The High Court of Kerala on Tuesday sought explanation from the Kerala Government on the foreign jurisdiction clause in the IT contract with US-company Sprinklr, and also regarding the omission to seek sanction from the law department before finalizing the deal for processing data related to COVID-19 patients.
A bench comprising Justices Devan Ramachandran and T R Ravi directed the Government to file a statement by tomorrow, and posted the matter for further consideration on April 24.
During the hearing, the bench expressed concerns about the confidentiality of citizens' data processed by a third party, and also about the jurisdiction being kept as New York for adjudication of possible disputes.
"We are proud that Kerala has done well in controlling COVID-19. But we have also concerns about data confidentiality", Justice Devan Ramachandran observed.
"A citizen is not privy to the contract between Kerala Government and the company. If that company misuses the data, state government is responsible. If there is a breach tomorrow, the State Government will have to go to New York. We do not know why State of Kerala chose New York as the jurisdiction", Justice Devan continued.
Justice T R Ravi referred to the admission made by M Sivasankar, the Secretary of the Information Technology Department, in the TV channel interviews given on Saturday that the contract was finalized without seeking the sanction of the law department.
"We need an explanation on why the contract was not referred to the law department?", Justice Ravi asked.
"We do not want the COVID-19 pandemic to be substituted with a data pandemic", Justice Devan observed before the bench adjourned the hearing till April 24.
The bench added that it was not against the government at this time, and was only asking questions to clarify some things.
The bench also took exception to the initial submission made by Additional Advocate General K K Ravindranath that the data collected did not constitute "sensitive personal information".
The AAG was quick to correct the statement after Justice Devan remarked that it was a "dangerous submission".
"Data confidentiality in the present world is the most important. We cannot accept the submission that data is not 'sensitive information'. Health data is sensitive." Justice Devan remarked.
The judge also sought to know why the services of cloud platform are still being used even after the number of COVID-19 cases in Kerala have come down. He opined that cloud services are required only to handle huge voluminous data.
In response, the AAG submitted that around 80 lakhs persons are still being monitored. The AAG added that data was stored in the cloud server account of C-DIT in Amazon Web Services, which is approved by the Government of India for storing official data. The deal with the Sprinklr has all safeguards for data protection in accordance with the standard practices of 'Software as a Service(Saas)' models.
The Central Government, a respondent in the case, submitted that its policy is to use the government machinery to collect, store and process citizens' data as far as possible.
Unless you are able to guarantee us data confidentiality, the uploading of information to third party server will remain a problem : Justice Devan Ramachandran.#sprinklr #KeralaHC— Live Law (@LiveLawIndia) April 21, 2020
Unless you are able to guarantee us data confidentiality, the uploading of information to third party server will remain a problem : Justice Devan Ramachandran.#sprinklr #KeralaHC
The petition filed by one Balu Gopalakrishnan, a lawyer, alleged foul play in the decision of the Pinarayi Vijayan-government to choose the services a foreign-based private company for storing and analyzing COVID-19 data. The petitioner questioned the decision to entrust the job with a foreign company, overlooking state entities like the C-DIT and NIC.
Advocate Jaykar KS, appearing for the petitioner, submitted that data of citizens were collected without their informed consent, and was stored in a foreign server. According to the petitioner, more than 1.5 lakh sensitive medical information of the COVID -19 patients are with the company.
The petitioner highlighted that the company is facing litigation in cases in USA.
Citing the SC decision in K S Puttaswamy case, the petitioner argued that the agreement has resulted in the violation of right to privacy of individuals under Article 21 of the Constitution.
"The data which is aggregated and supplied to the 3rd Respondent(Sprinklr) is a valuable commodity in the data market which could fetch millions of dollars. So it is a question as to why it was done so. The 1st Respondent cannot feign ignorance to the above fact. It has the best of the IT minds in the country and advisors par excellence. The transfer of data was done by a State and not by any layman. It is a concerted decision taken collectively by a team of experts and not by a single individual, taking into consideration of all pros and cons of the action. So why?", the petitioner asks.
The petitioner has added the Union of India as a respondent in the case, and has stated that the decision to enter into a contract with a foreign company could not have been taken without the concurrence of the Central Government.
"The 2nd Respondent(Union) is the authority which should concur with such decisions of the State. It is a sad truth that the 2nd Respondent was never consulted before executing the alleged agreement and their concurrence was never sought for. The 1st Respondent feels that such important decisions which need the concurrence of the Union government can be given a go bye and decisions made by it will prevail", the plea stated
The petitioner argued that the agreement is in violation of the provisions of the Information Technology Act 2000.
"The Act provides for securing sensitive information and the manner in which it can be transmitted. The 1st Respondent, with all legal paraphernalia, entered into an illegal contract in a haphazard manner. The contract exposes the information of common laymen into the hands of a private entity. It was the bounden duty of the State to protect it's individuals, rather it chose to expose then to the vagaries of a 3rd party", the petitioner stated.
The petition sought to direct the State Government to sever the agreement with Sprinkler company and to appoint a government-IT company to store and analyze COVID-19 information.
The petitioner further sought a direction to the Central Government to conduct a forensic audit to bring out the "foul play" in the IT contract.
As an interim relief, the petitioner sought a direction to stop the uploading of COVID-19 information in the web servers of Sprinkler.
The agreement with Sprinklr has come a major political controversy in the State, with the opposition alleging grave irregularities in the contract.
M Sivasankar, the IT Secretary, appearing in media interviews on Saturday, explained that the agreement was entered in the backdrop of the public exigency created by the COVID-19 pandemic. He admitted that the opinion of legal department was not taken before the contract due to the emergency situation.Dismissing the allegations of data theft, the IT Secretary said that the State had ultimate control over the data, and that the company was only processing it to present the information in a structured form.