Kerala High Court Issues Guidelines To Anonymize Data Collected By The State With Respect To Covid-19 - Operational Impacts and Strategy

INTRODUCTION

The division bench of Kerala High Court comprising of Hon'ble Mr Justice Devan Ramachandran and Hon'ble Mr Justice T R Ravi passed an interim order on 24 April 2020 in the matter of Balu Gopalakrishnan & Anr. v. State of Kerala & Ors. expressing its reservations particularly towards the terms related to data confidentiality under the contract entered into between the Kerala government and Sprinklr Inc., a foreign data analysis company (hereinafter Sprinklr). The High Court also directed that, going forward, the Kerala government should take prior consent from the citizens apprising them that their data is likely to be accessed by third-party service providers.

FACTUAL BACKGROUND

The Kerala government entered into contract with Sprinklr to access an online digital software to process and analyse the data of patients and those vulnerable and susceptible to COVID-19 in Kerala. Due to the urgency at the time of execution of the contract, a "standard form contract" was executed between the parties.

ISSUE FOR CONSIDERATION BEFORE THE HIGH COURT

Whether there are enough safeguards to ensure confidentiality of the data collected and how would the data be dealt with after processing/analysis?

MAIN ARGUMENTS RAISED BY THE PARTIES

The petitioners alleged that: (i) the contract barely has any safeguards against the commercial and unauthorised exploitation of data entrusted to Sprinklr; and (ii) in case of any breach by Sprinklr, the Kerala government will have no legal recourse before the courts in India since the contract grants exclusive jurisdiction to the courts in New York. The petitioners also submitted that the contract violates Article 299 (1) of the Constitution of India.

The Kerala government submitted that the contract was executed in order to overcome the "worst case projections" and the possibility of sudden spike in cases due to the outbreak of COVID-19. The Kerala government had anticipated that tracking and tracing of citizens would be necessary with the assistance of a scalable information technology system and the available in-house technology was not well-equipped. The Information Technology Department of the government supported these contentions and asserted that the protection systems on Amazon Cloud Service makes it impossible for anyone including Sprinklr to breach the data confidentiality.

The Union of India (UOI) emphasized that exclusive jurisdiction granted to the New York courts is unacceptable and that the State of Kerala should have resorted to competent Indian entities to maintain such 'sensitive medical data'. The UOI also expressed concerns about the confidentiality of the data and potential breach.

INTERIM ORDER

The division bench communicated its apprehensions regarding the proper protection of data and observed that the COVID-19 pandemic should not turn into a "data epidemic" at a later stage.

In view of the above, the court:
- directed the Kerala government to provide only anonymized data to Sprinklr and in future apprise and take specific consent from the citizens to the effect that their data so collected will likely be accessed by Sprinklr or any other third party;
- issued a peremptory order that any residual or secondary data available with Sprinklr shall be entrusted back to the Kerala government;
- injuncted Sprinklr from committing breach of the terms of confidentiality and from parting with the data so provided under the contract to any third party;
- directed that Sprinklr shall not deal with the data entrusted upon them in derogation of the confidentiality provisions set out in the contract and shall entrust back all the data so provided by the Kerala government as soon as Sprinklr's obligations under the contract is complete; and
- injuncted Sprinklr from advertising or representing to any third party regarding the data or using the name or logo of the Kerala Government, directly or indirectly, for any commercial benefit.
The Kerala High Court further observed that data confidentiality is about protecting data from unlawful, unauthorized and unintentional access and disclosure. Therefore, the authorizations to view, share and use data forms the hypostasis of all confidentiality requirements. The Kerala High Court also observed that the corner stone of managing data confidentiality is, to a large extent, determined by the control over access to it and the modus and manner in which it has been dealt with.

COMMENT

Amidst the unprecedented outbreak of COVID-19, humanity is witnessing a new world order in every domain. Data protection laws are still floating on uncertain waters in India and therefore, this interim order to take mandatory consent of COVID-19 affected citizens points towards the urgency of recognizing the data protection laws.

Further, the guidelines laid down by the Kerala High Court ensures that the Kerala Government is ably equipped to fight the pandemic. It would be interesting to see that in the absence of jurisdiction (to Indian Courts), how these guidelines are implemented and complied with by Sprinklr and whether such guidelines will actually help avoid the "data epidemic".

The content of this document do not necessarily reflect the views/position of Khaitan & Co but remain solely those of the author(s). For any further queries or follow up please contact Khaitan & Co at legalalerts@khaitanco.com