Bench upholds earlier 2020 directions, rules pandemic emergency justified State’s actions while noting procedural lapses; petitions challenging data confidentiality dropped.
The Kerala High Court on 28 January 2026 closed a batch of writ petitions challenging the State government’s 2020 agreement with US-based data analytics firm Sprinklr Inc. for managing COVID-19-related data. The court said there was no material to show that sensitive data had been shared with the foreign entity, and confirmed its earlier interim directions to safeguard data confidentiality.
The verdict was delivered by a Division Bench of Chief Justice Soumen Sen and Justice Syam Kumar V M in Balu Gopalakrishnan v. State of Kerala & Ors. (WP(C) 9498/2020 and connected matters). Petitioners had contended that the agreement exposed personal health data to potential misuse without adequate safeguards.
Background of the Sprinklr Agreement
During the early stages of the COVID-19 pandemic, the Kerala government, through its IT Department and facilitated by the Principal Secretary, entered into an agreement with Sprinklr Inc. to use its data management tools for processing COVID-19 case information. The deal drew legal challenges alleging that the State shared sensitive personal data with an overseas private company without consent or sufficient protection, thereby violating privacy rights and constitutional norms governing government contracts.
Petitioners argued that the agreement diluted privacy protections and failed to comply with Article 299 of the Constitution, which prescribes procedures for government contracts, and relied on the Supreme Court’s K.S. Puttaswamy v. Union of India judgment on the right to privacy.
Earlier Interim Directions
In April 2020, a Division Bench led by Justice Devan Ramachandran had issued detailed interim directions regulating the collection, use, and storage of COVID-19 data and restricting sharing with third parties. The April 2020 order had been passed after the State conceded that greater caution should have been exercised in entering the Sprinklr agreement.
Those directions included measures to ensure that the use of Sprinklr’s tools did not result in uncontrolled access to or leakage of personal health information. Following the order, the government maintained that it had stored data exclusively and that Sprinklr provided analytical tools without accessing or controlling the data itself.
Contents of the Current Orders
On Wednesday, the Division Bench noted that:
- The issue of sharing data with third parties did not arise, as Sprinklr had merely provided analytical tools while the State retained control and custody of the data.
- There was no evidence of data theft or misuse having occurred during the engagement with Sprinklr.
- No material suggested any ulterior motive or malafide intent on the part of the State in awarding the contract.
While acknowledging that procedural prudence should have been exercised, the Bench said that the extraordinary circumstances of the pandemic and the imperative to protect public health justified the government’s actions. It confirmed the interim directives dated 24 April 2020 and held that no further orders were necessary.
The court also observed that alternative mechanisms, such as use of the National Informatics Centre (NIC), might have been more prudent, yet concluded that the absence of any reported breach or misuse weighed in favour of closing the petitions.
State’s Contentions
The State, represented in court, argued that:
- The Sprinklr tools were provided at no financial cost and did not involve transfer of data control.
- The pandemic’s exigency necessitated swift action to handle large volumes of COVID-19 data, and the agreement was executed in good faith to support public health objectives.
- All data was stored on servers approved under governmental standards, and Sprinklr was barred from any use beyond data management.
The petitioners had maintained that consent from individuals was not adequately obtained and that storing data on foreign servers could expose it to foreign jurisdiction. However, the court found that those concerns did not materialise into actual data sharing or misuse.
Legal and Practical Implications
The High Court’s order clarifies that emergency responses during unprecedented public health crises, undertaken with state control over data, may not amount to a violation of privacy rights in the absence of evidence of misuse. It reinforces the principle that interim judicial directions concerning data protection frameworks must be respected, even as courts recognise the necessity of state action in emergencies.
The decision also underscores the scope of judicial oversight in matters where constitutional privacy guarantees intersect with urgent governance needs, particularly in the face of future public health emergencies or technological engagements.
The judgment adds clarity on the legal treatment of government contracts involving data analytics tools during emergencies, the interpretation of data sharing versus tool usage, and the boundaries of privacy concerns when state control is retained and no misuse is shown.


