
Amazon Alexa, Privacy & Breach

  • Writer: Gautam Bhatia
  • Oct 7, 2021

“Privacy safeguards individual autonomy and recognizes the ability of the individual to control vital aspects of his or her life.” – Hon’ble Justice D.Y. Chandrachud.


Privacy has already been established as a fundamental right through the jurisprudence laid down by the Supreme Court of India [1]. Even though this right is inalienable, it is not absolute.


In this post, “data” refers to its definition under Section 2 (1) (o) of the Information Technology (“IT”) Act, 2000. Its scope includes “sensitive, personal, and critical personal data” to the extent provided under applicable laws, including but not limited to the GDPR [2] and the PDP [3].

Regional Amazon businesses are compliant with the above.


An Echo can only be sold to a major, with informed consent obtained through the affirmative act of the consumer agreeing to Amazon’s ToU and Privacy Policy, which disclose the information collected, stored, analyzed, transferred, and shared internally among Amazon affiliates and with third parties. The Echo is only activated by “wake words” [11] and records data only for the duration of that conversation or the carrying out of that command, as detailed in Alexa’s Communication Schedule. ASSPL allows the consumer to view the data it has been given access to and to minimize data collection at the consumer’s discretion, with the option to submit purge requests, withdraw consent, and enable DND [12]. ASSPL has appointed Grievance Officers and listed their contact channels for the consumer.


In addition to the above, ASSPL and its Amazon affiliates employ encryption protocols for all data, with special 128-bit protection, together with independent gateways and the data security mechanisms of financial institutions and wallet companies, in compliance with the Payment Card Industry Data Security Standard. These measures, backed by extensive audit trails, are intended to ensure that no breach of payment information or unauthorized transaction originates from their end.


ASSPL and its Amazon affiliates invest a large share of their capital and operating budgets in securing their digital platforms. They maintain dedicated IS, IT, technical audit, digital, and research teams, and their internal developments and third-party agreements incorporate mandatory clauses on vulnerability assessment and proficiency testing, further strengthening the integrity of their platforms and their interworking as a whole.


In conclusion, the existing sections [13] and rules [14] of the IT Act, 2000 provide for IS controls, but they are not as express and stringent as the PDP, which is why there would be no requirement to rework the data breach reporting policy in the event that the PDP is formalized as law.


[1] R. Rajagopal v. State of Tamil Nadu (1994) 6 SCC 632.

[2] European Union General Data Protection Regulation, European Parliament, Regulation 2016/679.

[3] Bill No. 373, Personal Data Protection Bill, 2019.

[4] Section 43A (ii), Annexure.

[5] IS/ISO/IEC 27001.

[6] Art. 4 (14).

[7] Section 3 (29).

[8] Kurt Wimmer, Gabe Maldoff & Diana Lee, Covington & Burling, International Association of Privacy Professionals (2020).

[9] Data Processing Authority.

[10] Section 25 (3).

[11] A voice profile of the consumer is created in which their voice is mapped to activate the device according to Alexa’s preprogrammed wake word, or a wake word customized by the consumer on their Echo device.

[12] Do Not Disturb, as per the Telecom Regulatory Authority of India.

[13] Sections 43 (a), (b), (i), 43A, 66C, 66E & 72.

[14] Rules 4, 5, 6 & 8.


Art: "Evgeny Chirikov at his desk" by Ivan Kulikov.
