
or
Counsels, CEOs, lawyers and Government officials alike, to not only seek interpretation of such clauses, but also uncover jurisprudence related thereto. Supply chain management, lease agreements, labour (dis)engagements, the list goes on.
While the FM has attracted maximum attention, this has also been a time for consideration and debate on a host of issues in the labour law/ employment law domain. Not only has the pandemic added another “F” word to our vocabulary – Furlough – it has also taught companies creative ways of dealing with work continuity without hurting the wallet.
The legal community has also had the opportunity to go “back to basics”, with a host of webinars, on topics ranging from fundamentals of Drafting, to Contract interpretation, Evidence and Cross Examination, Arbitration, Mediation, Real Estate, and the more niche areas of Gaming laws, Media & Entertainment, Telemedicine (for which I plead guilty), etc.
But this article is not about any of the aforesaid “hotly” debated topics, or even the Basic principles. It’s about another interesting area of the law, which received more attention even before the law has been codified. No prizes for guessing it right. PRIVACY it is – or as I have referred to it in the Title of the article – NIJI-NESS (for the uninitiated into the intricacies of the Hindi language, Niji means private).
Just around the time that the country was coming to grips with the idea that there could actually be a Version 2.0 to the lockdown (we would have liked to believe that there was only going to be one version), a Public Interest Litigation was filed before the Kerala High Court – the state that had truly become the Gateway to India. Whereas every year it carries that badge proudly for welcoming the monsoon, this time, it played “host” of a different and forgettable kind – reporting the first case of COVID-19 for the country.
The Government of Kerala, having to respond to the pandemic without any precedent whatsoever, as it had the dubious distinction of catching the pandemic on the “first day first show” and, having been caught completely unaware, needed to respond, at least to ensure that the pandemic is contained to as small a section of the population as possible. With a view to monitor and restrict the impact, as also to understand the mechanism, the State Government was required to collect and process the data of 80 lakh people in the State.
In the words of the Additional Advocate General for the State of Kerala, as “Government owned/controlled entities like C-DIT and Information Kerala Mission are not technically equipped to handle large volumes of data, and since there are no viable alternatives within the Government framework”, the State was “forced to requisition the assistance of an overseas private entity by the name of Sprinklr Inc.” The entity, which refers to itself as a digital communications infrastructure provider, was engaged to provide an online digital software / platform to process and analyse data with regard to patients and those vulnerable and susceptible to the COVID disease in the State of Kerala. As per the terms of the contract, Sprinklr agreed to provide the services free and gratuitously to the Government for the first 6 months.
However, this agreement was challenged through the PIL, primarily on the ground that the agreement not only permits the data to be retained and processed by a foreign entity via cloud, and hence impacts the confidentiality and protection thereof, but it also leaves the data principals, i.e., the people whose data is being processed, without any effective remedy in case of breach, because the jurisdiction clause in the agreement vested exclusive jurisdiction in Courts of New York.
The Union Government supported the Petitioners’ stand on the grounds that (a) the State Government ought to have taken the assistance of the Central Government and specifically the National Informatics Centre, instead of entering into the contract with a foreign entity; (b) the original agreement with Sprinklr did not even have adequate confidentiality clauses; and (c) the integrity of the data already shared with Sprinklr cannot be guaranteed.
While the Court did not wish to impede the State Government’s fight against COVID-19, specifically because the Government Counsel made an unequivocal statement that the State cannot continue the fight against COVID without the assistance of the software provided by Sprinklr, it also did not wish to let the status quo continue, as it felt that the same may lead to a situation of “data epidemic” after the COVID-19 epidemic is controlled.
Relying on internationally recognised principles of data protection and data privacy as also the settled proposition of law relating to confidentiality, the Kerala High Court, in a landmark order in a case of first impression observed as under:
Resultantly, the Hon’ble Court, vide order dated 24.04.2020, passed a series of unprecedented directions to the State of Kerala and Sprinklr, including that (a) all data collected and to be collected shall be anonymised and only such data can be shared with Sprinklr in future, which has already been anonymised; (b) all citizens whose data is being collected must be informed that their personal data is going to be processed by Sprinklr or any third party and that specific consent from the citizens is to be taken for the same; (c) the data available with Sprinklr or to be made available in future shall not be used by Sprinklr in any manner which is contrary to the confidentiality obligations set out in the agreement and that such data shall be returned to the Government, once the use / processing of the data for COVID-19 purposes is over; and (d) all data that had been transferred to Sprinklr in the past shall be returned to the Government forthwith, if not already done.
The order clearly demonstrates that the absence of a personal data protection legislation shall not deter Courts in India from passing orders (i) protecting the confidentiality and integrity of personal data, specifically that which is categorised as sensitive personal data; (ii) relying upon and incorporating into Indian jurisprudence, generally acceptable principles of international law (“GDPR”) relating to data protection (lawfulness, fairness, transparency, consent, specific purpose, integrity and confidentiality as well as to resort to data anonymisation where needed); (iii) upholding the right of Privacy even in these times of pandemic “emergency”.
Less than 3 weeks before this order was passed, the Union Government released the Aarogya Setu App. The primary scope of this contact tracing app is the collection and processing of data, though for the specific purpose of addressing the pandemic and trying to control its spread. Thus, the underlying basis for collection and processing of data seems to mirror the situation or justification given by the Kerala Government in the Sprinklr case.
The debate around the application only gained ground, however, on 01.05.2020, when the Government passed orders making it mandatory, for (i) people residing in containment zones; (ii) all employers – public or private sector – who were opening up their places of work, to ensure that each of their employees downloaded the app and accordingly, captured their health data on the application.
With 90 million downloads by the first week of May 2020, and more getting added on a daily basis, privacy activists raised various fears, sent legal notices to the government and even filed a public interest litigation, again before the Kerala High Court. The app also attracted a hacker to hack the database to ostensibly demonstrate its fallibility.
The PIL alleged that mandating the use of Aarogya Setu, especially at the workplace, and attaching penal sanctions to non-compliance by employers amounts to an arbitrary and unreasonable exercise of executive power which is in violation of Articles 14, 19 and 21, and specifically the right of privacy, which has been found to be guaranteed under Article 21 of the Constitution of India in the Puttaswamy case. The broad contentions included (i) lack of consent and actually forced consent to part with the Sensitive Personal Data – brought about by not only the absence of basic procedural safeguards on access and disclosure, but also because of the absence of an effective legislative framework that would allow a person whose data has been breached/misused, to get an effective remedy therefor; (ii) the statutory provision under which such an executive order has been passed, i.e., Section 10(1) of the Disaster Management Act, is an overarching interpretation, especially as privacy can only be breached by a specific law made for that purpose; (iii) while legitimate actions of the State in furtherance of Public Interest may be used to curtail the right of privacy, in the absence of specific legislation covering the subject, and with purpose restrictions not specified in the Privacy Policy, the action is no longer legitimate. This is evident from the fact that the Privacy Policy does not limit the use of the data to COVID-19 only – which is the real reason for collecting the data – but specifically states that it can be used “for all purposes that are allowed by the law for the time being in force”.
Once the PIL was filed and notice issued on the same, the steps that the Government has taken demonstrate the strength of Privacy as a right. First, the Government clearly came out with a strong statement from no less than the Minister of Electronics and IT, Mr. Ravi Shankar Prasad, that the general data would be deleted within 30 days and the data related to infected persons, within 45-60 days. Also, currently, there do not seem to be any cases filed, in relation to alleged non-enforcement of the claimed 100% compliance as per the Government order. Thus, there seems to be a reasonable approach that is being followed in this regard as well.
The one sure indicator that emerges from the above discussion is that the Personal Data Protection Bill is long overdue to be enacted as a legislation. Absent that, the pandemic of confusion is unlikely to die down.
Abhishek Malhotra is the Founding Partner of TMT Law Practice. He has nearly two decades of experience in the legal realm and is member of both the State Bars of California, USA and Delhi, India. His primary areas of expertise are Intellectual Property, Competition Law, Dispute Resolution and the Technology, Media & Telecommunications industries.
Lex Witness Bureau
Copyright © 2020 Lex Witness - India's 1st Magazine on Legal & Corporate Affairs Rights of Admission Reserved