Back
Kerala HC Flags Privacy Breach in CMO Bulk Messages
In a pointed critique of government digital overreach, the
has labeled bulk messages and emails allegedly dispatched by the
to state employees as a
invasion of privacy
. Justice Bechu Kurian Thomas, hearing a petition on
, remarked,
"Suppose I don't want to receive any messages. You are forcing me to read a message, which I don't want to know. It is intruding into my privacy."
The court issued notices to the Kerala government and the
, demanding explanations by
on data sourcing and usage. No interim relief was granted after the state assured no further such communications pending the next hearing. This development underscores escalating judicial vigilance over state actors' handling of personal data, particularly amid the shadow of impending assembly elections.
The controversy centers on messages touting state government achievements, purportedly sent via the SPARK platform—Kerala's e-governance backbone for employee payroll and HR services. Petitioners argue this constitutes not just unsolicited intrusion but an illicit pre-poll campaign, breaching citizens' fundamental right to privacy under
The SPARK Platform and Pre-Election Context
Launched in under the , the digitizes HR processes, salary disbursements, and benefit credits for over 500,000 government employees and scheme beneficiaries. Users voluntarily furnish phone numbers and emails for salary alerts, creating a vast repository of sensitive contact data. KSITM oversees its IT infrastructure, positioning it as the " " responsible for compliance with and principles.
The timing amplifies concerns: With Kerala assembly polls looming, petitioners Dr Rasheed Ahammed, an associate professor from Malappuram, and Anil Kumar KM, a Secretariat clerical assistant, received these messages highlighting the government's purported successes. They contend the communications, arriving unsolicited, misuse data provided solely for transactional alerts, morphing into political propaganda. As the petition starkly states: “This is nothing but an election campaign, resulting in intrusion into the right to privacy of citizens by the state without their consent, by accessing the private data of Government employees and others who have given their details for crediting their monthly salary in [SPARK].”
This incident fits a pattern of scrutiny over official machinery during elections. The 's Model Code of Conduct prohibits using government resources for campaigning, and similar allegations have surfaced in other states, such as bulk SMS from official numbers in Uttar Pradesh polls.
Petitioners' Grievances and Plea
Dr Ahammed and Mr Kumar approached the court alleging a systemic breach. They claimed the CMO accessed SPARK-derived contact lists without consent, disseminating non-essential content that employees were compelled to view via official channels. The plea invokes the landmark ruling, which elevated privacy to a fundamental right, mandating proportionality, legitimate purpose, and consent for state intrusions.
Further, they highlighted a prior Kerala HC directive prohibiting the repurposing of data from official systems for unauthorized ends. The petitioners seek a permanent injunction against such practices, data usage audits, and compensation for the violation—positioning the case as a test for balancing administrative efficiency with individual autonomy in the digital age.
Judicial Scrutiny in Court
During the February 20 hearing, Justice Thomas grilled government counsel on the mechanics of data access. “How did the Chief Minister obtain this personal information?” the bench queried, deeming the allegation "serious." The court referenced the aforementioned prior order, emphasizing that personal details from e-governance platforms are sacrosanct for their intended use only.
Probing deeper, the judge questioned the dissemination process: How were recipients selected? What consent protocols existed? The bench directed an affidavit detailing message volume, recipients, and sourcing—potentially exposing lapses in SPARK's obligations. Notices to the state and KSITM ensure a comprehensive response, signaling the court's intent to dissect the chain of custody for employee data.
Notably, the court refrained from an , buoyed by the government's undertaking to halt similar messages until . This restraint reflects a measured approach, prioritizing adversarial testing while safeguarding interim privacy.
State Government's Counterarguments
The Kerala government distanced the CMO from direct involvement. Counsel clarified that KSITM, as the , handled disbursement—not the CMO. Messages were framed as informational updates on government schemes, not electoral plugs, disseminated through legitimate e-gov channels. The state pledged no repeats pre-next hearing, buying time to formalize its stance.
This defense pivots on technicalities: SPARK data is "official," not "private," and communications serve public interest. However, it sidesteps consent and , core to modern data regimes.
Unpacking the Legal Dimensions
At its heart, this case interrogates the friction between state administrative prerogatives and constitutional privacy. Post-Puttaswamy, any state action impinging privacy must pass a three-prong test: legality, necessity, and proportionality. Bulk messaging fails on necessity—salary alerts do not justify achievement boasts—and proportionality, as opt-out mechanisms appear absent.
Enter the , effective yet under notification. It mandates ( ), consent ( ), and accountability ( )—duties KSITM likely breached as controller. prohibits processing for "any other purpose" without fresh consent, directly impugning the messages' repurposing.
Under the , imposes compensation for negligent handling of sensitive data, opening negligence suits. Election law overlays add teeth: , and ECI guidelines bar official resources for campaigning (e.g., Kerala HC order on poll SMS).
Precedents abound: In , the Supreme Court curbed electoral data misuse; recent DPDP notifications echo SPARK-like safeguards. A adverse ruling could mandate SPARK audits, consent pop-ups, and opt-out mandates across India's 50+ e-gov platforms.
Ramifications for Data Protection and Governance
For legal practitioners, this heralds a boom in privacy litigation against state fiduciaries. Constitutional lawyers may cite it in Art 21 challenges; IT specialists, in DPDP compliance advisory. E-governance firms face heightened due diligence, potentially birthing "data protection officers" in departments.
Systemically, it spotlights vulnerabilities in platforms like SPARK, UMANG, or DigiLocker—where transactional data fuels surveillance capitalism by the state. Pre-election, it cautions against "astroturfing" via official SMS, urging ECI audits.
Debate rages: Is government communication inherently political? Proponents argue transparency justifies nudges; critics decry captive audiences among employees. Resolution could reshape "nudge governance," mandating granular consents.
Impacts ripple to federal levels: Union ministries using Aadhaar-linked payrolls risk similar suits. Globally, it aligns India with GDPR's , burnishing digital republic credentials amid privacy backsliding fears.
Looking Ahead
With affidavits due , the Kerala HC may deepen probes—potentially ordering SPARK data flowcharts or recipient audits. An injunction could set precedent, compelling e-gov reforms nationwide. As digital state-citizen interfaces proliferate, this case reminds: Data entrusted for salary slips cannot license soliloquies on governance glory. Legal professionals watch keenly, for it tests whether privacy endures the polity's electoral fervor.
