The Sprinklr issue, as you all may have come to know, is connected with two questions of law: whether, when someone offers free services to the government in emergency scenarios, there is any necessity for tender procedures, and whether the personal data of citizens, especially health data, can be transferred to foreign companies without their consent. These questions will be answered within the existing framework of law, in the proper forums. However, I believe it is also important to use this context to review the Personal Data Protection Bill 2019, which may soon become our law. This article attempts to look at the provisions of the proposed bill in this light. In other words, the attempt is not to justify any side of the issue using a draft bill, which would be redundant.
The Sprinklr issue, in short, is all about the Kerala Government's sharing of information with a U.S.-based software company in order to make sense of the data collected as part of Covid19 mitigation efforts. While the opposition parties worry about a serious breach of privacy, the threat of data theft, and territorial jurisdiction over the company, the stand taken by the Kerala Government is that the physical storage of the data is still within India. The government also contends that as soon as it sends notice to stop the services, Sprinklr would erase the data it is handling at present, and that there shall be no use of such data other than for Covid19 mitigation purposes by the Government of Kerala.
This raises the question: what would the situation have been if Parliament had passed the PDP bill in 2019? This would be an interesting analysis for getting an estimate of the provisions of the bill and their probable consequences.
Firstly, is any sharing of people's information by the government with a private business concern, without their consent, a breach of privacy? The answer is no. According to Section 12(1)(e) of the proposed bill, personal data may be processed by the Government without consent to undertake any measure to provide medical treatment or health services to any individual during an epidemic, outbreak of disease or any other threat to public health. Further, for the purposes of the processing, the Government may transfer it to any third-party data processor (Section 31). The only rider to the case presented above is the question of necessity, upon which Section 12 rests. In other words, as per the said provisions, the Government can share the information in such emergent situations provided it proves that it was necessary to process the data for the purpose. Sharing, therefore, is not a concern at all. Now, since the given situation is a pandemic, affecting not only public health but also the global economy, the question of necessity may be easily satisfied. But the glaring loophole in the 2019 bill, of which this event reminds us, is that there is no regulation as to whom the government may share the data with for processing. No provision in the bill lays down the criteria for choosing a processor for the purposes of the government.
Here comes the second important question: is the sharing of the information with a foreign private concern legal? The answer may again be a surprise: it is legal, according to Section 33 read with Section 34, although the provision requires the Central Government, in consultation with the proposed Data Protection Authority, to have notified such purposes and transactions. There is a significant difference between Sections 12 and 33. No question of necessity comes into the discussion in the case of cross-border data transfer provided for in Section 33. Section 33 simply says that, subject to the conditions under sub-section (1) of Section 34, sensitive personal data may be transferred outside India, with the one condition that such data shall continue to be stored in India. Hence, there cannot be a question, based on the principle of necessity, of whether there was a need to involve a "foreign" entity in the present case. Precisely, the question of why Indian firms were not preferred instead is not relevant in view of Section 33. Perhaps one can try to read Sections 33 and 34 alongside Section 12 and bring in the question of necessity. However, it is far-fetched to claim that, within the existing proposal, there should be a specific necessity to transfer data to a foreign processor.
Another important concern is regarding the anonymisation of the data shared amongst multiple processors and handlers, i.e. had the Kerala Government anonymised the said data, the sharing would not have been a major issue. However, our concern here is: what are the provisions of the PDP bill 2019 dealing with it? Interestingly, anonymisation of data is not found among the identified obligations of the data fiduciary and the data processor. The data fiduciary is the entity or person who determines the purpose and means of processing personal data, while the data processor is the one who processes personal data on behalf of a data fiduciary (Sections 3(13) and 3(15) respectively). In the instant case, the fiduciary is the Kerala Government whereas Sprinklr is the processor. It is also worth noting, in this context, that the bill does not extend statutory liabilities to all those who process, handle or receive personal data. The bill imposes liabilities only on data fiduciaries and not on data processors. This means the liability of the processor under the proposed bill is limited by the contract signed by the processor with the fiduciary. The implication for the present case is that any claims of an aggrieved person have to be directed primarily against the state. The European Union General Data Protection Regulations 2016 (EUGDPR) stipulates that data controllers (fiduciaries in our case) cannot enter into contracts with processors which do not meet the responsibilities imposed by the EUGDPR on the controllers. Such a provision is conspicuously absent in the Indian version. It is also important to note that under Section 38(1)(b) of the proposed bill, the Data Protection Authority may exempt research, archiving, or statistical purposes from the application of any of the provisions of the Act, if satisfied that the purposes of processing cannot be achieved if the personal data is anonymised.
The final question that rings a bell concerns dispute resolution between the individuals whose data is shared and the fiduciaries who collect it. The bill requires data fiduciaries to appoint internal personnel as Data Protection Officers (DPO), and they will be the primary officers in charge of handling concerns and complaints filed by individuals. The bill provides 30 days for the DPO to take action on any request or complaint. Only after exhausting this option may an aggrieved person approach the adjudicators to be appointed by the proposed Data Protection Authority. Also, if not satisfied with the adjudicator's decision, the complainant may appeal to the Appellate Tribunal proposed in the bill. However, the bill forgets to mention the administrative jurisdiction of the adjudicator or the geographical locations of the benches of the Appellate Tribunal. Access to justice is therefore a critical challenge for the common man under the proposed bill. The jurisdiction of the courts is seriously limited under Section 77. Imagine the plight of an individual who will have to travel for hours just to reach the adjudicator's office. Not to mention the absence, in the bill, of provisional measures pending action from the DPO. This suggests that while a person may be aware of a continuing compromise of her privacy, she may not be able to stop such compromise immediately. Individual users who are not tech-savvy may be left without any reliable and immediate assistance from the law or the authorities.
Above all, there is a serious issue of Centre-State relations in the proposed Personal Data Protection Bill 2019. The powers are concentrated at the Centre, and it is doubtful whether state governments get even a minimal say in the implementation of the proposed law. The bill may also raise a concern as to whether state governments would have any discretion left to act promptly and swiftly, as in the present case. The states and individuals are certainly under-represented in the bill. The Joint Parliament Committee (JPC) is presently analysing the Personal Data Protection Bill that was introduced in the Lok Sabha on 11 December 2019, and its report is pending. While business enterprises and techies continue to lobby for changes in the provisions of the bill, and have also successfully created precedents in the Covid19 mitigation, it is important to discuss what the common man has in the bill and what he should ask from the law-makers. We must persuade the government to expand access to justice at district or sub-district levels, and to introduce provisional remedies for cases pending with the DPO or DPA. This is the minimum we should demand. Further, we should convince the parliamentarians to establish statutory liabilities on all those who receive or handle data, to establish guidelines on third-party processing by governments, and to decentralise powers to state governments. We must look for guarantees for the above in the proposed legislation and must not compromise on the position that these may be laid down as administrative orders at a later stage. The Covid19 mitigation and #Sprinklr are lessons to be learned.
(Nithin Ramakrishnan is an honorary fellow of the Centre for Economy, Development and Law, Thrissur and is currently working as Asst. Professor of Law, at Department of Ethics, Governance, Culture and Social Systems, Chinmaya Vishwavidyapeeth, Deemed to be University, Kochi. Views expressed are strictly personal).