The novel coronavirus pandemic has ignited a raging debate regarding the protection of one of the fundamental elements of human rights – the right to privacy. There is no doubt that this extraordinary public health emergency has necessitated radical, short-term measures to contain the spread of the virus and protect the health of billions of global citizens. What is alarming, however, is the threat that these temporary measures will become a permanent fixture of civil society, long after the pandemic is over.
In August 2017, a nine-judge Supreme Court bench delivered a unanimous verdict in Justice KS Puttaswamy vs. Union of India whereby it read the right to privacy into Article 21 of the Indian Constitution (right to life and personal liberty). This affirmation of the right to privacy as a fundamental right was a momentous event in India’s constitutional history. The Constitution (Forty-fourth Amendment) Act, 1978 amended Article 359 of the Constitution to provide that Article 21 could not be suspended even during a national Emergency.
As with all other fundamental rights, the right to privacy is not absolute. It may be subject to reasonable restrictions under specific circumstances, particularly if they concern the larger public interest, and must be sanctioned by specific legislation.
In India, privacy concerns during the coronavirus pandemic have primarily arisen due to three interventions:
Publicly disclosing personal information of quarantined individuals
Deploying drones, facial recognition and geo-fencing technologies for surveillance
Mandating the use of contact tracing apps such as Aarogya Setu
It can be argued that the government may, if it so chooses, exercise limitless powers in the larger public interest to fight the coronavirus. However, this where the maximum risk lies. In vulnerable times such as these, governments are prone to overstepping their authority and diluting civil rights in the garb of public interest. The critical issue to be reckoned with in the current scenario is that all these interventions are not backed by legislation specifically enacted for these purposes.
The government has relied on ancillary laws to justify the solutions proposed for waging war on the coronavirus. The Epidemic Diseases Act, 1897 has been cited as the basis for publicly disclosing personal information of quarantined individuals in Rajasthan, Karnataka and other states. Provisions under the Disaster Management Act, 2005, the Aircraft Act, 1934 and the Telegraph Act, 1885 are being reinterpreted to justify the legitimacy of deploying drones/geo-fencing technologies and sanctioning the use of contact tracing apps. Using generic laws to dilute the right to privacy is in itself untenable.
Some believe that by disclosing personal information without consent, government authorities have endangered citizens’ lives and compromised their safety. They have also failed to use the ‘least intrusive measures’ under the circumstances.
The Puttaswamy judgment laid down a three-fold test to determine if it was reasonable to dilute the right to privacy in public interest:
Legality: The restrictive action should be legal, i.e., it should be sanctioned by law
Legitimate aim: The action should have a legitimate aim, i.e., it should not be arbitrary
Proportionality: Rational connection between the objective and the measures adopted to achieve it
The ancillary laws mentioned above have no express provisions which authorize surveillance activities. State governments disclosed personal details of people who were quarantined, not necessarily infected, that too without their consent; the apprehension was that such people could breach quarantine restrictions and spread infections. The disclosure of personal details on government websites increased stigma and led to people being ostracized and harassed, endangering their lives and compromising their safety.
The Supreme Court, in Modern Dental College vs. State of Madhya Pradesh, advocated a four-pronged proportionality test to permit the restriction of a constitutional right. One of the prongs (‘least intrusive measures’) seeks to assess if alternative measures “with a lesser degree of limitation” are available to achieve the same purpose. Based on an analysis of facts, it can be reasonably concluded that authorities have not adopted ‘least intrusive measures’ to achieve their objectives. Accordingly, coronavirus-related interventions fail the proportionality test laid down by the apex court.
Even if these actions were sought to be justified by relying on Section 12 (grounds for processing of personal data without consent) of the Personal Data Protection Bill, 2019, the important point is that the Bill has still not been enacted into law.
India urgently needs a robust and dedicated law to deal with epidemics; such a law should specifically deal with the protection of privacy during epidemics and health emergencies. Data collected via various interventions must be used for the intended purpose and not be disseminated to third parties without consent.
Key concerns regarding the data collected for preventing coronavirus infections include:
Misuse: Disclosing data to third parties without consent or using it for state surveillance
Unauthorized distribution: Disseminating data for non-commercial purposes (such as research) without anonymizing it
Leakage: Perceived security vulnerabilities in government websites and contact tracing apps which can cause data leakage
Due to the sensitivity of data involved, it becomes incumbent upon government authorities to be fully accountable for maintaining the confidentiality of information collected and prevent its misuse. In the Puttaswamy judgment, Justice Bobde had ruled that consent was essential for the distribution of inherently personal data such as health records. Besides being a breach of privacy, unauthorized disclosure can have severe social ramifications in the form of stigma, ostracization and harassment.
A question mark remains as to what will happen to the data once the pandemic is over. There are serious concerns that in the absence of regulatory oversight, the data will be used to build a sophisticated surveillance tool which will monitor citizens without their consent. Despite government assurances, citizens and civil liberty organizations fear that the lack of a robust data protection law is a weakness which can be exploited to use personal data for unintended purposes.
I repeat that India urgently needs a robust and dedicated law to deal with epidemics of the scope and magnitude of the coronavirus. Besides other regulations, such a law should specifically deal with the protection of citizens’ rights, including the right to privacy, during epidemics and health emergencies. In balancing public health and privacy, the law must rely on the tests of legitimate aim and proportionality, as mandated by the Supreme Court. And finally, citizens should have the right to request for deletion of their data when the objective for which it was collected has been achieved.
Syed Iqbal Tahir is a Supreme Court Lawyer