By Gaurav Kumar Yadav ~ Faculty Of Law, Integral University Lucknow
& Manahil Kidwai ~ Institute of Legal Studies, Shri Ramswaroop Memorial University
“No system of mass surveillance has existed in any society that we know of to this point that has not been abused.”
According to the Ministry of Health and Family Welfare Website, as of 27 October 2020 India had 62,5,857 active cases of covid-19 and 72,010,70 cured/discharged covid-19 patients and 11,95,02 deaths due to the disease. As society struggles to stay on top of the COVID-19 pandemic, governments have a greater responsibility to deal effectively with this public health crisis, in a way that is least restrictive to the civil liberties of its citizens. The use of technology as a part of disaster reaction cannot be ruled out, but the regulatory flaws regarding the use of such technology in India mean that one should proceed carefully. Contact-tracing applications have been determined as an important way to make efficient and localized decisions regarding the proliferation of COVID-19. In the midst of unprecedented and factious pandemic in the country, fear is being articulated about the use and competence of India’s contact tracing app ‘Arogya Setu’ and its technological interventions; which however is acting out as an extraordinary measure in the pandemic; can become permanent solutions to government intrusion into our lives. The main controversy in the use of technology in dealing with such public crises is violation of citizens’ privacy. In a trade-off between struggles of a public health crisis and facets of violation of individual’s privacy the government’s scale tip in favour of the former, which is unjustified within its constitutional validations. Whatever the extent of a situation is, the government must make sure that the privacy of everyone is secured and it is not disproportionately violated. Justice B.N. Sri Krishna expressed his latest views regarding the app that the push for compulsory use of the app is “completely illegal”. While there is no strong legislative framework to protect personal data (as the Personal Data Protection Bill, 2019 is unavailable), we are placed with the question of how to secure our personal data as the extraordinary look of the circumstances.
DATA PROTECTION AND PRIVACY CONCERNS WITH AROGYA SETU-
India launched its official contact tracing app – Arogya Setu on 2 April. The app has been seeing frequent downloads since its launch until May 26, reaching 115 million, making it the most downloaded contact tracing app in the world (and the seventh most downloaded worldwide app in the month of April). 70 % of the contact tracing applications run on a centralized order which emphatically means that the location and data processed by the apps are funnelled into a centrally run database preserved by the government or local health body. The contact tracing App of India also works on this centralized system and requires continuous access to location history via Bluetooth and GPS. All data collected through the app is stored and managed on government servers, which fails its credibility in terms of privacy. MIT recently downgraded the rating of this app to 1 out of 5 because of its non-fulfilment of the doctrine of ‘data minimalization’. The app collects data in four categories (1) demographic, (2) location (3) self-assessment (4) contact. The information collected by the database of the app is a person’s name, number, location, age, gender, profession, travel history, and people nearby. The app continuously accesses one’s location. From the date of launch, the Aarogya Setu app has faced continuous ire by privacy advocates and cybersecurity experts for its privacy and transparency concerns. The constant surveillance on one’s location via a Bluetooth as per critics, intrudes individual’s personal security and privacy.
According to Nikhil Pahwa, editor of Medianama, an internet supervisory body, The big problem with the app is that it observed a situation that is considered pointless globally; “Any app that tracks with whom you’re always in touch and tracks your location is a clear breach of privacy.” Arogya Setu empower the authorities to upload the collected information in a government-owned and controlled directory which provides data to persons carrying out necessary medical and administrative interventions in connection to “Covid-19”. This arises the questionability of the application, as this ability permits the administration to share data with roughly anyone. Identically arogya setu’s unique digital identity is a constant pin that increases the likelihood of identity breach. India anyways bear the blame of an unlikely privacy protection history because of the launch of Indian Aadhaar, the largest and most controversial biometric identification database in the world. Similarly, it is also right to note that the traditional check on the executive surplus of the application is corrupt under current covid-19 circumstances, considering the mid postponed parliamentary sessions. Parliament and the judiciary still working virtually with minimal cases. The app is not supported by any law, ordinance or regulation. Although it is run by the National Informatics Centre under the Ministry of Electronics and Information Technology, the standard of validity under Puttaswamy has thus failed. While a legal purpose exists – that is, the protection of public health, the affinity of the measures being presumed under the app can be challenged on the ground of its breach of valid constitutionality. The fourth standard of procedural safety measures is also infringed because the government has a wide discretionary power to use data without any accountability system.
PRESENT LEGAL FRAMEWORK
The Draft of Personal Data Protection Bill, 2019 (“Bill”) was proposed before the Lok Sabha, which requires that the personal data is properly and reasonably handled or principal data for purposes of consent, or for incidental or linked purposes while ensuring the confidentiality of the principal data. While the Personal Data Protection Bill, 2019 is still laid out before Parliament, India currently is in absence of a comprehensive data protection system. The only other relevant law is the Information Technology IT Act, 2000, and (Reasonable Security Practices, Procedures and Sensitive Personal Information) Rules, 2011. Yet, their applicable provisions have a confined scope, being more tailored to compensate for individual breaches of confidentiality by corporate bodies. These laws thus, do not create any framework for the intervention of the state. The Information Technology Act of 2000 set specific penalties for data breaches and privacy, in the computer domain and cybercrime. The four sections of the Information Technology Act relate specifically to penalties against misuse and breach of data in India. These are sections 43, 65, 66 and 72
The legal framework is thus non-existent. But constitutional limitations exist. In the case of Justice K.S.Puttaswamy (Retd.) vs Union of India a 9-judge constitutional bench of the Apex Court recognized the right to privacy as a part of the right to life and personal liberty under Article 21 of the Indian Constitution and shall not lose its importance/status between the Golden Trinity of Article 14 (Right to Equality), Article 19 (Right to Freedom) and Article 21 (Right to Life and Personal Freedom). Thus this right can only be encroached by the procedure established by law, which must be just and proper, held in MANEKA GANDHI V. UNION OF INDIA
Considering India’s current complicated and constantly changing social and political landscape, especially concerning covid-19 and its procuring challenges the expansion of digital cyberspace and updated laws and standards on global privacy and data security is a unique requirement. Initiatives of this sort that were already being tested and placed need to be reformed and updated into their better forms. Considering the extreme importance of health in public interest, privacy is also a notion cannot be denied or neglected, as it is an undeniable aspect or right to life. Noting that it is not incorrect to prosecute that even in the state of a global pandemic, sacrificing one’s individual privacy would be an unfair trade. Current statutory governance and traditional individual consent-based models of data-governance fall short of harmonizing between these two public interests. Use of emergency measures should remain within the scope of emergency situations; otherwise the risk of creating an Orwellian state is upon us.
Irrespective of the government’s good or bad intentions of its launch, Arogya Setu perpetually fails to meet the bare requirement of the popular informational privacy framework. Workings of the application could have been executed in better ways for its better functionality, an instance of which could be voluntary, instead of obligatory installation of the application. for the free will of the individual. The entity of an individual’s right to privacy is governed by Article 21 of the Constitution of India, any intervention in which must at least be a discussion or debate, and not free end order of the centre. Nevertheless, there is no doubt in exclaiming that a contact tracing app was a necessary step observed by the government to control the community spread of coronavirus, yet its database and transparency concerns could have been managed better, for the safety and contentment of individual installing the application. Similarly, there is also a need to establish base laws and regulatory authorities for purposeful and benevolent implementation. Government must find a way that protects both the health and the right to privacy of citizens also. India needs better laws in 21st century and for the coming centuries are of the virtual world and digital era. Today the right to privacy becomes very very important for daily progress. After analyzing the all the laws and statutes by some previous cases and incidents some suggestions and action which government can take to tackle the issue of data breach. Government impose high penalty in form of punishment and fine both put this in non-bailable offences category. Make laws to protect the citizen identity from theft. Make proper ways to control the all laws and made a central level authority to deal this type of matter. Make an amendment in IT act 2000 add that it also check the government intervention in cases of cyber crime.