Regulating digital and public health surveillance are a top priority for MeitY and MoHFW
By Vibhav Mariwala & Nikita Kwatra
Chaos over the Pegasus software interrupted the Monsoon Session of Parliament, making it one of the least productive sessions for the Lok Sabha. Ironically, the draft Personal Data Protection (PDP) Bill, 2019, a legal provision to protect personal data of Indian citizens, which was due for deliberation in this session, got delayed. The Joint Committee of Parliament examining the Bill was given another extension to present its report till the Winter Session. Without this Bill, India lacks a statutory basis to regulate personal data in the country. This has severe privacy implications for citizens, especially with the threat of another Covid-19 wave looming.
The government will use disease surveillance to monitor and control the spread of the infection. But with no legal provisions regulating collection and use of patients’ data, the civil liberties of Indian citizens, specifically the right to privacy, remain unprotected. Since the start of the pandemic in India, there have been several instances where patients’ health data has been breached: from the accidental leak of Covid-19 data on Delhi government portals in January to deliberate sharing of personal information of Covid-19 patients by Karnataka government. The private sector has been no better at protecting personal data, with records from private institutions being leaked and sold on the dark web.
More dangerously, the government has been issuing Covid-19 surveillance and management guidelines and directions under the legal framework of the National Disaster Management Act (NDMA) and/or using executive powers. The NDMA has overarching and generic clauses guiding the rules for disaster management. This allows the executive authority to use any order felt necessary to tackle the disaster.
One such instance was the mandatory imposition of the Aarogya Setu through executive decree. The mobile application was heavily criticised for its data sharing mechanisms and excessive personal data collection when it was mandated at airports and other establishments.
The extraordinary contract-tracing surveillance measures adopted to tackle Covid-19, without any legislative or statutory backing or without a robust data governance framework, set a dangerous precedent of disregarding civil rights of citizens in the name of crisis management.
The absence of a fit-for-purpose data protection law—the IT Act, 2000, is certainly not that—makes it impossible to know what rights are available to citizens. The absence of a common understanding of these rights can also lead to contrasting interpretations in case of dispute. Without a legal framework there are also no disincentives for data fiduciaries to collect personal data unlawfully as there is no penalty for non-compliance with the National Digital Health Mission guidelines.
But given the lengthy parliamentary process passing this law could entail, a well-calibrated ordinance that observes the Puttaswamy principles could fill the gap for the time being. This would differentiate between primary healthcare data provided by the patient, and broader public health data for planning and research, similar to the European Union’s approach. For the latter, the data must be anonymised and let patients opt-in to sharing the said data.
This is not to say that the government has limited means to implement policy changes in times of crises. It enacted the Epidemic Diseases Amendment Act (2020) as an ordinance during the Covid-19 pandemic and aimed to protect medical personnel from harm. This shows that there are various routes to enact policy frameworks in the country, if there is political will to do so.
The aforesaid stop-gap measures are necessary but they must be treated as temporary. To truly protect the right to privacy of Indian citizens and to guide the government to assess and analyse India’s disease burden, Parliament must move swiftly to enact a modern, fit-for-purpose personal data protection law. In 2017, the Supreme Court ruled that the right to privacy is a fundamental right, clubbing it with the right to life. The pandemic has shown the work that needs to be done to uphold both through statutory backing; it should be a top priority for recently appointed Cabinet ministers Mansukh L Mandaviya (Ministry of Health and Family Welfare) and Ashwini Vaishnaw (Ministry of Electronics and Information Technology).
Mariwala and Kwatra are, respectively, senior analyst and associate at the IDFC Institute