We have in the past discussed the issue of “Digital Wills”. (Refer here: Inheritance of Virtual Assets) ITA 2000 has kept “Wills” in electronic form outside the provisions of ITA 2000. Hence “Digital Wills” are not valid like written documents under Section 3 of ITA 2000. There is a logic for this and hence we can accept this as the current policy of the Government to keep possible frauds by creation of fake digital wills.
Now Dr Prashant Mali, well known Cyber Law expert has published a comprehensive article on the issues related to digital assets and their inheritance. (Refer here).
We are in the threshold of the passing of the PDPB 2019 which will bring new regulations in force on how to handle or how not to handle personal information. In due course we may also have a legislation on “Non Personal Data Governance” and how to unlock financial value out of such assets.
Naavi has also recommended that “Data Assets” should be brought into account books by creating a contra entry in the balance sheet as both an asset and a liability until such time that we have a proper method of valuation of data assets acceptable to the accounting fraternity.
FDPPI has also adopted the PDPSI (Personal Data Protection Standard of India) as a framework for audit and certification of Personal Data Management System (PDPMS).
In the light of the above, it is considered that we need to suggest some changes to the law to resolve the issues of “Transfer of Digital Assets to the legal heirs of deceased”.
This needs to be referred to in ITA 2000 in the form of a “Guideline to Intermediaries on handling of Deceased accounts”. It also has to be addressed in the PDPB 2019 follow up in the form of guidelines to be issued by DPA in due course.
There should therefore be an amendment to the Section 79 guidelines to the following effect.
“In the event of an account being inoperative for more than 6 months, the Intermediary shall notify the account holder to renew the account by posting a data transaction (which could even be a reset of the password). If the customer remains incommunicado, then the account may be treated as dormant and archived for better security with an additional factor of authentication for renewal.
If the account remains dormant for a further period of say 18 months, then the account may be declared as inoperative and flagged for an increased level of security.
An inoperative account shall be notified to the office of “Controller of Deceased digital assets” (CDDA) to be created by the MeitY.
If there is any knowledge that the account holder is deceased, the account shall be notified as “Account holder reported deceased” with a suitable mark on the content along with the source of such information and the CDDA shall be notified.
The CDDA may try to establish contact with the account holder and if the account holder fails to respond for a period of 6 months, or on receipt of any confirmation that the account holder is deceased, inform the account holder who there after shall transfer all the assets of the deceased to the CDDA.
In case of e-mail accounts and facebook pages or the like, the notice that the account has been transferred to CDDA shall be prominently noted as a default error response.
There after the legal heirs may contact CDDA for transfer of the digital assets and subject to the satisfaction of CDDA the asset may be transferred to the legal heirs of the deceased on demand.
In the event of the legal heirs opting to disown the data, the data asset shall be considered the asset of the sovereign state and shall be kept at the disposal of CDDA which shall dispose it of in appropriate public interest.”
Since the digital information in a personal account is classified as “Personal Data” under the PDPB 2019, the Data Protection Authority shall be empowered to make the regulations under the PDPB 2019 and such an amendment can be incorporated at the time of passage so that detailed guideline can be issued by DPA in due course.
The CDDA could be an authority which would be a “Data Fiduciary” under PDPB 2019. It can also use anonymization of the information and create value to be harnessed as sovereign asset realization when the Non Personal Data Governance Act becomes operative. In the context of upcoming regulation for banning crypto asset, that law also needs to incorporate a reference on how to deal with the crypto assets of the deceased.
I urge FDPPI, the premier Data Protection agency in India to take up the issue to formulate policy guidelines in this regard.