INTRODUCTION
Since the beginning of this year, 2020 a virus started from a small city of China has now spread across the globe. The Covid-19 pandemic is maybe one among the rarest encounters that the modern world has come across. This crisis has entirely shaken the world and has been wiping out lives every day with no cure found yet. As the government faces many challenges during this crisis, it has been trying to seek out various methods to track down affected people in order to minimize the spread as much as possible. Epidemic Modeling, contact tracing and documentation of quarantine patients have now become a priority for tracking.
GOVERNMENT TRACKING
Different countries are adopting various methods to track down people and their history.
- The US and UK are coordinating with private companies in order to track people and their locations.
- Singapore, Iran, Russia and Israel are using mobile applications to track, help, support and identify new cases.
- While China with help of telecom operators rapidly expanded its mass surveillance by tracking people and also with companies developing face recognition technology.[1]
- In South Korea, government agencies are using surveillance-camera footage, smartphone location data and credit card purchase records totrace the movements of coronavirus patients and establish virus transmission chains. But recently being concerned of privacy invasions they ensured to balance protection of human rights and public interest in preventing infections.
- In Lombardy, Italy, the authorities are analyzing location data through citizen’s mobile phones to determine how many people are obeying a government lockdown order and the typical distances they move every day. An official also mentioned that around 40 percent of the people were still moving around.[2]
- The Armenia’s parliament on March 31, 2020, passed amendments giving the authorities very broad surveillance powers to use cellphone data for tracking coronavirus cases. These amendments ensured to impose restrictions on the right to privacy and also permit the authorities to access confidential medical information of people affected with virus.[3]
- In India, the Ministry of Electronics and Information Technology has developed an application which traces the location of a user and let’s inform them when they come in contact with a Covid-19 infected person. Indian government is also collecting data through airlines and railways to track down people who might be suspected with infection and also stamp people who promised not to travel and stay at home. The state of Kerala used CCTV footage, tracing call records and using GPS to find the locations of the infected persons and has published them.[4] The states like Karnataka, Rajasthan and the Mohali district, a satellite city of Chandigarh, have published the names and information of people infected to the public, this list consisted personal details such as names and addresses of more than 300, suspected of carrying the virus. This list was a self-declaration form that the international passengers entering India were asked to fill.
Disclosures like these might be normal from a typical man’s point of view, but it does have a negative impact as a person’s personal information is being spread in public which is against their right to privacy. These disclosures lead to an unhealthy society, as recently there have been cases where several doctors and nurses were forced by their landlords to evict as they feared that the health workers could be a source to spread of Covid-19. [5]
Releasing personal information of a person to deal with the current pandemic may lead to massive and long-term crimes in future. The law enforcements have developed and accessed to higher powered surveillance systems. And the experts also say that the terrorist attacks of September 11, 2001, was a lesson Americans learned, hence an open personal data spread among public, may be repurposed to further political agendas in future.
INVASION OF PRIVACY
Invasion of privacy is indeed an important concern, but during such a pandemic health emergency governments try to ensure safety of health first. When governments take decisions such as tracking people, collecting data and publishing them, gives rise to a serious question i.e., Right to privacy of a person being invaded illegitimately, the action of the executive to upload private information of people undergoing quarantine in the public domain violates the fundamental right to privacy. But Mila Romanoff, data and governance lead for United Nations Global Pulse, a U.N. program that has studied using data to improve emergency responses to epidemics like Ebola and dengue fever, said that, in emergencies like pandemics, privacy must be weighed against other considerations, like saving lives.[6]
Hence, when a public health emergency is in question the governments, take action in accordance to the priorities. It should also be considered that one’s right to privacy must not be completely sacrificed for the sake of public health. Now, this raises the question as to what proportion can the right to privacy of people be invaded during such a public emergency?
CONSTITUTIONAL RIGHT TO PRIVACY
Public health surveillance programs, even if well-intentioned, have to respect principles of liberty, equality and privacy. The Indian Constitution has recognized right to privacy as a fundamental right, but it is also essential to know that it includes protection of one’s personal data as well which includes their health reports. The importance of data protection of a person under their right to privacy was recognized in the case, K.S. Puttaswamy v. Union of India, in 2017. It was recognized under this case that the right to privacy was considered as an essential fundamental right including data protection and that the Indian legal framework lacked in this area. Shortly, it was seen that the government introduced the Personal Data Protection Bill, 2019 (PDP Bill) in Lok Sabha, which constituted principles of data protection. Later in a case of deciding constitutionality of Aadhar in a case (Puttuswamy II), the court further noticed the importance of personal data protection under the right to privacy. Both these cases also helped in proving that if a person’s right to privacy is to be infringed then it should be reasonable and proportionate and that the proportionality is an integral part of the personal data protection rule. They laid down a judgment consisting three-part test to examine whether an action of State alleged of breaching a citizen’s privacy is valid and reasonable.
- It has to be an action officially authorized by law which has a necessary legitimate aim.
- There should be a reasonable connection between the objects and means to achieve them.
- It should be the least intrusive method to achieve them.
The PDP Bill consists of important principles regarding the personal data protection of an individual. It specifically mentions that a person’s consent (Data Principle) is very important before a person or the government (Data Fiduciary) collects their personal data and the data collected must be used only for a specific, clear and lawful purpose for which the consent of the Data Principal must be obtained (purpose limitation). The personal data must hence be used in a fair and reasonable manner (lawful processing). It is also PDP Bill that answers the question as to what amount proportion can the right be invaded. Clause 12 of the PDP Bill specifies a mechanism for the collection and processing of data during a health emergency. Under this, the Data Fiduciary is exempted from taking the consent of the Data Principal, provided that the collection and processing of personal data is authorized under law. Hence the government need not consent the persons while collecting their personal data during a health emergency if an official permission is granted by the law.[7] It however does not let government to exempt from other principles of the personal data protection such as, lawful processing, transparency, storage limitation and accountability. This action of the executives releasing private information of people undergoing quarantine, in public is prima facie violative, of their fundamental right to privacy.[8]
Even if the PDP Bill has not been enacted as a law, the principles of data privacy have been recognized in the case of Puttaswamy II, and the mechanism of those principles is a proportionate interference in the right to privacy of an individual during a health emergency. Thus, violation of the right to privacy of individuals in a health emergency is proportionate only when it is sanctioned by law, and the principles of data protection are followed.
BURNING ISSUES
Presently, the personal data being collected by the Central or state governments is not officially sanctioned or authorized by the law. All the data collection activities are being undertaken on temporary basis. The Indian provisions in reference to the current situations are the Epidemic Disease Act, 1897 and the National Disaster Management Act, 2005, these provisions are being referred and implemented by the government since past few days but they do not specifically provide for any mechanism regarding collection of personal data during such emergencies.
During a public health emergency the authorities may collect personal data of individuals for the purpose of contact tracing, epidemic modeling, quarantine or any other lawful or specific purpose without consulting the individuals but then it must be ensured that the data is used for the specified purpose only and that it’s use must be limited to as much as possible. Later they must also ensure that adequate measures are taken for the deletion of the personal data after its use for the specified purpose. The officials must try to minimize the threats by collecting only the required data which is required for identifying patients, map the spread of the virus spreading or other lawful purposes. The right to privacy could be more respected if the data were tried to keep anonymous, as far as possible. The personal data of the individuals must be carefully stored and secured, in order to prevent leakage and misuse of the data. It would also be better off if the individuals are informed about the usage so that they are aware of the consequences. [9]
If any of the above are exempted or not considered seriously would lead to threat and inappropriate use of personal data which might damage the individual’s right to privacy. It may also lead to issues such as social degradation in the society as there have been such cases that we have been coming across such as people with travel history being targeted in the society which also applies to the health care workers and airline staffs where they are socially excluded. Recently, some health workers were asked to leave their house by the landlords as they were afraid that they could also be a source for the spread of virus.
Disclosure of personal data of individuals not only affects them but also their family in the society, may it be for a short or longer period of time. A person in quarantine when certified as free from virus still face social seclusion, such issues may lead to consequences where people might not report their travel history or any symptoms of sickness due to fear of facing the society and being excluded which makes it even harder for the government to trace cases. Hence, government must take steps wisely and not deteriorate the consequences.
GLOBAL EXAMPLES OF LAWS RELATING TO PROPORTIONATE INFRINGEMENT OF RIGHT TO PRIVACY
EU General Data Protection Regulations (EUGDPR) proportionates infringement of right to privacy by mandating that the data processor and controller even during a public health emergency must ensure protection of personal data. Recently, the European Data Protection Board (EDPB), the statutory authority under the EUGDPR, published a statement of guidelines on the processing of personal data due to the Covid-19 pandemic. It stated that an emergency is a legal condition and so it shall legitimize the right to freedom only during the period of crisis. The EDPB asked the Directorate-General for Communications Networks, Content and Technology, that the outline of data collected by mobile phones of users to track the spread of the virus must also be in according to the principles of EUGDPR and must be kept anonymous.
The Health Insurance Portability and Accountability Act (HIPAA) of the United States, protects health information of every individual in the healthcare system. Under this Act, such sensitive information of patients can be used only for the purpose of prevention or control of a disease, injury, or disability, for public health surveillance, public health investigations, and public health interventions and such use must be in accordance with law that allows for such functions and not otherwise.[10]
THE MOBILE PHONE APPLICATIONS
In various states of India the officials have also tried the stamping method, where the people quarantined will be stamped with an un-washable ink. But yet some of them were found travelling and coming outside increasing the risk of spreading the virus. There have also been many instances where people suspected to be infected by the virus escaped isolation and came out in public. And hence it forced the government to come up with an app that tracked infected people and notified others when they came into contact with one. The app uses location and Bluetooth features of the mobile phone in order to track down the person. This app has again given rise to the questions such as related to privacy such as, how long will a user’s data will be stored and will it be secured? And with India’s data privacy laws being accused lately, there are no proper set of safeguarding laws currently.
Like mentioned earlier, other countries have also come up with their own mobile phone applications, like China lets people scan QR code to establish if they are in contact with an infected person, Singapore launched its own tool which is an open source and anyone shall review, which uses Bluetooth signals to detect mobile phones that are nearby. Later if the app user in case gets infected by the virus, the health authorities examine the data logs from the app to seek out those who crossed their paths. A government official also said that the app preserved privacy by not revealing users’ identities to one another.[11]
CONCLUSION
In the current circumstances, the role of the government is not only limited to protecting the lives and health of individuals but also maintaining public trust and confidence in it. The policies and strategies being adopted by the Indian government to fight the pandemic must therefore ensure to adhere to the constitutionally recognized principles. The false choice between public health and the right to privacy must give way to an affective understanding of the right to privacy and data protection. Even if the present priority of government is to protect the country from the threat, they must also be well aware of future threats that might occur in process of protecting the present. These critical times may call for desperate measures, but definitely not unconstitutional ones.
Ms. Romanoff also mentioned that, “We need to have a framework that would allow companies and public authorities to cooperate, to enable proper response for the public good.”[12] Thus to reduce the risk of the coronavirus surveillance, it might violate people’s privacy but the government and companies must ensure use of data only that is required and must use accordingly. They must also ensure certain protection or security of the data.
FOOTNOTES
[1] Nikhil Pratap and Kashish Aneja, 1.3 Billion People. One Virus. How Much Privacy? , thewire.in, (Mar. 30, 2020), https://thewire.in/government/covid-19-pandemic-privacy-india
[2] Natasha Singer and Choe Sang-Hun, As Coronavirus Surveillance Escalates, Personal Privacy Plummets, nytimes.com, (Apr. 17, 2020), https://www.nytimes.com/2020/03/23/technology/coronavirus-surveillance-tracking-privacy.html
[3]Armenia: Law Restricts Privacy Amid Covid-19 Fights, HRW.ORG (Apr. 03, 2020, 12:00 AM), https://www.hrw.org/news/2020/04/03/armenia-law-restricts-privacy-amid-covid-19-fight
[4] Nikhil Pratap and Kashish Aneja, 1.3 Billion People. One Virus. How Much Privacy? , thewire.in, (Mar. 30, 2020), https://thewire.in/government/covid-19-pandemic-privacy-india
[5] Ashutosh Senger, Privacy Challenges During Covid-19, thehindubusinessline.com, (Apr. 20, 2020) , https://www.thehindubusinessline.com/opinion/privacy-challenges-during-covid-19/article31382552.ece
[6] Natasha Singer and Choe Sang-Hun, As Coronavirus Surveillance Escalates, Personal Privacy Plummets, nytimes.com, (Apr. 17, 2020), https://www.nytimes.com/2020/03/23/technology/coronavirus-surveillance-tracking-privacy.html
[7] Nikhil Pratap and Kashish Aneja, 1.3 Billion People. One Virus. How Much Privacy? , thewire.in, (Mar. 30, 2020), https://thewire.in/government/covid-19-pandemic-privacy-india
[8] Ashutosh Senger, Privacy Challenges During Covid-19, thehindubusinessline.com, (Apr. 20, 2020) , https://www.thehindubusinessline.com/opinion/privacy-challenges-during-covid-19/article31382552.ece
[9] Nikhil Pratap and Kashish Aneja, 1.3 Billion People. One Virus. How Much Privacy? , thewire.in, (Mar. 30, 2020), https://thewire.in/government/covid-19-pandemic-privacy-india
[10] Nikhil Pratap and Kashish Aneja, 1.3 Billion People. One Virus. How Much Privacy? , thewire.in, (Mar. 30, 2020), https://thewire.in/government/covid-19-pandemic-privacy-india
[11] Ivan Mehta, India is building a coronavirus tracker app, fueled by your location data, thenextweb.com, (Mar. 25, 2020), https://thenextweb.com/in/2020/03/25/india-is-building-a-coronavirus-tracker-app-fueled-by-your-location-data/
[12] Natasha Singer and Choe Sang-Hun, As Coronavirus Surveillance Escalates, Personal Privacy Plummets, nytimes.com, (Apr. 17, 2020), https://www.nytimes.com/2020/03/23/technology/coronavirus-surveillance-tracking-privacy.html