“Data” is accepted as an “asset”. “Personal Data” is in practice considered as an “asset belonging to the data subject”, the limited use of which can be transferred to a Data Controller under a contractual arrangement.
In India we consider “Data Subject” as a “Data Principal” and “Data Controller” as a “Data Fiduciary”. We have not gone into defining whether Data is an “Asset belonging to an individual” or a “Right” that can be assigned.
However, PDPB 2019 referred to “Nomination” of personal data. Though this did not become a law, there are some inferences that can be drawn from the draft provisions that the Government had an intention to consider “Personal Data” as a property that can be bequeathed by a written instrument like a Will.
However since a written Will (An instruction that will become valid only on the death of the person and will survive the death unlike a normal contract) is possible, “Nomination of Personal Data through a paper based Will is a possibility”.
Naavi had proposed a detailed system for handling the accounts of deceased data principals (earlier articles in this regard are available in this site) in which “Personal Data” was considered as an “Asset” and just like we settle a claim of money lying in the Bank account of a deceased person or more appropriately in the Bank locker of a deceased person, a method was proposed to handle the personal data of the deceased.
In the process Naavi had also proposed that “Unclaimed Personal Data” should be considered as a sovereign property and taken over to the control of a Data Custodian of the Government and not allowed to be left with the Data Fiduciaries. (Again similar to unclaimed Bank accounts etc).
The Government already recognizes some parts of “Non Personal Data” as “Sovereign Asset” and this was part of the recommendations of the Kris Gopalakrishnan Committee report. This is a reasonable thought which will be acceptable even in the global scenario, though countries including the EU have failed to recognize the problem of “Personal Data of Deceased Data Subjects”.
If we therefore consider that for practical purposes “Personal Data” is like any other “Personal Asset”, we come across another issue related to the International Relationship of different countries.
Our laws recognize that the legal response of the Government is dependent on the need to ensure “Sovereignty and Integrity of the country” and “Friendly relations with other countries”. The data protection law does not however specify clearly the dealing with the “Personal Data” of foreign citizens particularly if it belongs to “Unfriendly countries” or “Enemy Countries”.
If Personal Data is property, then the Country in which a data subject exercises citizenship rights should be considered as having sovereign rights on the personal data of its citizens.
In case of transfer of personal data for processing to foreign countries, there could be an issue of the “Property” of a “Citizen” being transferred to the custody of a foreigner.
EU GDPR through the Schrems judgement established a right of EU data subjects (essentially the EU Citizens) to demand that their rights be protected against foreign data processors in the foreign jurisdiction, overruling the local law. This is consistent with the thought that the Personal Data of a Citizen is indirectly the sovereign data of the Government.
The approach to be adopted by India in DPDPB 2022 to negotiate data transfers with countries in the form of Mutual Assistance treaties between countries for determination of “Adequacy” is a pointer in this direction. Contracts like SCC also need to be considered under International contract law.
While treating “Personal Data” as a property of the Citizen and subjecting it to the rules of “Property transfer across borders” is an acceptable proposition, in the context of free movement of data in the cloud storage situation, a doubt arises whether an Indian Cloud owner can store the data of a Pakistan citizen (though Pakistan is not a declared enemy country, if a war breaks out, such a situation may arise), considering that Pakistan may not be a “Friendly country” under the acceptable definition of the term under the law in India.
Does this mean that an Indian cloud operator is taking on a responsibility to manage assets that belong to the Pakistan Government indirectly?
If tomorrow either the Indian Government or the Pakistani Government is unhappy with the way the data has been used, processed or disclosed, can there be a charge from either of the countries that the Company has acted against the sovereign interests of their country?
Suppose due to some negligence or cyber attack the data is destroyed; can the owner country then allege conspiracy to destroy its national asset, or the destination country allege conspiracy to assist a foreign power?
These questions may be in the realms of speculation today. However, taking into account the hidden value of the personal data (or any other data), which may include a Crypto Currency or NFT, it is difficult to ignore the possibility of a war breaking out between two countries because the data assets of one country were destroyed or taken over by another country.
What if a Pakistan or Chinese entrepreneur is managing a Crypto Exchange and its Government nationalizes the company and takes over the data?… The value may run into billions of rupees and be more harmful than an enemy army taking over some buildings inside our territory.
During the Ukraine conflict, the US Government did impose sanctions that extended to data assets and tried to arm twist foreign Governments to shut TV channels, stop IT services to Russia etc.
As we go forward and the value of data is more and more recognizable, the demand of sovereign rights over personal data will only grow.
Currently neither our ITA 2000 nor the DPDPB 2022 addresses this situation.
I therefore request MeitY to consider releasing, through a CERT-In guideline, a notification that:
- Processing of Personal Data of citizens of designated countries shall be handled with care and under report to CERT-In.
- Such data should be held in a separate custody as “Foreign Properties of designated countries”.
- The possibility of a normal data breach becoming a trigger for International dispute needs to be flagged as a “Data Security Risk” with appropriate security measures.
- The processing of such data of foreign citizens should also be reported to the data protection authority of the data exporting country in addition to the data protection authority/CERT-In in India.
- If no exemption is provided for Data from being treated as “Property”, then laws applicable to properties of citizens in foreign countries will apply automatically and this has to be factored in as a Cyber Risk factor.
I request MeitY/CERT-In to clarify in this matter.
In the current year, when India is the Chairperson of G-20, we need to raise this “Handling of Data Transfer across Borders” not as a simple Section 17 of DPDPB 2022 or Article 44 of GDPR issue, but as an issue involving transfer of property across borders, and work out a resolution for such disputes.
(Request for comments)