data Fiduciary shall issue a “Letter of Administration of Nomination” to the nominee which entitles him to contact the legal heirs and dispose of the property. It should be his discretion to approach a Court and validate the “Letter of Administration of Nomination” with a civil court and convert it into a “Letter of Probate” like document.
This would be a suggestion in the DGPSI toolkit by Ujvala Consultants Pvt Ltd.
It would be good if the MeitY incorporates such thoughts in the form of its own rules. Once the full set of rules are released by the MeitY, Naavi will release a toolkit for compliance of DPDPA 2023 based on DGPSI framework in which such thoughts would be included.
In the meantime, comments are welcome.
Naavi