While mass monitoring and data processing systems appear to be indispensable weapons in a government’s arsenal against the ongoing pandemic, citizens should exercise extreme caution to ensure that these systems do not become the new normal.
India realized, early on, that contact tracing, communication, and data analytics would need to form the backbone of the country’s efforts to check the spread of the COVID-19 pandemic. To carry out this exercise, the Central and State governments have had to collect reams of personal data from individuals across the country. The collection, processing, and dissemination of personal and aggregated data has played a pivotal role in the government’s proactive response to the deadly virus. Healthcare workers and municipal authorities have been directed to elicit the maximum data on every confirmed case in order to recreate the patient’s life for the days leading up to infection. Through this process, authorities identify potential sources of infection and vulnerable individuals who may need to be treated or quarantined.
Unsurprisingly, India quickly joined a host of other countries that have used mobile applications as a means of collecting and disseminating COVID-related information. The government introduced the controversial ‘Aarogya Setu’ mobile application to enable contact tracing, improve situational awareness, and publish relevant information to the public. The download and use of the App was made mandatory for all public and private sector employees by the Ministry of Home Affairs, in its notification on April 29, 2020. And the App has, to date, been downloaded by nearly 10 crore users.
These data processing practices have been widely accepted as being necessary and, in fact, extremely helpful in responding to the pandemic. They have allowed the government to formulate and implement policies and deploy resources efficiently and effectively. However, this relative success has come at a price, namely, the right to privacy of the country’s citizens. During the ongoing pandemic, state functionaries have been allowed to operate free from the constraints that generally bind private data collectors. The government has failed to provide any sort of guidance or prescribe any boundaries for the data processing activities of its agents. No effort has been made to provide clarity to citizens on how their personal information may be used, stored, or transferred, once collected. And, similarly, the lack of transparency on the security measures implemented by the State to safeguard this information triggers doubts in the public mind.
More broadly, the government’s strategy appears to be to collect as much information as possible and to keep it for as long as possible. This is a far cry from the principles prescribed by the Supreme Court in its landmark verdict on the Aadhaar database, which, among other things, requires the State to adopt the ‘least intrusive’ option to achieve a given purpose.
Those who argue in favour of the government’s unrestrained processing practices fail to note the manner in which other countries have launched similar contact tracing applications. The European Union (EU), for instance, released guidelines on the features of contact tracing apps and requirements to ensure compliance with the General Data Protection Regulation (GDPR). These guidelines require app developers and EU states to ensure that any restrictions imposed on the privacy rights of an individual are necessary and proportionate. The EU’s guidelines further require app developers to deactivate contact tracing apps as soon as the pandemic is declared to be under control. As a result, EU member states may not transfer the burden of uninstalling contact tracing apps on to individual users.
The larger and, perhaps, more important concern is the impact that the COVID-19 pandemic may have on India’s forthcoming data protection law. Readers may note that the last draft of the Personal Data Protection Bill, 2019 (PDP Bill) came under heavy criticism owing to the absence of any safeguards against abusive data collection and processing by the State. The PDP Bill, in its present form, confers unrestrained powers to State functionaries and fails to protect citizens from gross privacy violations. This, among other things, still leaves the current legal vacuum in respect of India’s surveillance and intelligence services unaddressed, which, stakeholders have argued, is fundamentally incompatible with an effective privacy regime. Privacy advocates worry that the government may use the COVID-19 experience to justify the sweeping exemptions conferred in the PDP Bill to the State and use the prevailing pro-administration sentiment to enact the PDP Bill into law without the reforms being demanded.
While mass monitoring and data processing systems appear to be indispensable weapons in a government’s arsenal against the ongoing pandemic, citizens should exercise extreme caution to ensure that these systems do not become the new normal. India would do well to follow the example of other jurisdictions (democracies, to be more precise) where governments have relied on well-designed and clearly-delimited exemptions to robust data protection requirements for the collection and process personal data. A useful rule of thumb is that data privacy must be safeguarded even in times of emergency.
(By Probir Roy Chowdhury, Partner; Yajas Setlur, Senior Associate; and Kavya Katherine Thayil, Associate; J Sagar Associates)
Disclaimer: Views are personal