“In this time of crisis, we face two particularly important choices. The first is between totalitarian surveillance and citizen empowerment. The second is between nationalist isolation and global solidarity” – Yuval Noah Harari 1
COVID-19 has de-globalized the world and yet, ushered a new global citizenship, where the order is simple – solidarity in isolation. In battling the highly contagious pandemic, governments are focused on breaking the transmission chain. They are deploying old and new tracking and surveillance technologies, with minimal checks, and in certain instances, at the cost of an individual’s right to bodily and informational privacy. Indeed, desperate times call for desperate measures, but this may have significant cascading effects outlasting the pandemic.
Case in point – the Karnataka government to deter contact transmission published a consolidated list of quarantined residents’ addresses, irrespective whether covered individuals had travel history to affected areas, or tested COVID-19 positive. The proportionality of such measure probably will remain unevaluated in these dire times, even though the covered individuals can be subjected to social stigmatization, and not just social distancing.
In this post, we scrutinise the case for government deploying technology for COVID-19 surveillance, its impact on containing further spread of pandemic, the suspension of informational privacy, global approaches followed and way forward.
1. Key issue around COVID-19 tech tools
Amidst identifying the cure, governments are unprecedentedly collaborating with private parties to develop and utilise technology for handling the emergency. As of date, tech tools are being used for 3 major purposes – strategic planning, tracking of possibly infected individuals (also called contact tracing), and provision of healthcare services to affected individuals. These tools utilize varied pools of personal data such as location, travel history, time and contact maps, existing medical history, biometrics, test results, temperature readings, etc. While there is unanimity that technology holds the potential to mitigate the crisis, there is stark difference in the approaches underlying implementation methods. The issue is not merely confined to a difference in approach, culture and extent of crisis. Rather, it has a direct bearing on the legality of such measures and the bargain struck with an individual’s privacy when confronted with a global crisis.
2. Indian government steps
Indian government announced a 21 days nationwide lockdown effective March 25, 2020, bringing lives and businesses to a standstill. Apart from travel ban, the government has used universal health screening and hand stamping for mandatory quarantine. Some states are using airline and railway reservation data, telephone call records, CCTV footage and mobile phone location data to contact trace through detailed time and date maps. Some of them have also mandated using of government developed apps for contact tracing and quarantine implementation. Additionally, as per Indian Council of Medical Research COVID-19 testing guidelines, any laboratory (private or public) before starting COVID-19 testing and treatment must ensure immediate/real time reporting of the test results along with contact details to the ICMR database. Further, data access to stakeholders like Ministry of Health & Family Welfare or partnering agencies (which may be private entities as well) will be provided through application program interface for timely contact tracing and appropriate control measures2. Thus, personal and sensitive personal data sets are being processed to plan strategy, contact trace and cure.
In normal circumstances, the underlying data sets and specifically, sensitive personal information such as test results, medical condition, and other biometric or health data could not be collected and processed without consent or lawful contract. Further, since informational privacy has been recognized as a fundamental right under the Constitution of India by the Supreme Court in Justice K.S. Puttaswamy (Retd.) vs. Union of India3, failure to comply with legal due process while abrogating the said right would have violated the Constitution. The same legal rigors will not apply as rights are not absolute, and can be suspended to deal with emergency situations such as state security, public law and order, and public health. This means, government can suspend an individual’s fundamental right to privacy and adopt drastic measures including tech surveillance in the overriding interest of national and public health. However, the question is – do governments have absolute powers, or are there checks and balances that they must follow?
3. Case for suspension of informational privacy
As it may be, there is a majority consensus that governments and partnering private agencies must have access to and process personal data to disrupt the pandemic chain, invent cure and save human lives. There are 3 pre-dominant narratives that presents invasive technology as the “hero of the hour” and compellingly justifies the importance of unfettered access to data:
- Healthcare: Until such time medicines and vaccines are developed, mobile and digital health technology have a substantial role to play. There is emergence of new epidemiology tools to tackle COVID-19 such as alerts, pregnancy advice, structure mapping, survey, evaluation, awareness, quarantine management, diagnostics discoveries, contamination checking, progression mapping, assessing risk intake, screening and support, tracking, surveillance, curbing contamination, insurances and reimbursements, symptoms identification4 and so on. All of this depends not just on aggregated data, but actual identified or identifiable electronic health records and other personal data.
- Curbing fake information: COVID-19 is not just a pandemic, but also an “infodemic”, and it has become far more important than ever to curb fake news and misinformation. For instance, there is wide spread misinformation about surgical masks and its efficiency in preventing transmission of COVID-19. There is misinformation that Vitamin C is cure to COVID-19, spiking its retail sales on e-commerce platforms. Fake information has also gone far to cast a racial undertone to the breakout, discourage people from taking treatment, quarantining, and cooperating with containment measures. In February 2020, World Health Organization (WHO) met Big Tech to discuss how misinformation can be tamped down5. With an objective to curb this trend, Big Tech has started putting credible information sources at priority, prohibiting ads creating panic or claiming cure, providing free ad spaces to WHO, limiting hashtags, getting fact checking, creating SOS alert on relevant searches, and halting misleading search prompts6. All of this is possible with constant monitoring of one’s online behaviour and profiling.
- State measures: WHO has observed that China has rolled out perhaps the “most ambitious, agile and aggressive disease containment effort in history”.7 The outcomes are well known and many countries including India may be inclined to follow the China blueprint. China managed to mitigate, contain and in all likelihood, break the transmission chain through a series of strict lockdowns, movement control through social media apps, electronic surveillance, supply chain management through drones, identifying potential carriers through mobile application, and quick response from government healthcare providers. Private entities like WeChat and AliPay facilitated Chinese government with data needed to enforce social distancing restrictions, track their movements and restrain those who did not confirm. Colour coding with red, yellow or green through mobile phones helped officials to guard at train stations and other checkpoints. With COVID-19 crippling entire countries, governments may find it imperative to follow suit and adopt stricter measures that curtail social, private and public lives.
4. Alternative approaches
The European Union and the United States of America have followed different approaches than China. Their COVID-19 coping mechanisms are an exception, as both accord highest degrees of privacy vis-à-vis health data or any data that could relate thereto.
- EU: The European Data Protection Board on March 19, 2020 issued a statement on the processing of personal data during COVID-19.8 As per this, employers and governments must process data on the baseline of EU General Data Protection Regulations (GDPR), and not assume its suspension. It states that processing must guarantee lawful processing under GDPR that enables controllers and competent public authorities to process personal data without consent in the context of epidemics, public health or protection of vital interests9. Countries which have adopted the e-Privacy Directive must aim at processing anonymised location data for generating reports on concentration of mobile devices at certain location (i.e., cartography). If not possible, member states can introduce emergency legislative measures that are necessary, appropriate and proportionate. They must implement adequate safeguards such as granting individuals the right to judicial remedy. Guided by the principle of minimization, processing must be for specified and explicit purposes. Transparent notice must be provided to concerned individual about processing activities including period of retention. Supervisory authorities have also issued guidelines on how to make use of GDPR articles to process personal data in current times10. Thus, EU countries in their march to use technology for fighting COVID-19 are likely to strike a delicate balance, which will apply to government and private entities alike.
- USA: While the Federal Trade Commission guards privacy as an aspect of consumer protection and there are multiple laws in different American provinces, the Health Insurance Portability and Accountability Act (HIPAA) imposes strict privacy mandate regarding health data on any entity who is privy to health data. This includes employers, hospitals, health plan providers, insurers, and business associates supporting these covered entities. Department of Health and Human Services (HHS) has emphasized that privacy and security safeguards under HIPAA cannot be sidelined during an emergency. Any disclosure should be minimal, case specific, with a finite purpose (which cannot be a generic one such as public health interest). However, to ensure that technology can be deployed for treatment, HHS has exempted hospitals and healthcare providers who provide good faith provision of telehealth during COVID-19 through use of non-public video chats (like Google Hangouts, Apple FaceTime, Facebook Messenger, Skype). However, there should be proper notice that usage of third party tools could pose privacy risks11. Based on this, it can be inferred that the approach is to dilute only to the extent absolutely essential.
5. Indian regime
Private entities seeking to use tech tools must comply with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (IT Rules). As per IT Rules, a private entity can only collect and process personal data if it has implemented privacy practices and reasonable security measures as prescribed thereunder. Specific to sensitive personal data such as health data and medical information, collection and any form of processing must be with an individual’s consent and only for an identified purpose that is connected with the entity’s functions. Further, the data collected must be necessary. There must be adequate disclosures about privacy practices, retention agency details, purpose of processing, and intended recipients. It also obligates entities to not retain information longer than is required.
Nonetheless, sensitive personal data can be disclosed to government agencies without consent if mandated under any law, including for the purpose of verification of identity, prevention/detection/investigation of cyber incidents, prosecution and punishment of offences. At the same time, government and its agencies are not covered within the purview of the IT Rules. Essentially, government, its collaborating private parties and any other entity who is directed to disclose can freely process personal and sensitive personal data in complete disregard to the bare minimal safeguards under the IT Rules. Further, the draft Personal Data Protection Bill, 2019 (“PDP Bill, 2019”) carves specific exemptions for government and private entities to process personal data of all kinds, without prior notice or consent of the data principal, if processing is required for responding to any medical emergency, provide medical treatment or health services to any individual during epidemic, outbreak of disease or any other threat to public health.
While the PDP Bill, 2019 is still in the making, personal and sensitive personal data processing in wake of COVID-19 outbreak is no longer hypothetical. It is happening in an unregulated manner that tends to jeopardize an individual’s right and legitimate expectation of fair, transparent processing of data and informational privacy. Thus, the legality must be analysed in the backdrop of the Constitution and jurisprudence on when can fundamental rights be derogated. It is settled law that government can suspend or limit fundamental rights only upon satisfaction of the “legality, necessity and proportionality” test. Curtailment has to be (i) as per procedure established under law, (ii) the steps taken must be fair, necessary and reasonable, and (iii) proportionate to the legitimate aim pursued. As it stands today, there is no law providing the procedural and substantive safeguards on how government will access, process, store and disclose personal data.
But, does it mean that government can surveil, disclose, publish, and mine data in an unfettered manner? The answer to this is likely to be in the negative. In a case where it is proved that the implemented methods are unreasonable, unnecessary and there are lesser privacy invasive alternatives to contain and cure COVID-19, the government’s methods can be adjudged unconstitutional. For instance, Karnataka government’s move to publish address details of quarantined residents has no reasonable nexus with public health and COVID-19 emergency. Such publication is an unauthorized disclosure and can actually result in adverse consequences for an individual, such as targeted threats, social stigmatization and discrimination.
6. Way forward
Totalitarian surveillance can no longer be the route for Indian government and it must ensure that the implemented methods are pursuant to due legal process. The manner in which government processes data during this crisis and balances informational privacy with public health emergency will behold important lessons for the future of India’s data protection bill, which has faced stern criticism on state’s power to process data without adequate checks and balances. The need of the hour is for the government to have an immediate policy with clear and accurate public statements on what data is being collected, why, who are receiving it, how third parties will process it, security measures that are put in place, and how long will data be retained. Under no circumstance should COVID-19 data be repurposed or commercialised. Needless to state, measures taken must definitely be temporary, necessary and proportionate, as it will truly test the maturity of the entire governance system.