COVID-19 | Data privacy in these testing times

In the popular motion picture Star Trek II: The Wrath of Khan, Spock famously states, “the needs of the many outweigh the needs of the few”. Today, as we are faced with the COVID-19 pandemic, a similar sense seems to prevail when making choices about matters relating to data privacy.

The COVID-19 outbreak has caused the deaths of more than 82,000 globally, and has resulted in a global lockdown of sorts. Given the manner in which the virus spreads, there has been widespread panic in ‘distancing’ oneself from those affected with the disease. From reports of violence against Indian medical professionals treating patients, to a reported increase in weapon sales in the United States, public sentiment, it appears, is bent on discovering those infected or in contact with the virus to keep themselves away from such populace.

As medical/health-related information is covered globally under privacy laws, there is an unprecedented demand to do away with privacy of those ‘affected’ by the disease, or in Spock’s words, “the needs of the many” outweighing those of the “few”.

From Google’s hosting of a website collating information about affected persons in the US, to creation of the Arogya Setu App, which informs users about their proximity to affected persons on the basis of general data collected, mass collection of ‘health’-related data has become the new norm.

Section 3(36) of the Personal Data Protection Bill, 2019 classifies ‘health data’ as sensitive personal information, and imposes restrictions on the cross border flow in regards to such data. These restrictions are waived in event of a ‘medical emergency’ which affects the health of the data subject or other individuals as detailed under Section 12(d) of the Bill. The Epidemic Diseases Act, 1897 allows the government to take steps ‘necessary’ to curtail the spread of disease (which may arguably infringe upon a person’s privacy).

In the absence of privacy legislation, and perhaps armed with powers from the above mentioned Act, the Karnataka government recently published a database of persons affected with the disease, which, in turn, led to reports of threats being made against persons declared affected. The Delhi government too handed over a list of patients in quarantine to the Delhi Police to ensure that they abided by such quarantine rules.

What hope lies to protect privacy in these testing times?

The landmark 2017 judgment of KS Puttaswamy, where privacy was upheld as a ‘fundamental right’, requires a threefold test to ensure that any act by the State does not violate such a right. First, the action must be sanctioned by law (legality). Second, the action must be necessary for a legitimate aim (need). Third, the action (interference in privacy) must be proportionate to the need for such action (proportionality).

J Sikri, in the Aadhaar judgment, built upon the proportionality test decided in Puttaswamy and provided further ‘sub-provisions’ in deciding it. It was observed that the interference must have a legitimate goal (legitimacy stage); that it must constitute a suitable mean of achieving the goal (suitability stage); that there must not be any less restrictive but equally effective alternative (necessity stage), and; that the measure must not have a disproportionate impact on the right holder (balancing stage).

Let’s examine the government’s actions in collating and making public the medical records of COVID-19 patients against these four ‘sub provisions’. While it may be argued that the test of ‘legitimacy’ has been fulfilled in preventing further casualties, it could be argued that alternative options such as anonymising patient details could have been followed in the ‘necessity stage’, as the resultant deprivation of privacy certainly failed the ‘balancing stage’.

With the coronavirus pandemic showing no signs of abatement, is India poised to enter into a surveillance state? Previously there was mention of an Automated Facial Recognition System (AFRS) system to be put in place by the National Criminal Record Bureau (NCRB), which would source data from various streams, including Aadhaar records, passport details and the like, to be able to track down an individual. While this system was envisioned to track down criminals, is it too farfetched to envision its usage in tracking affected persons?

Furthermore, in the absence of a privacy legislation, it is shuddering to envision a scenario where the AFRS-derived data, complete with facial features, is leaked. While Spock may have been correct in upholding the needs of the many, ensuring that the rights of the one is not illegally violated remains critical as well.