This article is written by M.S.Bushra Tungekar, from University of Mumbai Law Academy. This is a comprehensive article that analyses personal data protection.
Ever wonder how the major league brands spread across the globe monitor and manage their reputation over social media platforms such as Twitter, Facebook, and Instagram? With a booming digital marketing industry, how do brands such as McDonald's, Dell, Microsoft, Nike, Lenovo, and NASA handle customer interactions and engagements?
It must be difficult. Well, not after the launch of the billion-dollar startup Sprinklr. Sprinklr gives these brands a consolidated view of the customer. It helps the organization’s front office keep track of its customer interactions across various social media platforms and coordinate the data with its social media team and its marketing team. The software bridges the gap between customers and the organization, improving the customer relations of the brands.
Background of the case
The state government, however, claimed that the data was sufficiently protected and that it was taking full responsibility for the protection of the data. To reiterate its points, the Kerala government released 8 documents on its website.
What were the issues raised
There were several issues raised by the leader of the opposition party, Mr. Ramesh Chennithala. This deal sparked a political controversy.
Breach of privacy
The intrusion into the privacy of the data of COVID-19 patients was the primary issue that was raised. Entrusting a foreign firm with the private data of citizens puts the privacy of each person at risk. Furthermore, it was alleged that the data was collected and transmitted to the Sprinklr server without the consent of the patients.
Another matter of concern was that the health data collected by the tool developed by Sprinklr was stored on a US-based server, which could cause a major breach of privacy.
Concerns were also raised that, in case of a breach, the Kerala government would have no recourse and that any dispute arising would be dealt with by the courts in the US, as Sprinklr is registered in New York.
The due procedure was not followed
It was alleged by Ramesh Chennithala that, while entering into a deal with the US-based start-up, due procedure was not followed by the government. The law was not consulted before engaging in such business. The decision to enter into such a deal was taken unilaterally without consulting the law and finance departments.
Kerala government’s response
The state government also stated that the contract with Sprinklr is only for 6 months, on the expiry of which the government might have to look for alternatives, and that it has no issues approaching the center for help.
Judgment by the Kerala High Court: critical analysis
A bench comprising Justice T R Ravi and Justice Devan Ramachandran of the Kerala High Court issued guidelines as an interim order in the Sprinklr case, to be followed by the Kerala government to ensure complete protection of the data.
The Bench expressed its reservations regarding the terms of the contract and said that it was refraining from intervening at this juncture so as to not disrupt the measures taken for Covid-19. However, the following guidelines were laid down in the interim order:
- The High Court directed the Kerala Government and its concerned departments to anonymize the data (that is, to process the collected data in such a way that personally identifiable information is deleted) which has already been collected from the citizens under quarantine, and to permit Sprinklr to access such data in the future only after it has been anonymized.
- Every citizen whose data is being collected and is to be shared with Sprinklr or any third parties shall be informed about the same and their consent for it shall be obtained.
- Sprinklr has been restricted from committing any breach of confidentiality and from disclosing such data to any third party.
- The court injuncted Sprinklr from dealing, directly or indirectly, with the data entrusted to it by the Kerala government in any way that conflicts with the confidentiality terms of the contract. Sprinklr shall entrust the data back to the government on completion of its contractual obligation.
- Sprinklr was directed to send back all the residuary or secondary data to the government.
- Sprinklr was further injuncted from advertising that they have access to data regarding Covid-19 patients.
- Restrictions were put on Sprinklr from exploiting the data and the official logo of the government for any commercial benefit.
Right to privacy and data protection
Private data protection refers to safeguarding an individual’s private data with the help of privacy laws and procedures. Private data involves any information of such a nature which can identify an individual. Such information of an individual is sensitive in nature and is not available publicly.
Under the Constitution
In the landmark case of Justice K S Puttaswamy (Retd.) & Anr. vs. Union of India and Ors, a constitutional bench of the Supreme Court held that the right to privacy is a constitutional right that emerges from Article 21, which guarantees the right to life and personal liberty. However, such a right is not an absolute right and is subject to reasonable restrictions.
Under the Information Technology Act, 2000
The Government notified the Information Technology Rules (Reasonable security practices and procedures and sensitive personal data or information), 2011, which deal with the protection of sensitive data. These rules provide for security procedures that must be followed by corporate bodies dealing with, handling, processing, storing, or collecting sensitive data. On failure to do so, the corporate body shall be liable to pay damages.
What can be expected in the future
Currently, the protection of personal data is not regulated by a specialized law in India but is regulated by the Information Technology Act, 2000, and the Information Technology Rules (Reasonable security practices and procedures and sensitive personal data or information), 2011. The need for codified laws regulating the collection, processing, and storage of sensitive personal data is recognized by the Indian government.
An expert committee was set up by the Union Government chaired by Hon’ble Shri Justice B N Srikrishna to examine the various issues related to personal data protection. Data protection laws and procedures must be based on the following key points:
- Must be flexible enough to adapt to changing technologies.
- The laws must have a holistic approach and be applicable to both private and government entities.
- Proper and informed consent of the individuals should be taken.
- The data which ought to be processed should be minimal and necessary.
- Structured enforcement and accountability. There should be a proper and robust enforceable structure along with provisions for holding the controller of data accountable for any negligence or breach.
- Adequate penalties must be enforced.
Personal Data Protection Bill, 2019 (PDPB)
To fill the lacunae of this legislation and to protect the personal data of the citizens from any intrusion, the Personal Data Protection Bill, 2019 (PDPB) was introduced in the Lok Sabha. The main aim of this bill, other than the protection of data, was to establish a framework, and it shall also create an independent Data Protection Authority for the said purpose. This bill would supersede the Information Technology Act, 2000.
Features of the bill are further discussed below
PDPB controls the processing of private data of individuals not only by Indian companies but also by the government and foreign companies (if they deal with personal data of Indian citizens). Under the Bill, certain personal data has been categorized as sensitive data. Sensitive data may be in the nature of biometric data, religious preferences, financial data, etc.
- The obligations of data fiduciary
A data fiduciary under the bill means any person, company, or state that regulates the purpose and means of processing data. The processing shall be for a lawful purpose, limited to the extent of need and purpose. Individuals whose data is being collected shall be duly notified before the collection of such data. The individual should be informed about the nature and purpose of the collection.
- Rights of the data principal
The rights of a data principal include the right to withdraw consent, to seek confirmation on whether their data is being processed or has been processed, to transfer data, to make corrections, and to restrict the use of data by the data fiduciary.
- Grounds for processing personal data without consent
There are certain exceptions under which the data fiduciary may process personal data without the consent of the data principal. Such exceptions are in case of legal proceedings, for the safety of an individual in case of a disaster, and for providing benefit to an individual if needed by the state.
- Transparency and accountability
- Transfer of private data outside India
Sensitive data may be transferred outside India. However, the data must be stored in India. In case of transfer of the data outside India, explicit permission of the data principal must be taken.
The union government, in the interest of the state, exempts any of its agencies from the applicability of the Act. Processing of personal data is also exempted for journalistic purposes, personal purposes, and investigation of any offense.
- Data Protection Authority of India
PDPB 2019 establishes an independent authority for the purpose of safeguarding the interests of the data principals. The authority has the power to monitor, create awareness, enforce the Act, and prevent misuse. The authority may also issue directions from time to time, call for information, conduct inquiries, and conduct searches and seizures.
- Offenses and penalties
When a data fiduciary contravenes certain provisions related to data protection, the fiduciary shall be liable to pay a penalty which may be up to five crore rupees or two percent (2%) of its total worldwide turnover of the preceding financial year. Furthermore, if the fiduciary violates laws relating to the processing and transfer of data outside India, it shall be punishable with a penalty which may extend to fifteen crore rupees or four percent (4%) of its total worldwide turnover of the preceding financial year, whichever is more.
It is pertinent to note that the need for codified laws regulating the collection, processing, and storage of sensitive personal data is recognized by the Indian government. The Personal Data Protection Bill, 2019, which was introduced in the Lok Sabha, is still pending.