Data with a Sprinkl of protection
The State of Kerala is no stranger to epidemics. It has dealt effectively and efficiently, in the past, with threats such as the Nipah virus. Its current work in battling the COVID-19 pandemic has kept it in the spotlight as a role model for State Governments. The ‘Kerala Model’ has also found notable mention in international forums. At the same time, the Kerala Government has recently come under fire for its engagement with a US-based SaaS provider, Sprinklr Inc, in connection with COVID-19 control measures.
So what happened?
The Kerala Government executed a contract with Sprinklr, effective March 25, 2020, to help it collect and manage patient data during the COVID-19 crisis. The data included answers to various questions, descriptions of symptoms, health conditions, and related medical information, and was collected by the Government using an app/tool developed by Sprinklr. As a result of the contract, Sprinklr would have access to the health and medical data of Indian citizens.
The rationale provided by the Kerala Government for hiring Sprinklr was two-fold: it claimed, first, that Government-owned/-controlled entities, such as the Centre for Development of Imaging Technology (CDIT) and Information Kerala Mission, were not technically equipped to manage the large volume of data; and second, that Sprinklr’s platform was readily available and was being offered free of charge for a period of six months.
Why the fuss?
Concerns raised in relation to this agreement are, first, that due process for the selection and appointment of a vendor for this project was not followed; and second, and quite possibly the more debated concern of the two, that privacy and data protection were compromised.
The privacy debate began with strong opposition from critics who insisted that the Sprinklr arrangement did not ensure appropriate privacy and data protection measures for the sensitive health data collected. The concerns raised include, among others, the lack of consent from data subjects and the storage of data on Sprinklr’s servers outside India. However, this narrative was quickly turned into a broader health versus privacy discussion.
What does the law say?
The right to privacy is incorporated within the larger fundamental right to life and liberty, as guaranteed under Article 21, as well as the freedom of expression and movement under Articles 19(1)(a) and (b) of the Constitution of India. This is further supplemented by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Privacy Rules), which lay down guidelines for collecting and processing an individual’s sensitive information, including medical records. Among other things, they require the collector of sensitive information to obtain prior consent from the provider of such information, i.e. the individuals themselves. Notably, the Privacy Rules do not grant the Government any overriding powers.
For a complete assessment, the right to privacy must be read along with the right to health, which is embodied in the directive principles of State policy. These directive principles call on the State to take care of the health and strength of its citizens. Over time, the right to health has been woven into the larger fabric of the right to life and liberty in Article 21 mentioned above.
So how should we look at the Sprinklr issue? Should we explore whether, in this context, the Government has the right to override its citizens’ fundamental right to privacy for the purpose of managing the pandemic to secure its citizens’ health? Often, issues remain unsolved because the wrong questions are asked. The ‘health versus privacy’ question may not arise if there were no privacy concerns in the Sprinklr arrangement to begin with.
What does the contract say?
We do not intend to record our evaluation of the specific clauses under the contract, as that may be counterproductive. However, a few aspects would be worth mentioning. Sprinklr’s process is stated to be compliant with the General Data Protection Regime (GDPR). The European Union’s GDPR is considered the gold standard in privacy regulations the world over. India’s Data Protection Bill, 2019, to some extent, borrows concepts from the GDPR. Also, the contractual documents entered into with the Kerala Government do not appear to deviate from the standard provisions generally agreed with other customers, in that one cannot point towards any particular instance of dilution of privacy safeguards.
However, controversy seems to surround the fact that the original Letter of Affirmation dated April 11 was replaced with another Letter of Affirmation the next day. While the original letter seems to suggest that Sprinklr would have more rights in terms of the data collected, the second letter assumes a different flavour, giving the Kerala Government the deciding hand in terms of controlling the data. Hence, questions remain unanswered, sending us back to the original debate.
Health or Privacy
It is an undisputed fact that each citizen’s right to privacy must be treated as a matter of utmost importance. However, like every other fundamental right, the right to privacy must come with reasonable restrictions. While the right to privacy has been discussed and upheld by Courts in India, time and again, and has been incorporated within legislations such as the Privacy Rules, it may be argued that such a right may be overridden when discussing situations such as the COVID-19 pandemic, which involves a larger public interest. This does not imply that only one of two rights (i.e. right to privacy v. right to health) can subsist at any point in time. In fact, it is the constitutional duty of the State to ensure that both rights are guaranteed and provided to citizens within reasonable bounds.
In the present context, while pointing fingers at the State Government’s decision to work with a foreign company may come easily to most, it must also be noted that this decision rides on the back of the Government’s duty to protect the health of its citizens by striving to curb the spread of COVID-19. At the same time, it is imperative that the Government recognizes the sensitive nature of the data in question and, consequently, ensures confidentiality and integrity while also making it available in a safe yet useful manner.
With this thought in mind, the High Court of Kerala issued an order on April 24, 2020, calling out the fact that the provisions of the contract executed with Sprinklr do not, in their view, ensure that there is no breach of confidentiality of the data collected by the State and processed by Sprinklr. Accordingly, it directed the Government to ensure that all data that may have already been collected, or that will be collected in the future, in respect of the COVID-19 pandemic be anonymized before giving Sprinklr access to it. Further, the Government was instructed to obtain consent from every citizen whose data would be collated in the future, after informing them that such data would be processed by Sprinklr.
With regard to the issue of following due process, the High Court acknowledged that an analysis of each allegation would not be prudent at this juncture, as doing so would require a comprehensive assessment of all factors, and that they cannot be said to impede any effort to fight the COVID-19 pandemic.
The broader health versus privacy discussion is important and not to be taken lightly. This part-legal, part-ethical question will assume significance worldwide for the various COVID-19 measures that need to be implemented. We hope the ideas that emerge from the rubble will be the ones that transform a “health or privacy” question into a “health and privacy” solution.
Authored by Vishnu Nair, Partner, J Sagar Associates and Sherill Pal, Principal Associate, J Sagar Associates