Judiciary Steps In – Mandates Data Protection.
Kerala High Court on Public Data – Directs State Govt to Protect Public Data
The Government of Kerala in its combat against COVID – 19, had engaged the services of a US-based software entity, by the name and style of Sprinklr Inc. (“Sprinklr”) to store, analyse and process personal data of COVID patients and also those of vulnerable and susceptible persons. This action by the Kerala Government had caused unrest amongst the general public. In a series of public interest petitions filed before the Kerala High Court, a temporary order came to be passed whereby the Hon’ble High Court issued several guidelines to the Government of Kerala and also to Sprinklr regarding the management of personal data of COVID patients and those related.
Background
Spinklr is a data analytics firm, involved in the business of providing online data storage and processing services to various governments across the globe[1] . The Government of Kerala, in its attempt to control the spread of the pandemic and to keep a track of all the persons infected, had availed the services of Sprinklr, whereby the personal data collected by the Government of Kerala was shared with Spinklr, which in turn stored such data on its servers. Spinklr then provided the analysed data back to the Government of Kerala.
Submissions of the Parties
The petitioners contended before the Hon’ble High Court of Kerala that the State of Kerala need not have engaged the services of a foreign entity like Sprinklr, when government agencies like C-DIT and NIC are more than capable of handling such data storage and processing. Further, the aspect of Sprinklr using the said data for commercial gains was also mooted before the Hon’ble High Court. It was also contended that consent was not being obtained from the persons whose data was being collected by the State as had been directed by the Hon’ble Supreme Court in the case of Justice K.S. Puttaswamy (Retd.) & Anr. v. UOI[2] (“Puttaswamy Case“).
The petitioners further contented that the Master Service Agreement (“Agreement“) executed between the Government of Kerala and Spinklr, were in conflict with Article 299 (1) of the Indian Constitution[3] and also the governing law for dispute resolution in the Agreement was that of the State of New York, United States of America. Moreover, it was vehemently contented that the confidentiality clauses in the Agreement were not strict enough to prevent misuse of the personal information in the custody of Spriklr.
In response to the contentions raised by the petitioners, the State of Kerala contended that the State run entities, such as C-DIT are not equipped to manage large volume of data and that the State of Kerala had no other viable alternative to choose from.
Additionally, defending its contract with Sprinklr, the State of Kerala reasoned that the company maintained a good privacy policy and employed a high level of international data protection norms to ensure confidentiality of personal data and that the dispute resolution would have to be undertaken in India despite there being a clause to the contrary on the ground that the data was being stored in India. Therefore any action for breach of confidentiality under the provisions of the Information Technology Act, 2000 ought to be in India.
It is interesting to note that the Union of India was also made a party to these petitions and the Hon’ble High Court had provided an opportunity to the Central Government to put forth its valuable inputs regarding the aforementioned facts and circumstances. The Union of India submitted that the personal data of Indian citizens should always be in the control of the State and should necessarily be stored in data centres belonging to the state or the central governments. The Union of India essentially reiterated the contentions of the petitioners and supported the petitioners in their case.
Observations of the Court
The Hon’ble High Court of Kerala, without delving in detail regarding the merits of the case and also considering the current global pandemic, passed certain interim directions with an intent “to ensure that there was no “data epidemic” after the Covid-19 is controlled”.[4] With a view to not hamper the measures taken by the Government of Kerala in fighting the Covid – 19 pandemic, the Hon’ble High Court limited the scope of the interim directions to the issue of breach of confidentiality.
The Kerala Government and Sprinklr were each bound to recognize the protection of privacy guaranteed through the judgement passed in the Puttaswamy Case and called for privacy protection measures for the collection, processing, storing and disposal of the sensitive personal information.
A concise summary of the directions issued by the Hon’ble High Court of Kerala in the current matter is enumerated hereinbelow:
- The State Government and all its departments were directed to ensure that all the data collected by them was anonymized prior to giving access of the same to any third party.
- The State Government was directed to mandatorily obtain specific consent from the persons whose data was being collected to enable the State Government to share such data with the third party service providers.
- Specific directions were passed to Sprinklr preventing it from directly or indirectly committing an act of breach of confidentiality and disclosure of personal data to any other third party. Sprinklr was also directed to entrust back all the data in its custody once the obligations under the Agreement came to an end.
- Preventive order restraining Sprinklr from advertising or representing to third parties that they (Sprinklr) are in possession or have access to information relating to Covid – 19 patients or persons susceptible to the pandemic.
- The Hon’ble High Court also passed an order preventing commercial exploitation of data in the custody of Sprinklr.
Conclusion
Subsequent to the decision passed by the Hon’ble Supreme Court in the Puttaswamy Case, protection of personal data has gained traction. The interim directions passed by the Hon’ble High Court of Kerala in the current case expand the principles laid down in the Puttaswamy Case. While the Personal Data Protection Bill, 2019 is under consideration in the parliament, the courts in India are taking initiative to ensure protection of personal data of the citizens of the country.
The interim directions passed by the Hon’ble High Court of Kerala goes to show the proactive steps taken by the judiciary in this regard. These directions may seem like a small step but it is a step nonetheless. It is imperative that the Personal Data Protection Bill, 2019 comes into force but until then, the burden of protecting the personal data of the citizens will rest on the shoulders of the judiciary. It is commendable that the Hon’ble High Court of Kerala passed these directions. However, serious steps need to be taken by all parties involved to ensure protection of personal data.
- [1] Information regarding the services of Sprinklr may be accessed at https://www.sprinklr.com/
- [2] K.S. Puttaswamy (Retired) v. Union of India, (2019) 1 SCC 1
- [3] All contracts made in the exercise of the executive power of the Union or of a State shall be expressed to be made by the President, or by the Governor of the State, as the case may be, and all such contracts and all assurances of property made in the exercise of that power shall be executed on behalf of the President or the Governor by such persons and in such manner as he may direct or authorise
Contributed By – Neha Mathew, Associate Partner & Rajashree Devchoudhury, Senior Associate
King Stubb & Kasiva,
Advocates & Attorneys
New Delhi | Mumbai | Bangalore | Chennai | Hyderabad | Kochi
Tel: +91 11 41032969 | Email: info@ksandk.com
By entering the email address you agree to our Privacy Policy.