Some narratives around privacy during the COVID19 pandemic appear to offer up a binary choice between the health of a population and the privacy of a few. However, it need not be a binary choice, and there can be some norms, checks and balances to ring-fence any violations of privacy by governments. MediaNama held an online event on Privacy in the era of COVID19, on April 29, 2020, with the participation of key stakeholders from law and policy, to discuss these norms. The discussion was supported by the Internet Society, Google, Facebook and the Centre for Communications Governance at NLU, Delhi.
Norms for disease surveillance and contact tracing
- Anonymise data as early and as well as possible, according to Rahul Matthan. “The best way is to anonymise data,” Shweta Reddy from CIS added, but warned that “there are questions around the effectiveness of anonymisation. Research by Sean McDonald indicates that the only way call data records data during the Ebola crisis were usable was with de-anonymisation of data. There need to be more technical conversations around anonymisation and utility.” Divij Joshi pointed out that there is no clarity on what kind of anonymisation techniques are being used in contact tracing apps, and that “The government has used anonymisation as a substitute for de-identification.”
- Data minimisation: Collect only what you need, said Sreenidhi Srinivasan of Ikigai Law. For example, contact tracing doesn’t require location. You only need proximity data. You don’t need direct identification of individuals. Try and avoid that. Rahul Matthan added that data collected through contact tracing apps should only be pulled into government servers when it is needed. “Contact tracing requires a history of data, but that requires to turn tracking on, but you don’t need to pull it up to the cloud unless you need it.” Divij Joshi suggested a focus on minimisation and decentralisation technologies: “The DP-3T protocol that has come up in the EU is particularly interesting. Decentralisation builds democratic trust in the user itself. It says that if you want to volunteer the information to the central government for your own benefit, you may choose to do so. If you don’t want to, it is only going to give you the information that you are possibly infected, so you can choose to take any action based on that information. It doesn’t say that if you download this app the cops are going to arrest you.”
- Proportionality: “Proportionality is really important: not just a suitability test”, Vrinda Bhandari added. “Is it [the technology or the data collection] necessary or solving this purpose? Is it the least restrictive measure, and what is the balancing that you have to do? What are the rights and obligations on the other side?”
- Purpose specification: The purpose of the data collection should be clearly specified. Purposes should be specific enough that you can exclude any kind of further processing for purposes that are unrelated to COVID19, and function creep should be avoided, Sreenidhi Srinivasan said. Rahul Matthan added that in case of the Aarogya Setu app, the purpose of data collection was clearly specified.
- Limitation on sharing of data: “If you’re using the data for a secondary use, are you starting the notice cycle again?” Shweta Reddy from CIS asked. Rahul Narayan added that there has to be a limit on sharing of data. “When data is collected compulsorily for a purpose, by one particular department, it cannot be shared with another department for any reason, unless there is a warrant or some such thing. It comes from a pretty important judgment called Marcel vs Commissioner of Police, in which the Chancellory Court in the early 1990’s. It’s an important judgment for Government sharing of data. It’s not that if I give my data to the department of health, it shouldn’t be that the police department knows what is going on, or the tax man. This would encourage people not to share data.”
- Map out data sharing for addressing the pandemic: “This is a health pandemic and we are looking at an economic crisis later. There will be other moves by the government to use the information that is not just from the [Aarogya Setu] application”, Malavika Raghavan added. “I would like it mapped out, from the government, what personal information is currently being leveraged in this pandemic, for the health crisis, and ring-fence it, so that six months later, we are trying to target something somewhere, there is a clear rationale why we’re trying to access this data. Can we have ringfencing in parliament, in terms of the personal dataflows that are happening to deal with the health crisis? Many countries do have this norm.”
- Principle of non-discrimination: “My number one priority”, Divij Joshi said, “is incorporating a principle of non-exclusion or non-discrimination in the way that we’re using these [contact-tracing] applications. This is not new. Both the proposed legislation in the UK and as well as the actual legislation in Australia a few days ago, incorporates the principle that says that no one will be harmed if they don’t have access to a technology. No one shall be denied access to food shelters or night shelters if they haven’t downloaded the Aarogya Setu app, and implementing immunity passports, which is happening in India through the e-pass program.”
- Privacy by design: factor privacy in your assessment of risks and that includes transparency, Sreenidhi Srinivasan said.
- Oversight – preferably judicial oversight – and accountability: It is important to know who is getting the data, defining who is the exact data fiduciary in that case, Shweta Reddy from CIS said. “Only if you know who the data fiduciary is, that you know whom to approach. Oversight, and accountability of the organisation that is collecting data, is very important.” Vrinda Bhandari highlighted the fact that in case of the Aarogya Setu app, “the government is not liable for any misuse. The question is who is accountable? You need an ombudsman to whom someone can go and say that there has been a violation. Asking people to file writ petitions in court is not a sustainable solution.” Gautam Bhatia pointed towards judicial oversight regarding privacy violations currently in place in South Africa, saying that South Africa has designated a former constitutional court judge – Kate O’Regan, among the most respected from across the political aisle in the court’s history – to oversee the government applications for surveillance during the lockdown. “There are ways to ensure that you set up institutional frameworks that create the kind of oversight mechanism without interfering with the government’s response and their ability to manage it dynamically”, he added.
- Reviews of surveillance mechanisms: There should be a periodic review of the disease related surveillance mechanisms in place, to check for necessity, proportionality and efficacy of the steps being taken, with periodic decisions being taken to extend or sunset certain surveillance. Review may also be from a region-by-region perspective.
- Apps should be open sourced: “In the interest of transparency and building trust, and addressing defects based on feedback from the community”, apps such as Aarogya Setu should be open sourced, Rahul Matthan added.
- Data protection impact assessment: While implementing a high-risk tool, that involves large scale adoption, or systematic monitoring, do a data protection impact assessment, to mitigate risks, Sreenidhi Srinivasan said.
- Data Retention and deletion: Data should not be retained beyond its stated purpose being met. Rahul Narayan said that the data should be deleted. Rahul Matthan added that “On the Aarogya Setu app, [data] is deleted on a 30 day cycle. On the cloud it is deleted after 45 days. If you are infected, it is deleted 60 days after you are cured.”
- Sunset clause: Many speakers supported the idea that a sunset clause needs to be in place. Note that the Aarogya Setu contact tracing app doesn’t have a sunset clause. Amar Patnaik, Member of Parliament (Rajya Sabha), earlier in the discussion had said that setting a sunset period on surveillance is difficult: “No one knows for how long surveillance measures would be necessary,” Patnaik said. There is “no guarantee that if somebody has already recovered after contracting the infection, then they will not be infected again. People say the virus changes with temperature, so it might come up again in October, so you don’t really know when people’s data should be erased,” he said.
Governance framework for privacy in a pandemic
“The government has to collect information and do contact tracing to control epidemics, but it has to do it in a manner which wins the people’s trust,” Alok Prasanna Kumar, from Vidhi Centre for Legal Policy, said. “It will be interesting to see how states deal with the Tablighi Jamaat challenge and how many states were successful in asking those people to come forward. Tamil Nadu was successful, but Karnataka failed. Certain states had to take coercive measures to do so.”
“The question to ask then is: did people not trust the state governments to treat their data respectfully? Did they not trust that they will be taken care of? When we design a law that handles an epidemic, it will have to include privacy protections. It is not a binary of privacy vs. health, but on a spectrum of what measures can a state take without losing the trust of the people,” Kumar said.
Some considerations regarding governance frameworks from our participants:
- Have a Privacy Law: “You cannot predict when an emergency comes, and when an emergency comes, if you don’t have guidelines as to how to function in an emergency, you start doing things by the seat of your pants”, Matthan said. “The first thing is to have a privacy law that articulates the principles you need to follow.”
- A separate law for infectious diseases to address privacy and data protection: While Section 12 of the Personal Data Protection Bill says that the data can be processed without consent in scenarios related to disease outbreaks, Smitha Krishna Prasad said that it doesn’t solve for all of the other problems, in terms of guiding how privacy considerations need to be taken care of. “We do have plans in place for disease surveillance, epidemics and for health related issues. Those laws are not updated to account for privacy or the use of technology and data at scale. These plans have been evolving for at least 20 years in the context of disease surveillance. In the past 4-5 years, they have been developing a platform for use in this context, but the laws have not evolved. We need a privacy law and to update our regulatory frameworks,” she added.
- “South Korea’s Infectious Diseases Control and Prevention Law, was amended in 2015 after the MERS outbreak, to account for the fact that more personal data will be collected, and generally to address the use of technology during outbreaks/epidemics”, she said. “The law specifies data retention limits, notification requirements, and requires that all the data and its processing will be subject to general data protection and privacy laws. It’s a graded response, and everything does not kick in immediately but there is some thought to figuring out how data protection fits into disease surveillance. This was also accepted by the civil society and privacy rights experts in South Korea.”
- Consider a temporary legislation: “I don’t think the PDP bill is going to be forthcoming within this time,” Divij Joshi said, adding that he doesn’t think it is intended to be used in emergency scenarios. “It is impossible to predict what kind of information or safeguards you might require in an emergency. The temporary legislation needs to be carefully constructed and give inputs as to what that temporality means because as the SC has held in Krishna Kumar vs State of Bihar, temporary legislations are construed from case to case and it is possible that the effects can carry forward even after the legislation.” Note that some countries, including Singapore, have a temporary legislation in place. Joshi said that we would look at a temporary legislation for this situation, “probably an ordinance with temporary provisions and sunset clauses.”
- Emergency Provisions need to be added to the Privacy Bill: Gopal Sankaranarayan was of the opinion that emergency provisions need to be added to the Privacy Bill: “If the Privacy Bill is supposed to take care of privacy concerns, it needs to contemplate every possible situation they can conceive of.”
- The need for a regulatory body, even if it’s a temporary commission for privacy: “You can’t have prescriptive solutions for an emergency,” Rahul Matthan said, adding that it would have helped to have a data protection authority. “A regulator can translate principles into prescriptive guidance for that specific emergency, such as what care should be taken while collecting data”, he added. Smitha Krishna Prasad, of the Centre for Communications Governance at NLU Delhi, pointed out that the Data Protection Authorities in Canada came out with explanations on what exceptions can be made to the government for data collection during an epidemic. Malavika Raghavan, head of the Future of Finance Initiative at Dvara Research, pointed towards the Privacy and Civil Liberties Oversight Board in the US. “This is even for people whose personal data is being accessed for law enforcement. Can you have a body that is set up, which could later be the privacy commissioner or the Data Protection Authority, which signs off when there is a large information handling program? Information handling is just one part of this pandemic. The people who are thinking about it haven’t been trained in data protection issues. But the point is, who in government has the accountability? We can come up with a commission right now, with a standing committee in Parliament that actually has the accountability right now, and shift that to the DPA later?”
- Other measures to build trust, like emergency standards: “It’s important to make sure that you don’t just rely on privacy law to protect you [or build trust]”, Malavika Jayaram, Executive Director of Digital Asia Hub said. “There are other measures that you can take. Gig workers in Singapore have ensured that they keep what they’re delivering six feet away from the door, for their protection as well as yours. There are so many extra-legal ways to build trust,” she said.
“The countries that have fared really well, whether it is Hong Kong, South Korea, Taiwan or Singapore, they all had a history of exposure to SARS or MERS. They have all implemented alert levels, and emergency preparedness techniques. When the Singapore government said that we moved to DORSCON Level orange, everybody knew what that meant. You had interoperability of vocabulary, standards that people understood. You understand what work-from-home, quarantine, stay-at-home meant. Those were standard terms that everybody was socialised to. There is a lot of work around education and preparedness that goes into this. There are measures that you can take, without privacy being your main attack surface” – Malavika Jayaram, Executive Director, Digital Asia Hub.
- “Declaration or continuation of the emergency should be parliamentary, and it should not be executive”, Rahul Narayan added. “The executive can make decisions, but what is important to consider here is that the normal procedure of federalism is gone. For that, there needs to be constant Parliamentary oversight.”
- Involve the opposition: “Have a team of rivals, so to speak”, Rahul Narayan said. “In World War 2, Churchill had also Clement Attlee as a part of his cabinet. If for example, the decision making authority is going to decide everything in this country, is comprised of people of different political views, and people of different states and the union, it might increase the national purpose behind it.”
- Involve civil society: “Informed people in society need to bubble up issues that are critical and need to be pushed through,” Rahul Matthan said. “Government needs to have a mechanism for receiving inputs and communicating with civil society. If changes can’t be implemented quickly, there needs to be a mechanism to communicate back with civil society. Opacity and lack of communication can be a concern.”