By Trisha Jalan and Aroon Deep
“What is more important between the privacy of one individual person or the life of a full community?” Biju Janata Dal MP Amar Patnaik asked. If people aren’t revealing information fearing stigma, what can the government do? he asked. “There is a legitimate state interest in collecting information such as a person’s name, their parents’ names, relatives’ names, places they have visited, etc,” Patnaik said. The Odisha government had to divulge the name of a patient because all reasonable methods of contact tracing failed, he said. Issues such as how long the data will be collected for / stored, proportionality, minimum data required, and whether it has to be specified to a patient have to be pondered upon, he added.
“Privacy is central to all these discussions, but it’s by no means the only human right that is being violated,” Malavika Jayaram said. To frame privacy as a trade-off or a balancing act is extremely disingenuous. It’s extremely complicated and you have to deal with issues like accessibility, minorities, freedom, right to food, among others,” she added.
MediaNama held an online event discussing Privacy in the era of COVID-19, on April 29, 2020, with participation of key stakeholders from law and policy. The discussion was supported by the Internet Society, Google, Facebook, and the Centre for Communications Governance at NLU, Delhi. Some of the issues around challenges to privacy, rights, and the global trends around privacy and data protection are summarised here.
What governments grapple with
- The need for actors to respond in “real-time”: “A lot is unknown about this virus and people are trying to develop ideas and strategies in real-time. They have to be allowed to work without everyone badgering them with questions: lawyers, activists, their own bosses, Twitter experts,” said Sunil Bajpai. “Could we consider that they are allowed to make their decisions today, the policymakers, administrators, but that everything should be declassified at a later date where all stakeholders can examine it?”
- “The people making the decisions now will also know that their steps will be open [to scrutiny?] later. You can question and engage for improvements [right now], but all it’s very difficult to demand that all decisions be carefully thought of at this stage, because the numbers are rising everyday, and something needs to be done to save lives,” Bajpai said.In response, Alok Prasanna Kumar said the government may need to respond in real-time, but their response cannot change every two days. “A recent clarification to reopen shops required 4 clarifications for people to understand what it meant,” he said.
- The challenge of iterating quickly: An emergency like this leaves you completely unprepared. The measures that will be taken are rapid measures which require to be iterated. You need to have a system in government, that iterates in a sensible, reasonable manner. If you push something out quickly, you will make mistakes, Rahul Matthan said. The rate at which changes can be iterated into a [tech] product, is not really in the control of many people, he said.
But what about accountability? “In Odisha, we have given the power to the community. Village sarpanch have been given the power to ensure quarantine and isolation of incoming migrants. They are going to collect data on these migrants, but what kind of protection mechanism do we expect at that level? What would happen if there is a leakage?” Patnaik asked. “There are safeguards, when put in place, would make this all more legally palatable,” Narayan argued. “This is not the way democracies are supposed to work. We don’t put a dictator in place and say all they do is right. The quality of decision making improves with accountability.”
Rights in the time of disasters and emergencies
- Is the lockdown even legal? There is no law which permits the government to impose a lockdown, it’s definitely not allowed in the Epidemic Diseases Act, according to Gopal Sankarnarayana. The government has to specify why steps such as social distancing, curbing of rumours, mandatory data collection are being taken and for what purpose, he said. “The government should tell people that these are specific measures for which information is being collected, this is what it will be used for, and these are the safeguards,” he added.
- Existing laws allow for “sort of” emergency: The Epidemic Diseases Act, 1897, and the National Disaster Management Act, 2005, allow for a “kind of” emergency, explained Alok Prasanna Kumar. The Constitution provides for three different kinds of emergencies, but there are also other laws and provisions allowing for a “state of exception”. “Both laws allow authorities to exercise unusual powers, but both are inadequate to come up with a proper privacy regime, or even to deal with this pandemic,” he said.
- Constitutionality of emergency powers: “In the Indian constitution’s emergency provisions, there is a clear insistence that there needs to be a proclamation of emergency, ratification by the parliament, and a definite end date for an emergency,” Bhatia said. “The emergency begins, and then it ends. And then we go back into pre-emergency times. That ensures that the legal regimes are separate. The problem with the handling of the current pandemic is that both the National Disaster Management Act and the Epidemic Diseases Act are not formally emergency legislations. All central and state governments need to do is simply invoke them. These laws have umbrella clauses that give the government exceedingly broad powers to manage the pandemic without parliamentary oversight.”
- Keeping peacetime law and emergency law separate: “The way the law normally operates in the legal framework is you have the legal landscape for normal times, which is the default; and then you have exceptions,” Bhatia pointed out. That is premised on the shared belief that in cases of crisis like this one, you need to suspend some principles operating in normal times. “The reason it’s important to keep these clearly separate is that there will be a possibility that the state of exception will bleed into the state of normalcy,” he said.
- Legitimate suspension of rights for emergencies: “There are certain kinds of rights that need to be suspended or temporarily infringed during a pandemic,” Gautam Bhatia argued. “Transporting people during a cyclone [during Cyclone Hudhud in Odisha] is a good example. You can argue that freedom of movement is being violated by forcing an evacuation, but everyone understands that to deal with a cyclone you need to temporarily suspend that right only to deal with this situation.”
- Some rights remain sacrosanct even in emergency situations: “There are other rights that cannot be suspended even during a pandemic,” Bhatia said. “ For example on data collection and use, as long as you have principles like purpose limitation and data minimisation for what data is being collected — these anyway applying in a normal time — that is fine. But you don’t need to go beyond those principles and cite a pandemic to justify that. You don’t have an added benefit in tackling the pandemic if you give a go-by to these principles. The question of which principles remain sacrosanct during a pandemic and which can be given short shrift, is important. And that is a democratic decision that should be taken after due deliberation.”
- Power at local levels can be ruthless: “There is the role of Google and Apple in designing the instruments they use to assist during the pandemic,” Aniruddh Nigam said. “But then there are some private bodies being roped in for enforcement. There are reports of suraksha samitis and volunteer groups being granted police-like powers in Madhya Pradesh or Delhi, with residential welfare associations taking on the responsibility of ensuring that lockdowns and social distancing are followed. There is a question about the competence of these bodies to do these things. Power does operate more ruthlessly at local levels, and there are questionable motives these individuals might have.”
- Is resisting contact tracing a legitimate form of resistance? “There is some chatter on not installing Aarogya Setu as a sign of resistance,” Nigam said. “I think there needs to be a discussion on what would be legitimate resistance in this situation. Because my sense is that a response that refuses to opt in to contact tracing might be dangerous as well.”
- Can’t have law-like regulations: “We need to focus on institutional framework. A law needs to exist for a broad violation for rights,” Rahul Narayan said. “This is not an emergency constitutionally so the courts cannot say this or that is not important. Everyone needs to act in accordance with the law as it stands. In terms of the NDMA and Epidemics Act, it is not justifiable to allow massive amounts of legislation in the guise of regulations and rules. It’d be better to have a broad legislative framework to permit this. In the House of Commons, for a money bill that cannot be scrutinised by the House of Lords, the speaker has to consult backbenchers from both parties.”
- Existing laws were not made keeping future epidemics in mind: “Both laws were reactive and never framed to deal with future epidemics. The Epidemic Diseases Act, 1897 was framed after the plague outbreak, which largely affected rural areas. The National Disaster Management Act came in the context of the Indian Ocean tsunami, and was designed for multi-state disasters, but was never intended for nationwide implementation from Delhi. There is a difference between dynamism and complete chaos,” explained Kumar.
- Do we need a separate disease surveillance law? “In India it is assumed that the information collected by the government will be used only for the purpose of fighting the pandemic. But what happens if there’s a leak? If we have higher numbers, then people will have to go to private hospitals, then the same data could potentially be leaked to people outside. So what is the kind of control we must have? To cover all this, is it necessary to have a separate disease surveillance act,” Patnaik said.
- What the PDP Bill allows: Section 12 of the Personal Data Protection Bill allows for non-consensual processing of data, including during epidemics, said Vrinda Bhandari. To invoke Section 35 — which exempts government agencies from large parts of the bill — the government would have to clearly say that this is a national security issue. That may be an impediment for the government, because to make the case that a health emergency might be a public order emergency is a harder case to make, she added.
Internet access and the pandemic
4G restrictions in the time of COVID-19: Jammu & Kashmir has spent most of the lockdown with access to only 2G internet. This is is harmful to health, education of children, access to justice, right to be able to work, especially given that the communications shutdown had been in place for nine months. In Anuradha v. Union of India, the court was clear that this should not be a permanent state, she said.
“We are in a state of emergency one way or another. There, proportionality becomes important. In proportionality analysis, the balancing test is important. What we are trying to argue is that during COVID-19, the balancing test is changed. The disproportionate effect on a majority of the people has happened: doctors can’t download guidelines and advisories, students can’t access online learning services, people can’t work from home.” said Vrinda Bhandari.
Challenges faced in protecting privacy
- Will the courts interfere? “Our courts are unlikely to interfere in this scenario and are willing to postpone any discussion on things which they think are rights of luxury, such as privacy,” Gopal Sankaranarayana said. “Even when it came to the right to food and health of migrant labourers, they refused to step in and deferred to the wisdom of the government,” he added.
- Contact tracing apps are only as good as the uptake: The TraceTogether app has been downloaded by only 17% of people in Singapore, a country where there is immense trust in the government. “It doesn’t address the behavioral aspects of how people function, with issues like battery draining. Social distancing won’t work when you have 20 men in a small room sharing a common bathroom. If you don’t look at the context in which even legal and legitimate measures are enforced, you are missing the woods for the trees.”
- Existing disease surveillance programs do not address privacy: The Integrated Disease Surveillance Program and other similar programs in India do not address data protection and privacy issues, explained Smitha Krishna Prasad. “Our health laws also focus on doctor-confidentially and similar issues, rather than go into a more detailed explanation of privacy and data protection,” she said.
- How much anonymisation is possible? “Data anonymisation is not needed if someone is doing research, and you can argue that the medical fraternity is actually doing continuous research to fight the pandemic. So how much anonymisation can we do so that it still remains useful,” Patnaik asked. However he did acknowledge that anonymised data is useful for determining containment zones, and resource allocation to hospitals, etc.
Global trends in privacy incursions amidst the pandemic
- Governments are taking the approach of “never waste a crisis”: The government is using the pandemic to push emergency powers, cut down on civil society movement, gag media and especially independent media, said Malavika Jayaram. “There is a sense that people are asleep at the wheel, and the government can push through things which would be egregious and unconstitutional in normal circumstances,” she said.
- Increasing partnerships across public and private powers: Public-private partnerships and even private-private partnerships, such as the Apple-Google collaboration, have been accelerated, Jayaram added. “We have to worry about consolidation and antitrust experts have said this dwarfs every competition issue out there,” she said.
- Active, rather than passive, surveillance: Governments are aggressively going after telecom, tech companies, and healthcare companies, and anybody who else actively collects data – they are being pursued, so that governments can actively pull data, Jayaram observed.
- The emergence of traffic light and other binary systems; their concerns: Immunity passports, and traffic light systems in China and other countries, as well as other binary systems — which allow or disallow some actions or movements — have extremely long-term implications, Jayaram said. They are extremely hard to dismantle after the crisis is over, and will only enhance systems of oppression and structures that have amplified inequality,” she said.
Observations from post-lockdown China
- Health codes in China: The health code or passports in China has become a new form of identity, explained Dev Lewis, who has been based in Shanghai since January. The system records “everybody’s entry and exit into cities, domestic travel, public spaces, gyms, malls, and who is allowed to go back to work in factories and white-collar workplaces”, he said. The implementation is not uniform and is decentralised. 200 cities have created their own version of the health code that governs what people can and can’t do, he explained.
- China’s real-time ID system: Everybody’s phone is linked to a real-name ID, it has an existing system where every app you downloaded, and what you posted online was linked to this. On top of that, the health code was built by Tencent and Alibaba who were able to insert the code into WeChat and Alipay. Tencent had 900 million users within two weeks. Tencent claims that the app has been used 9 billion times. None of this is comparable with India’s infrastructure.
There are increasingly more similarities between China and India’s internet space, Lewis observed. “Aarogya Setu also has a traffic light system now. It’s difficult to see how India can look at the Chinese health code as a model, since the code sits on a techno-legal infrastructure which China has been building for the last few years. This is just not comparable with India.”
Response of civil society
- Civil society is also responding: Measures are being adopted to put in checks and balances, such as Professor Lillian Edwards’ bill on safeguards against COVID-19. Lillian Edwards’ safeguards bill prescribes minimum safeguards with regard to immunity certificates. It talks about the digitally excluded and ensuring confidence that data will not be misused, talks about consent. It warns against digital divides such as discrimination for not having a phone, failing to charge it, or leaving the house without it, imposing sharing status messages, etc. It also talks about Data Protection Impact Assessments.
- Civil society with technical capability are pushing for contact tracing apps to be open-source, auditable, and to put them up for other people to vet them. The Trace Together app was touted as open-source, but only the protocol is open-source not the entire source code.
“We need to resist norm changes in terms of what is happening. After 9/11 in the US and 26/11 in India, you have changes in the way surveillance is perceived and national security is perceived,”Divij Joshi said. “We are seeing operating system level or platform level changes, which Google and Apple have been proposing. Saying that this is a good time to breach end to end encryption. We need to make sure that technical design by design is limited to a specific time.”
Consent and power asymmetry
- Consent cannot be freely given if most don’t have a choice: Shweta Reddy points out, “Especially in the case of the pandemic, consent cannot be freely given. Central government employees have been told to download Aarogya Setu, so consent is gone there. If you move away from consent to the lawful ground under the Personal Data Protection Bill of ensuring that the state government is processing data based on the law, there is at least one additional step of deliberation to make sure the law is being followed.
- Even without consent, trust and accountability are key: Accountability without consent: Section 12 of the Personal Data Protection Bill follows has provisions where even if you don’t have consent, you have to demonstrate compliance with data minimisation. Trust is core to a public health response strategy, even if your response strategy is evolving over time. If you’re able to show that at one point you don’t need information collected in the past, that’s fine as long as you have taken privacy into account by doing the risk assessment and need analysis for data.
- Workers’ rights and contact tracing: “It’s not a fair choice to make between livelihood and privacy,” Shweta Reddy said of companies like Zomato requiring workers to have the Aarogya Setu app installed. “An employer in certain cases can process personal employee data under the PDP Bill without consent, but only in the context of contract termination or background checks. Zomato is not legally doing anything wrong, since there is no data protection bill yet, so there is no framework to guide their reaction. Till there is an overarching law, acts of organisations cannot be held accountable.”
Norms for private companies
Can private companies’ tech solve a problem they didn’t design their products for? “The use of big data has driven disasters in the past, or at least sought to sideline equitable access to public health,” Divij Joshi said. “In Sierra Leone, big tech companies tried to use technology to counter the Ebola crisis. But because of lack of widespread technology adoption, and the fact that call data recording and GPS were not appropriate for that epidemic, it eventually sidelined the actual goal and led to decisions on resource allocation which affected people who are most unlikely to be able to challenge these systems.
“We need to challenge the assumption that technology and data will be helpful. The systems we are trying to put in place to solve a humanitarian crisis were never created to solve humanitarian crises. They were made for surveillance or profit. You can’t repurpose them. We need to be critical in how far data and surveillance will go, and see if they will detract from universal access to health.” he added.