By - Rajashree Devchoudhury on June 10, 2020
The Government of Kerala in its combat against COVID - 19, had engaged the services of a US-based software entity, by the name and style of Sprinklr Inc. ("Sprinklr") to store, analyse and process personal data of COVID patients and also those of vulnerable and susceptible persons. This action by the Kerala Government had caused unrest amongst the general public. In a series of public interest petitions filed before the Kerala High Court, a temporary order came to be passed whereby the Hon'ble High Court issued several guidelines to the Government of Kerala and also to Sprinklr regarding the management of personal data of COVID patients and those related.
Spinklr is a data analytics firm, involved in the business of providing online data storage and processing services to various governments across the globe . The Government of Kerala, in its attempt to control the spread of the pandemic and to keep a track of all the persons infected, had availed the services of Sprinklr, whereby the personal data collected by the Government of Kerala was shared with Spinklr, which in turn stored such data on its servers. Spinklr then provided the analysed data back to the Government of Kerala.
The petitioners contended before the Hon'ble High Court of Kerala that the State of Kerala need not have engaged the services of a foreign entity like Sprinklr, when government agencies like C-DIT and NIC are more than capable of handling such data storage and processing. Further, the aspect of Sprinklr using the said data for commercial gains was also mooted before the Hon'ble High Court. It was also contended that consent was not being obtained from the persons whose data was being collected by the State as had been directed by the Hon'ble Supreme Court in the case of Justice K.S. Puttaswamy (Retd.) & Anr. v. UOI ("Puttaswamy Case").
The petitioners further contented that the Master Service Agreement ("Agreement") executed between the Government of Kerala and Spinklr, were in conflict with Article 299 (1) of the Indian Constitution and also the governing law for dispute resolution in the Agreement was that of the State of New York, United States of America. Moreover, it was vehemently contented that the confidentiality clauses in the Agreement were not strict enough to prevent misuse of the personal information in the custody of Spriklr.
In response to the contentions raised by the petitioners, the State of Kerala contended that the State run entities, such as C-DIT are not equipped to manage large volume of data and that the State of Kerala had no other viable alternative to choose from.
It is interesting to note that the Union of India was also made a party to these petitions and the Hon'ble High Court had provided an opportunity to the Central Government to put forth its valuable inputs regarding the aforementioned facts and circumstances. The Union of India submitted that the personal data of Indian citizens should always be in the control of the State and should necessarily be stored in data centres belonging to the state or the central governments. The Union of India essentially reiterated the contentions of the petitioners and supported the petitioners in their case.
The Hon'ble High Court of Kerala, without delving in detail regarding the merits of the case and also considering the current global pandemic, passed certain interim directions with an intent "to ensure that there was no "data epidemic" after the Covid-19 is controlled". With a view to not hamper the measures taken by the Government of Kerala in fighting the Covid - 19 pandemic, the Hon’ble High Court limited the scope of the interim directions to the issue of breach of confidentiality.
The Kerala Government and Sprinklr were each bound to recognize the protection of privacy guaranteed through the judgement passed in the Puttaswamy Case and called for privacy protection measures for the collection, processing, storing and disposal of the sensitive personal information.
A concise summary of the directions issued by the Hon'ble High Court of Kerala in the current matter is enumerated hereinbelow:
Subsequent to the decision passed by the Hon'ble Supreme Court in the Puttaswamy Case, protection of personal data has gained traction. The interim directions passed by the Hon'ble High Court of Kerala in the current case expand the principles laid down in the Puttaswamy Case. While the Personal Data Protection Bill, 2019 is under consideration in the parliament, the courts in India are taking initiative to ensure protection of personal data of the citizens of the country.
The interim directions passed by the Hon'ble High Court of Kerala goes to show the proactive steps taken by the judiciary in this regard. These directions may seem like a small step but it is a step nonetheless. It is imperative that the Personal Data Protection Bill, 2019 comes into force but until then, the burden of protecting the personal data of the citizens will rest on the shoulders of the judiciary. It is commendable that the Hon'ble High Court of Kerala passed these directions. However, serious steps need to be taken by all parties involved to ensure protection of personal data.