Privacy concerns of Kerala govt's sprinklr deal. How it could be corrected?

General
1

Sprinklr is a US based SaaS company, which was roped in by Kerala Govt to process health data related to Covid. The deal has met with controversy after privacy concerns were raised by opposition related to the matter. Few important points about this deal I have understood from media are:

  1. Sprinklr is offering the service for free(AFAIK). But as we all know, data is sometimes more valuable than currencies.
  2. Though Sprinklr is a US company, data is stored in Kerala govt’s AWS within India.
  3. There was no official deal made when sprinklr had started to access data. Later it was made. The deal is to help Kerala govt process health data till September 2020. Sprinklr does not have any right to access or use the data beyond that time period.
  4. Data has not been anonymised so far.
  5. Consent was not being taken from persons whose data were being shared.
  6. SC has today heard the petition filed by opposition and others against this data privacy concern. SC while noting that it is important to safeguard data, refrained from interfering in a way which will affect the Covid response of the state. It also asked govt to ensure that it informs the data owners of the privacy policy. HC also asked to anonymise data shared henceforth. It has also given the injunction to Sprinklr from using the data already provided directly or indirectly for any commercial purposes.

HC proceedings coverage:
https://twitter.com/LiveLawIndia/status/1253568100286345218?s=20

Though Govt of Kerala was wrong in being lackadaisical about privacy while making the deal with sprinklr initially, they have later taken measures to make it more transparent and less objectionable. Is it enough though?

So, a few questions I would like to get addressed by the eminent privacy professionals/activists/lawyers of this forum :

  1. Can govt share the data it has with it to private companies? Particularly foreign ones? If yes, what are the checks and balances involved?
  2. What about privacy concerns in a seemingly humanitarian transaction? Can govt compromise on privacy, just because a service is provided for free by a Pvt party?
  3. Had the privacy bill been enacted, would the situation have been different? Is there anything else we can learn from this lesson to make our privacy bill more robust?
  4. IFFs and it’s wellwishers’ recommendation to mitigate the damage already done in Sprinklr deal and ensuring such incidents do not occur in the future.

PS: I am only a common person, trying to learn about privacy and internet freedom. I lack deep legal as well as technical knowledge related to privacy. Hence, please do not take my post as facts - please verify.

1 Like