Kerala High Court Closes Pleas Against Sprinklr Deal, Says There Was No Data Sharing By State
The Kerala High Court on Wednesday (28 January) closed a batch of writ petitions which questioned the data confidentiality of the State government's agreement with US-based data analytics firm Sprinklr Inc. for managing COVID-19 related data.
The division bench comprising Justice Soumen Sen and Justice Syam Kumar V M, confirmed the earlier directions issued by a division bench of the Court and held that the extraordinary circumstances of the pandemic justified the State's actions, though procedural lapses were noted.
“The question of sharing the data does not arise as the State has only used tools of Sprinklr for the purpose of identification of the COVID Victims. On such consideration, we do not find reason to pass any further order. However, the order passed by the division bench on 24 April 2020 stands confirmed.” the Court orally ordered.
During the initial phase of the COVID-19 outbreak, the Government of Kerala, through its Information Technology Department, entered into an agreement facilitated by the Principal Secretary for the use of Sprinklr's data management tools.
The petitioners contended that sensitive personal data was shared with an overseas entity without adequate safeguards, thereby exposing individuals to the risk of data misuse.
It was also contended that the agreement diluted privacy protections and failed to comply with Article 299 of the Constitution, which governs government contracts.
Earlier, a Division Bench led by Justice Devan Ramachandran, by an order dated 24 April 2020, had issued detailed directions regulating the use of data and restricting any sharing with third parties. Those directions were passed after the State conceded that greater prudence should have been exercised while entering into the agreement.
The petitioners argued that the agreement exposed personal data to third parties and foreign jurisdiction. It was also argued that even in the absence of proven data theft, the possibility of the data leakage warranted compensation and a strong message to the State.
Reliance was also placed on the Supreme Court's decision in K.S. Puttaswamy v. Union of India, stressing that privacy violations cannot be retrospectively validated without legislative backing.
The State, however, maintained that the agreement did not involve any financial liability and the services were rendered free of cost. It was also submitted that Sprinklr merely provided technological tools, while the data remained with the State.
The State further submitted that the situation of a pandemic demanded immediate action, invoking the doctrine of necessity. It was also brought to the notice that no instance of data theft or misuse had been reported.
The State submitted that it was solely aimed at identifying infected persons and those requiring quarantine, in the interest of public health.
Rejecting the State's contention that Article 299 was inapplicable, the Court observed that the provision applies to all contracts entered into by the State, irrespective of their nature. However, it accepted the justification that the agreement was executed under unprecedented and critical circumstances during a global pandemic.
“We are not accepting this submission as Article 299 clearly refers to all contracts and does not make any distinction between a contract, or ..any contract the State is involved in, selecting a particular person or agency to undertake a job of the sovereign. However, the State is able to justify its conduct having regard to the... and the Court is satisfied that the situation was such and critical for which an emergent step need to be taken by the State by applying the doctrine of necessity.” the court said.
The Court noted that the State's actions were driven by the need to prevent the spread of COVID-19 and protect public health.
The Court further observed that there was no material to suggest any ulterior motive or misuse of data. It was also noted that the nature of information collected did not attract complaints from affected individuals.
“In the instant case, we do not find that there is any ulterior motive involved or..on the part of the State to collect the data and share...However, it appears that Sprinklr has provided the tools for it and the data are all being stored by the State. In fact , it would have been more prudent to the State to share the data with the NIC as appears to have been suggested by the Assistant Solicitor General of India. ” Court observed.
While observing that the State should have exercised greater caution and ideally explored alternatives such as the National Informatics Centre (NIC), the Court concluded that no further orders were warranted.
It was also observed that the question of sharing the data does not arise as the State has only used tools of Sprinklr for the purpose of identification of the COVID Victims.
It thus confirmed the directions issued by the Division Bench on 24 April 2020 and closed the writ petitions.
Case Title: Balu Gopalakrishnan v State of Kerala and Ors. and connected matters
Case No: WP(C) 9498/ 2020 and connected cases
Citation: 2026 LiveLaw (Ker) 51
Counsel for Petitioners: Jayakar K S, Krishnadas P Nair, K L Sreekala, Haridas P Nair, M A Vinod, Mathew A Kuzhalnadan, K R Arun Krishnan, Sudeep Aravind Panicker, T Asafali, Laliza T Y, Sandhya Raju, Krishna Prasad N, T Ramprasad Unni, J S Ajithkumar, S MPrasanth, G Renjith, Aswini Sankar R S, T H Aravind, Nisha George
Counsel for Respondents: Gopalakrishna Kurup (AG), K K Ravindranath (Addl. AG), V Manu, P Narayanan (Sr. GP), S Kannan (Sr. GP), Sunil Sanker, Vidya Ganagadharan, N Manoj Kumar (State Attorney), Jaisankar V Nair (Senior Panel Counsel)