Mohmad Maqbool Waggy
The rigorous use of contract tracing, across digital and physical spheres, has been widely credited with helping to limit the spread of COVID-19. While using digital technology for contact tracing, personal data is used to map the location of persons, compare their site with the location history of confirmed cases, and inform the users to take necessary action if they come in contact with COVID-19 cases. This digital surveillance has sparked legitimate concerns about privacy.
The Government of India has developed a contact tracing mobile application, namely, Aarogya Setu, which uses smartphones’ GPS and Bluetooth features to track their location. The Aarogya Setu app uses Bluetooth technology to determine it a person has been within six feet of a COVID-19 infected person. This it does by scanning through a database of known cases across India.
The state of Kerala has traced its people who have tested positive and their secondary and tertiary contacts by using telephone call records, CCTV footage, and mobile phone GPS systems. Punjab is also using cell phone data, including call records and GPS, to enforce lockdown, ensure home delivery of groceries, and for contact-tracing. The states of Karnataka, Rajasthan, and the Mohali district administration have made public the information on COVID-19 suspects through local newspapers and official websites.
Jammu & Kashmir undertook GIS mapping of all cases, including suspects, those under surveillance, quarantined, and isolated. In Ganderbal, the district administration has issued orders for people to install Arogya Setu app.
We are, as individuals, making a trade-off between our safety and data privacy. We understand that in this pandemic situation, our very existence depends on sharing our personal information. Not sharing personal information could result in loss of human life, including one’s own and of one’s loved ones. It seems sensible not to worry about privacy when human existence is in danger.
However, a choice between privacy and public health is an oversimplification. The COVID-19 pandemic is an exceptional circumstance and there has to be a clear purpose, not blanket permission, to give up our right to privacy. Government agencies should not exploit the pandemic as an opportunity to infringe on the privacy of individuals. Governments must make sure that the privacy rights of citizens are not unreasonably breached even in times of health emergencies. What constitutes a reasonable infringement of the right to privacy in a health emergency? It is imperative to understand the legal framework of the right to privacy.
The right to privacy is an intrinsic part of Right to Life and Personal Liberty under Article 21 of the Constitution. Its first scope came in Kharak Singhs vs. Sate of U.P in 1962, which was related to the validity of specific regulations that permitted the surveillance of suspects. However, it was in the nine-judge-bench judgment of K.S. Puttaswamy v. Union of India, in 2017, that the Supreme Court of India declared the right to privacy as an integral part of fundamental rights. It also recognized data protection as an indispensable part of the data privacy of an individual and observed that India lacks a comprehensive legal framework for personal data protection.
Following the same, the Government of India constituted a committee headed by Justice Srikrishna, which submitted its comprehensive report on personal data protection to Parliament. Shortly after that, the government introduced the Personal Data Protection Bill, 2019, in the Lok Sabha on December 11, 2019, mainly incorporating the principles of personal data protection recommended by the Justice Srikrishna Committee.
In the meanwhile, the right to privacy was further strengthened by a five-judge bench of the Supreme Court deciding the constitutionality of Aadhaar. This bench reiterated the principle of informational privacy and recognised personal data protection as part of the right to privacy.
Both Puttaswamy I and Puttaswamy II benches of the Supreme Court held that any incursion on the right to privacy by the government must be reasonable and proportionate, and it should qualify the following three conditions:
a) The restriction in the right to privacy must be effected through a law that pursues a legitimate state aim,
b) It must have a reasonable relationship between the end and means to achieve them.
c) It must be the least meddling means to achieve the state aim.
The Personal Data Protection Bill articulates the essential principles of personal data protection, which are a part of the right to privacy of an individual. As per these principles:
1. The consent of the person whose personal data is collected (Data Principal) is necessary before any person, or the government (Data Fiduciary) can collect and process such data.
2. The personal data collected must be used only for a specific, explicit, and lawful purpose for which the consent of the Data Principal is obtained (purpose limitation).
3. The personal data must also be used fairly and reasonably (lawful processing).
Clause 12 of the Personal Data Protection Bill provides procedures for the collection and processing of data during a health emergency. It has been provided that the Data Fiduciary is exempt from taking the consent of the Data Principal, provided that the collection and processing of personal data are authorised under law. A public health emergency, however, does not offer concessions to governments from other principles of personal data protection such as purpose limitation, lawful processing, storage limitation, transparency, and accountability.
However, the Bill falls short in addressing privacy and accountability as it does not provide for an independent data protection authority that could look into the privacy concerns.
The Personal Data Protection Bill has not been enacted yet, and the data collected by central or state governments is taken on ad-hoc basis, not sanctioned by any law.
Provisions of the Epidemic Diseases Act, 1897, and the National Disaster Management Act, 2005, have been frequently implemented by governments during this pandemic to adopt certain emergency containment programmes. The Act and the orders issued thereunder do not provide for a mechanism to collect or process personal data. They do not comply with the principles of personal data protection.
It is obligatory, therefore, that the governments collect and process all personal data only under due process of law and promulgate necessary and comprehensive measures for the same.
In this unprecedented situation, it is in our benefit to provide information and we are providing our data for the lone purpose of containment of this pandemic (‘purpose limitation’). We permit no illicit use of our data and require an understanding of the intention of its use (‘lawfulness, fairness and transparency’). Contact surveillance measures put in place should only pool and analyse data that is pertinent and required for this purpose (‘data minimisation’). We hope our data to be protected from unauthorised access at all times (‘integrity and confidentiality’).
The writer is a Research Scholar at Central University of Kashmir, Department of Politics and Governance.