Amid fire incidents involving its escooters and multiple other complaints about them malfunctioning, Ola Electric is once again facing public criticism after the startup publicly put out telematics data of one of its users on the social media platform Twitter.
On April 22, Ola Electric came out with a statement on the Guwahati scooter accident in response to an unverified series of tweets by a man named Balwant Singh who wrote that an Ola S1 Pro scooter led to his son’s accident due to a fault in the regenerative braking system.
Ola Electric said there was nothing wrong with the escooter and that the accident was caused due to the vehicle overspeeding. The vehicle’s sensor data was also posted publicly on Twitter.
However, Twitter users accused Ola Electric of breaching customer privacy and data protection rules. The incident raised questions about how safe customers’ data is with the companies and if they can make the data public.
Journalist Nikhil Pahwa tweeted saying, “It seems that they’ve (Ola Electric) taken not just the right to track customers but also publicly disclose data about customer behaviour.”
The complainant, Singh, also asked Ola Electric to take down the data immediately, claiming that the company did not take his consent before making the data public, which was a violation of “privacy laws”.
Ola Electric is yet to respond to the allegations about the breach of privacy.
Legal Perspective Into The Controversy
Ola Electric Has Abided By Its Policy
Inc42 reached out to lawyer Shraddha Deshmukh, who has previously worked on constitutional and data protection laws and has appeared alongside KK Venugopal, Attorney General of India, in the K.S. Puttaswamy matter. According to Deshmukh, Ola Electric did not breach any data privacy law by either collecting or putting the data out in public. In fact, telematics data is not personally identifiable, and isn’t about personal choices or personality, which are protected under privacy laws, she said.
Ola Electric’s privacy policy document clearly states that the company collects telematics data. “To further improve your Product and safety, to facilitate the (helpdesk) servicing of your Product and to give you insight on your driving behaviour, we will collect certain telematics data from the vehicle,” the document says.
Deshmukh said since the privacy policy is also “contractually agreed”, the agreement must have been signed by the user, allowing Ola Electric to collect such data.
According to her, since Ola Electric’s policy also states that it may use and process users’ personal information where it is necessary for the company to pursue its “legitimate interests and for other reasonable purposes as a business”, there is nothing legally wrong in putting the data out in public.
In fact, one of the cases where the startup could use such data is “to enforce or protect our contractual or other legal rights or to bring or defend legal proceedings”, according to the policy document.
Deshmukh said that since Singh’s tweet against Ola Electric was defamatory in nature, the company reserves the right to defend itself with the right data.
Talking about anonymity, she added that the customer’s anonymity was lost when he brought out the topic in public, questioning the company.
“If you make claims against a company without looking into your contract, the former has the legitimate right to defend itself,” said Deshmukh. “This is more in order to let people know that their vehicles are safe because there is a cascading effect if somebody brands a company’s products as unsafe.”
Deshmukh said the responsibility lies with the users in terms of what policy clauses they are agreeing to. If a customer is not happy with any cookie collection or with any access via the third party, he/she is given the freedom to opt out, she added.
“If you want to utilise the services, there would be some kind of information shared and if you allow that, you lose the legitimate expectation in keeping information confidential,” she added.
Therefore, this is not a case of breaching somebody’s confidential data, concluded Deshmukh.
Echoing similar sentiment, Priyam Jhudele, Associate at Ikigai Law, said, “Arguably, telemetry data such as riding speeds and riding mode are linked to a vehicle and not to an individual user. And may not be seen as personal data.”
Thus, according to him, Ola Electric’s privacy policy is relevant here. “If the privacy policy promises that Ola Electric would not disclose such information, then a disclosure of this nature could be a breach of contract. But Ola Electric’s privacy policy is likely to offer grounds to disclose such information, particularly for disputes of this nature,” he added.
Legally Ola Electric Is Not Wrong, But…
Though it might seem fair from a legal point of view, in principle, Ola Electric’s step in making the user’s telematics data public is a “clear infringement of privacy”, said Rohin Garg, Associate Policy Counsel at the Internet Freedom Foundation.
Garg pointed out that the absence of a concrete data protection law in India is the biggest issue in this regard.
He said that despite this being a case of violation of privacy, the company did not violate any law as no such law exists.
According to Garg, while the contract may mention about access to data generated from the escooters, it is unlikely that customers would have read and explicitly consented to such data sharing.
If users actually went through every clause of a contract before signing up for any services, perhaps nobody would absolutely agree with them, he said.
“It’s very tough to expect consumers to go through all the points in a privacy policy agreement,” said Garg. “Companies can perhaps say that it’s on the users to do that. However, in that case, the companies would also have to make all the efforts to make consent an easier path for users and only then we can have the discussion about what the consumers can or can’t do.”
Right now, it suits the companies to put such tricky clauses in long policies that just ask the users to go to the bottom and accept, he added.
On the other hand, Rashmi Deshpande, partner at Business Law Chamber, said that since rules and regulations related to EVs are at a very nascent stage and there are no stringent laws about EV data collection, it can’t be said that Ola Electric has breached any Act or violated any regulations.
“I wouldn’t say gathering and using such data is wrong but putting such data on social media without consent could be a dicey game,” she added.
Besides, in this case, the breach could be at different levels. There are also questions if the collection of data and the way it was collected is correct, and if the information that was made public is authentic because the data was taken out in the absence of the client, Deshpande said.
However, she also said that it was expected of a company to defend itself. But if it had shared the data with the client directly instead of putting it out on Twitter, Ola Electric wouldn’t have been caught on the wrong footing, she added.
Data Privacy Law In India
India currently doesn’t have any exclusive law for data privacy, and most of the decisions are made based on prior Supreme Court judgements.
The Personal Data Protection Bill, 2019, introduced by the government in Lok Sabha in December 2019, is yet to be passed. The Bill was first drafted by a panel led by retired Supreme Court Judge BN Srikrishna in 2017. After being presented in the Lok Sabha by the then Minister of Electronics and Information Technology Ravi Shankar Prasad, it was sent to a Joint Committee of the Parliament.
The Committee submitted its revised Bill only in November 2021, which is yet to be tabled in the Parliament. Meanwhile, efforts are also underway to introduce a new privacy bill that can comprehensively address the requirements of the country’s changing technology landscape.
In the meantime, as Garg said, grey areas about data privacy not only continue to plague the automobile industry but also other industries.
