Disease surveillance and data privacy
By: Mohammad Maqbool Waggy
The rigorous use of contact tracing across the digital and physical spheres has been widely credited with helping to limit the spread of COVID-19. In digital contact tracing, personal data is used to map the location and mark out the communication of persons, compare their location with the location history of confirmed cases, and inform users to take necessary action if they come in contact with COVID-19 cases. This digital surveillance has sparked legitimate concerns about privacy.
The Government of India has developed a contact tracing mobile application — Aarogya Setu — which uses smartphones’ GPS and Bluetooth features to track the coronavirus infection. The Aarogya Setu app uses Bluetooth technology to determine the risk if one has been within six feet of a COVID-19 infected person, by scanning through a database of known cases across India. It also uses location information to determine whether the location one is in belongs to an infected area, based on available data.
The state of Kerala has traced its people who have tested positive and their secondary and tertiary contacts by using telephone call records, CCTV footage, and mobile phone GPS systems.
Punjab is also using cell phone data, including call records and GPS, to enforce lockdown, ensure home delivery of groceries, and for contact-tracing.
The states of Karnataka, Rajasthan, and the Mohali district administration have displayed biodata of COVID-19 suspects publicly through local newspapers and official websites.
Jammu & Kashmir undertook GIS mapping of all cases, including suspects and those under surveillance, quarantined, and isolated. In Ganderbal, the district administration has issued orders for people to install the Aarogya Setu app.
The use of these methods has sparked legitimate concerns of incursion on the right to privacy of individuals. But we are, as individuals, making a trade-off between our safety and data privacy. We understand that in this pandemic situation, our very existence depends on sharing our personal information. Not sharing your personal information could result in loss of human life, including yours and that of your loved ones, and it seems sensible not to worry about privacy when human existence is in danger without sharing personal data.
Framing this as a swap between privacy and public health is an oversimplification, though; in the face of COVID-19, it is an exceptional circumstance with a clear purpose, not blanket permission, nor an admission of our willingness to give up our right to privacy. Government agencies should not exploit this pandemic as an opportunity to infringe on the privacy rights of individuals. Governments must make sure that the privacy rights of their citizens are not unreasonably breached even in times of health emergencies.
What constitutes a reasonable infringement of the right to privacy in a health emergency? It is imperative to understand the legal framework of the right to privacy.
The right to privacy is an intrinsic part of the Right to Life and Personal Liberty under Article 21 of the Constitution. Its scope first came up in Kharak Singh v/s State of U.P. in 1962, which was related to the validity of specific regulations that permitted the surveillance of suspects. However, it was in the nine-judge-bench judgment of K.S. Puttaswamy v/s Union of India, in 2017, that the Supreme Court of India documented the right to privacy as an integral part of fundamental rights (Puttaswamy I). It also recognized data protection as an indispensable part of the data privacy of an individual and observed that India lacks a comprehensive legal framework for personal data protection.
Following the same, the Government of India constituted a committee headed by Justice Srikrishna, which submitted its comprehensive report on personal data protection to the parliament. Shortly after that, the government introduced the Personal Data Protection Bill, 2019, in the Lok Sabha on December 11, 2019, mainly incorporating the principles of personal data protection recommended by the Justice Srikrishna Committee.
Meanwhile, it was further strengthened by a five-judge bench of the Supreme Court deciding the constitutionality of Aadhaar (Puttaswamy II), which reiterated the principles of informational privacy and recognized personal data protection as a part of the right to privacy.
Both Puttaswamy I and Puttaswamy II held that any incursion on the right to privacy by the government must be reasonable and proportionate; it should satisfy the following three conditions:
- a) the restriction in the right to privacy must be effected through a law that pursues a legitimate state aim,
- b) has a reasonable relationship between the end and means to achieve them, and
- c) is the least meddling means to achieve the state aim.
The Personal Data Protection Bill articulates the essential principles of personal data protection, which are a part of the right to privacy of an individual. As per these principles:
- The consent of the person whose personal data is collected (Data Principal) is necessary before any person, or the government (Data Fiduciary) can collect and process such data.
- The personal data collected must be used only for a specific, explicit, and lawful purpose for which the consent of the Data Principal is obtained (purpose limitation).
- The personal data must also be used fairly and reasonably (lawful processing).
Clause 12 of the Personal Data Protection Bill provides procedures for the collection and processing of data during a health emergency. It has been provided that the Data Fiduciary is exempt from taking the consent of the Data Principal, provided that the collection and processing of personal data are authorized under law.
A public health emergency, however, does not exempt governments from other principles of personal data protection such as purpose limitation, lawful processing, storage limitation, transparency, and accountability. The Bill, however, falls short in addressing privacy and accountability, as it does not provide for an independent data protection authority that could look into privacy concerns.
The Personal Data Protection Bill has not been enacted yet, and the data collected by central or state governments is taken on an ad hoc basis — not sanctioned by any law.
Provisions of the Epidemic Diseases Act, 1897, and the National Disaster Management Act, 2005, have been frequently implemented by governments during this pandemic to adopt certain emergency containment programs. The Act and the orders issued thereunder do not provide for a mechanism to collect or process personal data. They do not comply with the principles of personal data protection.
It is obligatory, therefore, that the governments collect and process all personal data only under due process of law and promulgate necessary and comprehensive measures for the same.
In this unprecedented situation, it is to our benefit to provide information, and we are providing our data for the sole purpose of containing this pandemic (‘purpose limitation’). We expect no illicit use of our data and require an understanding of the intention of its use (‘lawfulness, fairness and transparency’). Contact surveillance measures put in place should only pool and analyze data that is pertinent and required for this purpose, e.g., drones, phone GPS tracking, etc. (‘data minimization’). We hope our data will be protected from unauthorized access at all times (‘integrity and confidentiality’).
(The author is a Research Scholar at the Department of Politics & Governance, Central University of Kashmir, Ganderbal.)