KOCHI: Expressing concern over the confidentiality of people under surveillance for Covid-19, the Kerala High Court on Friday directed the Kerala government to anonymise the personal details of the individuals before allowing US-based company Sprinklr to access them.While admitting a batch of petitions, including those by Opposition leader Ramesh Chennithala and BJP state president K Surendran, a division bench comprising Justice Devan Ramachandran and Justice T R Ravi restrained Sprinklr from committing any act which will be directly or indirectly in breach of confidentiality of data entrusted with it as per the contract.
Sprinklr should return the data as soon as their contractual obligations are over, the court said.
The court orally asked the government: “Why is the Kerala state so dependent on Sprinklr?” and added, “It’s the state government’s duty to protect the collected data.” The court also asked the state to explore the Centre’s submission that the Union Ministry of Information and Technology is capable of providing service similar to that of Sprinklr if the state government made a request.
The bench held that the government should inform individuals that the data would be accessed by the third party -- that is Sprinklr -- and that the individuals’ specific consent should be obtained for the same. The court also restrained the company from using the name or logo of the Kerala government for its promotional activities. Any residual or secondary data with Sprinklr shall be immediately deleted, it said.
Data being stored in Mumbai, not abroad: Lawyer
“The state has taken the view that without Sprinklr it can’t combat Covid-19. So, we don’t want to interfere now. That’ll be interpreted as court interfering with Covid-19 control measures,” the court said.
The state government fielded Supreme Court lawyer N S Nappinai, an expert in cyber law, to justify its contract with Sprinklr and to explain the technicalities involved. The lawyer submitted that Sprinklr is not in possession of data as of now and all data has been transferred to the state. According to her, the data is stored in Amazon cloud in Mumbai and not abroad.
The company would not retain data beyond the period of the agreement. She also argued that as the data is being retained in India, criminal action could be initiated under the Information Technology Act 2000 for any breach.Meanwhile, when the state pointed out that Sprinklr is also a pro-bono participant with the World Health Organisation in developing its dashboard for providing Covid-19 updates, the bench observed that it is only a dashboard which anybody can do and is different from ‘SaaS’.
The court also asked, “How do you know the company will not commit a breach of contract in future?”
Assistant Solicitor General of India P Vijayakumar submitted that the sensitive personal data such as health data should not be shared with any third party service provider. In fact, the state should have anonymised the personal data before sharing it with third party service providers like in this case for a due cause. In fact, the National Informatics Centre could process and analyse big data if the state makes such a request, he argued. The court posted the hearing of the case after three weeks.