PRIVACY CHALLENGES DURING COVID-19
As the world witnessed the biggest catastrophe of the century, it was evident that to fight the novel corona virus, the countries worldwide will have to take unprecedented measures to mitigate the effects of the pandemic. The government was best suited for this and had to be at the forefront to stand a chance against the COVID-19. Though it was not only the government that had to be active but also the whole nation because as much as government had to do in the fight it was the duty of the whole nation to keep a check of the unprecedented power that government may acquire. Government used technology like never before and it was infringing or invading the privacy of its citizens i.e. it was violating the fundamental rights of the citizens. It raised several concerns as privacy is not only a fundamental right but also a natural and human right that has to guarded even in times of emergency.
PRIVACY AND RIGHT TO PRIVACY
A preliminary and general deliberation on fundamental rights to privacy and data protection is necessary for scrupulously analysing the ramifications of privacy violations in the ongoing COVID-19 pandemic. Though the right to privacy and data protection are fundamental rights, yet they have their limitations i.e. they can be put under reasonable restrictions at times and are not absolute or unconditional rights. In the past also the fundamental rights have been put under temporary limitations in cases of state emergencies, national interest or exceptional circumstances. As Tedros Adhanom Ghebreyesus, Director-General of WHO, has said “this epidemic is a threat for every country, rich and poor”, this has rendered COVID-19 pandemic the status of an exceptional circumstance leading to the declaration of states of emergency in countries worldwide.
There is no definite legal definition of “privacy”, it is often termed as a human right by legal experts as there is no instrumental backing for this right in particular. Bodily integrity, personal autonomy, informational self-determination, protection from state surveillance, dignity, secrecy, compelled speech, and freedom to protest, move, or think are all examples of privacy. In short, the right to privacy must be assessed on an individual basis. In India it was on 24th August 2017, when a nine-judge Supreme Court bench led by Justice J.S. Khehar gave due recognition to privacy and made a landmark judgement in Justice K. S. Puttaswamy (Retd.) and Anr. v. Union Of India And Ors. It unanimously declared the ‘Right to Privacy’ as a fundamental right and held that the ‘Right to Privacy’ was “an intrinsic part of life and liberty under Article 21”. The supreme court bench overruled its previous judgments in M.P. Sharma v. Satish Chandra and Kharak Singh v. State of U.P., which held that right to privacy was not a fundamental right. The court held that right to privacy was a natural right inherent in all natural persons.
The right to privacy like all other fundamental rights in the Indian constitution is not an absolute right but the supreme court held that it can only be restricted if the action of state passes the ‘proportionality test’, under which it laid down three conditions:
“First, such state action must have a legislative mandate;
Second, it must be pursuing a legitimate state purpose; and
Third, it must be proportionate i.e., such state action — both in its nature and extent, must be necessary in a democratic society and the action ought to be the least intrusive of the available alternatives to accomplish the ends.”
PUBLIC HEALTH V. PRIVATE INFORMATION
The COVID-19 pandemic has become a global emergency, with ravaging impacts in terms of economic decline and loss of life. This situation has called for a response at both collective and individual levels from the nations. World Health Organization (WHO), the UN specialised agency of international public health in a joint statement on data protection and privacy mentioned that, “Mounting evidence demonstrates that the collection, use, sharing and further processing of data can help limit the spread of the virus and aid in accelerating the recovery, especially through digital contact tracing. Mobility data derived from people’s usage of mobile phones, emails, banking, social media, postal services, for instance, can assist in monitoring the spread of the virus and support the implementation of the UN System Organisations’ mandated activities.” This was duly noted by different administrations and prompt actions were taken to keep a check on the spread of the virus, with contract tracing by both public and private organisations becoming the new norm. This widespread collection and storage of personal data triggered privacy concerns among the masses and various international organisations; as such data collection could have certain ill effects if applied for purposes not related to COVID response.
India’s response to the pandemic has been very similar to most of the countries worldwide. Both the state and central governments are taking extraordinary steps to contain the spread of the deadly virus, but are divided in their approaches because of lack of any national protocol or law. Both are most significantly relying on the extensive use of technology that makes use of a person’s personal and health data to mitigate the effects of the virus and get it under control. While the measures employed appear to be appropriate on the surface, the mediums used to carry out the programme ignore key considerations about human dignity and privacy. Processing personal data is important under the specific circumstances of a pandemic in order to take suitable actions to control the virus's transmission and, as a result, minimise its impacts. In pursuance of the same technology has been broadly used for following:
Creating a database with the passport numbers, cellphone numbers, addresses and travel history of the persons quarantined and suspected of being infected by COVID-19.
Monitoring compliance by quarantined individuals by making use of drones and employing the technology of geo-fencing.
Developing mobile applications for contact-tracing such as Aarogya Setu.
Using personal data (such as name, home address, workplace, travel information) to keep a check if a person has visited an infected area or has come in contact with a patient of the virus.
Making use of health data(including diagnostic test results) to understand whether an individual shows infection-related symptoms.
The manner in which governments are handling the private information of the patients has induced a stench of despair as recently lists of persons under quarantine or suspected of infection were released in public domain by various state governments. Though such a measure may seem right from a common man’s point of view but it is an invasion to the personal liberty and privacy of the patients. Also, it has lead to second-order harms such as stigma, physical and emotional distress, and harassment of the patients which have further lead to increased mortality rates, since many with COVID-19 or flu-like symptoms have refused to go to hospitals.
Also, there is no legal backing of the disclosure of the names of the patients and though Ministry of Health guidelines for surveillance allows for sharing of information with state or district surveillance units but there is no provision in the guidelines that allows the governments to make such information public. “Governments have invoked Epidemic Disease Act,1897 and Disaster Management Act,2005 for providing legal immunity to the actions taken in ‘good faith’ during this time. But ‘a bare perusal of the Epidemic Diseases Act, 1897 and the National Disaster Management Act, 2005 shows that no provision in these Acts allows or legitimises publishing personal data of the persons on a public database’.” Making use of drones or deploying geo-fencing technologies for monitoring compliance is similarly unsanctioned. Surveillance through mobile phones can be allowed under Telegraph Act, 1885 but no orders for the same have been released by the concerned ministry and the drones used do not appear to have any visible registration or licensing as mandatorily required by Aircraft Act of 1934. In addition to this drones used posses modern and invasive technologies such as thermal imaging and night-time reconnaissance and many models are simply not permitted to be used in India. So, such actions of the state, prima facie violate the fundamental right to privacy of its citizens.
States are describing the release of data as ‘harmonised data sharing’ to better inform citizens but states must realise that the priority is to contain the spread of virus and not make people hesitate to share their information in fear that it will be released in public domain. If states continue to use such methods it will not only lead to further chaos and un-cooperation and it will also be a disregard to the constitutional order of the supreme court.
PRIVACY CONCERN OVER AAROGYA SETU APP
On April 2, 2020 India launched its first ever contact-tracing application named ‘Aarogya Setu’. It is available in 11 languages for pan India use and is being endorsed by Central government. Developed by the National Informatics Centre under the Ministry of Electronics & Information Technology, the app soon after its launch became one of the most downloaded apps globally after Prime Minister Narendra Modi urged the nation to download it. Since its launch the app has added on functionalities such as accepting donations to PM-CARES Fund and hosting e-passes for essential services providers.
HOW DOES THE APP WORK?
Aarogya Setu keeps a track of a person and the people, the user has come in contact with and if any of the people, the user has come in contact with, tests positive or shows symptoms of COVID-19, the app alerts the user. For this the app uses the Bluetooth and GPS technologies of the smartphones. Through GPS, the app keeps a log of all the locations that the user has been to in 15-minutes intervals and through Bluetooth, it detects other Aarogya Setu users which has come in contact with or were nearby to the user. All this data is kept in app itself until a person which came in contact with the user tests positive or shows symptoms of the virus in a self-assessment test in which case the data is uploaded on the government servers and the user is alerted of the same. Based on the self assessment of the user, the allots the user colour coding of green or yellow. If the user falls in the yellow category- purportedly high risk category- all the app data of that user will be uploaded on the servers while the data of the user with green colour code will be retained in the app itself. At the time of registration also, the app asks for some personal data such as name, sex, age, phone number, current location and travel history, which is used for creating a unique identity for the user in the government servers and as soon as the two app users come in contact, bluetooth recognises the other user thus exchanging the identities along with the time and location where both the users met or came nearby. When a user declares himself positive in the app, all the unique identities that were exchanged with the user are alerted and instructed on self isolation and the following steps.
EFFECTIVENESS OF THE APP
Like every other contact tracing app launched during the pandemic by the countries worldwide, Aarogya Setu comes with the same issue- dependency on self assessment of its users. Its efficiency is mainly dependent on the self reporting and widespread download and usage. In India, as there are lesser people with smartphones and the users of the app would be even less, variations in the self assessments and self reporting levels are bound to happen. According to the terms and conditions of the app, the government cannot be held liable for not identifying or incorrectly identifying a COVID patient through the app. The efficacy is not bulletproof and as Jason Bay, the brain behind TraceTogether, a contact tracing app from Singapore emphasises “Automated contact tracing is not a coronavirus panacea” but “A human-out-of-the-loop system will certainly yield better results than having no system at all”.
In addition to legal problems, there are certain technical issues as well concerning the app. First being, the unique identities that are created in the server are in the form of a static number thereby increasing the chances of identity theft and breach. Instead, the government can learn from the contact tracing app of Apple and Google which uses the constantly-changing digital identification keys for its user. Secondly, Aarogya Setu in comparison to foreign application makes use of both Bluetooth and GPS, thereby collecting a huge volume of data which can be potentially problematic. Another issue is that the government has gone against its own policy of ‘Open Source Software’ and has refused to make public the source code of the app. This restricts the developers, researchers and coders to take a deeper look in the inner working of the app along with auditing it for its potential security flaws. This has lead experts to question the true motives of the app and into believing that it after all is a mass surveillance app. It has also lead International forums such as the Internet Freedom Foundation and the Software Freedom Law Centre as “ a black box”.
Some are also of the view that the government can also use Aarogya Setu as an instrument for regulating the right of freedom of movement of people thus hindering their use of government services and benefits and endangering their right to life. For example, the colour coding in the app can be used to an instrument to allowing or restricting the entry to banks or PDS. Government made it mandatory for all its employees in the public sector to download the application and “this situation could posit the problem of an unconstitutional condition or barter — a situation where citizens are forced to give up their rights (right to autonomy and privacy in this case) in exchange for government benefits.”
CONCLUSION AND WAY FORWARD
In critical times like these, it can be tempting to argue that the government’s powers are limitless and even the fundamental rights can be suspended at will. This argument is based on the fact that the pandemic is an existential threat and supersedes any other interest. However these arguments are not only wrong but dangerous, for reasons that have been outlined by Justice H.R. Khanna: “when faced with crises, governments — acting for all the right reasons — are invariably prone to overreach. Any temporary measures they impose have a disturbing habit of entrenching themselves into the landscape and creating a ‘new normal’ well after the crisis has passed. Paying close attention to civil rights, therefore, becomes critical, not to impede the government’s efforts, but to ensure that rights — fragile at the best of times, and particularly vulnerable in a crisis — are not permanently effaced.”
Though processing personal data and mass surveillance has become indispensable tools in the fight against corona virus yet its the responsibility of the government that they do not invade or infringe the right of privacy of people. Not only are the government's technology solutions unsupported by legislation in this situation, but there is also scant evidence that they are the least restrictive options available. For the protection of constitutional order and safeguarding the privacy of the nation government should refrain from making public the personal information of its citizens and citizens must be thinking of how their data will be handled after the pandemic is over, also they have to be cautious that the executive doesn’t make these new systems the ‘new normal’.
IAS, Drishti. “Aarogya Setu App: A Technological Solutionism.” Drishti IAS, 18 May 2020, www.drishtiias.com/daily-updates/daily-news-editorials/aarogya-setu-app-a-technological-solutionism.
IAS, Drishti. “Regulation of Public Data.” Drishti IAS, 23 July 2020, www.drishtiias.com/daily-updates/daily-news-editorials/regulation-of-public-data
Parthasarathy , Suhrith, et al. “Privacy Concerns during a Pandemic.” The Hindu, The Hindu, 29 Apr. 2020, www.thehindu.com/opinion/op-ed/privacy-concerns-during-a- pandemic/article31456602.ece
Adlakha, Priya. “Cyber Crime During Coronavirus Pandemic - Coronavirus (COVID-19) - India.” Welcome to Mondaq, S.S. Rana & Co. Advocates, 22 Apr. 2020, www.mondaq.com/india/operational-impacts-and-strategy/921026/cyber-crime-during-coronavirus-pandemic
Aneja, Kashish, and Nikhil Pratap. “Implement Aarogya Setu, but Only through Law.” The Hindu, The Hindu, 21 Apr. 2020, www.thehindu.com/opinion/op-ed/implement-aarogya-setu-but-only-through-law/article31391708.ece
Bhargava, Yuthika. “Hacker 'Sees' Security Flaws in Aarogya Setu.” The Hindu, The Hindu, 7 May 2020, www.thehindu.com/news/national/ethical-hacker-robert-baptiste-elliot-alderson-sees-security-flaws-in-aarogya-setu/article31515292.ece
Chowdhury , Probir Roy. “Why Data Privacy Must Be Safeguarded, Even in Times of COVID-19.” The Financial Express, The Financial Express, 19 May 2020, www.financialexpress.com/money/why-data-privacy-must-be-safeguarded-even-in-times-of-covid-19/1963579/
George, P.J. “Coronavirus: What Are the Concerns around the Aarogya Setu App?” The Hindu, The Hindu, 6 May 2020, www.thehindu.com/sci-tech/technology/coronavirus-what-are-the-concerns-around-the-aarogyasetu-app/article31434768.ece
IAS, Drishti. “Privacy Concern Over Aarogya Setu App.” :: Drishti IAS Coaching in Delhi, Online IAS Test Series & Study Material, 4 Apr. 2020, www.drishtiias.com/printpdf/privacy-concern-over-aarogya-setu-app
IAS, DRISHTI. “Privacy Judgement and the Aftermath.” Drishti IAS, 26 Aug. 2019, www.drishtiias.com/daily-updates/daily-news-editorials/privacy-judgement-and-the-aftermath
Rajagopal, Krishnadas. “The Lowdown on the Right to Privacy.” The Hindu, The Hindu, 29 July 2017, www.thehindu.com/news/national/the-lowdown-on-the-right-to-privacy/article19386366.ece
Senger, Ashutosh. “Privacy Challenges during Covid-19.” @Businessline, The Hindu BusinessLine, 20 Apr. 2020, www.thehindubusinessline.com/opinion/privacy-challenges-during-covid-19/article31382552.ece
Team, The Hindu Data. “Data: How Safe Is Aarogya Setu Compared to COVID-19 Contact Tracing Apps of Other Countries?” The Hindu, The Hindu, 19 May 2020, www.thehindu.com/data/how-safe-is-aarogya-setu-compared-to-contact-tracing-apps-of-other-countries/article31618852.ece
VENTRELLA, EMANUELE. “Privacy in Emergency Circumstances: Data Protection and the COVID-19 Pandemic.” ERA Forum, Springer Berlin Heidelberg, 28 Sept. 2020, link.springer.com/article/10.1007/s12027-020-00629-3#Sec2
Vishwanath, Apurva. “Lists of Covid Names Raise Issues of Public Health vs Private Information.” The Indian Express, 29 Mar. 2020, indianexpress.com/article/india/coronavirus-names-private-information-privacy-home-quarantine-6336611/
Wenar, Leif. “Rights.” Stanford Encyclopedia of Philosophy, Stanford University, 24 Feb. 2020, plato.stanford.edu/archives/spr2020/entries/rights/
, Shinjinee. “Covid-19 Surveillance: Is Personal Privacy Overlooked In The Process?” Legal Service India - Law, Lawyers and Legal Resources, 2020, www.legalserviceindia.com/legal/article-2459-covid-19-surveillance-is-personal-privacy-overlooked-in-the-process-.html
, WHO. “WHO Director-General's Opening Remarks at the Media Briefing on COVID-19 - 5 March 2020.” World Health Organization, World Health Organization, 5 Mar. 2020, www.who.int/director-general/speeches/detail/who-director-general-s-opening-remarks-at-the-media-briefing-on-covid-19---5-march-2020
NAME- VAIBHAV GARG
COLLEGE- RAJIV GANDHI NATIONAL UNIVERSITY OF LAW