loader

Disclaimer

The Bar Council of India does not permit advertisement or solicitation by advocates in any form or manner. By accessing this website, www.khaitanco.com, you acknowledge and confirm that you are seeking information relating to Khaitan & Co of your own accord and that there has been no form of solicitation, advertisement or inducement by Khaitan & Co or its members. The content of this website is for informational purposes only and should not be interpreted as soliciting or advertisement. No material/information provided on this website should be construed as legal advice. Khaitan & Co shall not be liable for consequences of any action taken by relying on the material/information provided on this website. The contents of this website are the intellectual property of Khaitan & Co.

Please accept the above
Close

Search

See all results for ""

COVID19 A probe into the Indian Data Protection Laws

13-May-2020

INTRODUCTION

The division bench of Kerala High Court comprising of Hon’ble Mr Justice Devan Ramachandran and Hon’ble Mr Justice T R Ravi passed an interim order on 24 April 2020 in the matter of Balu Gopalakrishnan & Anr. v. State of Kerala & Ors.  expressing its reservations towards the foreign jurisdiction clause in an information technology contract between the state of Kerala and Sprinklr, a data analysis company. The High Court also directed the Kerala government to take prior consent from the citizens apprising them that their data will be processed by a third-party foreign entity.

FACTUAL BACKGROUND

The Kerala government entered into contract with Sprinklr Inc. (Sprinklr) to access an online digital software to process and analyse the data of patients and those vulnerable and susceptible to COVID-19 in Kerala. Due to the urgency at the time of execution of the contract, a “standard form contract” was executed between the parties.

ISSUE FOR CONSIDERATION BEFORE THE HIGH COURT

Whether there are enough safeguards to ensure confidentiality of the data collected and how would the data be dealt with after processing/analysis? 

MAIN ARGUMENTS RAISED BY THE PARTIES

Ø   

The petitioners alleged that: (i) the contract barely has any safeguards against the commercial and unauthorised exploitation of data entrusted towards Sprinklr;  and (ii) in case of any breach by Sprinklr, the Kerala government will have no legal recourse before the courts in India since the contract grants exclusive jurisdiction to the court of New York. The petitioners also submitted that the contract is violates Article 299 (1) of the Constitution of India.

Ø   

The Kerala government submitted that the contract was executed in order to overcome the “worst case projections” and the possibility of sudden spike in cases due to the outbreak of COVID-19. The Kerala government anticipated that tracking and tracing of citizens would be necessary with the assistance of a scalable information technology system and the available in-house technology was not well-equipped. The Information Technology Department of the government supported these contentions and asserted that the protection systems on Amazon Cloud Service makes it impossible for anyone including Sprinklr to breach the data confidentiality.

Ø   

The Union of India (UOI) emphasized that exclusive jurisdiction granted to the New York courts is unacceptable and that the State of Kerala should have resorted to competent Indian entities to maintain such ‘sensitive medical data’. The UOI also expressed concerns about the confidentiality of the data and potential breach.

INTERIM ORDER

The division bench communicated its apprehensiveness regarding the proper protection of data and observed that the COVID-19 pandemic should not turn into a ‘data epidemic’ at a later stage.

Ø   

In view of the above, the court:

 

§    

directed the Kerala government to provide only anonymised data to Sprinklr and apprise the citizens that the data so collected from them will be accessed by Sprinklr or any other third party;

 

§    

issued a peremptory order that any residual data available with Sprinklr shall be entrusted back to the Kerala government;

 

§    

injuncted Sprinklr from committing breach of the terms of confidentiality and from parting with the data so provided under the contract to any third party;

 

§    

directed that Sprinklr shall not deal with the data entrusted upon them and shall entrust back all the data so provided by the Kerala government under the contract; and

 

§    

injuncted Sprinklr from advertising or representing to any third party regarding the data or using the name or logo of the Kerala Government in any kind of promotional activity.

Ø   

The Kerala High Court further observed that data confidentiality is about protecting data from unlawful, unauthorised and unintentional access and disclosure. Therefore, the authorisations to view, share and use data forms the hypostasis of all confidentiality requirements. The Kerala High Court also observed that the corner stone of managing data confidentiality is to a large extent, determined by the control over access to it and the modus and manner, in which it has been dealt with.

COMMENT

Amidst the unprecedented outbreak of COVID-19, humanity is witnessing a new world order in every domain. Data protection laws are still floating on uncertain waters in India and therefore, this interim order to take mandatory consent of COVID-19 affected citizens points towards the urgency of recognising the data protection laws.

Further, the guidelines laid down by the Kerala High Court ensures that the Kerala Government is ably equipped to fight the pandemic. It would be interesting to see that in the absence of jurisdiction (to Indian Courts), how these guidelines are implemented and complied with by Sprinklr and whether such guidelines will actually help avoid the “data epidemic”.

-       Ajay Bhargava (Partner), Swati Jain (Associate), Raddhika Khanna (Associate) and Karan Gupta (Associate)

For any queries please contact: editors@khaitanco.com

Ajay Bhargava (partners)

We have updated our Privacy Policy, which provides details of how we process your personal data and apply security measures. We will continue to communicate with you based on the information available with us. You may choose to unsubscribe from our communications at any time by clicking here.

For private circulation only

The contents of this email are for informational purposes only and for the reader’s personal non-commercial use. The views expressed are not the professional views of Khaitan & Co and do not constitute legal advice. The contents are intended, but not guaranteed, to be correct, complete, or up to date. Khaitan & Co disclaims all liability to any person for any loss or damage caused by errors or omissions, whether arising from negligence, accident or any other cause.

© 2021 Khaitan & Co. All rights reserved.

Mumbai

One Forbes
3rd & 4th Floors, No. 1
Dr. V. B. Gandhi Marg
Fort, Mumbai 400 001

Chennai

119/65, First Floor
Dr Radhakrishnan Salai
Mylapore
Chennai 600 004,
India

Noida

Max Towers
7th & 8th Floors
Sector 16B, Noida
Gautam Buddh Nagar
201 301 India

Singapore

Ocean Financial Centre
#37-02 10 Collyer
37th Floor Quay
Raffles Place 049315,
Singapore