advertisement
The urgency of addressing public health concerns in the midst of the COVID-19 pandemic has resulted in the relegation of privacy protection to a position of lesser priority. The World Health Organization has discussed how public health surveillance can assist officials in developing precautionary policies to contain the outbreak. Such intensive surveillance is premised on big data and technological innovations.
The experiences in these countries differ from the Indian story in two critical ways. First, these countries have a highly centralised government with a robust healthcare system and a history of strong epidemiological surveillance.
With the systematic incorporation of technology in governance, the Indian digital surge is well under way. But the corresponding legislative process that would strengthen digital governance with a system of checks and balances is still in the pipeline. The Personal Data Protection Bill, introduced by the Indian government in 2019, awaits the Joint Parliamentary Committee scrutiny. However, the pendency of the Bill has not curtailed the State’s prerogative in executing extensive surveillance measures to contain the spread of coronavirus.
Many states are mandating that quarantined individuals download the government’s app and upload a selfie every hour from 7 AM to 10 PM. Data analysts then examine geotags to ascertain the individual’s compliance with the quarantine rules.
To the central government’s credit, the privacy policy of the app appears to have been designed to allay concerns surrounding misuse and appropriation of data. It clearly sets out a timeline for deletion of data from servers and prohibits sharing of data with any third party except to persons carrying out medical and administrative interventions in relation to COVID-19. Even so, there remain two issues.
Hence, even if the privacy policy was a blatant violation of fundamental rights, there would be a void where there ought to be statutory accountability and grievance redressal mechanisms. Second, consequent to such a lack of statutorily imposed standards, state governments have not been as vigilant as the central government in ensuring that digital governance during the pandemic does not jeopardise the fundamental rights of citizens.
The Aarogya Setu app states that it will not share any individual’s name and number with the public at large at any time, but state governments have not displayed the same sensitivity to citizens’ privacy.
While the pandemic may offer a ‘justification’ for such invasive surveillance, India stands at the cusp of normalising compromised privacy rights which serves to reinforce the argument made by the Centre before the Supreme Court that there is no right to privacy.
This is made evident by the vast difference in data security and privacy protection standards with respect to recent surveillance mechanisms between the central and state governments.
It is important to assess the measures devised to monitor and process data during the current pandemic against the pending Personal Data Protection Bill for two reasons. First, actions taken on this front today provide an insight into the possible interpretation of the scope of legal provisions granting executive discretion to act in ‘public interest’, and the manner in which authorities may exercise such discretionary powers. Second, current circumstances offer an opportunity to rethink the balance between power and accountability with respect to data protection. At present, the Bill empowers the government to exempt any agency of the government from fulfilling obligations under the Bill for certain broadly stated purposes including ‘public order’.
This contentious provision acquires a perilous dimension, and could dismantle efforts to secure the fundamental right of privacy.
Clause 9 of the Personal Data Protection Bill restricts the retention of personal data beyond the period necessary to satisfy the purpose for which it is collected and stipulates its deletion at the end of the processing. However, a longer period of retention is permissible if it is necessary for compliance with any obligation under any law. The scope for exercise of discretion by the government is further widened by Clause 14(c) which eliminates the requirement of consent if processing of personal data is necessary for any public interest.
On the whole, the Bill creates a perverse incentive for the government to create black holes of public interest, which rapidly evolve with changing national interests. The culmination is unfettered discretion without adequate accountability, and a scenario wherein public health may be preserved at the cost of personal and public data security.
This runs the risk of normalising a state of crisis where the government is justified in loosening the rules of privacy. Today, in the wake of the coronavirus pandemic, the measures taken by the government can be viewed as symptomatic of their intentions after the Bill is enacted. Take for instance, the map circulated by the Ahmedabad Municipal Corporation. This may have its advantages in the present moment, but without robust security measures, there is a risk of the space of emergency being preserved to justify exemption from obligations pertaining to data processing.
This is compounded by the lack of sunset clauses which limit the operation of such digital platforms with sensitive personal data until the pandemic ends, and leaves room for misuse by third parties in non-emergency times.
Digital governance to contain COVID-19 has exemplified the need to eliminate the possibility of a blanket exemption for the government from security obligations under the imminent data protection law. Even when it is necessary for the government to exercise its discretion and act urgently in response to a ‘medical emergency’ or in ‘public interest’, the ambiguity of these terms, the extent of unchecked surveillance, and potential of misuse that is possible, makes it imperative for the government to be liable to fulfil the obligations of a data fiduciary set out in the Bill.
These include security safeguards including encryption and prevention of misuse of data; and establishing grievance redressal mechanisms for individuals who are adversely affected by data collection, processing, storage or misuse during the pandemic, to have their complaints addressed.
The road towards institutionalising the Personal Data Protection Bill cannot be on the basis of compromised consent and coercive measures based on enhanced surveillance and inadequate accountability. The need of the hour is to develop surveillance tools in line with existing jurisprudence and civil right standards while designing the scope of the Personal Data Protection Bill to tackle future health emergencies. The coronavirus pandemic, despite its imminent threat, provides valuable lessons on the desirability of devising data protection measures for a model of digital governance which ensures that the interests of citizens, in the short-term and long term, are second to none.
( The authors are Namrata Maheshwari and Arjun Joshi, lawyers who are currently pursuing a Master of Laws (LL.M.) at Columbia Law School, New York. This is an opinion piece. The views expressed above are the author’s own. The Quint neither endorses nor is responsible for them.)
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)
Published: 18 Apr 2020,08:08 AM IST