Sprinklr Privacy Policy may be inadequate for data protection

The PIL filed against the Kerala Government and Sprinklr over the Covid patient data processing contract has brought before the Kerala High Court one of the first real tests of the Privacy Protection principle in India.

The Court has, in its preliminary hearing, passed several injunctions against the US company Sprinklr, raising questions on the privacy protection of the patients. The Court has set the next hearing for 18th May 2020.

We need to note that India is on the threshold of passing its own Privacy protection law, and soon thereafter there will be discussions with the GDPR and other international regulators about the “Adequacy” of the Indian privacy protection regime. For this consideration, apart from the law as passed, the attitude of the Courts will be an important factor. Hence the way the Kerala High Court decides this case will indicate whether the Indian judicial system respects privacy adequately or not.

The order therefore needs to be studied on some of the academic points that it raises.

Copy of the order

This case has arisen because the Kerala Government entered into a contract with Sprinklr, an online data processing company, to process Covid patients’ data. The contract has been challenged on several grounds, and what we are interested in are the privacy issues that have come up for discussion.

The issue here is that the data sought to be processed by Sprinklr is “Sensitive Personal Data”, and there is an issue of “Reasonable Security Practice” and “Due Diligence” under ITA 2000 (Section 43A). Since the Personal Data Protection Bill 2019 (PDPB 2019) is intended to be a direct replacement of Section 43A, the reasonable security practice may currently be taken to be the compliance requirements as stated in the PDPB 2019. Hence we need to evaluate the arguments on whether Privacy Protection is adversely affected or not by the contractual arrangement with reference to PDPB 2019.

In this connection, the Data Protection obligations, the Rights of the Data Principal, the mandatory explicit consent, the restrictions on transfer of personal data outside India, the security requirements etc. become relevant.

At the outset we need to recognize that information on Covid is “Sensitive Personal Information” and hence it requires “Explicit Consent” for processing and for transfer out of India.

The Court has spoken of the need for “Confidentiality” and “Anonymization”, which also need to be discussed.

According to the defense of Sprinklr,

a) The confidentiality of the data of the citizens is guaranteed as per the terms of the contract.

b) The State Government has undertaken to take full responsibility for its protection

c) Available protection systems on the Amazon cloud service make it impossible for Sprinklr or anyone else to breach confidentiality or to deal with the data surreptitiously or maliciously.

d) Sprinklr does not hold any data at present and has transferred all such data back to the Kerala Government.

e) Data resides in India, and hence any breach of its confidentiality will expose Sprinklr to action in India; hence the standard form clause of jurisdiction in the USA should not be objected to.

The MeitY has argued that Sensitive personal data should always remain in India and also that the data should be anonymized before it is handed over to the processors. It has also rightly insisted that the company should confirm that the data transferred earlier has been purged.

Considering the current situation, where the Court does not want to adversely affect the Government’s efforts in controlling Covid, the Court has decided to take an interim view only on ensuring the confidentiality of the data and to take up a detailed hearing later.

The injunctive relief granted by the Court is therefore based on the consideration that the confidentiality of the data has to be maintained.

The approach of the Court is to be appreciated: it has tried to take a balanced view and rejected most of the contentions of Sprinklr without taking any drastic step that could adversely affect the Covid prevention efforts of the Government.

But when the case is heard in detail, the defense provided by Sprinklr will come under detailed scrutiny. In this regard, its Privacy Policy, the Terms and Conditions, the Data Protection Addendum and the GDPR Privacy by Design policy will all come under scrutiny.

There is a possibility that between now and the next hearing, Sprinklr may make changes to its website policies, which would amount to tampering with the evidence. Hence all these documents have been archived by CEAC, and any changes, if attempted, will be provable as tampering with evidence.

From a first glance at these documents, it appears that the company’s defense that it follows international standards of data protection and hence nothing can go wrong may not be a tenable argument. There is enough indication that the documents are only statements of intent that do not seem to be reflected in the actual implementation. The information so far available in the news reports is sketchy, and if the company is subjected to intense cross-examination, it may be possible to bring out more inconsistencies and show that they do not have any credible evidence to substantiate their defense.

It will be interesting to observe how both sides take the case from here. We would refrain from more discussions at this stage for reasons of propriety. If however a need arises in the coming days, more points may be taken up for discussion.

What we are interested in is observing whether the Court will impose a heavy penalty as envisaged in PDPB 2019, which is also consistent with the GDPR that the Company swears by. The penalty to be imposed has no relation to the fact that the sensitive personal data has now been returned or that the Company has deferred the receipt of remuneration by 6 months. We know that “Data” has value, and just as Crude oil can be sold at -37$ per barrel, it is not impossible to think that “Data” can be bought at “Zero” value for the hidden benefit it represents.

Also, the attempt to justify the jurisdiction clause, which requires the Kerala Government to raise its disputes, if any, in New York, is laughable to say the least. If a dispute arises, the company would definitely invoke the jurisdiction clause and stall any proceedings in India.

I wish the company was more straightforward than to claim that the jurisdiction clause does not matter. If so, it will be a great precedent to all other customers of Sprinklr and other service providers to simply ignore the jurisdiction clause and proceed in India.

It is open to the Court, however, to accept the admission of the company that since the data is stored in India, the company can be sued here. The Court can confirm that since the Contract is a standard form contract, and it is not supported by authentication by digital/electronic signature, it has only the status of an implied dotted line contract, and hence the jurisdiction clause deserves to be rejected as an “Unconscionable clause”.

This will help many others and also provide a new reason for imposing data localization in the PDPB 2019, since it helps in overcoming the inconvenient jurisdiction clause. If the company retracts this argument, as it is likely to do, then the current argument will be considered an attempt to mislead the Court.

It is also strange that the Company is arguing that the State Government is indemnifying the Company by taking “full responsibility”. If so, it is another point that proves that the contract is unfair to the Kerala Government.

Another point which the Company seems to forget is that in “Personal Data Protection”, ensuring “Confidentiality” is only one aspect. It is an information security issue and is a necessary but not sufficient condition of the data protection obligation.

What is more relevant in data protection is that, beyond securing the confidentiality, integrity and availability of personal data, there are other aspects such as consent, rights, the lawfulness of the processing etc.

Hence, just because the data is protected (we are not aware whether the Amazon cloud data was actually encrypted), it does not mean that all obligations of data protection are fulfilled. Also, just because no data breach has occurred so far, we cannot say that a contravention of the privacy right cannot be recognized.

Hence the last word has not been said in this case. We hope that the High Court stands up to the principles and comes to a good conclusion without succumbing to the defense of “urgency” etc.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He is now focusing on projects such as Secure Digital India and Cyber Insurance.