India - Double Trouble In 2020 – Tackling Covid-19 While Protecting The Right To Privacy.
27 May 2020
Dire times call for ingenious, and often, radical measures. The COVID-19 pandemic, which has led to actions being taken under the Epidemic Diseases Act, 1897, and the Disaster Management Act, 2005, in India, is one such unprecedented and grim event. While governments and health workers all over the world are struggling to curb the spread of the virus, it has been realised that surveillance of affected persons is of paramount importance in order to assess and implement preventive and control measures.
Data tracking and analysis have emerged as an unlikely hero. This analysis has enabled governments to implement measures to stop the pandemic at its source and to prevent deaths, social disruption, unnatural burden on the healthcare system and economic loss. As government authorities are required not only to control the pandemic in their own country but also to understand how it is evolving in other countries, governments all over the world have taken the stance that a free flow of information that is updated in real time will allow for the formation of a steady global picture and help in curbing the spread of the pandemic.
The mobile applications developed and used in various countries, including India, do contain privacy guidelines and terms and conditions by which these applications are bound. However, while data sharing and contact tracing through alternate means seem to be a viable option, privacy concerns with respect to the utilisation, storage and sharing of such data remain unanswered.
Tracking Methods used Worldwide
China, being the epicentre of the Coronavirus, naturally was the first country to harness sophisticated surveillance practices, such as accessing and monitoring citizens’ usage of social media and communication applications, and usage of drones equipped with facial recognition technology, in order to monitor the movement of its citizens and to track suspected patients in real-time. Russia seems to have taken this surveillance model a step further by using thousands of CCTV cameras in urban areas, enabled with facial recognition technology originally developed for counter-terrorism purposes, to enforce the lockdown.
In relation to containment measures, Hong Kong is using wristbands, which are connected to a mobile application to enforce self-quarantine measures for passengers who have arrived from abroad. Similarly, Taiwan has implemented an “electric fence programme”, which uses mobile phone location tracking to ensure that quarantined persons remain in their homes.
To contain the transmission of the virus, Singapore has developed a mobile application which uses Bluetooth signals between cell phones to see if potential carriers of the infection have been in contact with other individuals. Similarly, in South Korea, the government is using credit card transactions, location data and CCTV recordings, resulting in a map that notifies an individual if he or she is in the proximity of an infected person. Based on the same, citizens are sent an alert message each time they are in proximity with a confirmed case, a service that the citizen cannot opt out of.
The United Kingdom government, which was initially apprehensive of using digital data tracking techniques, has paired up with Google and Apple to track the location of its citizens. Further, several mobile applications have been approved by the United Kingdom National Health Services and released for data tracking and contact tracing. The European Union has also implemented similar techniques, which have been approved by the national authorities and which also adhere to the General Data Protection Regulation of the European Union, wherein the right to privacy has been recognised as a fundamental right.
While the governments of most of the above nations maintain that they are respectful of the citizen’s right to privacy and the data collected is subject to stringent legal protection, concerns such as how the personal data is collected and stored, whether the data that is being collected is utilised only for the purposes of containing the spread of the virus, what happens to the data once the pandemic is contained, or better yet, eradicated, and whether such practices may continue beyond the pandemic have arisen and rightly so.
Contact Tracing in India
Along with mobile applications such as Aarogya Setu and other applications introduced by State Governments, India has been using mapping techniques ranging from contact tracing to creating buffer zones for Covid-19 clusters and hot spots, along with location tracking techniques to track infected patients. The various mobile applications and Bluetooth trackers also look at techniques of mapping the spread of the disease through a geographic information system (“GIS”), which assists policymakers and authorities during outbreaks. The Indian Government has also tested an application that uses telecom data to send emails and text-message alerts to the authorities if a person has evaded quarantine.
Some of the innovative methods used by state authorities include the Karnataka government requiring all infected persons to send their pictures every hour, along with the geotag, and the Gujarat government launching a GIS based mobile application to monitor the movement of those advised to be home-quarantined, thereby geo-fencing them in their houses. Similarly, the Punjab Government is using call detail records and global positioning systems to ensure quarantining, while the local police authorities in Tamil Nadu are using facial recognition and geo fencing measures for the same. Municipal corporations in Maharashtra have been generating heat maps with the locations of infected persons to understand the spread of the infection and, in some extreme cases, have also employed drones for surveillance of densely populated regions. Further, slightly crude measures have also been employed, such as publishing personal details of infected persons in Rajasthan and, in New Delhi, pasting posters outside the homes of individuals who were suspected to have been infected, declaring that they were under ‘home quarantine’.
In some of the above cases, the authorities have relied upon the Epidemic Diseases Act, 1897, and the National Disaster Management Act, 2005, to derive legitimacy of the actions being taken by them. However, apprehension regarding the legal usage of the data collected through these methods still remains. While the Indian government authorities have declared that the data would be encrypted as a safeguard and no personal data such as name, age, sex, etc., will be released to any party, the above methods used by the state authorities seem to belie such declarations.
The Right to Privacy of Indian Users
To determine whether the above actions taken by the various districts and state authorities strike the precarious balance between being beneficial for the larger good and being intrusive, the tests as laid down by the Hon’ble Supreme Court in its judgment in KS Puttaswamy v. Union of India have to be looked at. On August 24, 2017, the Supreme Court held that the right to privacy was a fundamental right under Article 21 of the Indian Constitution. As with all fundamental rights, the right to privacy is not absolute and can be overridden by competing state and individual interests.
Any state action should be measured against the three tests as laid down in the majority judgment passed by Justice DY Chandrachud. Firstly, the legality of the action has to be questioned. While the central government may rely on residuary powers under Section 6 of the Disaster Management Act, 2005, and the state authorities have claimed that they derive their powers from Section 2(1) of the Epidemic Diseases Act, 1897, it may be difficult to assert that such laws do in fact grant powers to the authorities to collate, organise and disseminate information of the citizens in the manner in which it has been done.
Even if it is argued that the actions taken have a basis in law, the second test of legitimate aim has to be fulfilled. In the present pandemic, where the overbearing question of public health is juxtaposed against the seemingly privileged concept of privacy, the answer seems simple. However, as pressing as the need to contain the virus may be, it is necessary to ensure that the right to privacy does not get curtailed in the process, thereby setting a dangerous precedent.
The third prong of the test laid down by Justice Chandrachud deals with the proportionality of the legitimate aim with the object sought to be achieved. The objective behind the implementation of the above measures is straightforward: to contain the spread of the virus to ensure fewer infections and deaths. However, in order for the actions to be proportional and not manifestly arbitrary, states may collect minimum data, ensure that it is anonymised, used for the limited purpose of handling the public health situation and not stored or transferred to any parties not authorised to access such data. It is pertinent to note at this stage that Section 12 of the Personal Data Protection Bill, 2019, does allow processing of personal data without consent during medical emergencies and pandemics. However, the Bill has not been passed to date.
Based on the above tests, while generation of maps demarcating the COVID-19 hotspots and the usage of geo fencing may make the cut, if accompanied by procedural safeguards against the abuse of interference with fundamental rights, measures such as publishing of lists of affected individuals, along with their personal details, are definitely unconstitutional. Not only are such lists released without the consent of the named individuals, thereby violating their reasonable expectation of privacy, but their release also leads to unnecessary stigma and harassment. In fact, recently, a petition was filed before the High Court of Madras, seeking to reveal the identity of COVID-19 affected persons, wherein the Court, without delving into the privacy aspects, held that there would definitely be social stigma and aspersions pursuant to such revelation and the petition was accordingly dismissed.
The dichotomy between public health preservation and protection of the citizens’ fundamental right to privacy, albeit viewed simplistically at present, is a serious concern and cannot be ignored. Tracking and surveillance in the present situation do serve a compelling state interest; however, for the purposes of constitutional sanctity, it is imperative to enforce safeguards as well.
Public health interest may be a legitimate reason to increase monitoring of individuals, but monitoring by government authorities must be approached with utmost caution. If caution is not exercised in times of urgency, we may be successful in containing the spread of the virus, but may irreparably damage the constitutional fabric.
For further information, please contact:
Ankoosh Mehta, Partner, Cyril Amarchand Mangaldas
Justice KS Puttaswamy (Retd.) and Another v. Union of India and Others, (2017) 10 SCC 1.
Order dated April 21, 2020 in Writ Petition No. 7494 of 2020 before the High Court of Madras.