Kerala HC pulls up state govt on privacy issues concerning use of app for gathering COVID-19 data

The Kerala High Court on Tuesday directed the state government to inform the Court on the steps taken to ensure that the confidentiality of the sensitive medical information shared with New York-based software company Sprinklr, which has been engaged by the Kerala Government to manage the COVID-19 data of persons under quarantine in the state, reported legal news website BarandBench.com.

The court was dealing with a petition filed citing data privacy concerns in sharing such sensitive information with a private entity,

Appearing for the petitioner, advocate Jaykar KS on Tuesday told the Court that the data is collected by Asha workers on mobile applications, and that the information so pooled is sent to the servers of Sprinklr, which is a private entity.

He argued that such information is being sent to Sprinklr without taking any consent from the donor/person giving information. He submitted that the data of around 1.5 billion people in the State has been so collected, and that this information would constitute sensitive medical data.

He added that the issue would not have arisen if the data was stored on a government server, and thereafter shared with Sprinklr for managing it. In such a scenario, unauthorised replication of the data was unlikely, he pointed out. "Why don't we keep the data with us (on Government servers)?" he queried.

While rebutting the petitioner's submissions, the state counsel began by remarking that the data collected is not as sensitive as the petitioner made it out to be.

However, this drew a sharp response from the Bench, which made it clear that such submissions would not be accepted. The court orally emphasised, “That is a dangerous submission. The medical data is certainly covered... (as sensitive data)..."

The Bench proceeded to opine that the plea raised a serious issue of whether the data collected by the private entity would be kept confidential.

Emphasising that it is not taking away any credit from the Kerala Government in controlling COVID-19, the Court asked, "How do you guarantee that the data collected remains confidential in the hands of the third respondent (Sprinklr)?"

In a later part of the hearing, the Court also opined, "We do not want you (State) to upload data unless you can tell us that data is confidential from the third Respondent (Sprinklr) also. We cannot accept submission that the data collected is not sensitive. If the Kerala Government thinks that the informaton is not sensitive, something is amiss..."

The court also queried after the need for engaging Sprinklr, being a Software as a Service (SAAS), given that such cloud computing

platforms are generally only required when there is voluminous data to handle.

"But Kerala does not have that kind of numbers now", the Bench observed, adding that, "What is the purpose of requiring a third party server at this time? Why do you require an SAAS, when the numbers are so low?"

The Bench proceeded to clarify, "We are only concerned with data remaining confidential. How will you guarantee us that? Every day you are putting in information...," reported BarandBench.com.

The court thereafter directed the state to obtain instructions and respond later in the day itself on how the confidentiality of the data uploaded would be maintained.

When the matter was taken up again, state counsel S Kannan told the court that there is a large amount of data being handled, which required the engagement of the SAAS.

In this regard, he submitted that around 80 lakh people were being screened, and that it was partly because of such data management that the State was able to control the spread of COVID-19 in Kerala.

Inter alia, it was also submitted that the data is stored in Amazon servers, and that such servers have been given the approval of the Indian government for such use. He added that Sprinklr is used to analyse the data, and that the private entity is barred from using the data for any other purpose.

The High Court was, however, not convinced by these submissions. Notably, the Court was critical over the fact that Kerala appeared to have

agreed to New York being the jurisdictional venue in case any disputes arose between the government and Sprinklr.

Justice Devan Ramachandran orally queried as to how a citizen was expected to proceed in case there was any breach of personal/sensitive information collected from him i.e. whether such a person would be allowed to sue the Kerala Government.

As the hearings wrapped up, Justice TR Ravi also recounted having seen an interview wherein it was stated that the Sprinklr contract had not even been sent to the State's legal department before it was entered into by the State.

The court proceeded to direct the state to file a response on these issues and other queries concerning the confidentiality of the shared information, emphasising that these concerns must be taken seriously.

"We do not want the COVID epidemic to be substituted by a data epidemic," the court said.

Central government counsel Jaishankar V Nair also told the Court that he would put on record the stance of the Centre that it would prefer that the Kerala Government keep the data collected on Governmet servers.

Further, advocate Mathews J Nedumpara also briefly interjected to inform the court that he would address the criminal aspects on the issue during the next hearing.

The matter has been posted to be taken up next on April 24.