Can the personal data of citizens, especially health data, be transferred without their consent to foreign companies? Is a tender procedure necessary when free services are offered to the government in emergency scenarios? These are the main legal questions connected with the recent Sprinklr controversy, and they will be answered within the existing framework of law, in the proper forums. However, it is also important to consider this context when reviewing the Personal Data Protection Bill 2019 (PDP Bill 2019), which may become law in the near future. This article attempts to look at the provisions of the proposed Bill in this light. In other words, the attempt is not to justify either side of the issue using a draft bill, which would be redundant.
The Sprinklr issue, in short, concerns the Kerala Government's sharing of information about COVID-suspected patients under surveillance with a US-based software company, in order to make sense of the data collected as part of mitigation efforts. While the opposition parties worry about a serious breach of privacy, the threat of data theft and the territorial jurisdiction over the company, the stand taken by the government is that the physical storage of the data is still within India. The government also contends that as soon as it sends notice to stop the services, Sprinklr would erase the data it is handling, and that there shall be no use of such data other than for COVID-19 mitigation purposes by the Government of Kerala. Here arises the question: what would the situation have been if the Centre had passed the PDP Bill in 2019? This is an interesting analysis for estimating the effect of the Bill's provisions and their probable consequences.
Firstly, is any sharing of people's information without their consent by the government with a private business concern a breach of privacy? The answer is no. According to Section 12(1)(e) of the proposed Bill, personal data may be processed by the government without consent to undertake any measure to provide medical treatment or health services to any individual during an epidemic, outbreak of a disease or any other threat to public health. Further, for the purposes of the processing, the government may transfer it to any third-party data processor (Section 31). The only rider to the case presented above is the question of necessity, upon which Section 12 rests. In other words, as per the said provisions, the government can share the information in such emergency situations, provided it proves that processing the data was necessary for the purpose. Sharing, therefore, is not a concern at all. Now, given that the situation is a pandemic affecting not only public health but also the global economy, the question of necessity may be easily satisfied. But the glaring loophole in the 2019 Bill, which this event brings to light, is that there is no regulation as to whom the government may share the data with for processing. No provision in the Bill lays down the criteria for choosing a processor for the purposes of the government.
Here comes the second important question: is the sharing of the information with a foreign private concern legal? The answer may come as a surprise—it is legal according to Section 33 read with Section 34, although the provision requires the Central Government, in consultation with the proposed Data Protection Authority (DPA), to notify specific purposes and transactions for which cross-border data transfer can be undertaken. There is a significant difference between Sections 12 and 33. No question of necessity comes into the discussion in the case of cross-border data transfer provided for in Section 33. Section 33 simply says that, subject to the conditions under sub-section (1) of Section 34, sensitive personal data may be transferred outside India, with one condition: such data shall continue to be stored in India. Hence, there cannot be a question based on the principle of necessity as to whether there was a need to involve a 'foreign' entity in the present case. Precisely, the question of why Indian firms were not preferred instead is not relevant in view of Section 33. However, it is far-fetched to claim that there should be a specific necessity to transfer data to a foreign processor within the existing proposal.
Another important concern is the anonymisation of the data shared amongst multiple processors and handlers; that is, had the Kerala Government anonymised the said data, the sharing would not have been a major issue. The concern here, however, is what provisions of the PDP Bill 2019 deal with it. Interestingly, anonymisation of data is not found within the identified obligations of the data fiduciary and the data processor. A data fiduciary is the entity or person who determines the purpose and means of processing personal data, while a data processor is one who processes personal data on behalf of a data fiduciary (Sections 3(13) and 3(15), respectively). In the present case, the fiduciary is the Kerala Government, whereas Sprinklr is the processor. It is also worth noting, in this context, that the Bill does not extend statutory liabilities to all those who process, handle or receive personal data. The Bill imposes liabilities only on data fiduciaries and not on data processors. This means that the liability of the processor under the proposed Bill is limited to the contract signed by the processor with the fiduciary. The implication in the present case is that any claims of an aggrieved person have to be primarily directed against the State. The European Union General Data Protection Regulation 2016 (EU GDPR) stipulates that data controllers (fiduciaries in our case) cannot enter into contracts with processors which do not meet the responsibilities imposed by the EU GDPR on the controllers. Such a provision is conspicuously absent in the Indian version. It is also important to note that Section 38(1)(b) of the proposed Bill states that the DPA may exempt research, archiving or statistical purposes from the application of any of the provisions of the Act, if satisfied that the purposes of processing cannot be achieved if the personal data is anonymised.
The final question that rings the bell concerns dispute resolution between the individuals whose data is shared and the fiduciaries who collect it. The Bill requires data fiduciaries to appoint internal personnel as Data Protection Officers (DPO), who will be the primary officers in charge of handling concerns and complaints filed by individuals. The Bill provides 30 days for the DPO to take action on any request or complaint. Only after exhausting this option may an aggrieved person approach the adjudicator to be appointed by the proposed DPA. If not satisfied with the adjudicator's decision, the complainant may appeal to the Appellate Tribunal proposed in the Bill. However, the Bill omits to mention the administrative jurisdiction of the adjudicator or the geographical locations of the benches of the Appellate Tribunal. Access to justice is, therefore, a critical challenge for the common man under the proposed Bill. The jurisdiction of the courts is seriously limited under Section 77. Imagine the plight of an individual who will have to travel for hours just to reach the adjudicator's office. Not to mention the absence in the Bill of provisional measures pending action from the DPO. This means that while a person may be aware of a continuing compromise of her privacy, she may not be able to stop it immediately. Users who are not tech-savvy may also be left without any reliable and immediate assistance from the law or the authorities.
Above all, there is a serious issue of Centre-State relations in the proposed Bill. The powers are concentrated at the Centre, and it is doubtful whether state governments get even a minimal say in the implementation of the proposed law. The Bill may also raise the concern of whether state governments would have any discretion left to act promptly and swiftly, as in the present case. The states and individuals are certainly underrepresented in the Bill. The Joint Parliamentary Committee (JPC) is presently analysing the Bill, which was introduced in the Lok Sabha on December 11, 2019, and its report is pending. While business enterprises and techies continue to lobby for changes in the provisions of the Bill, and have also successfully created precedents in the COVID-19 mitigation, it is important to discuss what the common man has in the Bill and what he can expect from the lawmakers. We must persuade the government to expand access to justice at the district or sub-district levels, and to introduce provisional remedies for cases pending with the DPO or DPA. This is the minimum we should demand. Further, we should convince the parliamentarians to establish statutory liabilities on all those who receive or handle data, to establish guidelines on third-party processing by governments, and to decentralise powers to the state governments. We must look for guarantees for the above in the proposed legislation and must not compromise on the position that these may be laid down as administrative orders at a later stage. The COVID-19 mitigation and the Sprinklr issue are lessons to be learned.
A version of this article was published in Live Law on April 22, 2020.
Nithin Ramakrishnan is Research Scholar at CPPR. He is also assistant professor of international law at the Chinmaya Vishwavidyapeeth (deemed to be university), Ernakulam. Views expressed by the author are personal and need not reflect or represent the views of Centre for Public Policy Research.