The urgency of addressing public health concerns in the midst of the COVID-19 pandemic has resulted in the relegation of privacy protection to a position of lesser priority. The World Health Organization has discussed how public health surveillance can assist officials in developing precautionary policies to contain the outbreak. Such intensive surveillance is premised on big data and technological innovations.
Democracies like Taiwan, South Korea and Singapore, that are successfully purging the outbreak, are banking on ‘transparency’ while adopting invasive monitoring measures.
The experiences in these countries differ from the Indian story in two critical ways. First, these countries have a highly centralised government with a robust healthcare system and a history of strong epidemiological surveillance.
But the more consequential contrast is that each of these countries has an enforceable framework surrounding personal data protection which holds governments accountable for data collection, processing and reduced privacy privileges.
How Karnataka, Tamil Nadu, Gujarat Are Surveilling Dense Populations
With the systematic incorporation of technology in governance, the Indian digital surge is well under way. But the corresponding legislative process that would strengthen digital governance with a system of checks and balances is still in the pipeline. The Personal Data Protection Bill, introduced by the Indian government in 2019, awaits the Joint Parliamentary Committee scrutiny. However, the pendency of the Bill has not curtailed the State’s prerogative in executing extensive surveillance measures to contain the spread of coronavirus.
States such as Karnataka, Tamil Nadu and Gujarat are developing novel ways to monitor dense populations, through measures like geo-fencing, hydrogen balloons with cameras and other suspect tech practices.
Many states are mandating that quarantined individuals download the government’s app and upload a selfie every hour from 7 AM to 10 PM. Data analysts then examine geotags to ascertain the individual’s compliance with the quarantine rules.
More recently, the Indian government launched the Aarogya Setu app which serves as a centralised database of voluntarily uploaded sensitive patient data.
To the central government’s credit, the privacy policy of the app appears to have been designed to allay concerns surrounding misuse and appropriation of data. It clearly sets out a timeline for deletion of data from servers and prohibits sharing of data with any third party except to persons carrying out medical and administrative interventions in relation to COVID-19. Even so, there remain two issues.
First, the policy’s strong focus on data protection is merely a result of the central government’s good sense and a result of its discretionary powers, and not a consequence of any law that keeps the government accountable.
India Stands at Cusp of ‘Normalising’ Compromised Privacy Rights
Hence, even if the privacy policy was a blatant violation of fundamental rights, there would be a void where there ought to be statutory accountability and grievance redressal mechanisms. Second, consequent to such a lack of statutorily imposed standards, state governments have not been as vigilant as the central government in ensuring that digital governance during the pandemic does not jeopardise the fundamental rights of citizens.
The Aarogya Setu app states that it will not share any individual’s name and number with the public at large at any time, but state governments have not displayed the same sensitivity to citizens’ privacy.
The Ahmedabad Municipal Corporation, for instance, has made public the details of COVID-19 patients, including names and addresses, through a customised and constantly updated map.
While the pandemic may offer a ‘justification’ for such invasive surveillance, India stands at the cusp of normalising compromised privacy rights which serves to reinforce the argument made by the Centre before the Supreme Court that there is no right to privacy.
In the absence of an enforceable data protection framework, the surveillance mechanisms operate in a legislative vacuum that amplifies the scope of administrative discretion.
This is made evident by the vast difference in data security and privacy protection standards with respect to recent surveillance mechanisms between the central and state governments.
How Data Protection Bill ‘Empowers’ Govt Amid a Pandemic
It is important to assess the measures devised to monitor and process data during the current pandemic against the pending Personal Data Protection Bill for two reasons. First, actions taken on this front today provide an insight into the possible interpretation of the scope of legal provisions granting executive discretion to act in ‘public interest’, and the manner in which authorities may exercise such discretionary powers. Second, current circumstances offer an opportunity to rethink the balance between power and accountability with respect to data protection. At present, the Bill empowers the government to exempt any agency of the government from fulfilling obligations under the Bill for certain broadly stated purposes including ‘public order’.
The foundation of the Personal Data Protection Bill in its earlier version was touted to be informed consent. But the Bill, as it stands today, carves out an exception for the consent requirement if data is being processed for reasonable purposes, which includes a ‘medical emergency’.
This contentious provision acquires a perilous dimension, and could dismantle efforts to secure the fundamental right of privacy.
Clause 9 of the Personal Data Protection Bill restricts the retention of personal data beyond the period necessary to satisfy the purpose for which it is collected and stipulates its deletion at the end of the processing. However, a longer period of retention is permissible if it is necessary for compliance with any obligation under any law. The scope for exercise of discretion by the government is further widened by Clause 14(c) which eliminates the requirement of consent if processing of personal data is necessary for any public interest.
Room For Third-Party Misuse Post-Coronavirus Pandemic
On the whole, the Bill creates a perverse incentive for the government to create black holes of public interest, which rapidly evolve with changing national interests. The culmination is unfettered discretion without adequate accountability, and a scenario wherein public health may be preserved at the cost of personal and public data security.
This runs the risk of normalising a state of crisis where the government is justified in loosening the rules of privacy. Today, in the wake of the coronavirus pandemic, the measures taken by the government can be viewed as symptomatic of their intentions after the Bill is enacted. Take for instance, the map circulated by the Ahmedabad Municipal Corporation. This may have its advantages in the present moment, but without robust security measures, there is a risk of the space of emergency being preserved to justify exemption from obligations pertaining to data processing.
While such measures are launched in the midst of a pandemic, there is suspect silence around their existence and scope post COVID-19.
This is compounded by the lack of sunset clauses which limit the operation of such digital platforms with sensitive personal data until the pandemic ends, and leaves room for misuse by third parties in non-emergency times.
The accessibility of data and its dissemination on social media suggests that the firewall is thin, which risks data being appropriated for other governmental or commercial purposes.
How to Inspire Trust of People Amid Corona
Digital governance to contain COVID-19 has exemplified the need to eliminate the possibility of a blanket exemption for the government from security obligations under the imminent data protection law. Even when it is necessary for the government to exercise its discretion and act urgently in response to a ‘medical emergency’ or in ‘public interest’, the ambiguity of these terms, the extent of unchecked surveillance, and potential of misuse that is possible, makes it imperative for the government to be liable to fulfil the obligations of a data fiduciary set out in the Bill.
If the trust of the people is to be inspired and their fundamental rights are to be protected, the government cannot be exempt from the transparency and accountability measures that a data fiduciary is required to undertake.
These include security safeguards including encryption and prevention of misuse of data; and establishing grievance redressal mechanisms for individuals who are adversely affected by data collection, processing, storage or misuse during the pandemic, to have their complaints addressed.
Unhindered growth of surveillance mechanisms is already normalising interference with personal liberty and privacy.
The road towards institutionalising the Personal Data Protection Bill cannot be on the basis of compromised consent and coercive measures based on enhanced surveillance and inadequate accountability. The need of the hour is to develop surveillance tools in line with existing jurisprudence and civil right standards while designing the scope of the Personal Data Protection Bill to tackle future health emergencies. The coronavirus pandemic, despite its imminent threat, provides valuable lessons on the desirability of devising data protection measures for a model of digital governance which ensures that the interests of citizens, in the short-term and long term, are second to none.
( The authors are Namrata Maheshwari and Arjun Joshi, lawyers who are currently pursuing a Master of Laws (LL.M.) at Columbia Law School, New York. This is an opinion piece. The views expressed above are the author’s own. The Quint neither endorses nor is responsible for them.)
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)