PDPA 2021: The nature of Data as an Asset and nomination facility

India enacted ITA 2000 (Information Technology Act 2000) with effect from 17th October 2000 and amended it in 2008 with effect from 27th October 2009. The provisions of ITA 2000/8 included legal recognition for a binary expression which we refer to as an “Electronic Document”, and how such electronic documents can be used and the consequences of its mis-use.

In the amendments of 2008, the act was sharpened with the introduction of how sensitive personal data is expected to be protected through a “Reasonable Security Practice” and the consequences for negligence in the process.

The Personal Data Protection Act (PDPB 2021) and the Crypto Currency Regulation bill which are presently being considered in the Parliament for passage have opened up some discussions on what is the legal nature of some special kinds of electronic documents.

Arguments in the context of Crypto Currency bill revolve around the need to ban Crypto currencies from private entities since it could destroy the legit economy by undermining the central bank currency. However when it comes to the legal status of a Crypto Currency, it has its recognition as an “Electronic Document” and hence one argument is that it should be considered as a separate Asset Clause and allowed to be traded in the stock markets like a “Commodity”.

The now abandoned draft Bill DISHA (Digital Information Security for Health Act) had provided that “Health Data” is owned by the health data subject as if it was a “Property”.

The PDPB 2021 considers “Personal Data” as a special kind of data and ascribes a whole lot of regulations on how it can be collected, used and disposed along with the consequences of contravention of the provisions.

In perception, Personal Data is a separate asset clause in the Corporate Data Asset store and to be compliant with PDPB 2021, an organization needs to recognize its “Personal Data Asset”, classify it as Personal, Sensitive personal, critical personal etc, create an inventory tag it with the country of origin of the data principal, the notice and consent associated with its collection and usage and so on.  The personal data is not a single piece of data and is often an aggregation of data elements from different sources at different points of time. It has depth and width. It also has a quality tag and an erosion of quality over a period of time.

In view of the fact that personal data like all data has an economic value to the user organization, different types of personal data have different values and the “Data Valuation Standard of India” (refer www.dvsi.in/wp) has developed a tentative methodology for valuing the data in the control of organizations and bring it to the books of account.

However, in the midst of these activities, the treatment of the data of “Deceased” data principals has been an issue that required attention. Under several articles in naavi.org (Refer here)we have discussed this issue in the past.

One of the issues discussed there in is whether ITA 2000/8  Section 1(4) Schedule can be amended to include the feasibility of a “Will” for data assets. The other option is to provide for a “Nomination” facility under law.

In financial assets there is both the provision of a “Will” through which the financial assets can be passed on to legal inheritance as well as nomination of Bank accounts.

The nomination facility for Bank held assets were brought in through section 45Z (introduced in 1985) of the Banking regulation Act which states as follows:

45ZA. Nomination for payment of depositors’ money.—

(1) Where a deposit is held by a banking company to the credit of one or more persons, the depositor or, as the case may be, all the depositors together, may nominate, in the prescribed manner, one person to whom in the event of the death of the sole depositor or the death of all the depositors, the amount of deposit may be returned by the banking company.
(2) Notwithstanding anything contained in any other law for the time being in force or in any disposition, whether testamentary or otherwise, in respect of such deposit, where a nomination made in the prescribed manner purports to confer on any person the right to receive the amount of deposit from the banking company, the nominee shall, on the death of the sole depositor or, as the case may be, on the death of all the depositors, become entitled to all the rights of the sole depositor or, as the case may be, of the depositors, in relation to such deposit to the exclusion of all other persons, unless the nomination is varied or cancelled in the prescribed manner.
(3) Where the nominee is a minor, it shall be lawful for the depositor making the nomination to appoint in the prescribed manner any person to receive the amount of deposit in the event of his death during the minority of the nominee.
(4) Payment by a banking company in accordance with the provi­sions of this section shall constitute a full discharge to the banking company of its liability in respect of the deposit: Provided that nothing contained in this sub-section shall affect the right or claim which any person may have against the person to whom any payment is made under this section
Similarly Section 45 ZC and 45 ZE provides for nomination for return of articles kept in safe custody and in safety lockers. with banking company

The legal jurisprudence on the nomination facility in the banking system is that payment or deliver of articles to a nominee discharges the Bank of its liabilities though it is not a legal settlement of the title. The legal heirs are open to settle their claims separately through the testate instruments such as a Will or through other measures available under the transfer of property provisions of law. Nomination does not settle legal ownership and is only a procedural facilitation for the convenience of the Banking system.

Now, PDPA 2021 introduces the concept of Nomination in respect of “Personal Assets” through a provision in the Bill.

Under the proposed Section 17 (4) regarding Rights of the Data Principal,

it is provided that

The data principal shall have the following options, namely:-

(a) to nominate a legal heir or a legal representative as his nominee;
(b) to exercise the right to be forgotten; and
(c) to append the terms of agreement, with regard to processing of personal data in the event of the death of such data principal.”

Reading this along with the current provisions of ITA 2000, we need to interpret that this provision is only for “Nomination”  and not to transfer “Legal Ownership” of the data. Hence this does not also confer the status of “Property” to the data.

This provision also has another anomaly since it tries to provide rights of amendment to a contract signed when the person was alive and in respect of a right that does not subsist after the death of a person.

This needs to be corrected by changes to this amendment failing which this provision could be considered as “Ultra Vires” the established process of law and introduce an ambiguity that will become a focus of end less litigation in future.

If this section survives the passing of the Bill, then watch out for the amendments to be made to PDPSI (Personal Data Protection Standard of India)  implementation specifications  where  we may suggest how this anomaly may be handled.

Naavi

(Comments welcome)

Other articles on DPA 2021

14. PDPA 2021: Concept of Discovery Consent

13. JPC Recommendations on SWIFT Alternative: Out of scope and Disruptive of Global Economic System

12. JPC recommendation on Children Data

11. JPC recommends DPA to watch on Incident Register

10. JPC comments beyond the Amendments-2: Implementation Schedule

9. JPC comments beyond the Amendments-1-Priority of law

8. Clarifications from the JPC Chairman on DPA 2021

7. Anonymisation is like Encryption with a destroyed decryption key 

6. PDPA 2021: The data breach notification regarding Non Personal Data

5. PDPA 2021: The Data Protection Officer is now in an elevated professional status

4. PDPA 2021: The nature of Data as an Asset and nomination facility

3. PDPA 2021: Regulating the human perceptions

2. PDPA 2021: Definition of Harm to include psychological manipulation

1. PDPA 2021: Should Big Data and Data Analytics industry be worried?

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.