In the popular motion picture STAR TREK 2: the wrath of Khan, Spock famously quotes: “the needs of the many outweigh the needs of the few.” In the wake of COVID 19, this statement is aptly suited because when there is no food, employment or adequate facilities for the masses, the issue of privacy seems to be a third-string. But do we realize the aftermath of this issue being belittled?

With the wrath of the epidemic unleashing against the whole of humanity, lakhs of individuals becoming victims of this cruel predator, the government had to rely more and more on technological driven solutions. Be it epidemic modelling, contact tracing or documentation of quarantined patients, the public has been in full support of this initiative to conquer the disease.

Moreover, the rudimentary Indian laws regarding the privacy issue also support this initiative, through the exceptions provided in this basal law. India presently does not have any express legislation governing data protection or privacy. However, the relevant law in India dealing with data protection is the Information Technology Act, 2000.

There are various provisions in the IT Act, 2000 which punishes the wrongful handling of private data but at the same time provides exceptions where these issues are given leverage.

According to sec 43A of IT Act, 2000, Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.

But the important exception to sec 43 A is sec 69 of the IT Act, 2000 which lays down that as an exception to the general rule of maintenance of privacy and secrecy of the information, where the Government is satisfied that it is necessary in the interest of:

• the sovereignty or integrity of India,
• defence of India,
• security of the State,
• friendly relations with foreign States or
• public order or
• for preventing incitement to the commission of any cognizable offence relating to above or
• for investigation of any offence,

In the present scenario of COVID 19, defence of India and security of the state are important issues regarding which any such breach of privacy is validated. But if we carefully analyze these situations, we come to a conclusion that there are some serious lacunae in this only, insufficient law of privacy in the Indian subcontinent.

The pertinent lacunas are that:  Is there a provision which tells how much information could be collected by the government and to what extent could it be used for the security of the state? And after the risks have subdued, is there any mechanism validated that would ultimately erase the personal data so collected? And also, which information could be termed as private or “classified” for the purpose of collecting them?  The latter issue was tried to be resolved by constituting an expert committee headed by Justice Srikrishna, by the Government of India which presented a comprehensive report on personal data protection to the parliament. Shortly thereafter, the government introduced the Personal Data Protection Bill, 2019 (PDP Bill) in the Lok Sabha, largely incorporating the principles articulated by the Committee.

Section 3(36) of the Personal Data Protection Bill, 2019 classifies ‘health data’ as sensitive personal information, and imposes restrictions on the cross border flow in regards to such data.

But according to sec 12(d) of the bills, these restrictions are waived in event of a ‘medical emergency’ which affects the health of the data subject or other individuals.

But it is pertinent to note that these are certain rules by which these exceptions could be brought into operation. In the major ruling by justice Puttaswamy in Justice K. S. Puttaswamy (Retd.) and Anr. vs Union of India And Ors[1] 2017, which is also known as the privacy case, basic conditions are laid as to when and how these infringements are brought into the arena.  These are the tests that have been laid down by the Supreme Court in the Puttaswamy case, against which privacy infringements will be evaluated:

Legality: The existence of a law.

Legitimate Goal: The law should seek to achieve a legitimate state aim. The proposed action must be necessary for a democratic society for a legitimate aim.

Proportionality: There should be a rational nexus between the objects and the means adopted to achieve them. The extent of interference must be proportionate to its need.

Procedural Guarantees: To check against the abuse of State interference [2]

Let’s examine the government’s actions, keeping in mind these abovementioned provisions. For the issue of legality, government. relied on the Disaster Management Act, 2005 and Epidemic Diseases Act, 1897 (currently invoked in India)  which empower the central government and other responsible authorities to take any measure, whatsoever, for prevention, or mitigation, or preparedness and capacity building for dealing with the threatening disaster/ epidemic, as it may consider necessary. The aforesaid legislations further provide immunity to the central government, state governments and other responsible authorities from legal processes undertaken in their official capacity.[3] Also as noted above, sec 69 of IT Acct, 2000 is applicable.

While it may be argued that the test of ‘legitimacy’ has been fulfilled in preventing further casualties as the objective has been legitimate i.e. to curb a pandemic, it could be argued that according to review by multiple studies over the effectiveness of the contact tracing app, at least 40 to 70% of the population should be actively using it. However, according to the India Internet 2019 report by IAMAI and Nielsen, smartphones lie significantly below this benchmark range. Thus, there is no cohesion between aim which the State hoards as legitimate and the policy implemented, thus rendering the second test unfulfilled.[4]

The proportionality test also doesn’t seem to be satisfied. This could be elaborated by how the “Arogya Setu app” introduced by the govt. infringes upon the major privacy concern when a more lenient approach was very much possible to be adopted, that is the much-required proportionality test has been failed by the govt.

With the launching of the Arogya Setu app, which helps to trace location of other users and warns them if any of them have contracted COVID 19 and in this way prevents them from coming in contact. It achieves this using the phone’s Bluetooth and GPS capabilities. The app will keep a record of all other AarogyaSetu users that it detected nearby using Bluetooth, and also a GPS log of all the places that the device had been at 15-minute intervals.

Now with the vacuum of privacy laws in India and …with no legislation that spells out in detail how the online privacy of Indians is to be protected, AarogyaSetu users have little choice but to accept the privacy policy provided by the government. The policy goes into some detail on where and how long the data will be retained, but it leaves the language around who will have access to it vague. As per the terms and conditions of this policy the government is not liable for disclosure of any unauthorized access to an individual’s data stored by any third party, “persons carrying out medical and administrative interventions necessary in relation to COVID-19” will have access to the data. According to a working paper from the Internet Freedom Foundation, this “suggests interdepartmental exchanges of people’s personal information”. Beyond the legal loopholes, there are technical loopholes as well. The unique digital identity in AarogyaSetu is a static number, which increases the probability of identity breaches. A better approach would be constantly-changing digital identification keys like what Google and Apple deploy in their joint contact tracing technology.[5]  After deleting the account, an individual’s data will be deleted after 30 days, but how the account will be deleted is also not known. These measures suggest that the proportionality test has definitely not been maintained by the govt.

The fourth point regarding procedural guarantees also is a major point of concern because Purpose limitation is a prominent point — that the app could be used beyond the purpose it was created for without clarity and limits. The abundance of data collection via Bluetooth and GPS both, makes it an over skill. And deviates from “privacy-focused global standards”, which are restricted to Bluetooth-based technology, which can match devices by not revealing the exact location. Other countries like Singapore uses just the Bluetooth, in the case of tracetogether app.

These are some instances in which data capturing can lead to stigmatization of individuals and lead to degradation of their mental health, self-conscience and physical worth. For instance, if the travel history of a person having travelled abroad or the health status along with personal identification is disclosed in public forums and social media, it may lead to targeting of such individuals. There have already been reports of airline staff, medical workers and those suspected to have COVID-19 being shunned by their neighbors and facing social seclusion.

For the fear of such social stigmatization and public patronization, the people will stop sharing their travel history, or worse, their medical report. This in turn may prove more difficult for government to trace the cases and contain the epidemic, for which these various privacy breaches were adopted

Conclusion

Hence, we come to the conclusion that unprecedented times may call for desperate measures, but definitely not unconstitutional ones. To unleash the fight against COVID-19, it is very important o maintain a balance between right to privacy and public interest. Measures like Medical records of the patient to be disclosed to authorized agencies with the prior approval of patient, maintaining transparency with the public about the usage of personal Non-Identifiable Data and the applicable legal framework[6] are the measures which could be followed among others to prevent privacy breach. There are various foreign models which respect privacy protection needs to be adopted.  In the garb of public interest, essential rights like right to privacy couldn’t be sidelined. Careful data management practices should govern data collection and processing. If we do not cater to these needs, then though we may take it with a grain of salt now, in the future it may unleash a whole series of privacy infringement which we may not be able to undo at future. Hence remember, “you may delay, but time will not.”

1 (2017) 10 SCC 1

[2] Bhandari, V., Kak, A., Parsheera, S., & Rahman, F. (2017). An Analysis of Puttaswamy: The Supreme Court’s Privacy Verdict. IndraStra Global, 11, 1-5. https://nbn-resolving.org/urn:nbn:de:0168-ssoar-54766-2

3 Section 74 of the Disaster Management Act, 2005

⁴https://www.barandbench.com/apprentice-lawyer/monitoring-covid-19-right-to-privacy-amidst-contact-tracing-applications

⁵ P.J George, Coronavirus | What are the concerns around the AarogyaSetu app? , APRIL 26, 2020 00:02 IST, https://www.thehindu.com/sci-tech/technology/coronavirus-what-are-the-concerns-around-the-aarogyasetu-app/article31434768.ece UPDATED: APRIL 26, 2020 11:26 IST

[6] https://www.dsci.in/sites/default/files/DSCI_COVID19_Data_Privacy_Outlook.pdf

---

ABOUT THE AUTHOR

Sanskruti Jain

Sanskruti Jain is a first-year student, pursuing BA.LLB (Hons.) from Hidaytullah National Law University, Raipur.