1.3 billion people, one virus, how much Privacy?

The COVID-19 pandemic has now assumed global proportions, the likes of which the modern world has rarely encountered. The alarming rise of fatalities has necessitated prompt and large scale action by governments across the world.

Faced with this challenge, different countries are now attempting to find unique and innovative ways to track the spread of the disease and prevent it by all possible means. Epidemic modelling, contact tracing and the documentation of quarantined patients have now become the priority for most countries and they are increasingly relying on technological tools to carry out these processes.

Government tracking

The authorities in the US and the UK are coordinating with private companies to retrieve granular location data of its citizens, mapping their whereabouts and devising strategies to trace their exposure. Singapore, Iran, Russia and Israel are using mobile applications to support the contact tracing of its patients, predict the next hotspot or allocate health resources.

These applications track the users, compare their location with the location history of confirmed cases, and inform the users to take necessary actions if they come in contact with COVID-19 cases. China has exponentially expanded its mass surveillance, with telecom operators tracking people’s movements and companies rolling out facial recognition technology.

In India, the Ministry of Electronics and Information Technology has developed a contact path tracing mobile application which geo-traces user location and informs them if they have come in contact with an infected person. The Indian government is already using airline and railway reservation data to track suspected infections and find hand-stamped people who have promised not to travel.

The State of Kerala has used telephone call records, CCTV footage, and mobile phone GPS systems to trace primary and secondary contacts of COVID-19 patients, and has published detailed time and date maps showing the movement of people who have tested positive. The States of Karnataka and Rajasthan, and the Mohali district administration have made names and personal addresses of COVID-19 suspects public through local newspapers and official websites.

Hobson’s Choice ?

The use of these methods may raise legitimate concerns of invasion of privacy of individuals. But during a public health emergency of such a magnitude, the priority of any government is to take all measures to address the emergency. It is a compelling justification for sacrificing an individual's right to privacy. The choice between public health and privacy has an obvious answer.

However, articulating the issue at hand as an either-or choice between privacy and public health is an oversimplification. The right to privacy must not be completely sacrificed in favour of public health considerations. Even in times of health emergencies, the governments must ensure that privacy rights of its citizens are not disproportionately infringed. This begs the question: what constitutes a proportionate infringement of the right to privacy in a health emergency?

To answer the question, a detailed understanding of the legal framework of the right to privacy in India is necessary.

The Constitutional Right to Privacy

The Supreme Court of India, in its 9-judge bench judgment of KS Puttaswamy v. Union of India (Puttaswamy I) in 2017, recognized the right to privacy as an integral component of Fundamental Rights. It also recognized data protection as an essential part of informational privacy of an individual and observed that India lacks a comprehensive legal framework for personal data protection.

Accordingly, an expert committee headed by former Supreme Court judge, Justice BN Srikrishna was constituted by the Government of India, which presented a comprehensive report on personal data protection to the Parliament. Shortly thereafter, the government introduced the Personal Data Protection Bill, 2019 (PDP Bill) in the Lok Sabha, largely incorporating the principles of personal data protection articulated by the Committee.

In the meanwhile, a 5-judge bench of the Supreme Court deciding the constitutionality of Aadhaar (Puttaswamy II), further reiterated the principles of informational privacy and recognized personal data protection as a component of the right to privacy.

Both Puttaswamy I and Puttaswamy II held that any infringement of a right to privacy by the government must be reasonable and proportionate, which broadly means that the following conditions must be met: the restriction in the right to privacy must be effected through a law which pursues a legitimate state aim, has a reasonable nexus between the objects and means to achieve them, and is the least intrusive means to achieve the state aim.

The Justice Srikrishna Committee Report also incorporates the principles of proportionality as an integral part of the personal data protection regime.

The Dilemma Resolved

The Report and the PDP Bill articulate the important principles of personal data protection which are a part of the right to privacy of an individual. As per these principles, the consent of the person whose personal data is collected (Data Principal) is necessary before any person or the government (Data Fiduciary) can collect and process such data. The personal data collected must be used only for a specific, clear and lawful purpose for which the consent of the Data Principal is obtained (purpose limitation).

The personal data must also be used in a fair and reasonable manner (lawful processing). Further, the Data Principal should have the right to access information regarding the manner and purpose for which their personal data is used by the Data Fiduciary and also the right to be forgotten. Personal data must not be retained with the Data Fiduciary beyond the period necessary to satisfy the purpose of data collection and processing (storage limitation).

The answer to the question posed earlier, that is, what is a proportionate infringement of the right to privacy in case of a public health emergency, can also be found in the Report and the PDP Bill. Clause 12 of the PDP Bill institutes a mechanism for the collection and processing of data during a health emergency.

Under the said mechanism, the Data Fiduciary is exempt from taking the consent of the Data Principal, provided that the collection and processing of personal data is authorized under law. A public health emergency however, does not exempt governments from other principles of personal data protection such as purpose limitation, lawful processing, storage limitation, transparency and accountability.

Even though the PDP Bill has not been enacted as law, the principles of data privacy enshrined therein have already been recognized in Puttaswamy II, and the mechanism therein is an expression of a proportionate interference in the right to privacy of an individual during a health emergency.

Thus, the infringement of the right to privacy of individuals in a health emergency is proportionate only when the infringement is sanctioned by law and the principles of data protection are followed.

Burning Issues and a Way Forward

As of now, any collection and processing of personal data by the Central and state governments is not sanctioned by law and is being undertaken on an ad-hoc basis. Provisions of the Epidemic Diseases Act, 1897 and the National Disaster Management Act, 2005 have been frequently exercised by governments in the last few days to order emergency response measures. The Act and the orders issued thereunder do not provide for a mechanism to collect or process personal data. They do not comply with principles of personal data protection.

It is essential therefore that the governments collect and process all personal data only under due process incorporated in law and promulgate necessary and comprehensive measures for the same. The orders issued by the governments must expressly provide for such measures along with safeguard mechanisms that reflect the principles of personal data protection.

Authorities may collect personal data of individuals for contact tracing, epidemic modelling, quarantine or any other lawful and specific purpose prescribed under the law, without the consent of the individual, but they must limit the use of the data to the specified purpose only.

The authorities must also establish adequate measures for the deletion of personal data, after it has been used for the prescribed purposes of identifying potential patients and designing response strategies.

Further, the authorities should only collect the minimum required data to identify patients, map the spread of the disease, or any other lawful reason. Anonymized data should be used by the governments as far as practicable, and all security measures must be adopted by them to prevent leaks and misuse of such personal data, which may lead to unnecessary breach of confidentiality and privacy.

The citizens must also be informed of the usage of their personal data by the authorities, so that they have knowledge of possible adverse consequences that may arise from such usage.

Any derogation from the said suggestions may lead to a disproportionate disclosure of personal data of individuals to the public, which may cause irreversible damage to the individual’s right to privacy. Information which may be critical for public health officials to design responses to combat the epidemic, may lead to grave social stigma, if disclosed in the community.

For instance, if the travel history of a person having travelled abroad or the health status along with personal identification is disclosed in public forums and social media, it may lead to targeting of such individuals. There have already been reports of airline staff, medical workers, and COVID-19 suspects being shunned by their neighbours and facing social seclusion.

Moreover, disclosure of details of a person in quarantine may distress patients and their families in both short and long term, even after they are certified to be infection free. It may also deter people from reporting their illnesses and revealing their travel/exposure history for the fear of social intimidation and exclusion. This, in turn, would make it even harder for the governments to trace cases and contain the virus, which is the very purpose for which these measures were adopted.

Global Examples

A good example of a proportionate infringement of the right to privacy in a health emergency can be found in the EU General Data Protection Regulations (EUGDPR). The EUGDPR mandates that even in exceptional times of an epidemic, the data controller and processor must ensure the protection of the personal data of the data subjects.

Recently, the European Data Protection Board (EDPB), the statutory authority under the EUGDPR, published a statement with guidelines on the processing of personal data in the context of the COVID-19 outbreak.

The statement reiterates that an emergency is a legal condition which may legitimise restrictions of freedoms, provided these restrictions are proportionate and limited to the emergency period. The EDPB, in a letter sent to the Directorate-General for Communications Networks, Content and Technology, has outlined that the data collected by mobile phones of users to track the spread of the virus must also be compliant with the principles of EUGDPR and must be appropriately anonymized.

Similarly, the Health Insurance Portability and Accountability Act (HIPAA) of the United States protects individually identifiable health information of patients in the healthcare system. Under the Act, use of such sensitive information of patients may only be allowed for the purpose of prevention or control of a disease, injury, or disability, for public health surveillance, public health investigations, and public health interventions. Any such use must be in accordance with law allowing for such functions and not otherwise.

In the current circumstances, the governments’ role is not only limited to protecting the lives and health of individuals, but also maintaining public trust and confidence in it. The policies and strategies adopted by the Indian authorities against COVID-19 must therefore adhere to the constitutionally recognized principles of proportionality.

The false choice between public health and the right to privacy must give way to a nuanced understanding of the right to privacy and data protection. While national priorities are fixed on the fight against a collective threat to our society, the governments must be conscious of its heightened responsibility. These unprecedented times may call for desperate measures, but definitely not unconstitutional ones.

Nikhil Pratap is a lawyer practicing at the Supreme Court of India, the Delhi High Court and other fora in the capital.

Kashish Aneja is a Delhi-based practising lawyer who specialises in Global Health and Privacy Law and has recently consulted for the World Health Organization.

This article was first published in The Wire.