In the
previous post, we
discussed how we do not ‘trade-off’ or waive our right to privacy when we give
our personal data to the State or a private entity. We highlighted how we
continue to have a right to privacy over the data that we have parted with, as
privacy is a right that belongs to ‘people, and not places’.
In this post, we will analyze a similar
trade-off that is being discussed today, which is the trade-off between privacy
and public health. This is in light various data collection measures that have
been adopted by the Central and State Governments, with the intention of
checking the spread of Covid-19.
Different data
collection measures and their privacy concerns
To take
steps to prevent the spread of the virus, the Central and State Governments
have been collecting different types of sensitive personal data. An important
category of sensitive personal data that is being collected by State
Governments is geo-location data (through GPS). This is being collected for two
primary purposes – (i) to ensure that those who have been advised either home
or institutional quarantine do not escape the same; and (ii) to conduct
contract tracing of those who have been diagnosed positive for Covid-19. This
is done to identify those who have come in contact with an infected person, as
they have a higher risk of catching the infection and hence need to be tested or
isolated immediately.
For
instance, the Karnataka Govt. mandated that
those who are under home quarantine should upload selfies every one hour with
their GPS coordinates on a mobile application.
The only exemption granted is from 10 P.M. to 7 A.M, during which the
selfie need not be uploaded. This practically means that the State is deciding
the sleep cycle of those who are under home quarantine, as not uploading a
selfie within the designated hours may invite harassment from govt. officers. This
goes against bodily autonomy and personal choice, which as Justice Chandrachud held
in Puttuswamy I, are integral aspects of the right to privacy.
Another smartphone-based
application that has gained prominence is the Aarogya Setu application – which
is being vehemently promoted by the
Central Government. Even this app requires GPS data to work, and provides
information with respect to whether you have come in close contact with a
Covid-19 patient, the number of positive cases near your area etc. While this
app was promoted as a voluntary service that could be downloaded by the user,
it is now becoming another recipe for coercion, under the latest lockdown guidelines issued
by the Ministry of Home Affairs.
The
guidelines state that within containment zones, the local authorities should
ensure 100% coverage of the app among the residents – which effectively means
that local authorities can coerce all residents to download the app and part
with their geo-location data. The guidelines also make it mandatory for
employees in both private and public workplaces to download the app, and has
cast a duty on the employer to ensure that the employees comply with the same.
A third instance
that should concern us is with respect to Sprinklr,
which is a New York based company that had received a contract from the Kerala
Govt. to manage Covid-19 related data. The data collected by healthcare workers is shared with Sprinklr,
which is required to manage the data on its servers. A petition was also filed in Kerala High Court, on the ground
that the medical data collected should only be stored locally in government
servers, and that the confidentiality of the medical data collected must be ensured.
In a significant decision, the Court inter alia directed that Sprinklr should not disclose the data to any
third party, and must anonymize all collected data. The Court noted that this
is necessary to ensure that “there is no data epidemic after Covid-19 epidemic
is controlled”. The decision of the Kerala High Court is also of utmost
relevance to the other measures that I have referred to above.
All the other instances referred above involve
collection of sensitive personal information. They bring to light several
privacy concerns such as non-consensual collection of data, and possible
sharing of data with third parties. But, instead of addressing such concerns,
different state governments have merely contended that such collection of data
for purposes such as contract tracing is necessary to check the spread of the
disease.
The State’s attitude towards privacy in times of a
pandemic
The attitude that both the Central Govt and the State
Govts have adopted towards privacy can be highlighted by referring to the
arguments of the Kerala Govt. counsel in the Sprinklr matter. The Govt. counsel
argued that ‘data management’ is one of the reasons as to why Kerala has
successfully managed to control the spread of Covid-19. Now, there can be no
quarrel with the proposition that collection of personal data is necessary for
contract tracing – which is an important measure to stop the spread of the
virus. But, the problem arises when the State disregards privacy under the
pretext of meeting the larger objective of public health.
As we discussed in the previous post, a person does
not ‘waive’ his privacy when he gives certain personal information to the State,
for accessing a benefit or a service. The person continues to have a right to
privacy over his data even when it is consensually given to the State (or to a
private entity) - and is entitled to a legal remedy if there is an unauthorized
use of his personal data. Hence, even if a person voluntarily downloads the
Aarogya Setu app, he does not waive his right to privacy over the data that he
is sharing with the State. The necessary corollary to this in the current
Covid-19 scenario is that even when a person is voluntarily parting with his
data for purposes such as contact tracing, he is not ‘trading-off’ or waiving his right to privacy in
order to safeguard public health.
With respect to measures such as uploading periodic
selfies and sharing of geo-location data, or parting with medical information,
there is no question of consent involved as it is mandatory for certain
categories of individuals to part with that information. As consent is not
being taken, there is no question of ‘waiving’ or foregoing the right to
privacy that arises here. Taking this forward, even non-consensual data
collection for protecting public health during the Covid-19 pandemic does not
involve any ‘trade-off’ or sacrifice of privacy.
This leads to one common end – which is that when the
State collects, uses and stores Covid-19 related data, it should do so in a
manner that safeguards privacy. As long as the State does not stick to its
rigid stance of viewing privacy and public health as a direct trade-off, it is
very much possible to simultaneously safeguard privacy and public health,
during this pandemic.
Simultaneously safeguarding privacy and public health
Now, all the measures that have been referred to above
can be replaced with alternatives that safeguard privacy, and achieve the
objective of protecting public health with equal efficacy. Instead of coercing
those under home quarantine to upload hourly selfies, the State can facilitate
their quarantine by asking officers or healthcare workers to visit them on a
periodic basis, and ensure that they have access to all basic facilities. Such
a process shall build mutual trust, which may be more beneficial in ensuring
that the quarantine requirements are adhered to.
Uploading of selfies with geo-location data also
results in a certain level of stigma. To avoid this stigma, individuals in
future may refuse to cooperate and give details about their symptoms, and may
also refuse to come forward to get themselves tested. This shall ultimately
affect the objective of protecting public health. Hence, not safeguarding
privacy may also compromise the State’s larger objective of safeguarding public
health.
With respect to sharing and storing of medical data,
the State can very well store the data in govt servers, and need not open a
Pandora’s box by delegating such actions to a private entity, which is not
accountable to ensure confidentiality. It should also ensure that the data is
anonymized, in a manner that ensures that no personally identifiable
information is publicly accessible. This localized storage of data in govt
servers and data anonymization was one contention in the petition filed against the Kerala
govt - for sharing the data with Sprinklr. Even in this scenario, storing the
data in govt servers and ensuring data anonymization shall not in any way
compromise the objective of safeguarding public health.
Finally, making Aarogya Setu mandatory when the app is
in its nascent stages leads to further complications, as the State may not have
adequately tested the security infrastructure where large amounts of sensitive data
(such as geo-location data) are supposed to be collected and stored. The State
also has an interest in ensuring that this sensitive personal information such as medical
data or geo-location data is not misused by foreign entities for nefarious purposes. Hence, along with
compromising privacy, making Aarogya Setu mandatory may create new security
vulnerabilities and additional complications for our data infrastructure.
The above discussion highlights that giving scant
regard to privacy may lead to unintended consequences. Giving scant regard to
privacy for public health may, along with compromising privacy, also compromise
public health and security. As Covid-19 is unlikely to die down anytime soon, a
lack of privacy safeguards may create a data epidemic along with this pandemic.
We, as citizens, must hence continue to be vigilant.
No comments:
Post a Comment