COVID19 A probe into the Indian Data Protection Laws
INTRODUCTION
The division bench of Kerala High Court comprising of Hon’ble Mr Justice Devan Ramachandran and Hon’ble Mr Justice T R Ravi passed an interim order on 24 April 2020 in the matter of Balu Gopalakrishnan & Anr. v. State of Kerala & Ors. expressing its reservations towards the foreign jurisdiction clause in an information technology contract between the state of Kerala and Sprinklr, a data analysis company. The High Court also directed the Kerala government to take prior consent from the citizens apprising them that their data will be processed by a third-party foreign entity.
FACTUAL BACKGROUND
The Kerala government entered into contract with Sprinklr Inc. (Sprinklr) to access an online digital software to process and analyse the data of patients and those vulnerable and susceptible to COVID-19 in Kerala. Due to the urgency at the time of execution of the contract, a “standard form contract” was executed between the parties.
ISSUE FOR CONSIDERATION BEFORE THE HIGH COURT
Whether there are enough safeguards to ensure confidentiality of the data collected and how would the data be dealt with after processing/analysis?
MAIN ARGUMENTS RAISED BY THE PARTIES
Ø |
The petitioners alleged that: (i) the contract barely has any safeguards against the commercial and unauthorised exploitation of data entrusted towards Sprinklr; and (ii) in case of any breach by Sprinklr, the Kerala government will have no legal recourse before the courts in India since the contract grants exclusive jurisdiction to the court of New York. The petitioners also submitted that the contract is violates Article 299 (1) of the Constitution of India. |
Ø |
The Kerala government submitted that the contract was executed in order to overcome the “worst case projections” and the possibility of sudden spike in cases due to the outbreak of COVID-19. The Kerala government anticipated that tracking and tracing of citizens would be necessary with the assistance of a scalable information technology system and the available in-house technology was not well-equipped. The Information Technology Department of the government supported these contentions and asserted that the protection systems on Amazon Cloud Service makes it impossible for anyone including Sprinklr to breach the data confidentiality. |
Ø |
The Union of India (UOI) emphasized that exclusive jurisdiction granted to the New York courts is unacceptable and that the State of Kerala should have resorted to competent Indian entities to maintain such ‘sensitive medical data’. The UOI also expressed concerns about the confidentiality of the data and potential breach. |
INTERIM ORDER
The division bench communicated its apprehensiveness regarding the proper protection of data and observed that the COVID-19 pandemic should not turn into a ‘data epidemic’ at a later stage.
Ø |
In view of the above, the court: |
|
|
§ |
directed the Kerala government to provide only anonymised data to Sprinklr and apprise the citizens that the data so collected from them will be accessed by Sprinklr or any other third party; |
|
§ |
issued a peremptory order that any residual data available with Sprinklr shall be entrusted back to the Kerala government; |
|
§ |
injuncted Sprinklr from committing breach of the terms of confidentiality and from parting with the data so provided under the contract to any third party; |
|
§ |
directed that Sprinklr shall not deal with the data entrusted upon them and shall entrust back all the data so provided by the Kerala government under the contract; and |
|
§ |
injuncted Sprinklr from advertising or representing to any third party regarding the data or using the name or logo of the Kerala Government in any kind of promotional activity. |
Ø |
The Kerala High Court further observed that data confidentiality is about protecting data from unlawful, unauthorised and unintentional access and disclosure. Therefore, the authorisations to view, share and use data forms the hypostasis of all confidentiality requirements. The Kerala High Court also observed that the corner stone of managing data confidentiality is to a large extent, determined by the control over access to it and the modus and manner, in which it has been dealt with. |
COMMENT
Amidst the unprecedented outbreak of COVID-19, humanity is witnessing a new world order in every domain. Data protection laws are still floating on uncertain waters in India and therefore, this interim order to take mandatory consent of COVID-19 affected citizens points towards the urgency of recognising the data protection laws.
Further, the guidelines laid down by the Kerala High Court ensures that the Kerala Government is ably equipped to fight the pandemic. It would be interesting to see that in the absence of jurisdiction (to Indian Courts), how these guidelines are implemented and complied with by Sprinklr and whether such guidelines will actually help avoid the “data epidemic”.
- Ajay Bhargava (Partner), Swati Jain (Associate), Raddhika Khanna (Associate) and Karan Gupta (Associate)
For any queries please contact: editors@khaitanco.com
We have updated our Privacy Policy, which provides details of how we process your personal data and apply security measures. We will continue to communicate with you based on the information available with us. You may choose to unsubscribe from our communications at any time by clicking here.
For private circulation only
The contents of this email are for informational purposes only and for the reader’s personal non-commercial use. The views expressed are not the professional views of Khaitan & Co and do not constitute legal advice. The contents are intended, but not guaranteed, to be correct, complete, or up to date. Khaitan & Co disclaims all liability to any person for any loss or damage caused by errors or omissions, whether arising from negligence, accident or any other cause.
© 2024 Khaitan & Co. All rights reserved.
Mumbai
One World Centre
10th, 13th & 14th Floor, Tower 1C
841 Senapati Bapat Marg
Mumbai 400 013, India
Mumbai
One Forbes
3rd & 4th Floors, No. 1
Dr. V. B. Gandhi Marg
Fort, Mumbai 400 001
Delhi NCR (New Delhi)
Ashoka Estate
11th Floor, 1105 & 1106,
24 Barakhamba Road,
New Delhi 110 001, India
Kolkata
Emerald House
1B Old Post Office Street
Kolkata 700 001, India
Bengaluru
Embassy Quest
3rd Floor
45/1 Magrath Road
Bengaluru 560 025, India
Delhi NCR (Noida)
Max Towers,
7th & 8th Floors,
Sector 16B, Noida
Uttar Pradesh 201 301, India
Chennai
8th Floor,
Briley One No.30
Ethiraj Salai
Egmore
Chennai 600 008, India
Singapore
Singapore Land Tower
50 Raffles Place, #34-02A
Singapore 048623
Pune
Raheja Woods
03-108-111, 3 Floor
8, Central Avenue, Kalyani Nagar
Pune - 411 006, India
Gurugram (Satellite Office)
Suite No. 660
Level 6, Wing B,
Two Horizon Center
Golf Course Road, DLF 5
Sector 43, Gurugram
Haryana 122 002, India
Ahmedabad
1506 - 1508, B-Blockr
Navratna Corporate Parkr
Iscon Ambli Road, Ahmedabadr
Gujarat - 380058