Back
Finds Privacy Intrusion in CMO's Bulk WhatsApp Messages
In a significant interim development, the has orally observed a intrusion of privacy by the through unsolicited bulk WhatsApp messages sent to government employees, judicial officers, and potentially others. Justice Bechu Kurian Thomas, while hearing Writ Petition (Civil) No. 7090/2026, halted further dissemination of such messages until the state satisfies the court on the lawful acquisition of recipients' personal data, including mobile numbers. The court's sharp questioning of data sourcing—allegedly from e-governance platforms like and KSITL—underscores mounting concerns over governmental data handling in the digital era, particularly amid election campaigning.
This ruling, delivered on , records the state's undertaking to refrain from similar communications until , when it must file an affidavit detailing legal channels for data procurement. The matter spotlights the tension between state promotional activities and fundamental under .
Case Background: Allegations of Unauthorized Data Access
The petition, filed by Dr. Rasheed Ahammed P. and another, represented by alongside Advocates , , and , challenges the CMO's bulk messaging campaign. Petitioners, including advocates who received the messages, allege illegal access to sensitive personal information of state government employees, judicial officers , and scheme beneficiaries.
The messages, dispatched from the WhatsApp Business Account of the CMO , touted government achievements such as pay revisions and housing advances under schemes like Bhavana Nirmana. Petitioners contend this data was illicitly harvested from —the Service Pay Roll Administrative Repository for Kerala, an e-governance platform managing HR and salary data for over 5 lakh employees—and routed via .
Crucially, no was obtained from recipients, violating basic data protection norms. The campaign's reach extended to judges, raising alarms about data leakage across institutional silos. Petitioners argue this constitutes not just spam but a profound breach, forcing unwanted political content into private communication spaces.
Chief Minister Pinarayi Vijayan is arrayed as the 6th respondent, though notice was dispensed with for now; the Special Government Pleader accepted notice for others.
Court's Oral Remarks: Unyielding Scrutiny on Data Origins
Justice Thomas did not mince words, repeatedly emphasizing the gravity of potential data misuse.
"
, I find that there is intrusion of privacy,"
he remarked, directing the state to cease all further circulations post the matter's listing before the court.
The judge zeroed in on a specific averment in paragraph 5 of the petition regarding messages to judges:
"I pointed out paragraph 5, where did you get that information? Where did you get that details? How can it be sent to such persons?... It is not the type of message that you sent that matters, it is about the leakage of data especially to category of persons referred to paragraph 5, which means all those informations have been leaked out....How do you get this data? You can satisfy me."
Questioning the operational mechanics, the court probed:
"How did the Chief Minister get this data? Then who sent this?...What is the protection of individual data if this is accessible for everyone?...The Chief Minister would not be managing the business account...If it is not the Chief Minister, then somebody else has accessed...What do you mean by this business account? Who manages this business account?"
Senior Advocate Poonthottam highlighted the official WhatsApp Business Account provenance, amplifying accountability concerns. The court concurred:
"It is really alarming if it has actually been sent from the business account. But till then, you cannot send messages like this to everyone."
Petitioners' Arguments and State's Rebuttal
Petitioners stressed the absence of consent to KSITL or any entity, rendering the data flow unauthorized. They portrayed the messages as un solicited propaganda—e.g., details on employees' housing advances—irrelevant to most recipients.
The state countered that messages targeted only scheme beneficiaries , like those under state pay revisions. However, Justice Thomas dismissed this:
"You are wrong. These details have been sent to other persons as well. I pointed out that paragraph. They are not persons who are receiving any benefits from the State government."
He mandated an affidavit affirming exclusivity to beneficiaries and lawful sourcing.
The state invoked KSITL as the conduit, but petitioners rebutted lack of user consent. The court remained skeptical of promotional content:
"Those are not messages that the citizens want to know. Not all citizens. Which citizen is interested to know about what government employee got Bhavana Nirmana advance?... Such a message cannot be sent to any person."
Legal Analysis: Anchoring in Privacy Jurisprudence
This interim order resonates deeply with the Supreme Court's landmark , which elevated privacy to a fundamental right under Article 21, encompassing . The Aadhaar judgment articulated three facets—decisional, spatial, and informational privacy—with the latter directly implicated here. Bulk messaging sans consent mirrors overreach critiqued in Puttaswamy, where state surveillance via biometrics was struck down absent proportionality.
Emerging frameworks amplify this. mandates and consent for processing; voids processing without free, . Public data fiduciaries like CMO/ must notify breaches ( ) and enable data principal rights (access, erasure). Sending judges' numbers suggests cross-departmental leakage, breaching 's accuracy and (7)'s purpose tests.
Electorally, this intersects under , prohibiting misuse of official machinery. Digital equivalents—seen in recent ECI advisories on social media—prohibit government handles for campaigning. The WhatsApp Business Account blurs lines between official and partisan use.
Implications for Legal Practice and Governance
For legal professionals , this case heralds a template for privacy writs against public bodies. Advocates can leverage oral findings for interim relief, demanding data flow audits. Data protection litigators may cite it in DPDP challenges, especially for e-gov platforms handling millions' data.
Governments face compliance imperatives: Audit /KSITL pipelines for consent logs; implement opt-out mechanisms; segregate political comms. Judicial independence is fortified—messaging judges risks contempt optics.
Broader ripple: Amid Lok Sabha polls shadow, it cautions digital campaigning. Parties must source voter data ethically, avoiding state databases. Globally, parallels EU GDPR fines for unsolicited political SMS underscore risks.
Potential Outcomes: If state falters on affidavit, permanent injunction looms; escalation to contempt or DPDP regulator referral possible. Precedent could mandate privacy impact assessments for govtech.
Conclusion: A Call for Data Accountability
Justice Thomas encapsulated the ethos:
"You undertake that you shall not circulate any such messages. Of course, it's an intrusion into the privacy...Suppose I don't want to receive any messages, you are forcing me to read a message which I don't want to. It's intruding into my privacy."
This Kerala HC intervention compels introspection on balancing governance outreach with privacy sanctity. As the hearing approaches, the legal fraternity watches if this sparks systemic reforms in India's data ecosystem, ensuring technology serves, not subverts, constitutional rights.
