Sprinklr Kerala Government contract: Personal Data Protection under test

It is reported today that the Kerala High Court has ordered that Kerala Government was wrong in getting the personal data of Covid patients processed with Sprinklr, without de-identifying the personal data. It has also ordered that the patients are to be notified by the Government .

The Kerala Government had appointed the  US based service provider for analysis of Covid patient’s data which ran into a political debate of nepotism as well as a debate on the infringement of privacy of citizens. We can leave the political controversy aside and focus only the issue related to the Privacy of the patients.

In this case, Kerala Government was a customer of Sprinklr and used the Software as a Service (SaaS). Data was provided to Sprinklr initially directly on their website and later by the Kerala Government from is website. Processing was done by the Sprinklr engine which must have worked from US and then the processed information was stored either in US or other servers.

The highlights of the order passed today by the Kerala High Court  include the following:

    • Kerala Government should anonymise all data collected from citizens with respect to COVID-19 before allowing Sprinklr access to the same. This must be done with respect to all data collected in future. Sprinklr should be given access only after the data is so anonymised.
    • Sprinklr has been injuncted from committing any act which will be directly or indirectly in breach of the data confidentiality entrusted to them under the contract with the Kerala Government. They shall not disclose/part with the entrusted data to any third party entity anywhere in the world.
    • Sprinklr should not to deal with data entrusted in conflict with the various confidentiality clauses/caveats. They will forthwith entrust back all such data to the Government of Kerala as soon as the contract is completed.
    • As per the Kerala Government’s submissions, the Court was informed that no data is presently remaining with Sprinklr. In view of the same, the Kerala High Court ordered that any secondary data lying with Sprinklr is to be entrusted back to the Government of Kerala and that this shall be treated as a peremptory direction.
    • Sprinklr has been injuncted from advertising or representing to any third party that they have access to any data relating to COVID 19 patients or persons vulnerable/susceptible to the disease.
    • Sprinklr has been ordered not to use or exploit any such data for any commercial benefit. Sprinklr shall deal with such information maintaining full confidentiality of the Kerala citizens whose data is collected.
    • Sprinklr is not to use the data collected and not to use the name or official logo of the Government of Kerala.
    • The Kerala Government has been directed to inform every citizen from whom data is taken that such COVID-19 data is likely to be accessed by Sprinklr or a third party. Their specific consent for the same should be obtained in the necessary form before data collection.

While issuing these directions today, the Court emphasised that it was doing the same with the singular intent of “ensuring that there is no data epidemic after the COVID-19 epidemic is controlled.

The service involved sharing of the Covid patient’s data which is “Sensitive personal data” under ITA 2000 (amended in 2008) as well as any norms that can be traced to the forthcoming Personal Data Protection Act in India or the prevailing global norms of GDPR.

Though the Company is a US company is bound to follow the principles of “Reasonable Security Practices” under Section 43A of ITA 2000/8. The Company is also expected to follow “Due Diligence” which is “following such practices as a prudent person would follow under similar circumstances”.

As of 25th April 2020, a prudent organization in India dealing with “Sensitive personal information” would consider the provisions of the Personal Data Protection Bill 2019 as the guidelines of privacy to be followed as due diligence.

The Kerala Government is also obliged to consider the Justice Puttaswamy judgement declaring Protection of Privacy to be a fundamental right of an Indian citizen.

More importantly, the Kerala High Court itself in the Oomen Chandy Case  (WP(c) No 40775 of 2017),5  has  said

“The newly recognized fundamental right to privacy, which takes within its fold the right to protect ones reputation as well, would merit classification as a fundamental right that protects an individual,  not (only) against the arbitrary State action, but also from the actions of other private citizens, such as the press or media,”..

Hence both the Kerala Government and Sprinklr were bound to recognize the Privacy protection guaranteed under the Puttaswamy judgement and initiated Privacy protection measures in the collection, processing, storing and disposal of the sensitive personal information.

In the Indian context, the Privacy law may be new to the Kerala Government but Sprinklr is claiming that its services are “GDPR Compliant”. Hence Sprinklr was fully aware to the sensitivity of the information being processed and even if the Kerala Government was not conversant with the privacy laws in general, should have cautioned the Government on how to address the issue.

The first thing that comes to everyone’s mind is the “Consent” from the patients. There is also the question of possible transfer of data out of India either for storing or for processing for which  an “Explicit Consent” was required to be called for by Sprinklr even if Kerala Government was not aware.

Further though the Government can claim exemption for “Medical Emergency”, the exception under PDPA applies only to an entity such as a hospital transferring the patient data for the purpose of medical treatment etc and not for Big Data analytics which can be done by many Indian companies.

Further, Indian PDPA goes beyond the “Consent” related constraints and holds the person who collects and processes the personal data in a capacity of a “Data Fiduciary” meaning a “Trustee” who has to protect the privacy of the data principal as per the Puttaswamy judgement principle. Hence no implied consent with concessions for transfer of data to a US entity can be presumed as “Due Diligence”.

In the instant case, both Kerala Government and Sprinklr are “Data Fiduciaries” since the purpose and means of processing is determined more by the SaaS company than the Kerala Government which is the user of the service under the terms and conditions under which the Sprinklr service is on offer. (Though the Data Protection Addendum on the website makes the Kerala Government the Controller and Sprinklr the Processor. In that case the data protection clause should have been directed by Kerala Government to Sprinklr which certainly is not the case here.)

As per the statement of one of the advocates representing the Kerala Government, it is claimed that the Company has a privacy policy and follows international data protection norms ensuring a high level of confidentiality of data. It is stated that the data was stored in an encrypted form in Amazon cloud in Mumbai.  If this contention is proved by evidence, it can prove that one copy of the data was perhaps stored in India. While the security of the information might have been secured against further breach because of encryption, the disclosure of the data to the service provider is still outside the consent mechanism.

The High Court has taken note of this in its order and come to an opinion that it was wrong for the Kerala Government to have shared the information with the SaaS provider without “Anonymization”. (We presume the Court was referring here to Pseudonymization or de-identification).

A quick glance at the Website of Sprinklr.com indicates that it uses several sub processors for processing work, and makes a mention of GDPR  and CCPA. However it does not mention compliance of ITA 2000/8 nor any Indian privacy laws.

Whether the policies which are declared on the website are operative or not can only be tested if data principals in India send requests for personal data processed and seeking portability of the data or right to forget. The company will most probably  reject any such requests under some excuse.

As regards the cross border transfer, the policy does not even recognize that it is in operation in India and hence the possibility of its compliance to Indian laws is clearly absent. It clearly says that it offers its clients the option to host the data in USA and Europe and there is no mention of the storage in Mumbai.

Without going too deep into an analysis it can be considered that Sprinklr is not in compliance with Section 43A ITA 2000/8 and it has rushed to the processing because the business opportunity fell on its laps.

Now that the Kerala High Court has caught the privacy related short comings in the process, it is necessary for Sprinklr to immediately stop receiving identified personal data of the patients which is any way not required for the purpose for which the data is being shared with them. The analytics that they may do has no relation to the identity of the person by name and hence it should immediately agree to an intermediary like NIC conducting “De-identification” process before the data is handed over to Sprinklr.

Simultaneously Sprinklr should transfer the processed data up to date to a custodian like NIC and purge all related data in all its servers and provide appropriate evidence of the erasure.

There is therefore no logic for the Kerala Government or Sprinklr to take any  excuse to process the identified data. They need to immediately engage the services of another intermediary, trusted in the Indian environment such as NIC or CDAC to put together a de-identification-re-identification framework  to continue further processing.

NIC should be more than capable of this exercise and if not there would be a number of software companies in India who can do it.

It would be interesting to see how the case develops further and whether the Court takes any cognizance of the principles of privacy protection that has been included in the upcoming privacy act.

In the next hearing we hope that the Court will place a substantial fine both on the Kerala Government and Sprinklr on the lines suggested in the PDPA Bill 2019 which is Rs 5 crores for the Kerala Government and upto 4% of the global turnover of Sprinklr. This will be in addition to the personal relief that can be claimed collectively by the data principals.

Naavi

(P.S: This is a quick comment based on the news reports that have just appeared. More may follow)

Also Read

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.