There’s a good case for using smartphone data in the COVID-19 response, but Indians deserve an explanation for ongoing surveillance systems which could open the doors to more invasive forms of government prying in future.
Over 3 billion pieces of data were leaked, admitted Yahoo! in 2016. At the time, it was ranked as the largest data breach in history. This incident followed by data breaches by Facebook, LinkedIn, MySpace, to name a few, lead us to a larger question of – whether technological advancement and privacy can be allies?
The ongoing COVID-19 pandemic has engulfed over 100 countries, with over 20,000 infections and 650 deaths in India and the government in its efforts to contain the pandemic has placed reliance on technology. So in times such as now, an appropriate adaptation would be – Roti, Kapda, Makaan aur Privacy.
The Ministry of Electronics and Information Technology recently launched ‘Aarogya Setu’ App – meant for contact tracing and information dissemination – which is designed to trace, notify, and provide medical support to those who have come in contact with COVID-19 patients. However, the App has been heavily criticized for its non-compliance with data protection policies, accountability and transparency, all of which are essential for privacy protection. Another major setback is that the App is beneficial contigent on a few conditions – many people have the app installed, have the app running, with Bluetooth and location-enabled. But in a country where smartphones are a luxury, meeting the aforesaid prerequisites maybe unviable leading to questions of the App’s effectiveness.
Further, experts believe that ratcheting up surveillance and population tracking to fight the virus now, could permanently open the doors to more invasive forms of prying later. More likely than not, the government and law enforcement agencies may have access to sophisticated surveillance mechanisms such as geo-location tagging, facial and biometric recognition, much after dust over the pandemic settles. This data may be exploited and repurposed to further political agendas like communalism, anti-immigration policies, etc. Further, increased surveillance and divulgence of data has disintegrated people’s ability to keep their health status private. In the present scenario, Indians have little recourse to challenge digital exercises of sovereign power.
Presently, the Information Technology Act, 2000 and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 govern India’s data protection regime. However, these legislations fail to protect individual interest in today’s time. Geo-location tracking and facial recognition apps could invariably violate the right to privacy, but there is no legal framework that regulates or enables the use such technologies without violating the Fundamental Right to Privacy granted under Article 21 of the Constitution.
Even the Personal Data Protection Bill, 2019 which is likely to be approved by the Parliament in the Monsoon session of 2020 fails to take into account all stakeholders involved in data breaches. For instance, the Bill imposes heavy fines upto Rs 15 crores or 4% of the annual turnover for violations, but exempts the ‘consent’ requirement in certain circumstances where – data is required by the State, for legal proceedings, or to respond to a medical emergency. These regulatory changes, though onerous to many, are almost a natural and necessary trajectory considering India’s growing digital footprint in the world and the enormous amounts of sensitive information they leave at the State’s disposal, with or without consent!
Therefore, given a choice between public health and safety versus privacy in times of a pandemic, we have an obvious answer. This, however, is an oversimplification of the problem and the real challenge lies in balancing the health of many vis-a-vis the privacy of a few. In fact, China is tracking people through their smartphones and classifies each person with a color code — red, yellow or green — indicating contagion risk. On the other hand, Israel resorted to surveillance tools used to counter terrorism to monitor its people and contain the virus. Further, countries like South Korea, Italy and Singapore are also using contact-tracing smartphone app to track infected people and Singapore goes a step further by posting information about each coronavirus patient online with details, including relationships to other patients and infected locations.
In the battle to contain the coronavirus, countries including India have implemented several technologies meant to trace, notify, and indentify potential infected persons. However, deployment of digital surveillance tools poses a serious threat to the balance between public health and individual privacy on a worldwide large scale. Despite the setbacks of collating facial recognition, biometric data and geo-location tagging, these surveillance tolls have been beneficial in the containment of the virus.
While the present deluge of surveillance may be a necessary evil to curb COVID-19, unabated tracking of citizens to curb the virus is a disproportionate act of violation of privacy and may usher in an era of unprecedented privacy violations by companies and the government alike. Thus, strengthening India’s data protection regime and making the government accountable for data breaches may give more confidence to users and keep privacy concerns at bay.
Author- Sonam Chandwani, Managing Partner, KS Legal & Associates