Doctrine of Necessity Justifies Pandemic-Era Data Arrangements Despite Procedural Lapses: High Court of Kerala - 2026-01-28

Navigating Public Interest and Privacy: Kerala High Court Delivers Verdict on COVID-19 Data Era

The High Court of Kerala has brought a sense of closure to a long-standing legal battle concerning the data privacy of citizens during the height of the COVID-19 pandemic. Division Bench Justices Soumen Sen (C.J.) and Syam Kumar V.M. delivered a judgment that balances the "doctrine of necessity" against the government's procedural obligations in handling sensitive health data.

The Backdrop: A Crisis and a Controversy

In early 2020, as the state of Kerala faced the unprecedented challenge of being one of the first regions in India to confront the COVID-19 virus, the state government, led by the then-Principal Secretary of the Electronics and Information Technology Department, entered into a contract with an American SaaS company, Sprinklr Inc. The goal was to build a robust system to track, trace, and monitor individuals vulnerable to the virus.

The move sparked widespread public and legal concern, with petitioners arguing that the lack of transparency, the bypassing of Cabinet approvals, and the potential exposure of personal health data to a foreign entity constituted a violation of the constitutional right to privacy.

Arguments from Both Sides

The petitioners, represented by various counsels, contended that the government acted with "gross negligence" by hurriedly executing an agreement that potentially compromised sensitive data relating to international travelers, health workers, and vulnerable populations. They further highlighted that the agreement lacked essential protections, including a clause designating a foreign jurisdiction for dispute resolution, which would have made it nearly impossible for ordinary citizens to seek legal redress.

Conversely, the State of Kerala justified its actions by pointing to the "unprecedented crisis" posed by the pandemic. The State argued that health agencies like C-DIT lacked the technical infrastructure to manage the projected data surge, and Sprinklr provided a pro-bono service that was lifesaving at the time. They asserted that no data theft actually occurred and that the actions fell under the protective ambit of directive principles aimed at safeguarding public health.

The Court’s Legal Analysis

The Court acknowledged the validity of the procedural criticisms, noting that the Principal Secretary failed to adhere to the Rules of Procedure for the Government of Kerala and the Secretariat Instructions . However, the Bench refused to intervene further, emphasizing that when a state acts to prevent loss of public life during a catastrophe, the doctrine of necessity must apply.

Citing the majority view in the landmark K.S. Puttaswamy (Aadhaar) case, the court determined that the State’s action was a valid attempt to strike a balance between individual privacy and the collective right to life. With the data having been purged and the contract long terminated, the court viewed the privacy concerns as having been adequately addressed by previous interim measures.

Key Observations

The judgment provides significant clarity on how the judiciary views administrative action during emergencies:

• On the necessity of state action: "If the State is able to justify its entering into the contract having regard to the prevailing circumstances and if this Court is satisfied that the situation was such and critical that an immediate decision was required to be taken... the doctrine of necessity would broadly apply."
• On the breach of procedure: "We agree with the submission of the learned counsel for the petitioners that the Principal Secretary ought not to have entered into the said agreement without proper Cabinet approval or the consent of the Chief Minister. This was a gross dereliction on his part."
• On the balance of rights: "The nature of the information sought for and shared with Sprinklr Inc... was not such a kind of information as would give rise to any breach of privacy of the persons providing it. The information was necessary to find out the number of persons affected by Covid-19."

Final Verdict: A Measured Closure

While the Court did not find evidence of data theft, it served as a stern reminder of the accountability expected from government officials. By upholding the interim directions passed earlier in the litigation, the court ensured that although the immediate threat has passed, the government remains bound by the principles of cautious data management. For the state, the case serves as a precedent: emergencies may justify urgent measures, but they do not override the requirement for rigorous adherence to administrative protocol.

The petitions were disposed of, and the interim directions issued on 24.04.2020 were confirmed, marking the end of a pivotal chapter in the history of Kerala’s pandemic governance.