The Kerala High Court last week passed an order on the ongoing Sprinklr controversy and asked the Pinarayi Vijayan-led state government to anonymise the data of citizens in Kerala under observation for COVID-19, which has been collected and collated by the American company Sprinklr, and allow the company further access only when the process of anonymisation is complete.
The Kerala High Court bench of Justices Devan Ramachandran and TR Ravi was hearing a writ petition filed by Ramesh Chennithala, the leader of the opposition in Kerala. In his plea, Chennithala had alleged that a large amount of private data of citizens of Kerala was handed over to a foreign company, thus amounting to a breach of privacy.
Chennithala in his plea alleged that the contract that the Kerala government entered in with the American company has little or no safeguards against the commercial and unauthorised exploitation of the data. He added that in case of a breach of confidentiality, or any such dispute, there is no way that the Kerala government can take any action against the company, since only the courts in New York, where the company is registered, can order any action against it.
What the Union govt said
The government of India was also listed as a respondent in the plea, and representing the Centre, the Additional Solicitor General of India, P Vijayakumar, submitted a statement in court that the privacy of the citizens of Kerala is their primary concern. The counsel also stated that the contract did not have sufficient confidentiality clauses and that clauses to ensure confidentiality were added only subsequently.
The Centre told the court there was no need for Kerala to approach any company outside India since there were “equally or more competent” companies in India. The counsel added that the state could have approached the Centre and that they would have been able to give the same or better support to them.
Kerala’s defence
The state government, represented by Additional Advocate General KK Ravindranath, said that the Kerala government, in anticipation of ‘worst case projections’ and ‘possibility of a sudden spike in cases,’ felt that they needed a system which could handle the data of over 80 lakh citizens. The Kerala government said Sprinklr was approached since not many government companies are technically equipped to handle such large data and thus, it was forced to take the assistance of Sprinklr, as the company showed an interest in working with the government. Additionally, the company had promised to offer their services free for a period of six months.
Responding to Chennithala’s concerns on privacy, the Kerala government stated that the government takes full responsibility for the protection of data. The counsel added that the available protective systems make it impossible for Sprinklr or anyone else to breach confidentiality or to deal with the data "surreptitiously or maliciously," and that control of all the data has been given to the Kerala government.
With respect to jurisdiction, the Kerala government said that since the data “resides in India” any breach of confidentiality will mean that action can be taken against Sprinklr in India. The counsel added that, however, any breach of contract by the Kerala government can make it liable to face action in New York.
The Kerala government also told the court that Sprinklr’s services are free only for six months from the date of the contract and after that, Kerala will have to search for alternatives. The state added that it has no issue with approaching the Centre and seeking the help of the National Information Centre to manage such data after the contract ends.
What the court said
The court noted the Kerala government’s stand that it “cannot continue the fight against COVID-19 without the assistance of the software provided by Sprinklr,” and stated that it will not be issuing any orders to obstruct the government’s efforts. However, the court stated that since no data is currently available with Sprinklr, all remaining or secondary data should also be entrusted back to the Kerala government.
Issuing an interim order, the two-judge bench ordered the Kerala government to anonymise all the data that have been collected and collated from the citizens with respect to the COVID-19 epidemic. It also ordered that Sprinklr shall be allowed to have access to this data only after the process of anonymisation is completed.
The court said that every citizen, from whom data is to be taken in future, must be informed that their data has been collected and is likely to be accessed by Sprinklr or any other third party and their specific consent must be taken.
The court also prohibited Sprinklr from breaching confidentiality and ordered that it entrust all data to the Kerala government as soon as their contractual obligation is over. The company was also prohibited from using the name or official logo of the Kerala government.