Kerala High Court

Sprinklr no longer has access to any COVID-19 data: Kerala Government tells Kerala High Court

"The only support which Sprinklr is providing is for any updating of the application... Even for the same, it is only limited technical access and there is no access to data", it is stated in the Government's affidavit.

Meera Emmanuel

In response to concerns raised in the Kerala High Court over the security of COVID-19 data with the involvement of US-based company Sprinklr in its management, the Kerala Government has informed the Court that all such data collected is now accessible exclusively by the State Government.

In this regard, the State has submitted that the data is stored only on Amazon Web Services cloud servers being managed by the Centre for Development of Imaging Technology (C-DIT).

In an affidavit filed earlier this week, the Government has stated that,

"... the complete application and data is being managed in the Amazon web Cloud Server instance of C-DIT and no employee of Sprinklr has any access to any data. The only support which Sprinklr is providing is for any updating of the application based on the functional requirements suggested by the State, if such occasion rises. Even for the same, it is only limited technical access to install and plug in to the software and there is no access to data."
Kerala Government

The Government has stated that while the C-DIT has an Amazon Web Services cloud account, it did not initially have the capacity to host the large volume of data expected to be collected. However, the C-DIT's Amazon cloud services account has now been upgraded and the COVID-19 data has been migrated to this space, it is stated.

The affidavit adds that even though Sprinklr's proposal had included free hosting services, the State Government has decided to keep the data in its own account, despite the additional cost involved.

Further, it is added that Sprinklr has created a separate instance of their application in the C-DIT Amazon Web Services Account. This means that the data collected is being processed only in the C-DIT instance using the Sprinklr application hosted therein, the Government has informed. Effectively, it is stated that,

"... the Government has now full and exclusive ownership of the data and for analysis of the data, the software of the third respondent, now available with the C-DIT, will be used. Hence, there is no transfer of data to third parties."
Kerala Government

It is also added that the data so collected is being stored in encrypted form.

Even prior to this, the Government asserts that right from the beginning, there was a conscious effort to limit the persons and kind of data being collected and that the agreements between Sprinklr and the State contained sufficient measures to guard against any breach.

In this regard, it is also stated that the contracts between Sprinklr and the Kerala Government contained sufficient safeguards to ensure that there is no possibility of any misuse or commercialisation of the data by Sprinklr.

However, these safeguards are no longer as relevant since all data access now rests with the State of Kerala alone, the affidavit notes.

Why was Sprinklr approached?

Sprinklr was engaged as there was a need for the support of a scalable Information Technology system/SaaS to collect and analyse large volumes of data, the affidavit goes on to state.

This issue had to be resolved in the shortest time possible, as time was of the essence in curbing the COVID-19 pandemic.

While this was the case, Government owned or controlled entities such as the C-DIT and the Information Technology Kerala Mission were not technically equipped to manage such a large volume of data, Kerala has submitted. Further, it is noted that the issuance of tenders for technical solutions would have consumed more time.

In this backdrop, the Kerala Government says that Sprinklr showed an interest in the early days of the pandemic in working with the Government. It is further stated that the company had experience and capability to process large volumes of data.

The association with the Kerala Government stemmed out of conclaves held in the area of technology after reaching out to the global Malayali diaspora, to attract investments for the State of Kerala. After a flagship event was held in 2018, several follow up meetings were also conducted. The Kerala Government came into contact with Sprinklr during these meetings, it is stated. The State goes on to emphasise,

"The offer by the third respondent (Sprinklr) was looked into and found reasonable (zero cost during COVID 19). It is submitted that the third respondent is also a pro bono partner of the World Health Organisation in developing its COVID -19 Update dash board. There was no other nexus or reason for engaging third Respondent, save and except for the circumstances set out above."
Kerala Government

The State also goes on to state that the functions being performed by the Sprinklr application are not something that can be managed by the State Government's institutions. As stated in the affidavit,

"None of the Government Institutions in Kerala are presently capable of doing big data analysis, particularly big data analytics with unstructured data or to offer solutions in the shortest possible time, that the (COVID-19) situation would demand."

Engagement of Sprinklr was not a single-handed decision

The Government has submitted that the decision to procure Sprinklr's SaaS application was taken based on clear consultation and scrutiny within the Electronics and Information Technology Department of the State.

A committee was also constituted for the process with concerned department heads and representatives of the Health Department, the Local Self Government Department and the State Disaster Management Authority.

"... the actions taken by the Principal Secretary, E&IT Department to sign the document and avail the SaaS application had sufficient scrutiny and consensus on technical and functional requirements being met."
Kerala Government

It is added, "The IT Support Team was formed within the Department to take forward the necessary interventions with regard to supporting COVID 19 control activities during lockdown period when the Department Sections were not in the fully functional mode."

Answering contentions that the decision to engage Sprinklr was made bypassing Law Department scrutiny, the Kerala Government highlights that Administrative Department heads are authorised to take decisions for procurement of goods or services where the cost is less than Rs 15,000.

In this case, Sprinklr has offered its application for free for a six-month period. Since the cost involved is zero, there was no need for the purchase to be scrutinised by the Law Department, the affidavit states. "Hence, this is not bypassing of Law Department, but it did not require any consideration with the said (Law) Department at all", it is stated.

Given this backdrop, it is also pointed out that there was neither any drafting or executing of an agreement involved nor any financial transaction done. Further, it is stated that the issue of a formal purchase order pertaining to a pro-bono service procurement is within the authority and responsibility of the administrative head of the department.

As such, the affidavit states that the contention that the action taken is bound by Articles 298, 299 and 300 of the Constitution (which pertain to drafting and execution of contracts) does not have any standing.

No scope for use of COVID-19 data collected once pandemic has subsided

Inter alia, the Kerala Government also argues that the concerns regarding the possible breach of COVID-19 data are misplaced for reasons connected to the kind of data collected itself.

In this regard, it is pointed out that five kinds of information have been collected which were necessary for managing the COVID-19 pandemic in Kerala, i.e.:

  1. Data related to international travellers;

  2. Data related to domestic travellers;

  3. Data related to health workers or people who have contact with patients;

  4. Vulnerable people data, either self-reported or reported by relatives;

  5. Data collected by field workers when they visited homes to observe people in quarantine.

The first four kinds of data are stated to have been collected through voluntary self-reporting, wherein the persons are argued to have been properly informed of how the data would be used for COVID-19 management purposes only.

The contention that persons submitting data online did not have a choice is patently incorrect and misleading, the State asserts. Further, this data is primarily being collected as part of efforts to detect and guard against community transmission of COVID-19.

The fifth kind of data, collected by field workers, is relevant to curb the spread of COVID-19 and to ensure that medical care reaches people most susceptible to the disease. The information was collected only for such limited purposes from people in isolation who had high vulnerability to COVID-19, it is stated. Further, it was collected physically, and is therefore not within the purview of the IT Act at the collection stage.

Pertinently, the Kerala Government highlights that the data collected is of no long-term applicability, but rather only for the purpose of analysis and action during the pandemic.

The affidavit notes that "... there is no need to retain the data for a very long period, not definitely much beyond the quarantine period." Further, it is noted that "The system has the capability to have the data purged/ destroyed at a specified time interval that can be prescribed."

"... the data collected was relevant and necessary and does not pose any threat to the privacy or security of the individual. The first respondent (State of Kerala) has however taken note of the inherent privacy rights and limited its actions to reasonable and necessary requirements."
Kerala Government

It is also added that the allegations of ration card and Aadhaar details being entrusted to Sprinklr are baseless.

Regarding venue of jurisdiction in case of data breach

It is stated that New York had been designated as the jurisdictional venue in case of disputes between Sprinklr and the Kerala Government as part of the standard form of contract.

However, it is submitted that this does not extend to the privacy policy, and further that the persons from whom the data is collected ('data principals') are not bound by the contract terms.

In any case, it is noted that the COVID-19 data lies in India on C-DIT servers and that "Any data breach or even apprehension thereof therefore pertains to occurrences in India."

As such, Indian criminal law and the Information Technology Act would apply, the State has said. In this regard, it is stated that if there are any breaches on the part of Sprinklr, being an "intermediary", it is open to both the data principals and the Indian Government authorities to initiate action in India as "a restriction on jurisdiction for civil action does not limit criminal or regulatory prosecutions or jurisdiction."

In view of these submissions, among others, the Government has also challenged the maintainability of the writ petitions filed on the issue, arguing that they have been moved based on "apprehensions, baseless and unfounded allegations, speculative conjectures and surmises and in some instances with vested interest."

Bar and Bench - Indian Legal news