Kochi: In a significant relief to the Kerala government, the Kerala High Court on Wednesday closed a batch of writ petitions challenging the data confidentiality aspects of the State’s agreement with US-based data analytics firm Sprinklr Inc. for handling COVID-19–related data.

A Division Bench comprising Justice Soumen Sen and Justice Syam Kumar VM upheld the earlier directions issued by another Division Bench, observing that the exceptional circumstances created by the pandemic justified the State’s actions, even though certain procedural lapses were acknowledged.

“The question of sharing the data does not arise as the State has only used tools of Sprinklr for the purpose of identification of the COVID victims. On such consideration, we do not find reason to pass any further order. However, the order passed by the division bench on April 24, 2020 stands confirmed,” the Court orally ordered.

During the early stages of the COVID-19 outbreak, the Kerala government, through its Information Technology Department, entered into an agreement—facilitated by the Principal Secretary—for the use of Sprinklr’s data management tools.

The petitioners argued that sensitive personal data had been shared with a foreign entity without sufficient safeguards, exposing individuals to potential misuse. They further contended that the agreement weakened privacy protections and violated Article 299 of the Constitution, which governs contracts entered into by the government.

On April 24, 2020, a Division Bench headed by Justice Devan Ramachandran issued directions regulating data usage and prohibiting its sharing with third parties. These directions followed the State’s admission that greater care ought to have been exercised while finalising the agreement.

The petitioners also submitted that the agreement placed personal data within the reach of third parties and foreign jurisdictions, and that even in the absence of proven data theft, the risk of leakage justified compensation and a strong judicial message to the State. Reliance was placed on the Supreme Court’s ruling in KS Puttaswamy v. Union of India, emphasising that privacy violations cannot be retrospectively legitimised without legislative support.

The State countered that the agreement involved no financial liability and that the services were provided free of cost. It maintained that Sprinklr only supplied technological tools and that all data remained under the State’s control. The government also invoked the doctrine of necessity, stating that the pandemic required swift action, and pointed out that no instance of data theft or misuse had been reported. According to the State, the sole objective was to identify infected individuals and those requiring quarantine in the interest of public health.

While rejecting the State’s argument that Article 299 did not apply, the Court clarified that the provision covers all contracts entered into by the State, regardless of their nature. At the same time, it accepted that the agreement was executed under extraordinary and critical circumstances during a global health emergency.

“We are not accepting this submission as Article 299 clearly refers to all contracts and does not make any distinction between a contract, or ..any contract the State is involved in, selecting a particular person or agency to undertake a job of the sovereign. However, the State is able to justify its conduct having regard to the... and the Court is satisfied that the situation was such and critical for which an emergent step need to be taken by the State by applying the doctrine of necessity.” the court said.

The Court observed that the State’s actions were motivated by the urgent need to curb the spread of COVID-19 and safeguard public health. It noted that there was no material indicating any ulterior motive or misuse of data, and that the nature of the information collected had not led to complaints from affected individuals.

“In the instant case, we do not find that there is any ulterior motive involved or..on the part of the State to collect the data and share...However, it appears that Sprinklr has provided the tools for it and the data are all being stored by the State. In fact , it would have been more prudent to the State to share the data with the NIC as appears to have been suggested by the Assistant Solicitor General of India. ” Court observed.

Although the Court remarked that the State should have exercised greater caution and ideally explored alternatives such as the National Informatics Centre (NIC), it concluded that no further directions were necessary. Reiterating that the State had only used Sprinklr’s tools for identifying COVID-19 victims and that no data sharing had taken place, the Court confirmed the earlier directions and formally closed the writ petitions.
(With Live Law inputs)