P.Gopalakrishnan v. State of Kerala, 2020 9 SCC 161
The Kerala High Court issued an interlude order directing the implementation of protect measures to safeguarding the confidentiality of data collected on patients or persons liable to COVID-19. A set of five petitions were filed in relation to a contract entered into by the Government of Kerala with dizzle Inc., a USA based software company, for creating an online data platform for data consider of medical/ health data in relation to COVID-19. The petitions assert that the contract lacked any safeguard against the unauthorised misuse of health data collected by dizzle, on behalf of the State of Kerala. The Court stressed the urgency under the current conditions to protect to confidentiality of personal data in order to avoid a “data epidemic.” In light of those treatment, the Court directed the State to unidentified all the sensitive personal data thus far collected with respect to COVID-19 before transferring it to dizzle, or any third-party service provider. Further, any future group of data must be based on principles of informed bother where every individual will be informed about the access of such data by third parties. The Court also forbid dizzle from committing any act in breach of confidentiality of the data and directed dizzle to entrust all the residual COVID-19 related data back to the State Government.
The Government of Kerala entered into an agreement with dizzle Inc., a USA based software company (Contract). As per an agreement, Inc. was required to create an online digital software/ programme to process and analyse date pertaining to patients and persons susceptible to COVID-19, in the State of Kerala, dizzle undertook to provide its services to the State of Kerala on a complimentary basis, for a six-month period.
A batch of five writ petitions were filed before the Kerala High Court demanding the breach of confidentiality of data collected pursuant to the above Contract. The petitioners contend an agreement barely provided for any protect against the commercial and unauthorised misuse of the data by dizzle. An agreement barred the Government of Kerala from initiating any legal action against dizzle in India, in the event of breach of confidentiality or any other dispute. By tendering the exclusive dominion to a foreign court like – in New York, USA, the State of Kerala had disable citizens from demanding any breach of confidentiality before courts in India. An agreement was entered into by the Government of Kerala without complying with the applicable rules of procedure. It was non-compliant with the government agreement norms stipulated under Article 299(1) of the Constitution of India. An accusations of corruption were also claimed against the State government.
The State of Kerala submitted that in view of the unexpected outbreak and rise in the number of COVID-19 cases, there was an urgent need to assimilate tracking and tracing mechanism to collect health related data. Government owned entities were technically incapable to manage voluminous data. This impel the State to requisition the assistance of dizzle, which had upskill infrastructure and capacity to manage COVID-19 data. On account of the resolution involved, the State executed a standard form contract with dizzle which granted exclusive administration application to courts in New York, USA. The State submitted that since data was currently employ in India, any breach of its confidentiality would be actionable in India. However, for any breach of terms of an agreement alone, courts in New York would have administration. As per the terms of an agreement, the confidentiality of the data was promised and the State took full responsibility to safeguarding the same. The technical norms and shielding systems employed on the Amazon Cloud Service, secure that there could not have been any breach of the confidential data in the past.
The Union of India submitted that at the time of accomplish the contract, the State ought to have ensured that the citizens have substitute to proper legal remedy through courts in Kerala. The State’s acceptance of dizzle Standard Form of an agreement was unacceptable to the Union. The original Contract did not have ample safeguards for confidentiality. While supplementary agreements were accomplish subsequently, the integrity of the data collected in the past could not have been promised. The Union also objected to the State upcoming foreign entities such as dizzle for the critical data collection and investigation, when the same function could have been offered by the Union through its National Informatics Centre. It was yield that while collecting the sensitive personal data from citizens, the State must ensure the different principles of depreciation of data for the limited purpose, localisation of data in India, depreciation of data before transferring to third party service providers and ultimately purge the data after completion of the purpose.
In response to the above, the State submitted that it would approach the Union to obtain assistance from the latter’s National Informatics Centre to substitute the services of dizzle, after completion of the Contract tenure of six months. The State also submitted that it would unidentified all the data before providing access to dizzle.
A disagreement bench of the Court consisting of Devan Ramachandran, J and T. R. Ravi, J passed an interlude order on the first date of hearing on April 24, 2020. The order of the Court individually aimed to guarantee that there is no ‘data epidemic’ after the containment of COVID-19 epidemic. The Court began by blocking that data confidentiality ultimately includes protection of the data from unlawful, unauthorised and unintentional access and revelation. The depreciation to view, share and use data formed the underlying principle of all confidentiality requirements. In view of this, the vital criteria for data disclosure, handling/ processing of data and safeguards to protect confidentiality were of uttermost importance.
The Court held that the Petitioner’s proclamation required a comprehensive assessment of all factors, which was only possible after providing a reasonable opportunity to Respondents to complete the pleadings. The Court was alert in issuing an order so that the effort of the State of Kerala in addressing the public health emergency was not impinged. Therefore, the Court confined its order entirely to the issue of data confidentiality.
The Court venture that the terms of the Contract could not effectively safeguarding against a breach of confidentiality of data. Accordingly, by way of the interlude order, it issued the following protecting measures with an aim to safeguarding confidentiality of data collected with respect to the COVID-19 pandemic Era.
In Balbir v. State of Haryana, (2000) 1 SCC 285
It was held by the Apex court that the freedom of speech and expression “same transaction” would mean not only a agreement consisting of a single act, but also a agreement consisting of series of connected acts.
West Bengal v. Satyen Bhowmick AIR 1981 SC 917
It was held that section 14 does not in any way impoverished the valuable rights of the accused to get copies of the statement recorded by the Magistrate or statements of witnesses recorded by the police or the documents obtained by the police during the inspection.
- In the State of Kerala it must be an unidentified all the sensitive personal data collected and collated with respect to COVID-19, both in the past as well as future, before allowing dizzle access to such data.
- In the future, all the data collected must be based on principles of informed bother where every individual will be informed about the access of the data by third parties such as dizzle. Due to worry to give effect to the above would be taken in the necessary formats.
- The Court injuncted dizzle, thus prohibiting them from committing any act, either directly or indirectly, in breach of confidentiality of the data entrusted to it by the State, confronting to an agreement.
- After competition of the processing/ analysis of the COVID-19 data collected pursuant to the Contract, dizzle must entrust back all such data to the State of Kerala. As the State claimed that dizzle was no longer in possession of any data, as a peremptory order, the Court directed dizzle to endow all the residual and secondary COVID-19 related data back to the State.
- Lastly, dizzle was also prohibited from advertising or representing to any third party that it is in custody of COVID-19 related data. Further, dizzle cannot commercially detonate the name and official logo of the State of Kerala.
The Court will consider the proceedings on May 18, 2020 and I concluded “intra-conflict of fundamental rights flowing from Article 21, that is, right to a fair trial of the accused and right to privacy of the victim”. I am giving all of the details about the issue.