Data Privacy Amidst COVID-19: Government and Private Sector Considerations
Written by Shivi Chola
First Year, B. Com LLB. Gujarat National Law University
Disclaimer: Please note that the views expressed below represent the opinions of the article's author. The following does not necessarily represent the views of Law & Order.
The situation around the world
As the novel coronavirus (COVID-19) has spread to nearly 213 countries and territories across the world, nations have come up with unique ways to prevent the spread of the virus such as using the travel history of individuals to detect probable patients, establishing isolation centres, and sealing national and international borders. All these measures have been taken to avoid widespread transmission of the disease that would further harm the overburdened healthcare system of the affected countries.
Governments and medical organisations across the world are using the personal and private data of their citizens to identify probable cases of the novel coronavirus. Amidst these efforts, questions of individual privacy and data security are coming to people's attention.
In combating the spread of COVID-19, Italian authorities have approved the use of drones to ensure social distancing. Many countries have come up with specific mobile applications that monitor physical wellbeing and raise a community alert when individuals leave quarantine zones or when an individual has been in the proximity of a coronavirus patient, using Face Recognition Technology (FRT)-based CCTVs and contact tracing. The unforeseen circumstances of the pandemic are reshaping our relationship with surveillance mechanisms at large, but at the same time, we must be mindful that this must not become a regular trend.
The situation in India
The Government of India has come out with the Aarogya Setu app, which works on the basis of contact tracing and geo-tagging in order to identify COVID-19 cases near the individual. Although the app was made mandatory for all citizens to install, the software code is not made open to independent security audits. What's more concerning is that the app has shown vulnerability to hacking and disruption from external sources, which can significantly compromise the privacy of an individual's data. For example, the Aarogya Setu app was recently hacked by a French ethical hacker named Robert Batiste, and in another case, by a Bangalore techie. The government is terming it “amateur hacking.”
In India, states such as Kerala have used telephone call records, CCTV footage and mobile phone GPS systems to trace the primary and secondary contacts of COVID-19 patients. These authorities have even published detailed time and date maps that show the movement of people who have tested positive. Additionally, individuals have been asked to send selfies with geo-tags every hour to the government. There is a new data privacy concern rising in the state of Kerala. The government has allegedly contracted a foreign company from the United States to collect COVID-19 data and analyze it, a major violation of sovereignty.
The Karnataka, Rajasthan, and Mohali district administrations have made names and personal addresses of suspected COVID-19-positive individuals public through local newspapers and official websites. Further, the personal data of around 20 people under quarantine in the city of Hyderabad was leaked from a government agency’s database.
The Laws of Data Privacy applicable in India
The Right to Privacy has been recognized as a fundamental right under Article 21 of the Constitution of India. The Aadhaar judgement further strengthened the right and gave recognition to personal data protection. The Personal Data Protection Bill has, in pursuance of this judgement, been introduced in the Lok Sabha and is yet to be tabled in the monsoon session.
In achieving a similar goal, the government has been planning to build a common repository of medical health information in order to provide medical facilities to all its citizens. In this regard, the government drafted the Digital Information Security in Healthcare Act, 2018 (DISHA) to ensure certain limitations on the usage of this health data. It was incorporated in the Personal Data Protection Bill 2019.
However, the government has invoked the Epidemic Diseases Act 1897 and the Disaster Management Act 2005 to control the spread of the novel coronavirus in the country and is taking active steps to curb the same under these Acts. This allows the Centre and State governments to take any action that they deem fit for the prevention, mitigation, or preparation to fight the virus. However, this law gives unlimited power to the administrators and does not provide for the rights of the citizen in such emergencies. It does not have any legal provisions dealing with the breach of privacy through the dissemination of personal information. It also provides immunity to the government and any responsible organisations under Section 74 of the Disaster Management Act against any legal action.
The only standing laws that can presently be applied to govern privacy are the Information Technology (Amendment) Act 2008 and the Information Technology Rules 2011 (Reasonable security practices and procedures and sensitive personal data or information – the ‘Data Protection Rules.’) However, these apply only against corporate entities and persons in India, and not against the government. As India currently lacks a strong legal framework to hold the government liable and accountable for infringing upon the privacy of individuals, all the government actions are still capable of standing the test of the 'Right to Privacy' judgment.
The existing and proposed privacy laws have conflicting rules. On one interpretation of the Information Technology Rules 2011, any information collected by the government requires the consent of the concerned individual. However, the scenario is different if the Personal Data Protection Bill, which is not yet in force, is applied. In that case, the government can access the personal information of its citizens without obtaining the consent of the individual if it deems this to be in the “interest of sovereignty and integrity of India”.
The pandemic situation has entitled government and corporate entities to collect health information from citizens. It is crucial to note that, as per Rule 3 of the Information Technology Rules, 2011, health-related information of an individual comes under Sensitive Personal Information. This information can only be transferred after the due consent of the data provider.
Acts of the Government and the Law of Privacy
The Right to Privacy is not an absolute right, unlike all other fundamental rights. The Right to Privacy judgment lays down that any infringement of the Right to Privacy by the government should be reasonable and proportionate. The present actions of the government, including checking and tracking travel history and medical records and measuring body temperature, are all reasonable, as they are only used in the speedy detection of probable cases of coronavirus. However, the publication of personal information by the states, including the name, age, gender, and passport number of quarantined people or COVID-19 positive patients, becomes excessive in nature and unreasonable, thus violating the privacy rights of such people. The infringement, in this case, is illegitimate and constitutionally unjustifiable.
Moreover, it will lead to the ostracisation of such people from society, given that in the present time, even front-line workers are not being spared and are being stone pelted, spat on, and injured ruthlessly. COVID-19 fears are at a peak in the country, and people whose information has been leaked are facing undue discriminatory behavior from society. Some of these incidents have even led to suicide and lynching cases. 
Such acts of state governments have taken away a fundamental right from the citizens. As rightly pointed out in the landmark Puttaswamy judgement, if the government chooses to act in conflict with the fundamental rights of individuals, it should first ensure that there is no other alternative less encroaching or detrimental than the one being opted for. This is called the 'necessity stage'. Here, had the government not revealed the names, similar end results would have been achieved. Hence the identity of such citizens could have been kept anonymous. By revealing the names, the government has chosen the alternative that deliberately encroaches upon the rights of individuals more than necessary.
The growing use of the mobile application to fight the novel coronavirus also fails the 'necessity stage' in a developing country like India, as most of the population has no mobile phone and internet connectivity.
There is a forward-looking concern about the “Right to Forget”, which is given recognition in the Puttaswamy judgement as well as in the draft of the Personal Data Protection Bill, 2018. When the coronavirus outbreak comes to an end, the information available would have to be removed from the public domain. But, in today’s age, data can never be absolutely removed from the internet; the footprints will always remain. There could be some data floating around which could be easily misused.
There is a huge privacy concern as the personal information of citizens is given to a foreign private company, as is being presently done in Kerala. The IT Rules, 2011 have guidelines regarding the transfer of information outside of India only by corporate bodies that are operating in India. Here, the government is indirectly aiding the transfer of information; this is not only prima facie unlawful but also lacks precedential clarity. India refused to sign the Osaka Declaration on ‘Free Flow of Data Across Borders’, suggesting that it does not wish to give up the ownership of its data, which again highlights the inappropriate action of the State Government. Further, it entails a risk of data being misused and information being sold for commercial gains.
The Aarogya Setu app could easily become a citizen-surveillance tool. The contact tracing technique used by the app raises questions regarding the centralisation of data and manipulation of the app’s features. Further, since it has been hacked twice, the data may be leaked to private entities who may sell off this data for commercial gains. The government responded to the first hack by saying that the data is encrypted and goes to trash after every 30 days. However, if such hacks continue to happen, then such data would continue to be a part of the public domain and would never really be completely forgotten, which is a clear violation of the fundamental right of privacy as upheld in the Puttaswamy judgement.
Data Privacy Concerns in the Private Sector
The data privacy concern in private sector companies is rather unclear. Sensitive personal data that has been collected from employees with written consent can only be used for the declared use, as listed in Rule 5 of the IT Rules.
Further, all diseases contracted by employees that are classified as 'occupational disease' must be reported to the employer as per the Factories Act and the Employee State Insurance Act. As of now, COVID-19 has not been classified as an occupational disease. Thus the employees have no liability to report to the employers if they have contracted the virus.
This information set gives rise to an indirect problem as well. Vast data sets provide a competitive edge to all the companies; if the collected information is used for purposes other than the intended use of health security, it can cause havoc in the competitive forces. Thus, the disposal of information after its usage is a major concern for any company.
Suggested measures for Private Sector
While it has been realized that a great deal is at stake in curing the novel coronavirus, it must be ensured that the right to privacy of people is not sacrificed disproportionately by corporate entities.
Mentioned below are a few ways in which this sensitive data could be handled:
● There should be only one copy of the data collected, held under one authority; multiple copies held with different team heads should be avoided.
● The data should be stored with a central depository. Further, there should be traceability of the data shared. This will ensure that sensitive personal information is accessed by only authorized members.
● The companies should give a warning to the employees about the probable sharing of information with the government authorities.
● The companies should also ensure that while dealing with the personal information relating to COVID-19 of the employees, the information should be differentiated from the standard personal information of an employee of the company and it should be stored separately.
● After the outbreak, the providers of the data should be given due right to rectify, forget et cetera for any data that was collected during the coronavirus outbreak. Further, if the data continues to be stored, consent needs to be taken again from the individuals who provided it.
Suggested measures for the Government
Even in times of health emergencies, governments must ensure that the privacy rights of their citizens are not infringed.
● The government should come up with elaborate privacy policies for each of its privacy-invading actions. It should also establish institutional checks and liability regimes in order to raise acceptance in society.
● The government should undergo a long process of consent and wilful declaration of information of individuals; it should consider coming up with an ordinance or ad hoc measures that can bring certain provisions of the Personal Data Protection Bill into force and ease the process. This will also ensure that the information of individuals is well handled, and the privacy of individuals is not infringed.
● Moreover, the government should be transparent in its actions and should disclose to individuals information about its surveillance mechanisms, where the information is stored, who it is accessible to, the mechanisms for checking leaks and mishaps, how the private information will be discarded at the end of the pandemic, and other such questions.
Privacy laws have always been dealt with as a “soft” law in the country. Not only does India lack a definite legal framework for data protection that would address situations like COVID-19, it also lacks an enforcing authority that could have issued guidelines to ensure personal data is collected and handled with caution. The government has unlimited and unchecked power. For instance, the Information Technology Act 2000 allows widespread communications interceptions by the government in the event of a security or national threat. Though the COVID-19 pandemic is a national emergency, rights and liberties should not be compromised at any cost, as it may set the wrong precedent and eventually erode the ideals of our democracy.
Matthew Hollroyd, Coronavirus: Italy approves use of drones to monitor social distancing, Euro News (23rd March 2020), https://www.euronews.com/2020/03/23/coronavirus-italy-approves-use-of-drones-to-monitor-social-distancing.
Timesofindia.com, COVID-19: What is Arogya Setu App and how does it work? (Apr 14, 2020, 13:51 IST), https://timesofindia.indiatimes.com/life-style/health-fitness/health-news/covid-19-what-is-arogya-setu-app-and-how-does-it-work/articleshow/75135623.cms.
Manavi Kapur, India’s Aarogya Setu app is another chapter in its chequered history of data protection, The Scroll (14th May 2020, 8:30 PM), https://scroll.in/article/961847/indias-aarogya-setu-app-is-another-chapter-in-its-chequered-history-of-data-protection.
India TV Tech Desk, Aarogya Setu app reportedly hacked by Bengaluru techie because it became mandatory, India TV (May 15, 2020, 14:57 IST), https://www.indiatvnews.com/technology/news-aarogya-setu-app-allegedly-hacked-by-bengaluru-techie-all-you-need-to-know-617435.
India Today Web Desk, All those home quarantined in state need to send selfies to govt every hour: Karnataka Minister, India Today (March 30, 2020 22:31 IST), https://www.indiatoday.in/india/story/all-those-home-quarantined-in-state-need-to-send-selfies-to-govt-every-hour-karnataka-minister-1661517-2020-03-30.
PTI, Congress claims US firm involvement in COVID-19 data analysis in Kerala, Financial Express (April 10, 2020, 10:03:12 PM), https://www.financialexpress.com/india-news/congress-claims-us-firm-involvement-in-cvoid-19-data-analysis-in-kerala/1925216/.
Nikhil Pratap and Kashish Aneja, 1.3 Billion People. One Virus. How Much Privacy? (30/MAR/2020), https://thewire.in/government/covid-19-pandemic-privacy-india.
NirupaVatyam, Information leaked, 19 from Hyderabad in-home quarantine face hell, The Times of India (Mar 29, 2020, 09:27 IST), http://timesofindia.indiatimes.com/articleshow/74869073.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst.
Justice K.S. Puttaswamy v. Union of India (2017) 10 SCC 1.
Justice K.S. Puttaswamy and Ors. vs. Union of India (UOI) and Ors. AIR 2017 SC 4161.
Panel studying Data Bill seeks extension till Monsoon session, The Economic Times (Mar 24, 2020, 12.33 PM IST), https://economictimes.indiatimes.com/tech/internet/panel-studying-data-bill-seeks-extension-till-monsoon-session/articleshow/74788478.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst.
Manish Tewari, India’s fight against health emergencies: In search of a legal architecture, Observer Researcher Foundation (MAR 31 2020), https://www.orfonline.org/research/indias-fight-against-health-emergencies-in-search-of-a-legal-architecture-63884/.
National Authority, National Executive Committee, State Authority and other authorities which might be created under the, and in terms of the Disaster Management Act, 2005 and Epidemic Diseases Act, 1897 can be construed as responsible authorities.
Section 74, Disaster Management Act, 2005 available at https://www.ndmindia.nic.in/images/The%20Disaster%20Management%20Act,%202005.pdf.
Nilanjana Chakraborty, Will govt exemption in new Data Protection Bill affect you?, Live Mint (09 Feb 2020, 10:01 PM IST), https://www.livemint.com/money/personal-finance/will-govt-exemption-in-new-data-protection-bill-affect-you-11581246354859.html.
Rule 3, Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, https://meity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf.
Ibid
Suhrith Parthasarathy, Coronavirus and the Constitution – IV: Privacy in a Public Health Crisis, Indian Constitutional Law and Philosophy, https://indconlawphil.wordpress.com/2020/03/29/coronavirus-and-the-constitution-iv-privacy-in-a-public-health-crisis/.
PTI, Facing 'Social Boycott', Himachal Man Hangs Self Day After Testing Negative for Coronavirus, News 18 (April 5, 2020, 6:01 PM IST), https://www.news18.com/news/india/facing-social-boycott-himachal-man-hangs-self-to-death-day-after-testing-negative-for-coronavirus-2565349.html.
Justice K.S. Puttaswamy v. Union of India (2017) 10 SCC 1.
Abdul Hafiz Gandhi And Tarushikha Sarvesh, Publishing Photos, Names And Addresses On Hoardings Of Alleged Rioters Is A Violation Of Right To Privacy, LiveLaw (15 March 2020 10:54 AM), https://www.livelaw.in/columns/publishing-photos-names-and-addresses-on-hoardings-of-alleged-rioters-is-a-violation-of-right-to-privacy-153858).
Ibid.
Ravi Antani, “The Resistance Of Memory: Could The European Union's Right To Be Forgotten Exist In The United States?”, 30 Berkeley Tech LJ 1173 (2015).
Supra no. 6
Scroll Staff, G20 summit: India does not sign Osaka declaration on cross-border data flow, Scroll (Jun 29, 2019 · 08:30 am), https://scroll.in/latest/928811/g20-summit-india-does-not-sign-osaka-declaration-on-cross-border data-flow.
BIBLIOGRAPHY
Matthew Hollroyd, Coronavirus: Italy approves use of drones to monitor social distancing, Euro News (23rd March 2020), https://www.euronews.com/2020/03/23/coronavirus-italy-approves-use-of-drones-to-monitor-social-distancing.
The Times of India, COVID-19: What is Arogya Setu App and how does it work? (Apr 14, 2020, 13:51 IST), https://timesofindia.indiatimes.com/life-style/health-fitness/health-news/covid-19-what-is-arogya-setu-app-and-how-does-it-work/articleshow/75135623.cms.
Manavi Kapur, India’s Aarogya Setu app is another chapter in its chequered history of data protection, The Scroll ( 14th May 2020, 8:30 PM), https://scroll.in/article/961847/indias-aarogya-setu-app-is-another-chapter-in-its-chequered-history-of-data-protection.
India TV Tech Desk, Aarogya Setu app reportedly hacked by Bengaluru techie because it became mandatory, India TV (May 15, 2020 14:57 IST) https://www.indiatvnews.com/technology/news-aarogya-setu-app-allegedly-hacked-by-bengaluru-techie-all-you-need-to-know-617435.
India Today Web Desk, All those home quarantined in state need to send selfies to govt every hour: Karnataka Minister, India Today (March 30, 2020, 22:31 IST), https://www.indiatoday.in/india/story/all-those-home-quarantined-in-state-need-to-send-selfies-to-govt-every-hour-karnataka-minister-1661517-2020-03-30.
PTI, Congress claims US firm involvement in COVID-19 data analysis in Kerala, Financial Express (April 10, 2020 10:03:12 PM), https://www.financialexpress.com/india-news/congress-claims-us-firm-involvement-in-cvoid-19-data-analysis-in-kerala/1925216/.
Nikhil Pratap and Kashish Aneja, 1.3 Billion People. One Virus. How Much Privacy? (30/MAR/2020), https://thewire.in/government/covid-19-pandemic-privacy-india.
NirupaVatyam, Information leaked, 19 from Hyderabad in home quarantine face hell, The Times of India (Mar 29, 2020, 09:27 IST), http://timesofindia.indiatimes.com/articleshow/74869073.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst.
Justice K.S. Puttaswamy v. Union of India (2017) 10 SCC 1.
Panel studying Data Bill seeks extension till Monsoon session, The Economic Times (Mar 24, 2020, 12.33 PM IST), https://economictimes.indiatimes.com/tech/internet/panel-studying-data-bill-seeks-extension-till-monsoon-session/articleshow/74788478.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst.
Manish Tewari, India’s fight against health emergencies: In search of a legal architecture, Observer Researcher Foundation (MAR 31 2020), https://www.orfonline.org/research/indias-fight-against-health-emergencies-in-search-of-a-legal-architecture-63884/.
Section 74, Disaster Management Act, 2005 available at https://www.ndmindia.nic.in/images/The%20Disaster%20Management%20Act,%202005.pdf
Nilanjana Chakraborty, Will govt exemption in new Data Protection Bill affect you? Live Mint (09 Feb 2020, 10:01 PM IST), https://www.livemint.com/money/personal-finance/will-govt-exemption-in-new-data-protection-bill-affect-you-11581246354859.html.
Rule 3, Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, https://meity.gov.in/sites/upload_files/dit/files/GSR313E_10511(1).pdf.
Suhrith Parthasarathy, Coronavirus and the Constitution – IV: Privacy in a Public Health Crisis, Indian Constitutional Law and Philosophy, March 2020 https://indconlawphil.wordpress.com/2020/03/29/coronavirus-and-the-constitution-iv-privacy-in-a-public-health-crisis/.
PTI, Facing 'Social Boycott', Himachal Man Hangs Self Day After Testing Negative for Coronavirus, News 18 (April 5, 2020, 6:01 PM IST), https://www.news18.com/news/india/facing-social-boycott-himachal-man-hangs-self-to-death-day-after-testing-negative-for-coronavirus-2565349.html.
Abdul Hafiz Gandhi And Tarushikha Sarvesh, Publishing Photos, Names And Addresses On Hoardings Of Alleged Rioters Is A Violation Of Right To Privacy, LiveLaw (15 March 2020 10:54 AM), https://www.livelaw.in/columns/publishing-photos-names-and-addresses-on-hoardings-of-alleged-rioters-is-a-violation-of-right-to-privacy-153858).
Ravi Antani, “The Resistance Of Memory: Could The European Union's Right To Be Forgotten Exist In The United States?”, 30 Berkeley Tech LJ 1173 (2015).