Back
Kerala HC Hears Privacy Plea on CMO Bulk Messages
In a significant challenge to government data practices, the on delved into arguments alleging that the breached the fundamental right to privacy by harvesting personal details from a state payroll database and dispatching bulk promotional messages to government employees and judges ahead of elections. , representing the petitioners, contended that this constituted unauthorized without informed consent, violating the landmark ruling, as the remains only partially operational. Justice Bechu Kurian Thomas, presiding singly, posed probing questions on the legitimacy of the communications and the applicability of pre-DPDP privacy jurisprudence. The state's undertaking not to send further bulk messages holds until the next hearing, underscoring mounting judicial scrutiny over state repurposing of citizen data for political ends.
This case, , spotlights tensions between administrative efficiency and constitutional safeguards, potentially reshaping how public sector databases like SPARK are leveraged.
Case Background: From SPARK Data to Election-Time Messages
The controversy traces back to bulk SMS and email campaigns by the CMO, targeting lakhs of recipients including government employees, judges, and beneficiaries of schemes like "Sthree Suraksha Padhathi." The petitioners—Dr. Rasheed Ahammed P. and advocates
,
,
, and
—allege these messages touted achievements such as Dearness Allowance (DA) hikes and welfare assurances, with phrasing like:
"This government will always be there to protect the welfare and rights of employees; this care will continue in upcoming days."
Sent in
, proximate to elections, the communications were drawn from
, Kerala's centralized payroll and HR management system for public servants.
SPARK collects sensitive personal data—names, mobile numbers, email IDs, addresses, signatures—for salary processing and administrative purposes. Petitioners argue this data was requisitioned by the government via internal communications to departments, bypassing individual consent for secondary uses like mass messaging. Exhibits in the plea reveal government orders directing data sharing, including a directive for an Aadhaar Vault and Unified Registry. However, counsel emphasized these are mere administrative instructions from the Chief Secretary, lacking statutory force to justify privacy intrusions.
The timing amplifies concerns: messages praising a "functional" government through
were disseminated
"at the eve of the elections,"
blurring lines between official updates and campaign propaganda. This setup frames a classic
dispute—data furnished for one legitimate aim (payroll) cannot be freely repurposed without safeguards.
Petitioners' Arguments: No Consent, Puttaswamy Violations
Senior Advocate Poonthottam mounted a robust assault, anchoring on the Puttaswamy decision, where a nine-judge Supreme Court bench affirmed privacy as intrinsic to 's life and liberty guarantees. He dissected the judgment's for any privacy restriction: (1) legality (backed by law), (2) legitimate aim, and (3) proportionality (necessity and balanced means).
"The details were given for the sole purpose of processing of salary and no consent was given for accessing the numbers for disseminating messages,"
Poonthottam submitted, asserting none of the tests were met. Petitioners' data, including signatures, was stored in SPARK without authorization for dissemination. He labeled the process
"
"
, triggered by government requisitions:
"This is
...That
was not on the basis of an informed consent given by those citizens who have parted their details by various departments, agencies, including the State."
Poonthottam rejected defenses hinging on the DPDP Act, noting its partial notification leaves the field governed by Puttaswamy. Government orders for data aggregation
"cannot be elevated to the status of a law,"
he argued, culminating in a stark warning:
"No free hand available with the State in dealing with the data as they like."
He further highlighted the state's counter-affidavit silence on the "sophisticated systems" enabling bulk dispatch, unavailable to routine IT missions.
Court's Sharp Queries and Oral Observations
Justice Thomas engaged dynamically, interrogating the message's innocuous tone:
"This talks about three things. One is about increase in DA... When it should be sent is a matter for the government to decide. What is wrong in this message?"
On data scope, he queried:
"Name is what has been mined? What is the data that has been mined?...Data - name and mobile number. This is called
?"
Poonthottam stood firm, linking it to broader requisitions. The judge then pivoted to post-Puttaswamy developments: applicability amid the DPDP Act? Counsel clarified its incomplete rollout—
"That appears to be the defence of the State as well"
—insisting Puttaswamy's "scrupulous" requirements persist. The court sought specifics on notified DPDP provisions, posting the matter for Advocate General's rejoinder.
These exchanges reveal judicial wariness: is routine governance messaging defensible, or does electoral proximity tip it into impropriety?
Navigating Puttaswamy and the Incomplete DPDP Regime
Puttaswamy's enduring legacy is pivotal. The ruling mandates government data collection be for specified purposes, with notice, consent where feasible, and safeguards against misuse. Here, SPARK data's salary-centric collection precludes promotional repurposing without fresh legitimacy.
The DPDP Act, assented , promises a comprehensive framework—consent managers, data fiduciaries (states as significant ones), breach penalties. Yet, as of the hearing, rules remain pending, partial notifications cover only basics like appointing a . Petitioners rightly argue a legislative vacuum empowers judicial oversight via .
Comparative lenses sharpen this: Aadhaar cases (e.g., Justice K.S. Puttaswamy v. UoI , ) struck unauthorized sharing; electoral bonds invalidated for donor privacy breaches. Kerala's Unified Registry echoes national efforts like India Stack, but without DPDP teeth, invites Puttaswamy challenges.
Legal Analysis: and Safeguards
At core is —aggregating disparate personal data sans consent. Poonthottam's framing aligns with global norms (GDPR's , Art. 5), but India's context amplifies stakes for 10+ crore public employees nationwide. Failure on proportionality is glaring: less intrusive alternatives (public campaigns) exist versus invading judicial/official phones.
The state's requisition model circumvents individual agency, raising deficits. Puttaswamy demands " ," yet bulk harvesting ignores this. Sophisticated bulk tools imply systemic repurposing, evading accountability.
For litigators, this bolsters templates: demand data flow audits, consent trails, impact assessments in privacy writs.
Implications for Government Data Practices and Elections
Victory for petitioners could straitjacket pre-election comms, mandating opt-outs for public databases. SPARK-like systems (e.g., Uttar Pradesh's Samvedna, national NPCI) face audits, curbing political weaponization. Amid 2024-2026 polls, it deters incumbent advantages via data asymmetry.
Broader: accelerates DPDP rules, pressures for state privacy laws. Public trust erodes sans boundaries—recall WhatsApp spams or CoWIN leaks. Lawyers gain ammunition in class actions; enterprises eye fiduciary duties.
Looking Ahead: AG's Response and Potential Precedents
Posted for tomorrow's hearing, the Advocate General must address data mechanics, DPDP defenses, and messaging propriety. Extended no-bulk undertaking signals caution. A ruling could pioneer purpose-bound public data doctrine, cementing Puttaswamy as interim bulwark.
For legal professionals, this saga underscores vigilance: privacy isn't waived by employment. As digital governance swells, courts remain arbiters against "free hand" over data.
