Privacy, Data Protection and Retention
Google Spain SL v. Agencia Española de Protección de Datos
In Progress Expands Expression
Global Freedom of Expression is an academic initiative and therefore, we encourage you to share and republish excerpts of our content so long as they are not used for commercial purposes and you respect the following policy:
Attribution, copyright, and license information for media used by Global Freedom of Expression is available on our Credits page.
The Kerala High Court issued an interim order directing the implementation of safeguarding measures to protect the confidentiality of data collected on patients or persons susceptible to COVID-19. A set of five petitions were filed in relation to a contract entered into by the Government of Kerala with Sprinklr Inc., a USA based software company, for creating an online data platform for data analysis of medical/ health data in relation to COVID-19. The petitions claimed that the contract lacked any safeguard against the unauthorised exploitation of health data collected by Sprinklr, on behalf of the State of Kerala. The Court stressed the urgency under the current circumstances to protect to confidentiality of personal data in order to avoid a “data epidemic.” In light of those concerns, the Court directed the State to anonymise all the sensitive personal data thus far collected with respect to COVID-19 before transferring it to Sprinklr, or any third-party service provider. Further, any future collection of data must be based on principles of informed consent where every individual will be informed about the access of such data by third parties. The Court also prohibited Sprinklr from committing any act in breach of confidentiality of the data and directed Sprinklr to entrust all the residual COVID-19 related data back to the State government.
The Government of Kerala entered into a contract with Sprinklr Inc., a USA based software company (Contract). As per the Contract, Sprinklr Inc. was required to create an online digital software/ platform to process and analyse date pertaining to patients and persons susceptible to COVID-19, in the State of Kerala. Sprinklr undertook to provide its services to the State of Kerala on a gratuitous basis, for a six-month period. [para. 8 & 9]
A batch of five writ petitions were filed before the Kerala High Court challenging the breach of confidentiality of data collected pursuant to the above Contract. The petitioners argued that the Contract barely provided for any safeguard against the commercial and unauthorised exploitation of the data by Sprinklr. Further, the Contract barred the Government of Kerala from initiating any legal action against Sprinklr in India, in the event of breach of confidentiality or any other dispute. [para. 6] By tendering the exclusive jurisdiction to a foreign court (courts in New York, USA), the State of Kerala had incapacitated citizens from challenging any breach of confidentiality before courts in India. Further, the Contract was entered into by the Government of Kerala without complying with the applicable rules of procedure. It was non-compliant with the government contract norms stipulated under Article 299(1) of the Constitution of India. Further, accusations of corruption were also alleged against the State government. [para. 12]
The State of Kerala (State) submitted that in view of the sudden outbreak and rise in the number of COVID-19 cases, there was an urgent need to incorporate tracking and tracing mechanism to collect health related data. Government owned entities were technically unequipped to manage voluminous data. This compelled the State to requisition the assistance of Sprinklr, which had adequate infrastructure and capacity to manage COVID-19 data. [para. 8 & 9] On account of the urgency involved, the State executed a standard form contract with Sprinklr which granted exclusive jurisdiction to courts in New York, USA. The State further submitted that since data was currently retained in India, any breach of its confidentiality would be actionable in India. However, for any breach of terms of contract alone, courts in New York would have jurisdiction. [para 11] As per the terms of the contract, the confidentiality of the data was guaranteed and the State took full responsibility to protect the same. The technical norms and protectional systems employed on the Amazon Cloud Service, ensured that there could not have been any breach of the confidential data in the past. [para. 10]
The Union of India (Union) submitted that at the time of executing the contract, the State ought to have ensured that the citizens have recourse to proper legal remedy through courts in Kerala. The State’s acceptance of Sprinklr’s Standard Form of Contract was unacceptable to the Union. Further, the original Contract did not have sufficient safeguards for confidentiality. While supplementary agreements were executed subsequently, the integrity of the data collected in the past could not have been guaranteed. [para. 14] The Union also objected to the State approaching foreign entities such as Sprinklr for the critical data collection and analysis, when the same function could have been offered by the Union through its National Informatics Centre. It was submitted that while collecting the sensitive personal data from citizens, the State must ensure the essential principles of minimisation of data for the limited purpose, localisation of data in India, anonymisation of data before transferring to third party service providers and ultimately purge the data after completion of the purpose. [para. 16]
In response to the above, the State submitted that it would approach the Union to obtain assistance from the latter’s National Informatics Centre to substitute the services of Sprinklr, after completion of the Contract tenure of six months. Further, the State also submitted that it would anonymise all the data before providing access to Sprinklr. [para 17 & 18]
A division bench of the Court consisting of Devan Ramachandran, J and T. R. Ravi, J passed an interim order on the first date of hearing on April 24, 2020. The order of the Court singularly aimed to ensure that there is no ‘data epidemic’ after the containment of COVID-19 epidemic. [para. 23] The Court began by delineating that data confidentiality ultimately includes protection of the data from unlawful, unauthorised and unintentional access and disclosure. Hence, the authorisations to view, share and use data formed the underlying principle of all confidentiality requirements. In view of this, the imperative criteria for data disclosure, handling/ processing of data and safeguards to protect confidentiality were of utmost importance. [para. 2 – 4]
The Court held that the Petitioner’s allegations required a comprehensive assessment of all factors, which was only possible after providing a reasonable opportunity to Respondents to complete the pleadings. The Court was cautious in issuing an order so that the effort of the State of Kerala in addressing the public health emergency was not impinged. [para. 20 & 21] Therefore, the Court confined its order solely to the issue of data confidentiality.
The Court opined that the terms of the Contract could not effectively protect against a breach of confidentiality of data. Accordingly, by way of the interim order, it issued the following safeguarding measures with an aim to protect confidentiality of data collected with respect to the COVID-19 pandemic [para. 24]:
The Court will consider the matter on May 18, 2020 and issue further directions.
Decision Direction indicates whether the decision expands or contracts expression based on an analysis of the case.
The judgment is extra-ordinary as it recognises certain globally accepted principles of data protection. While India is still debating to create a legislation that would create a robust data protection mechanism, the order of the Court is based on recognised principles of data protection such as ‘data minimisation’, ‘data anonymisation’, ‘data purging’ and ‘informed consent.’ With the increasing number of COVID-19 cases globally, governments are rampantly collecting health related sensitive personal data from citizens. The rise in use of contact tracing applications and surveillance mechanism is encroaching upon the right of confidentiality of data, which ultimately devalues the right of privacy. By way of the interim order, the Court has rightly juxtaposed the right of the government to implement measures to fight COVID-19 pandemic by balancing it with individual’s right of confidentiality of sensitive personal data/ privacy. The importance of the order cannot be undermined as it has tested the acts of the State on the anvil of legality, legitimacy and proportionality, to ultimately conclude that the State can collect data only after obtaining informed consent from individuals. As rightfully noted by the Court, acts of the state in ‘controlling Covid-19 pandemic cannot lead to a data epidemic.’
Global Perspective demonstrates how the court’s decision was influenced by standards from one or many regions.
Case significance refers to how influential the case is and how its significance changes over time.
The decision establishes a binding precedent for single bench of the High Court of Kerala and all lower courts in the State of Kerala. It has a persuasive precedent for all other courts. As this is an interim order, the precedential value of the present will depend on the final outcome of the High Court.
Let us know if you notice errors or if the case analysis needs revision.