Kerala HC Restrains Sprinklr From Breaching Data Confidentiality; Govt Directed To Anonymize Data & Take Informed Consent [Read Order]

The High Court of Kerala on Friday passed a slew of directions to address the concerns of data confidentiality over the controversial Sprinklr deal to process data related to COVID-19 cases in Kerala.

A bench comprising Justices Devan Ramachandran and T R Ravi passed the directions after a four hour long hearing held through videoconferencing via Zoom.

The following are the directions in the interim order:

1. Govt of Kerala directed to anonymize all data that have been collected and collated so far, and allow Sprinklr to access data only after such anonymization is completed.
2. Sprinklr restrained from committing any act which will be in breach of confidentiality of data entrusted with them by Kerala Govt under the impugned contract.
3. Sprinklr shall not directly or indirectly deal with the data entrusted to them by the Kerala Govt in conflict with the confidentiality clauses in the contract, and will return the data as soon as their contractual obligations are over. They should not disclose or part with the entrusted data to any third party entity.
4. Sprinklr injuncted from advertising or representing to any third party that they have access to data relating to COVID-19 cases.
5. Sprinklr restrained from exploiting directly or indirectly any data entrusted with it for commercial purposes.
6. Sprinklr further injuncted from using the name or logo of Government of Kerala for its promotional acts.
   
7. Government has to take informed consent from individuals that their data will be processed by a third party foreign company.

Taking note of the submission made by the State Government that Sprinklr has already transferred all data with it to the control of the Government, the bench directed that any residual or secondary data with Sprinklr shall be immediately deleted.

The Court also recorded the statement of K Ravindranath, Additional Advocate General, that the State Government has no objection in approaching the Central Government for availing the services of central agencies for substituting the services of Sprinklr Inc. 

The case will be next listed after three weeks.

The bench orally expressed reservations over many aspects of the deal and said that it was refraining from interference at the present moment so as not to upset the COVID-19 control measures adopted by the State.

"State has taken the view that without Sprinklr they cannot fight COVID-19. So we do not want to interfere now. That will be interpreted as Court interfering with COVID-19 control measures", J Devan Ramachandran orally observed.

He added: 

"We have many serious reservations about statement filed by the State. We do not know how the company was selected and what are their credentials. Normally, we would have interfered. But we do not want to interfere with COVID-19 battle. So, a balance has to be drawn" 

The Court also observed that it was amazed that the law department was not consulted before finalizing the Sprinklr deal despite several legal issues in it.

"What is worrying is that the IT Secretary took a decision without consulting the law department even though many legal issues were involved. Merely because there is an emergency, you cannot create more problems. The cure cannot be worse than the problem",  Justice Devan Ramachandran, heading the bench, observed.

Not impressed with the government stand that law department sanction was not necessary as per rules of procedure for purchase orders costing less than Rupees 15,000, Justice Devan Ramachandran remarked :"We are amazed by your statement".

"If there is a breach, costs will be unimaginable. Can a head of department enter into a contract on his own under Article 299? This is throwing up a lot of legal issues, and no law dept sanction was taken!", the judge remarked.

The bench, also comprising Justice T R Ravi, was hearing a bunch of petitions challenging the IT contract between the Government of Kerala and US-based tech company Sprinklr Inc for analyzing and processing data of COVID-19 patients.

Before putting questions to the State, the bench remarked that it was not against the government at present but wanted to get clarifications on many points of concern.

"Today's proceedings are not incriminatory or recriminatory. That is, we are not finding fault with you or blaming you. Court is fully with you in fight against COVID. But, we are concerned about data security", Justice Devan said.

The bench said that the the statement by the government that a standard form of contract was accepted is "worrying".

The State Government roped in the services of Mumbai-based cyber lawyer Advocate N S Nappinai to explain the aspects of the deal to the bench. She submitted that the concerns over data confidentiality are baseless. She highlighted that data was under the control of the State Government. The Master Service Agreement has clauses clearly defining the purpose of data collection, and prohibits Sprinklr from using the data for other purposes. There is no question of Sprinklr using the data in future. The agreement is for six months. There is no question of retention of data after the period of the agreement, she added.

Also, since the data is residing in India, the company will be exposed to criminal action under the Information Technology Act 2000 for any breach, regardless of the foreign jurisdiction clause.

When the bench asked about the credentials of Sprinklr, Nappinai submitted that they have a proven track record in the field, and referred to the fact that they were providing dashboard services to World Health Organization.

Not buying that submission,  Justice Devan remarked "We are aware of the difference between dashboard services and SaaS. Anybody can do that. A dashboard person cannot operate SaaS".

The judge also asked if it was necessary to use "Big Data Tools" as the present numbers of COVID-19 cases in Kerala have reduced now. 

He said that data of 5 lakh persons will not be 'Big Data'. "Everyone knows that", the judge said.

Nappania commented that what is 'big data' is a matter of perception.

The bench also thoroughly quizzed the Additional Advocate General about the credentials of Sprinklr.

"Why were the credentials of Sprinklr not given in Statement?", Justice Devan asked.

Referring to the statement filed by the Government, the AAG submitted that in 2018 there was a global conclave, and there were deliberations with Sprinklr since then.

"Are you saying that in that conclave only Sprinklr was there and no other company. Why this company particularly?", Justice Devan asked.

The bench also expressed incredulity over the state stance that there was no time to enter into legal consultation and routine protocols due to the emergency situation.

The bench also took note of the stand of the Central Government that its agencies are capable of providing the same services as Sprinklr.

Central Govt submitted that the lack of law department sanction is a matter of concern.

Surrender of jurisdiction to New York will cause prejudice to the individuals. It is not correct to say that citizens will have remedy in India, said ASG P Vijayakumar.

Click Here To Download Order

[Read Order]