“The Blind Men and the Elephant” an old Indian tale that ought to be returned to in these unprecedented times. following is an exposition of the parable:
“An elephant goes to a town and a social occasion of visually impaired men creates interest concerning its structure and appearance. They choose to feel the elephant exclusively to unravel how it might be in fact. One visually impaired man feels the elephant’s ear and announces, ‘an elephant resembles a major fan,’ another visually impaired man feels the elephant’s leg and says, ‘an elephant resembles a tree trunk’ and the others thought of similarly crazy yet pertinent analogies. At that point, a wise man passing them proposes that the visually impaired men should feel the various parts of the elephant. On doing as such, the visually impaired men understand that the elephant is made out of numerous parts, and before the wise man’s suggestion, they had a restricted comprehension of the elephant’s physicality.”
Information protection amid the pandemic seems like the elephant. If we focus exclusively on individual opportunities and rights, at that point we risk bargaining the bigger public interest of both life and vocation and the other way around. Along these lines, it is basic to analyze the technological interventions deployed to combat COVID-19 against the benchmark of a balance between civil liberties and public interest.
As we wrestle with a global pandemic, governments over the world progressively depend on data innovation to propel their battle against the virus. From contact following to quarantining selfies, cell phone applications have begun deciding the course of general wellbeing activities. The current controversies relating to identifying with the assortment and preparing of health data to battle COVID takes this issue to a different level. It speaks to a pressure between two fundamental rights: the right to life and the right to privacy.
Data and Public Health
Comprehensively, technology has been summoned at three levels. To begin with, in making a rundown of people suspected to be infected with COVID-19; second, in conveying geo-fencing and drone imagery to monitor consistency by quarantined citizens; and third, using contact-tracing cell phone applications, for example, AarogyaSetu. Every one of these measures has initiated a miasma of distress. The government has relied on ancillary laws to legitimize the arrangements proposed for taking up arms against the COVID.
The Epidemic Diseases Act, 1897 has been referred to as the reason for freely uncovering individual data of quarantined people in Rajasthan, Karnataka, and different states. Arrangements under the Disaster Management Act, 2005; the Aircraft Act, 1934; and the Telegraph Act, 1885 are being reconsidered to legitimize the authenticity of sending drones/geo-fencing advances and authorizing the utilization of contact following applications. Utilizing conventional laws to weaken the right to privacy is in itself indefensible.
In the search for the right to privacy
Privacy right is a multidimensional thought. In today’s time, the right to privacy is seen in the eyes of the law as well as in the common jargon. Article 21 (fundamental element of the right to life and personal liberty) of the Indian Constitution secures the right to privacy and advances the dignity of the individual.
Granted that no fundamental right is absolute and that during this pandemic, the privilege of protection can be diluted. In any case, the issue emerging out of the work of these components pales when contrasted with the quandary of a missing lawful mechanical assembly to check these systems. There is no legal backing such dilution.
Justice Chandrachud held the right to privacy to be encompassing of the right to informational self-determination, which gives every individual the fundamental right to determine the extent of his personal information being disseminated. An individual has the option to control the scattering of any data individual to her/him/them, yet this privilege has been abused dichotomously, first by the government and subsequently by news broadcasters and social media.
Analysis of the Constitutional Touchstone
Considering the upsetting turns of events, the touchstone of the 2017 Supreme Court judgment Justice K.S. Puttaswamy v. Association of India becomes imperative. It prompted the acknowledgment of the right to privacy as a fundamental right, says that during epidemics, personal data could be shared but in an anonymized way. Aside from commanding the secrecy of information, the judgment additionally takes note that limitations on the privilege of protection must be legal, proportionate, and vital. These limitations can mean:
- Restricting the utilization of the data collected for business or law authorization purposes.
- Restricting admittance to this information to just explicit entities.
- Gathering and unveiling only the necessary data.
Notwithstanding, information partaking in India during the COVID-19 pandemic has neglected to comply with these. Even the innovative applications that are used for gathering health information have overlooked the requirement for these shields.
Legal norms remain Aspirational
A sweep of the regulatory scene in India uncovers an overall nonappearance of standards to deliver concerns identified with the utilization and sharing of health data during COVID-19, and those on other information regularly gathered by the legislature. Here’s how:
1. The Information Technology (IT) Act, 2000, which contains general information security laws, doesn’t have any significant bearing to the Government.
2. Laws explicit to the medical care division, for example, the Medical Council of India’s coupling Code of Ethics, are silent on the treatment of health data once it is disclosed to the government. Besides, there is no particular arrangement in the rules for the anonymization of data.
3. The Electronic Health Record (EHR) Standards, that determines voluntary security and protection guidelines for electronic health and clinical records, accommodate anonymization of individual data in cases that require information exposures, for example, during ‘national priorities’ which incorporates transmittable diseases. They further specify keeping up audit logs and access limitations. Notwithstanding, even they neglect to address the responsibility of government elements as the material law under the Standards remains the IT Act structure.
4. At whatever point passed, the Personal Data Protection (PDP) Bill 2019 may give some refreshed standards to the overall data insurance biological system. It was required to subsume the draft Digital Information Security in Healthcare Act, which had tried to outline somewhat more refreshed standards for health data sharing, however even those needed lucidity and adequate protections. Yet, even while the PDP Bill groups health information as ‘sensitive personal data’, it gives the administration wide powers to exclude any office from for all intents and purposes each arrangement of the Act.
Sections 2 and 2A of the Epidemic Diseases Act, 1897 permits the Union and state governments to take measures in furtherence of forestalling the spread of disease through temperoray guidelines. Notwithstanding, no such guidelines have been given by either government managing such data assortment and dispersal.
Section 6(2)(i) of the Disaster Management Act approves the Center to “take such different measures for the prevention of disaster or the mitigation, or preparedness and capacity building for dealing with the threatening disaster situation or disaster as it may consider necessary.”
In arguendo, regardless of whether this arrangement is depended on, it actually needs to finish the proportionality assessment. For a measure to breeze through this assessment, it needs to satisfy the accompanying rules 1. Valid Purpose; 2. Reasonable association with the object tried to be accomplished; 3. No other alternatives; and 4. The discernable connection between the significance of the point looked to be accomplished and the social significance of forcing a restriction on a constitutional right.
The doctrine of Colourability
The Supreme Court has held that the precept of colourability depends on the rule that the state cannot do indirectly what it can’t do directly. In Ujjam Bai v State of U.P., the Court had expanded the use of this regulation to executive action. Comparable to this pandemic, it is contended that the state is probably going to in a roundabout way to violate the right to privacy by methods for private technological based companies.
The government has launched a series of apps in public-private partnerships so as to keep a track on the residents regardless of them being influenced by the virus or not. One of the makers of one such application, ‘Aarogya Setu’, has expressed that there will be no penetrate of protection by the data gathered and prepared through the application. The specialists have raised worries since the security strategy of the application doesn’t set out the extent of sharing such information inside the organizations. Additionally, it doesn’t accommodate any time limit for when the information gathered through the application might be put away on the administration workers.
Nonetheless, the author contends that despite the gigantic measure of information being gathered by such utilizations of the legislature, the spread of COVID can’t be forestalled by the simple forthcoming assortment of area information as these applications have just been dispatched as of late. Further, the achievement of these applications generally relies upon the number of individuals downloading them on their cell phones and taking care of dependable information into the applications. The quantity of individuals with admittance to cell phones and the web is wretchedly low in India. The possibility of being isolated on the off chance that they would have interacted with a tainted individual would additionally stop individuals from giving vital information into such applications.
An example of the right to privacy in a health crisis can be found in the EU General Data Protection Regulations (EUGDPR).The EUGDPR commands that even in extraordinary occasions of a scourge, the information regulator and processor must guarantee the assurance of the personal data of the individuals.
As of late, the European Data Protection Board (EDPB), the legal authority under the EUGDPR, issued guidelines with rules on the preparation of personal data with regards to the COVID-19 flare-up. The announcement emphasizes that a crisis is a lawful condition that may legitimize the limitations of opportunities, given these limitations are proportionate and restricted to the crisis time frame. The EDPB, in a letter sent to the Directorate-General for Communications Networks, Content and Technology, has illustrated that the information gathered by cell phones of clients to follow the spread of the virus should likewise be agreeable with the standards of EUGDPR and must be suitably anonymized.
Also, the Health Insurance Portability and Accountability Act (HIPAA) of the United States secures separately recognizable health data of patients in the medical care framework. Under the Act, utilization of such private data of patients may just be considered may only be allowed for the purpose of prevention or control of a disease, injury, or disability, for public health surveillance, public health investigations, and public health interventions. Any such utilize must be as per law taking into account such capacities and not something else.
A Step Towards Privacy Taken by The Government
To shield classified health data gathered from individuals under the National Digital Health Mission (NDHM), the legislature has proposed a system and a lot of least norms for information security assurance to be followed in all cases in consistence with material laws and guidelines.
The NDHM was reported by Prime Minister Narendra Modi on the event of 74th Independence Day. The National Health Authority (NHA), the central agency liable for the usage of Ayushman Bharat Pradhan Mantri Jan Arogya Yojana, which has been commanded to plan an out NDHM in the nation, has delivered the draft ‘Health Data Management Policy’ in the public domain.
The draft policy mostly looks to set out a system for “secure preparing off individual and delicate individual information of people” who are an aspect of the public computerized healthcare environment. Information gathered over the National Digital Health Ecosystem (NDHE) will be put away in at the focal level, the state or Union Territory level and health facility level, by adopting the principle of minimality at each point, according to the document. This National Digital Health Blueprint is an expansion of the National Health Policy of 2017 (NHP 2017) that was detailed to give all inclusive medical care to all residents of India dependent on digital technologies for accomplishing higher productivity and adequacy. In 2018, the NITI Aayog presented the National Health Stack (NHS), which is an advanced game plan pointed toward building up a more clear and sturdier medical coverage framework.This is just a draft proposed by the government. Nothing can be assured until it is passed, enforced and place us in a secure position.
A question mark stays regarding what will befall the information once the pandemic is over. There are serious worries that without administrative oversight, the data can be misused to manufacture a complex observation instrument that will screen residents without their assent. Notwithstanding government confirmations, residents and civil liberty organizations dread that the absence of a robust data protection law is a shortcoming that can be misused to utilize individual information for unintended purposes.
The quirk of the circumstance in India is with the end goal that there is no knowledge concerning what personal data is being collected, the power gathering and liable for it, and the fate of that data after the pandemic. The inquiries are many, however there is no one to answer.
I rehash that India desperately needs a robust and devoted law to manage pestilences of the magnitude of coronavirus. In adjusting general wellbeing and security, the right to privacy cannot be infringed. The one way out can be, instituting amenable policies by both the government and the companies, as for the collection, storage, and sharing of data. This move would indeed prevent the right to privacy from being pulverized. Such a pre-emptive methodology and expanded scrutiny of the activities of private companies would forestall our plummet into an Orwellian dystopia world during a global pandemic.
Author Details: Siddhi Mehta (Pravin Gandhi College of Law, Mumbai)