The Legal Affair

Let's talk Law

Pandemic Emergency Justified Use of Foreign Data Tools, No Further Orders Needed on COVID Data Privacy: Kerala High Court

Introduction:

In Balu Gopalakrishnan versus State of Kerala and Others, reported as 2026 LiveLaw (Ker) 51, the Kerala High Court dealt with a batch of writ petitions challenging the legality and constitutional validity of the Kerala Government’s agreement with US-based data analytics firm Sprinklr Inc for managing COVID-19 related health data during the initial phase of the pandemic. The petitioners alleged serious breaches of privacy, violation of constitutional safeguards under Article 21 and Article 299, and unlawful exposure of sensitive personal data to a foreign private entity. The State justified its actions on the ground of extraordinary public health emergency and the urgent need for technological assistance to track infections and quarantine measures. The Division Bench comprising Justice Soumen Sen and Justice Syam Kumar V M was required to determine whether the agreement and the data handling process violated constitutional and statutory protections, or whether the doctrine of necessity could justify procedural lapses committed in the face of an unprecedented health crisis. Earlier directions had already been issued by another Division Bench of the High Court on 24 April 2020, regulating the manner of data usage and restricting any sharing with third parties. The present proceedings were meant to examine whether any further reliefs were required in light of subsequent developments and continued concerns regarding data confidentiality and government accountability.

Arguments:

The petitioners strongly contended that the State had unlawfully shared sensitive personal and health related data of citizens with a foreign private company without adequate legal safeguards, thereby exposing individuals to serious risks of misuse, profiling, commercial exploitation, and cross border data transfers beyond the control of Indian law. It was argued that even if no actual data breach had been reported, the very act of placing confidential health information on external platforms created a real and substantial threat to privacy, which itself constituted a constitutional violation requiring judicial intervention and compensation. Reliance was placed on the landmark decision of the Supreme Court in K S Puttaswamy versus Union of India to submit that privacy is a fundamental right and cannot be compromised without clear legislative sanction, proportional safeguards, and necessity grounded in law rather than administrative convenience.

The petitioners further submitted that the agreement with Sprinklr violated Article 299 of the Constitution, which mandates that government contracts must be executed in a prescribed manner to ensure transparency, accountability, and protection of public interest. It was argued that bypassing these constitutional requirements cannot be retrospectively justified merely by citing urgency, especially when alternative public sector technological institutions such as the National Informatics Centre were available to provide similar services within the sovereign framework of Indian law. The petitioners also argued that the absence of financial consideration in the agreement did not make it legally immune from constitutional scrutiny, because data itself is a valuable asset and surrendering control over data management architecture to a private foreign company amounted to an indirect transfer of sovereign digital functions. They maintained that the earlier directions of the Court were insufficient because they did not address the foundational illegality of the agreement itself. The writ petitions, they maintained, should therefore not be closed merely by reaffirming earlier safeguards but should result in declaratory relief, strict accountability measures, and policy level directions to prevent similar violations in the future.

On the other hand, the State of Kerala defended its actions by emphasizing the unprecedented and rapidly evolving nature of the COVID-19 pandemic, which required immediate deployment of technological solutions to identify infected persons, trace contacts, manage quarantine, and coordinate health responses. It was submitted that the agreement with Sprinklr did not involve sharing of ownership or control over the data, as the data remained stored with the State and Sprinklr only provided analytical and dashboard tools to assist government officials in managing large scale health information. The State categorically asserted that no instance of data theft, leakage, or misuse had ever been reported during or after the use of the platform, and that speculative fears therefore could not form the basis for constitutional condemnation or compensation claims. It was further argued that the agreement did not impose any financial liability on the State as the services were rendered free of cost, which itself demonstrated that the objective was public welfare rather than commercial exploitation.

The State invoked the doctrine of necessity to submit that when faced with an immediate public health emergency, procedural formalities may temporarily yield to urgent executive action aimed at protecting lives. It was argued that once the crisis stabilized, the State had already complied with the earlier directions of the Court by ensuring data deletion, preventing third party sharing, and enhancing internal safeguards. The State also submitted that Article 299 must be interpreted pragmatically and cannot be applied mechanically to emergency administrative arrangements that do not resemble conventional commercial contracts. Finally, it was argued that judicial interference at this stage would serve no practical purpose when the data was already under State control and the technological arrangement had ceased to operate, and that the writ petitions therefore deserved to be closed.

Judgment:

The Kerala High Court held that no further directions were necessary and confirmed the earlier safeguards imposed by the Division Bench in April 2020, concluding that while procedural lapses were evident, the extraordinary circumstances of the pandemic justified the State’s actions under the doctrine of necessity. The Court categorically observed that the question of sharing data with Sprinklr did not arise, because the State had only used Sprinklr’s tools for identification and management of COVID victims while retaining custody and control of the data itself. The Bench clarified that the agreement did not result in transfer of data ownership or jurisdictional control to the foreign company, which significantly reduced the apprehensions regarding privacy breach and foreign surveillance.

While the Court rejected the State’s argument that Article 299 was inapplicable, it nonetheless accepted that the critical and unprecedented nature of the pandemic justified emergent executive decisions that might not strictly conform to ordinary contractual procedures. The Court emphasized that Article 299 applies to all government contracts irrespective of financial implications, but that constitutional compliance must be assessed in context and not in abstraction from real world crises. The Bench further noted that there was no material to suggest any ulterior motive or misuse of data by the State and that no complaints had been received from affected individuals alleging harm caused by the data collection process.

The Court also acknowledged that in hindsight the State should have exercised greater caution and ideally explored alternatives such as the National Informatics Centre, as suggested by the Assistant Solicitor General of India. It held, however, that retrospective judicial condemnation of crisis management strategies would be neither fair nor constructive when public health protection was the dominant objective. The Court therefore concluded that the directions issued in April 2020 sufficiently regulated data handling, restricted third party access, and ensured deletion protocols. Since those safeguards had already been complied with, no further relief was warranted, leading to closure of all connected writ petitions while confirming the earlier regulatory framework imposed by the Court.