Why data privacy must be safeguarded, even in times of COVID-19

May 19, 2020 11:29 AM

While mass monitoring and data processing systems appear to be indispensable weapons in a government’s arsenal against the ongoing pandemic, citizens should exercise extreme caution to ensure that these systems do not become the new normal.

data privacy, COVID-19, data privacy in times of COVID-19, Aarogya Setu App, supreme court of india, PDP Bill, General Data Protection Regulation, GDPR, Aadhaar databaseThe larger and, perhaps, more important concern is the impact that the COVID-19 pandemic may have on India’s forthcoming data protection law.

India realized, early on, that contact tracing, communication, and data analytics would need to form the backbone of the country’s efforts to check the spread of the COVID-19 pandemic. To carry out this exercise, the Central and State governments have had to collect reams of personal data from individuals across the country. The collection, processing, and dissemination of personal and aggregated data has played a pivotal role in the government’s proactive response to the deadly virus. Healthcare workers and municipal authorities have been directed to elicit the maximum data on every confirmed case in order to recreate the patient’s life for the days leading up to infection. Through this process, authorities identify potential sources of infection and vulnerable individuals who may need to be treated or quarantined.

Unsurprisingly, India quickly joined a host of other countries that have used mobile applications as a means of collecting and disseminating COVID-related information. The government introduced the controversial ‘Aarogya Setu’ mobile application to enable contact tracing, improve situational awareness, and publish relevant information to the public. The download and use of the App was made mandatory for all public and private sector employees by the Ministry of Home Affairs, in its notification on April 29, 2020. And the App has, to date, been downloaded by nearly 10 crore users.

These data processing practices have been widely accepted as being necessary and, in fact, extremely helpful in responding to the pandemic. They have allowed the government to formulate and implement policies and deploy resources efficiently and effectively. However, this relative success has come at a price, namely, the right to privacy of the country’s citizens. During the ongoing pandemic, state functionaries have been allowed to operate free from the constraints that generally bind private data collectors. The government has failed to provide any sort of guidance or prescribe any boundaries for the data processing activities of its agents. No effort has been made to provide clarity to citizens on how their personal information may be used, stored, or transferred, once collected. And, similarly, the lack of transparency on the security measures implemented by the State to safeguard this information triggers doubts in the public mind.

The principles of proportionality and reasonableness, which have been recognized by the Supreme Court as essential elements of valid State actions, have been ignored. The privacy policy of the Aarogya Setu App, for instance, allows for information collected from citizens to be disclosed to any government authority for any reason. Instead of specifically calling out the list of authorities that would have access to this data, and limiting the purposes for which it may be used, the government has remained silent on these vital norms, and thereby raised concerns among citizens that the App could be used as a tool for mass surveillance.

More broadly, the government’s strategy appears to be to collect as much information as possible and to keep it for as long as possible. This is a far cry from the principles prescribed by the Supreme Court in its landmark verdict on the Aadhaar database, which, among other things, requires the State to adopt the ‘least intrusive’ option to achieve a given purpose.

Those who argue in favour of the government’s unrestrained processing practices fail to note the manner in which other countries have launched similar contact tracing applications. The European Union (EU), for instance, released guidelines on the features of contact tracing apps and requirements to ensure compliance with the General Data Protection Regulation (GDPR). These guidelines require app developers and EU states to ensure that any restrictions imposed on the privacy rights of an individual are necessary and proportionate. The EU’s guidelines further require app developers to deactivate contact tracing apps as soon as the pandemic is declared to be under control. As a result, EU member states may not transfer the burden of uninstalling contact tracing apps on to individual users.

The larger and, perhaps, more important concern is the impact that the COVID-19 pandemic may have on India’s forthcoming data protection law. Readers may note that the last draft of the Personal Data Protection Bill, 2019 (PDP Bill) came under heavy criticism owing to the absence of any safeguards against abusive data collection and processing by the State. The PDP Bill, in its present form, confers unrestrained powers to State functionaries and fails to protect citizens from gross privacy violations. This, among other things, still leaves the current legal vacuum in respect of India’s surveillance and intelligence services unaddressed, which, stakeholders have argued, is fundamentally incompatible with an effective privacy regime. Privacy advocates worry that the government may use the COVID-19 experience to justify the sweeping exemptions conferred in the PDP Bill to the State and use the prevailing pro-administration sentiment to enact the PDP Bill into law without the reforms being demanded.

While mass monitoring and data processing systems appear to be indispensable weapons in a government’s arsenal against the ongoing pandemic, citizens should exercise extreme caution to ensure that these systems do not become the new normal. India would do well to follow the example of other jurisdictions (democracies, to be more precise) where governments have relied on well-designed and clearly-delimited exemptions to robust data protection requirements for the collection and process personal data. A useful rule of thumb is that data privacy must be safeguarded even in times of emergency.

(By Probir Roy Chowdhury, Partner; Yajas Setlur, Senior Associate; and Kavya Katherine Thayil, Associate; J Sagar Associates)

Disclaimer: Views are personal

Get live Stock Prices from BSE, NSE, US Market and latest NAV, portfolio of Mutual Funds, calculate your tax by Income Tax Calculator, know market’s Top Gainers, Top Losers & Best Equity Funds. Like us on Facebook and follow us on Twitter.

Financial Express is now on Telegram. Click here to join our channel and stay updated with the latest Biz news and updates.

Next Stories
1Mastercard introduces contactless payment on SBI Card App
2Mirae Asset Banking and Financial Services Fund NFO opens today – Check features
3Having a problem with your EPF? Get it resolved through WhatsApp