Shivam Mishra and Vanaj Vidyan

A perspective of Privacy during a Pandemic at home and abroad.

This is 12th piece in our COVID19 Series

INTRODUCTION

On April 18, the number of people affected by coronavirus worldwide crossed 2.2 million with 156 thousand fatalities. In what has emerged as the worst global public health crises of the era, half of humanity is under State-imposed lockdown orders. The World Health Organization has declared the coronavirus a pandemic and has declared a Public Health Emergency of International Concern. The massive impact of this virus transcends beyond the consequently pressurized health sector- it has swayed the global economy into disarray and the possibility of a global recession, kept millions of children out of schools, forced countries to postpone elections and disrupted the global travel & tourism industry.

Unsurprisingly, governments across the world are exhausting all their resources and taking unconventional measures in mitigating the transmission of the virus.

In these challenging times, a subject that has somewhere been forced to take a backseat- is  individual privacy. To identify, monitor and track the individuals who carry or may be carrying the virus, personal information such as name, address, contact number and occupation, is being collected along with the individual’s travel and medical history. Granted that the purpose behind this collection is controlling the damage caused, activists have raised pertinent questions over the proper handling of such sensitive data, doubting the credibility of the States, based on their past records.

The authors take a dichotomous approach in first analyzing the disparate practices adopted by nations across the globe and their strategy to collect and store personal data, and then the developments in the Indian context, followed by multi-fold suggestions to balance both health and privacy.

PRIVACY BREACH- A GLOBAL PERSPECTIVE

The novel coronavirus does not hyet ave a vaccine, and scientists estimate that the mass-manufacture of one would take no less than a year. In such circumstances, preventing human-to-human transmission is the only measure available.

The Government of Singapore furnished details of all 108 cases in their press release and uploaded them on their website, which was later circulated unrestricted by the media. The Hong Kong administration also released a similar database, except that it also included a map routing the residence of a patient.

The South Korean database posits the detailed location of individuals who test positive, which is updated so minutely so as to include data as to when they left for work, whether they wore a mask, and even which parlors and bars they visited. To track movement with higher accuracy, CCTV records, call records and credit card purchases are also monitored.

In China, the place of the virus’ origin, getting into the workplace or even one’s home requires identification, recording body temperature and scanning a QR code. Social sites such as WeChat are encouraging users to report those who are sick, facial recognition techniques are used to detect those not wearing masks, and apps have been developed by companies to alert if in the proximity of any affected individual.

The United States, the country with the most number of affected people (as on April 18) and labeled as the current hotspot of the virus, is moving ahead with the surveillance of mobile data of its citizens and is already in talks with tech giants such as Google and Facebook.

Italy, the nation with the second-highest death toll (as on April 18), has been tracking movements of its citizens by monitoring location data. The United Kingdom has also contemplated similar tracking mechanisms.

The European Union has relaxed certain regulations of the widely hailed General Data Protection Regulation, and put its strategy to provide data sovereignty on hold, to allow member-states to locate the affected individuals with better accuracy. The relaxation of the GDPR alone stands as a testament of the EU establishing a hierarchy between the State’s and individual’s rights.

Most disturbing, however, is a report christened ‘Community Mobility Reports’ released in the public domain by Google- something which has baffled privacy experts worldwide. The report consists of per country, or per state, downloads (with 131 countries covered initially), further broken down into regions/counties — with Google offering an analysis of how community mobility has changed vs. a baseline average before COVID-19 arrived. The extremely comprehensive report comprises data collected from billions of phones used globally and indicates the percentage drop in the use of public amenities such as parks or subways and more movement in residential areas. The mere notion of the infrastructure Google possesses and the short time required to publish a report of such a vast magnitude raises apposite concerns over breach of privacy not just from States but also trillion-dollar corporations.

The major underlying issue is the absence of a relevant law, which ensures no certainties about the extent of protection of people’s privacy. This is especially unsettling concerning the prevailing narrative of pandemics likely to become more common in the near future. The absence of law leaves everything to the whims of the government in power. Edmund Burke rightly put it, “The greater the power, the more dangerous the abuse.”

The attack of 9/11 opened the gates of surveillance by the State on grounds of security. It led the citizens to accept the widely criticized USA PATRIOT Act, which has gradually but prominently been accepted and normalized. Albert Fox anticipates that this pandemic might empower the Government to take measures that “fundamentally change the scope of American civil rights”.

In the East, experts have expressed concerns that COVID-19 could act as a catalyst to expand the notoriously opaque Chinese surveillance regime, as was historically seen in the 2008 Beijing Olympics that made mass surveillance more permanent. Edward Snowden had voiced his concerns that have been reiterated by Hu Yong, “No system of mass surveillance has existed in any society that we know of to this point that has not been abused.”

The question raised earlier about the role of tech giants such as Facebook, Google, and Microsoft in this data collection process has raised questions about their accountability as well as the capability of infringing privacy. Both the US and China have asked tech companies to assist the government in data collection- a step that provides them greater legitimacy and prominence in the eyes of people.

This pandemic has also witnessed tech companies developing applications that alert the user on being in proximity to an infected individual. These apps track the location of both the user and the infected individual, scan and collect the user’s data, and could be sharing this with any third party. This probability gets higher for applications developed by mostly unregulated small tech companies with underdeveloped backdoor security measures. Such companies could be hacked, or even worse, be selling this data to players in regulated sectors such as telecommunications. This integration of these unregulated companies into regulated sectors in an unregulated manner could very well continue even after the end of the crisis, something that would have a considerably negative impact on the decades-long and ongoing struggle for individual privacy.

THE CONUNDRUM IN INDIA

Experts indicate that India is dangerously close to the Stage of Community Transmission. As of April 18, total cases have crossed 14,000 with a death toll of 488. While the Government has taken pre-emptive measures that have been successful at least to a certain extent, several instances have emerged which highlight how these ignore an individual’s privacy.

Recently, the Karnataka Government published a database with details of more than 14000 people including uninfected persons with travel history, with similar instances observed in Punjab, Rajasthan, and Maharashtra. Other administrations stigmatized people by placing hoardings of patients in public places. Such circulation causes social ostracism while making victims vulnerable to cyber-crimes such as fraud and identity theft. Certain administrations took it a notch above in Delhi and Chandigarh, wherein posters signed by the magistrate were glued outside suspects’ residences with the tagline, “COVID-19: Do Not Visit. Home under Quarantine.” Maharashtra and Karnataka authorities used indelible ink to stamp the hands of persons indicating their dates of quarantine, something that has repeatedly led to social ostracism in public places and international criticism for restricting bodily autonomy and privacy. Privacy aside, the stigma that comes attached with COVID-19 due to the State’s acts alone becomes a reason for patients to not confront its symptoms, which could potentially lead them to be carriers of the virus.

Additionally, Union and state governments have released umpteen applications including ‘Corona Kavach’ and ‘Aarogya Setu’ that alert users when in a high-risk zone or proximity of infected individuals, by analyzing user data every hour. The Governments of Delhi and Kerala have resorted to monitoring call records, CCTV footage and GPS locational history. The harnessing of such technology while problematic in itself manifests into a mammoth when applied in a place like India with no organized data protection mechanism, or even basic guidelines in place.

With the Data Protection Bill yet to be passed by the Parliament, the only inkling of relevant legislation in India would be section 43A and section 72A of the Information Technology Act, 2000 [IT Act] and the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, that define sensitive personal data as extending to the body corporate and persons located in India.

These inadequate and ineffectual statutory provisions stand in sharp contrast to other countries that either had an existing data protection mechanism such as GDPR in place or came up with laws and guidelines amidst the chaos. The latter is exemplified by the CAC Circular in China (Circular on Ensuring Effective Personal Information Protection and Utilization of Big Data to Support Joint Efforts for Epidemic Prevention and Control), and the guidelines released by Italian authorities and France’s national data protection authority, CNIL.

ANALYSIS ON THE CONSTITUTIONAL TOUCHSTONE

In light of the disturbing developments, the examination of the aforementioned endeavors of the State on the touchstone of KS Puttaswamy v. Union of India, the case that designated the right to privacy as a fundamental right under Article 21, becomes imperative.

Justice Chandrachud categorically held the right to privacy to be encompassing of the right to informational self-determination, which gives every individual the fundamental right to determine the extent of his personal information being disseminated. The publication and unrestricted distribution of private information of individuals without consent are thus prima facie illegal. An individual possesses the right to control the dissemination of any information personal to her/him/them, but this right has been violated dichotomously, first by the government and subsequently by news broadcasters and social media.

Granted that no fundamental right is absolute and that amidst this pandemic, the right to privacy can be diluted. But the problem arising out of the employment of these mechanisms pales when compared to the predicament of an absent legal apparatus to check these mechanisms. There is no valid legislation backing such dilution.

The test under Puttaswamy is- 1. There exists a necessity; 2. A valid piece of legislation allowing such restriction; and 3. Such restriction being proportionate in nature. While a necessity exists, both the second and third conditions remain unfulfilled.

The judgment, recognizing public health as a valid restriction to the right to privacy, allows the State to assert analysis of data borne from hospital records to deal with public health epidemics, as long as the anonymity of the individuals is maintained through an appropriately-designed necessary and proportionate intervention policy- something that remains absent.

The Government, for the majority of its actions, relies upon the 123-year-old colonial-aged and antique Epidemic Diseases Act, 1897 [EDA Act] comprising of just four sections. The national lockdown was imposed under the National Disaster Management Act, 2005 [NDMA Act]. Neither of these statutes empowers the government to disclose personal information of any kind, making the State’s actions illegitimate.

Sections 2 and 2A of the EDA Act allow the Union and state governments to take measures in furtherance of preventing the spread of disease through temporary regulations. However, no such regulations have been issued by either government dealing with such data collection and dissemination.

Section 6(2)(i) of the NDMA Act authorizes the Centre to “take such other measures for the prevention of disaster, or the mitigation, or preparedness and capacity building for dealing with the threatening disaster situation or disaster as it may consider necessary.”

In arguendo, even if this provision is relied on, it still needs to pass the proportionality test. For a measure to pass this test, it needs to fulfill the following criteria- 1. Valid purpose; 2. Rational connection with the object sought to be achieved; 3. Absence of alternatives; and 4. Distinguishable relationship between the importance of the aim sought to be achieved and the social importance of imposing a limitation on the constitutional right.

CONCLUSION

From a lens of logic, health assumes higher importance that any other right- An individual will have no right if deceased. This, however, does not justify the violation of other rights. At this stage, it is unclear whether the intrusive measures adopted (as opposed to isolation and testing policies) provide benefits enough to outweigh the price individuals are paying and would continue to pay in terms of civil liberties. Nations bring-up imminent public interest as the ground of diluting the right to privacy. This discourse cannot be granted limitless acceptance- Privacy is as much of a vital aspect of the right to life, and ergo, of public interest.

The peculiarity of the  situation in India is such that there is no knowledge as to what personal data is being collected, the authority collecting and responsible for it, and the fate of that data after the pandemic. The questions are many, but there is no one to answer.

Modern human rights took rebirth after their gross violation in the Second World War. As humanity again faces a crisis, disparate in origin but with equally disastrous consequences, India desperately needs a data protection mechanism that balances health and privacy, legislated in anticipation of future crises and applicable with retrospective effect to govern the data collected from January.

The letter addressed to the members of the US Congress signed by 13 organizations highlights the need for a data protection bill in the US that comports with certain principles. The authors are reproducing these principles with adjustments for the Indian Context-

1. Necessity, Proportionality, and Minimization
   1. The collection and processing of personal data shall be the minimum necessary and shall conform to the touchstone of the right to privacy as protected by the Constitution and international human rights conventions.
   2. Data collection shall be transparent, and individuals shall be concisely informed of the purpose of collection. The data, without consent of the data subject, shall be barred from commercial use by any public or private entity.
2. Security and Confidentiality
   1. Any data processing or remote technology deployment should not minimize the needed security protection.
   2. Data collected shall be maintained in a secure environment transmitted through secure methods.
3. Time-limit
   1. The measures employed shall be temporary in nature, limited and adopted as a response to the COVID-19 pandemic.
   2. Data retention shall be limited to the period of pandemic response, and shall not be repurposed without the subject’s express consent.
4. Accountability and due process
   1. Decision-making related to data collection and processing shall be public and documented.
   2. There shall exist pro-rata consequences for companies failing to abide by privacy regulations. Penalties may be imposed based on the indigenous ‘Deep Pocket Theory’ model of punitive measures.

The authors are BA.LLB Students at Ram Manohar Lohiya National Law University

Image Credits – Privacy International

Click on the book images below to make your Amazon purchases. All affiliate commissions earned are donated to Stranded Workers Action Network.