In continuation of the concerns that Naavi.org has expressed regarding the need to recognize and document the transfer of digital assets of deceased data principals, Cyber Evidence Archival Center (CEAC) which is a division of Ujvala Consultants Private Limited has started with immediate effect a “Repository Service for written instructions regarding disposal of digital assets on the death of a data principal”.
It is to be noted that in India, “Will in electronic form” is not recognized. Any instruction that relates to an action to be undertaken on the death of a person will have the character of a testamentary statement and hence cannot be expressed in the form of digital documents such as e-mails.
At the same time, a proper will needs to be witnessed and registered. It needs to contain some basic information. There are many websites from which a format of will can be obtained.
This repository service is meant for people who want to state their digital holdings and ensure that they can be claimed by the legal heirs. At FDPPI we are working on some suggestions to be given to the Government, and we hope that in due course the Government may introduce a valid system of nomination of digital assets. However, the increasing number of deaths caused by Covid indicates that we need a service as envisaged immediately.
Under the process, CEAC will receive paper-based instructions written in the depositor's own handwriting (not typewritten), indicating the name and address of the person along with the details of the digital assets (such as e-mail account, Facebook account, etc.), in a sealed cover sent by registered post (with acknowledgement and also confirmation over e-mail) and marked “For Digital Asset Disposal Repository”. The cover would not be opened and would be deposited in a bank locker.
The deposit will be charged a fee. Current proposed fee is Rs 500/- per deposit and needs to be renewed annually.
The retrieval will be subject to the process suggested under CLCC, which is subject to fine-tuning, and will also be charged. At the time of retrieval, the cover would be opened in front of the claimant and a legal representative of the claimant, and the information contained therein would be provided so that the further legal process of adding the digital assets to the succession certificate application can be carried out. The retrieval charge proposed now is Rs 1000/-.
CEAC would not be responsible for the instructions not being considered as a valid will.
This is a service which would be in operation until a more formal arrangement may evolve with changes in law.
At present CEAC reserves the right to stop the service completely any time after 2 years.
More details can be obtained by sending an e-mail to ceac.naavi@gmail.com
It was shocking news to receive today that our friend and Cyber Law expert Mr Neeraj Arora is no more. It appears that he had recently recovered from Covid but succumbed to cardiac arrest.
Mr Neeraj Arora was a specialist in Electronic evidence with his understanding of the law and also the practices in the law enforcement. He was also an excellent presenter and contributed to the growth of Cyber jurisprudence in respect of Section 65B.
He was one of the lawyers whom people in Delhi were afraid of while presenting Electronic evidence as he was one of the few persons who could trouble witnesses in cross examination.
His LinkedIn profile contained the following description.
“Mr. Neeraj Aarora is a practicing advocate, an arbitrator and a computer forensic expert. He is AOR in Supreme court & Public Prosecutor with NIA and also on the panel of Controller of Certifying Authorities, Ministry of Information Technologies, Govt. of India. Also being a technocrat, he has developed strong dominion over Cyber, Law & Finance domains and has unique ability to integrate Bit & Byte, Debit & Credit with Law. His exposure as Defence Lawyer, Special Public Prosecutor, Law Enforcement Officer and Arbitrator gives him an edge to appraise any case from all the perspectives. He is law graduate from DU, a Fellow Member of ICAI and Certified Fraud Examiner from ACFE (USA). He has done PG Diploma in ADR, Cyber Law and Drafting of Legislation, Treaties, International Agreement & Contracts from Indian Law Institute, New Delhi. In technology domain, he has done PGD(Cyber Law), CEH, CHFI, CISA, CISSP & MBA (IT) apart from various other certifications on emerging technologies. He is also Certified Forensic Computer Expert from IACIS, a certification approved by Forensic Specialties Board (USA). He is also International Coach on computer forensic with International Association of Computer Investigative Specialist (IACIS), U.S. He is the Managing Partner of his Techno Legal Firm, Hazen Legal Associates which specializes in Criminal Law, Cyber Law, Digital Evidence, Privacy and other compliances under IT Act, 2000. He specialises in handling techno-legal issues in Courts primarily relating to Computer Forensics, Audio-video Evidences, Block-chain, AI, Machine Learning, Privacy, Robotics, Big-data, Drones, Data Protection etc. Mr. Aarora is a visiting faculty on these techno-legal issues with Indian Law Institute, National Judicial Academy, National Law University, National Police Academy, Judicial Academies, NICFS, CBI, ISACA, ISC2 and various other institutes of repute.
He is also an Arbitrator & Member of Appellate Arbitral Tribunals at National & International Level. He has successfully handled more than 600 matters in mediation & given 300 awards as an Arbitrator & Member of Appellate Arbitral Tribunal and presided as Presiding Arbitrator in more than 50 cases. Mr. Arora is the President of Cyber Research & Innovation Society which has been promoted by Mr. Aarora to promote the research & innovation on these techno-legal domains by bringing technocrat, legal professionals, researchers & users on one platform to develop the methodologies & remedies for safer use of these technologies by common man, stake-holders, industry & society at large.”
I was privileged to have his voluntary endorsement on my LinkedIn profile.
The last time we came across each other in the physical world was at NLSUI, Bangalore during a seminar in which both of us were speakers. I have lost a professional friend and his sudden demise is a loss to the field of Cyber Law.
Mr Neeraj Arora will be remembered through many of his videos which will remain in YouTube. Our heartfelt condolences are with his family.
I was working on the policies to be adopted by Data Fiduciaries to protect the data assets of a deceased data principal. It is time to dedicate the draft policy, which is available here in the CCLC (Cyber Law Compliance center), to his memory.
FDPPI is the leading organization in India focusing on development of systems and best practices for “Privacy and Personal Data Compliance Management System” (PDP-CMS) and DNV is one of the oldest Management Certification organizations in the world.
The two organizations have come together in a collaboration that offers to the Indian industry co-branded services for building a Privacy and Data Protection Culture in the country and prepare the industry and professionals for the forthcoming Personal Data Protection Act in India through
a) FDPPI-DNV Certification program for Data Protection Professionals
b) FDPPI-DNV Certification of organizations for implementation of PDP-CMS (Personal data protection compliance management system)
c) FDPPI-DNV DTS (Data Trust Score) evaluation
Mr Rajeev Panicker, head of the ICT business vertical for Det Norske Veritas GL (DNV) for the India & Middle East Region, addressed the FDPPI members on 12th May 2021, during the Jnaana Vardhini session and highlighted the essence of the collaboration between FDPPI and DNV.
Recognizing the value of the complementary nature of the activities of the two organizations, FDPPI and DNV have decided to make co-branded offers for the benefit of the community.
Accordingly, both organizations will offer services of each other to their clients and also execute projects by sharing their resources.
FDPPI has about 37 supporting members of which several members represent organizations which provide their services through revenue sharing arrangements with FDPPI. All of them will now be able to expand their services portfolio with the addition of the FDPPI-DNV co-branded services.
The arrangement is expected to expand the reach of both organizations and benefit the community at large.
We are happy to announce that the difficulties of Net4India Customers who had lost control of their domain names, e-mail accounts, hosting facilities etc because the NCLT committed the blunder of not recognizing the existence of a continued business and the interest of the customers and blindly went ahead to declare Net4India as insolvent and freeze its operations may be coming to an end.
While the systemic changes required to be brought in to ensure that such incidents do not recur will continue to be followed up with the MeitY, I am glad to know that ICANN has completed the process of selecting a registrar who would take over the current business of Net4India Ltd.
As per the announcement, PDR Ltd, (Public Domain Registry) has been designated as the organization to which the Net4India registrations would be transferred.
ICANN anticipates PDR will begin contacting registrants with information on how to access and manage their domain name registrations by early next week.
Once completed, the ICANN-approved bulk transfer will result in the migration of all gTLD registrations from Net 4 India to PDR. There is no charge to registrants for this bulk transfer, and no AuthInfo codes are required for this process.
Once the transfers happen, we suppose that it would be the discretion of the registrants to either continue with PDR or transfer the domains to their preferred domain registrars. Since PDR will be expensive compared to other registrars, we suppose most of the registrants would look to transfer the domains to alternate domain registrars.
We need to wait and see how this proceeds further.
In the process of this appointment of PDR as the registrar, ICANN has ordered an automatic data transfer across the borders for which there is no consent. Also this is likely to transfer the continuing business potential of the customers who were wronged by NCLT to a foreign registrar. MeitY by not intervening in the process has caused the erosion of foreign exchange and cross border data transfer, which need to be corrected.
It is presumed that NCLT must have approved the scheme. If so, we need to again point out the lapse on the part of NCLT not to have recognized the need to get the business transferred to an Indian registrar.
Some views were also expressed through the following webinar in the FDPPI’s Jnaana Vardhini Series.
Following this webinar, FDPPI has set up a task force to develop a recommendatory white paper on the handling of Personal data of deceased data principals under the PDPB 2019 which will come up for further discussion in the Parliament during the next session. The task force recommendation would be taken up with FDPPI’s PDP Advisory Board for developing a broader policy at the national level. Also FDPPI’s PDP Code Committee will develop the code of practice for Data Fiduciaries to develop the policy document applicable for Data Fiduciaries on handling the personal data of the deceased customers.
The problem of determining how to handle personal data of deceased persons has many complications. Personal Data is often the key to access data lying with a Data service provider (Eg: E Mail service provider or a hosting company). The data lying within the account space of a service provider can be identified as an intellectual property coming under “Copyright”. A software code developed by an individual may have copyright and also patent rights. In such cases the “Property character” of the data is well established and what is required is a “Claim Process” to enable the legal heirs to inherit the rights on the intellectual property.
However, “Personal Data”, which includes the “Password” used for accessing the account, is not clearly recognized as a “Property”, and the right on individually identifiable data elements required as a password or to re-set the password cannot be assigned like the ownership of an “Intellectual Property”. In order to ease the claim process for settlement of a deceased person’s data property, if we start recognizing personal data as “Property” then during the lifetime of the data principal, we must agree for alienation of the personal data as a property.
In the “Non Personal Data” scenario, it is possible to recognize data as an alienable property and a “Sale” or “Licensing” or “Assignment” can be recognized as a means of transferring the property. But in the case of “Personal Data” Indian PDPB and GDPR may prefer to avoid the term “Sale” and use only “Assignment of Rights” as a means of transfer of any beneficial interest.
The Singapore PDPA, which has extended the rights under the PDPA-2012 (Sg) to the personal information of deceased persons for 10 years, and the HIPAA, which has extended certain obligations of the covered entity to protect the EPHI for 50 years, have looked at the “Personal Data of the deceased persons” as a “Commodity”. Though “Rights of Privacy” have no significance after death even under these laws, the laws expect “Protection”, including non-disclosure to unauthorized persons, to continue for the stated time period.
It is only in CCPA that the prospect of “Personal Data” being capable of being “Sold” has been discussed without any reservations.
Though Indian law has not spoken of “Transfer of Personal Data” from one person to another, the concept of “Consent Manager” used in the Act indicates that a Data Principal can transfer the right to “give consent” or “withdraw consent” to the consent manager. Just as the collection of personal data from a data principal to a data fiduciary is supported by a “Consent” in accordance with the Indian Contract Act, the provision of the right to “Give or withdraw consent” is given by the Data Principal based on the “Consent to appoint a Consent Manager”.
Unfortunately the “Consent” which is a “Contract” does not survive the death of the Data Principal and hence on receipt of the knowledge of death of the consent giver, the data fiduciary should freeze the transactions in the account. Where the basis for collection and processing was not consent (say in GDPR) then, there would be a “Legitimate Interest” which survives the death of the data principal.
Hence the legal basis of collection and processing can have an impact on the right of the data fiduciary to continue processing of a deceased data principal’s personal data.
One solution which would have resolved this issue was to have introduced a “Nomination” facility for “Personal Data”. This has to be done with a new statutory provision and perhaps the PDPB 2019 itself is an opportunity to introduce the provision of “Nomination”.
In case the JPC has not suggested any provision in this regard, this can be introduced as an additional amendment when the Bill is introduced in the Parliament. This requires introduction of a definition of “Nomination of Personal Data” in Section 3 and also an additional sub-section under Section 14 (“Processing of personal data for other reasonable purposes”).
The detailed procedures under this clause may include
a) Sending an annual confirmation request (similar to balance confirmation in Bank overdraft accounts) for validating the privacy policy.
b) If no reply is received to the confirmation request, sending a second request with a notice that the account would be de-activated and tagged as “Dormant” after a period of say 6 months.
c) If no reply is received for 6 months, sending a final notice and transferring the account along with the personal data to an archive.
d) If no re-activation request is received for 2 years (or say 6 years as in the case of HIPAA), transferring the personal data and the data lying in the account to a Government Repository, which can be created by the DPA itself, by adding a new function of DPA under Section 49(2).
The PDPSI framework will be immediately incorporating this suggestion as a recommended implementation specification within Implementation Specification (IS17) on Notice and Consent form, and related implementation specifications such as Classification (IS 33), Access Control (IS 36), Data Storage and Security (IS 37), Data Destruction (IS 43) etc.
In the absence of the available guidance from the DPA and the PDPB 2019, PDPSI will incorporate some controls which may be modified after the PDPB 2019 becomes a law.
PDPSI will therefore be the first framework for PDP-CMS which would address this contentious issue as a part of the compliance.
A statement attributed to an official states “The move would bring in greater transparency in the activities of companies engaging in trading of cryptocurrencies, which are not legal tender in India”.
We are aware that the media particularly the above two publications hold an editorial policy in support of the legalization of the Digital Black Currency in the name of Bitcoin and its various avatars.
We are also aware that there are many in the Government particularly in the Finance Ministry who are sympathetic to Bitcoins. So also many judges in the Supreme Court.
We have been demanding that the Government officials, Judges and also businessmen should declare their holdings of Bitcoin and all related “Private Cryptos”.
In the light of the above demand, if we look at the MCA notification it is clear that MCA has thrown a gauntlet at the Digital Black Money holders. It could be considered as a clever move to trap the holders of Digital Black wealth.
We are aware that many corporates who were attacked with ransomware demands, did pay out using Bitcoins. Obviously, they should have diverted their white money into buying Bitcoins and it would not have reflected in the Balance sheet. Now they need to disclose the transaction along with the source of payment, details of the seller and the exchange through which they bought.
If they have used their personal black money, then they cannot disclose the transaction. If the seller has sold it from his black wealth, he will need to explain. If the Exchanges claim that they are doing KYC, they need to declare the identity of the people involved. If the transaction has gone through a Bitcoin wallet held abroad, there is a possibility of a havala transaction.
If the companies do not declare their Bitcoin holdings, if and when the Government bans the Crypto and gives a window for existing investors, the Companies who have hidden the transaction now cannot declare later.
The same argument applies to the individuals. They now need to declare their crypto assets in this year’s tax return and if they do, have to explain the source. If they do not, then they permanently remain black money holders and in the eyes of Indian law remain tax evaders.
Damned if you do and Damned if you don’t.
I am sure that the same publications which are today welcoming the MCA move will tomorrow ask for more concessions to ensure that the current holders are given immunity. Then the same people who were opposing the Electoral Bonds, Bearer Bonds and the schemes for regularization of previous tax defaults will have to eat their words.