How the Kerala High Court set a model for dealing with data privacy
Additional info: Live Law report on the hearing
To those who might not have been following the developments in Kerala, the small southern state in India, this might be pretty new. To bring you up to speed: the Kerala government, with help from civil society and a well-informed public, had effectively flattened the curve and had the best recovery rates and one of the lowest mortality rates due to Covid-19 in India.
The issues began with the opposition raising concerns regarding a software service provider called Sprinklr (founded by a Keralite and based out of the USA), which was in contract with the government for the collection and analysis of data. The company was supposedly roped in to provide its SaaS-based big data systems, giving the government high-quality data analytics infrastructure to fight the disease with an edge.
The concerns soon turned into allegations and then exploded into a mass hysteria powered by the opposition parties. It did not help when the media joined in with their irresponsible journalism, smelling the blood of a possible scandal and the TRP ratings that come with it. What followed was an explosion of fake news, false allegations and extremely irresponsible action from a group of politicians and media.
special mention in this regard, as technical and scientific information was bent and distorted purposefully to mislead the people, including misinterpreting how a CDN works to make it look like the data was sent to US servers.
The allegations presented were along these lines:
1. The Kerala government sold health data of Kerala citizens to an American company.
2. The data was sent off to a US-based server.
3. The action violated privacy, a fundamental right guaranteed by the constitution of India.
4. The ruling party took a kickback payment for the data that was sent.
5. The data was being sold to the likes of Pfizer.
While technical experts and IT analysts, along with legal experts, tried their best to clarify the situation, the issue was catapulted into a messy, paranoia-spewing campaign against the ruling left government.
It went on till the 24th of April, when the Kerala High Court put a temporary halt on the matter while considering petitions against the Government which demanded a load of actions, from termination of the contract to use of another app.
In doing so the High Court of Kerala might have set a shining example of how to deal with issues concerning privacy. The court's action on this issue can be applauded for the balance it brought between privacy, technical competence and line of interference.
Privacy as a right
In August of 2017, the Supreme Court of India, in a unanimous nine-judge bench, ruled that privacy is a fundamental right guaranteed by the Indian constitution as an extension of the right to life in Article 21.
Like any other right, the right to privacy too needs to be protected and defended with every option at our hands, but it is also important for us to understand that it can't be an absolute right, just like the other forms of right.
For example, a home is where one can expect absolute privacy, and the government has no role interfering with what happens there. However, time has shown that the government needs to legislate on things like domestic violence, child sexual abuse and other factors to make sure that the state is doing its duty in protecting the rights of all.
Similarly, it is only fundamental that we understand and operate on the principle that while the right to privacy is one of the most important ones, it should not be extended to a level where it hampers the ability of the state to protect the rights of others involved.
This could not be more evident than in a public health emergency and in situations where the government needs to act with an intentional curb of certain rights to save lives. The government, the public and the judiciary need to work through such situations with caution to make sure the situation does not disrupt the balance of power between the public and the state, and that the strange situation is not misused by those in power to silence dissent and eliminate fundamental rights.
However, what is interesting about the case that came in front of the court was that it was not about privacy by itself but about the role of technology and its use by the state, and the possible violation of privacy by such an act.
The court's interim decisions in this regard showed how we need to strike a balance between privacy absoluteness and privacy absence, especially in a technically challenging situation.
Technology and privacy
In the world of technology-privacy arguments there are different groups of people and ideologies that are pushed for the public to choose from.
Centralism – These people believe the best technology and technology-driven capacity comes from centralizing and controlling the information flow and technology through either large corporations or governments. This is also a favorite among governments, as it gives them the thing that they crave the most: 'control'.
Bodies such as Facebook and Google have demonstrated through their actions that this might not be a good model in itself. It creates the chance of exploitation of data, surveillance capitalism, censoring of dissent, creation of information bubbles and unbalanced power in controlling the narrative.
This is one reason I run my own Mastodon service on my home page blaisemcrowly.com and use it as one of my primary locations for sharing things instead of relying on FB or others.
Decentralization – Make no mistake, this is the best model if you are considering privacy. The main example of such a model is the email that we use day in and day out. It gives us a way of communicating while allowing us all to use different servers or service providers (Gmail, Yahoo, Rediff and so on) and still be able to communicate with each other.
When social media grew it was only normal that the entire thing would be created as a centralized system, and as the trend shows, the centralized model is breaking down into a decentralized model such as with Mastodon that I use.
In time I like to believe that mammoth systems such as Facebook will phase out to an era of decentralized systems.
However, demanding that this model be the norm is nowhere close to the reality we might hope for, as such systems come with their own problems, starting with the fact that not all software systems can be decentralized.
Open only – This is another trend, one opposed to the concept of “proprietary software”. In simple words, it's the claim that in time all software we use should be open source and free (free as in free speech and not free beer).
While software like Linux has outperformed and, in the software-Darwinism context, will probably swallow other operating systems, the same can't be said about all kinds of software.
Enterprise-quality software such as SAP and other ERP tools don't find good open-source alternatives, as the complexity that goes into developing something of that kind is huge.
In summary, one can say that the more widely used and necessary a piece of software is, the better the chance that a good open-source alternative is available, compared with software with niche use cases. This is because the quality of software is directly proportional to the developers' idea of what the software is and what it should be doing. Allowing better contribution from a larger number of programmers only in situations where the concept of such program (such as Linux, which is a kernel for an operating system and hence is useful to everyone with a PC).
Made by state
It is also super critical for us to understand that governments do not usually make the best tech. At least not the governments in India. They rely on fraudulent consultants who often take the governments for a ride and end up wasting huge amounts of public money on a shamelessly inefficient system that does not even do half the work of what it should have.
To any Indian citizen (or even citizens of other countries who have used software made by their government) it is more than evident that the software skills of the state are borderline pathetic.
Further, the security of data that we trust the government with can be non-existent, because the government usually spends peanuts on designing, developing, implementing and maintaining good cyber security systems. They once again rely on highly self-serving consultants and companies for possible solutions and end up being delivered the shortest of all sticks.
Private companies, on the other hand, pour in huge amounts of money, manpower and effort to maintain security because their necks are often on the line if the data leaks. That is a fear governments are devoid of, because they are pretty happy to grant themselves immunity from such regulations, as the recent data protection bill in India will show.
The duty of law
It is a common misguided idea that the problem of privacy can be solved with any of the three above-mentioned technology systems by itself. The arguments for centralized systems bring with them issues that can only be related to a dystopia where we slowly lose our rights to a more and more powerful central eye, where things can be censored and monitored and dissent can be killed.
The distributed models do not work in all places and can hinder proper use especially in an urgent situation.
Hence the only reasonable way that privacy and technology capability can be properly protected is by means of strong and stringent legislation that permits the use of any and all technology but forces the users (state or body corporate) to be strictly bound by penal provisions for violating people's privacy in an unbalanced and non-consensual way.
What did the high court do
We will go through the observations and decisions of the court and see how the Hon. High Court set an amazing example of balance and sensibility.
- The government may continue to use the Sprinklr software - By refusing to interfere with the government's decision on its selection of software, the court protected the state's need to be able to make proper and justified technical decisions itself rather than have bad and improper tools slapped on it and then having to deal with them.
This is very obvious because one of the affidavits submitted to the court was from the central government, which presented NIC (National Informatics Center), a central government owned entity that is notorious for making half-baked software that can't stand the test of kids checking their exam scores without crashing into a million pieces, as a “very competent” provider of big data services.
Relying on an incompetent provider could be the difference between the state managing a pandemic and the state managing a public meltdown from software crashes. NIC needs to prove its software capability to the public and the state government before their products can be trusted.
- The court issued injunctions to Sprinklr mandating the following – a) The company shall strictly adhere to the confidentiality of the data trusted with them. b) The company may not use the data for any commercial purpose other than to serve analytical data to the government. c) The company shall not use the government's logo in any of their advertising.
These are critical factors and are reassuring for the citizens of the state who may have been spooked by the campaign, which seemed to ignore things like the fact that the confidentiality of the data was already guaranteed in the master service agreement and the non-disclosure agreement from the company.
By preventing the use of the government logo the court eliminated the chance that the company might exploit the contract in an unfair manner.
- The court directed the government to inform the public that the data shall be processed using Sprinklr and to obtain consent for the same.
Consent and the right to be informed, cornerstones in protecting data privacy and the right to privacy, get their well-deserved place in this action.
- The court directed the government to anonymize the data used within Sprinklr.
This is a very legally mature and technically sound way of handling this sort of situation, where the courts need to take care in empowering the government to use the right kind of tools while addressing the chance of misuse or accidental data leak.
By taking a very constructive look at the allegations raised against the government and the Sprinklr company, the court in this regard has managed to protect the rights of the citizens to the reasonable limit necessary while not stripping the state of critical tools necessary to fight an epidemic.
The golden ratio
It is not the total elimination or the absoluteness of a right that brings about its use, but the responsible balance, set as per the requirement of the time, that makes our rights the best things we have. Rights should empower the weak and neglected and control the power grab from the powerful.
When a huge section of the media and opposition tried to attack the technical competency, technical capacity and scientific sensibility of one of the most IT-enabled states in the country, it paved the way for the High Court of Kerala to become a shining example in protecting citizens' rights from people who wanted to exploit the public for political gain.