Privacy And Public Health: A Line To Be Defined In Between

Should it be Life or privacy first?
What if I am dying, my PRIVACY comes first!!!!

“Privacy” is a dynamic concept that has been attempted to be explained but has still not been defined exhaustively. With the change in time and advanced technology, the concept of privacy has seen severe metamorphic phases. Considering the Indian scenario, said concept has not been expressly mentioned as a fundamental right. This issue was raised before the Hon’ble Supreme Court (SC) in several cases and has been considered in an important case of K. S. Puttaswamy (Retd.) v Union of India wherein ‘Aadhaar Card Scheme’ was challenged on the basis that the collecting and compiling the demographic and biometric data of the residents of the country to be used for various purposes is in breach of the fundamental right to privacy embodied in Article 21 of the Indian Constitution. In this matter, the court agreed that the right to privacy is an inherent right of an individual. Further, the SC held that the Unique Identity Authority of India (UIDAI) cannot transfer any biometric data without the consent of the person. Through several judgments, several rights have been covered under the umbrella of the right to privacy, including telephone tapping, personal intimacies of the home, marriage, family, motherhood, etc. With such pronouncements, the awareness, and consciousness among citizens and the public have increased which often creates a conflict leading to a hindrance in the smooth functioning.

In the present times there is an outbreak of the infectious disease caused by the coronavirus (CoV), viz., COVID-19 (SARS Cov-2) which is also declared a pandemic by the World Health Organization (WHO). In the era of globalization, it is impossible to bind even the infectious diseases within any of the nation’s boundaries, and so is in the case of CoV. Currently, the only effective measure to combat the virus is to adopt social distancing. In this context, as a preventive measure, the use of surveillance mechanisms to keep track of infected individuals and potential patients present in the surrounding seems to be an effective approach. In order to transmit such information, various mobile and web applications have been developed to detect infections in the nearby area of an individual that also render alerts as a precautionary measure. Different countries have devised different technologies such as using AI-based thermal cameras identifying in a crowd those suffering from fever to reviewing CCTV footages of the infected person. China, South Korea, and Taiwan have developed applications to track the movement of the person detected positive. Similarly, Israel has allowed its intelligence agencies the use of its citizen’s location data for a period of 30 days. These models might be helpful in fighting against the virus, but the same is being widely disputed to be encroaching upon the right to privacy and the data protection laws.

In this regard, the Government of India (GOI) also launched a tracking application named “Aarogya Setu” which has now been downloaded by more than 90 million people. It requires the user to provide certain data including age, travel history, health condition, etc. and the same is stored and can be later used when a person switches on bluetooth and location services. Once the user contacts with another such user, and in case of one of them being positive, the application alerts the concerned agency and the user as well.

Since right to privacy is only a derived right from the right to life and personal liberty, so it is comparatively difficult to judge whether data collection is a violation of fundamental rights. The information maintains anonymity using unique digital IDs for each user and, the data shared between the two users are not accessible by the users themselves but are only stored on the server. Despite all these, it is important to know the legality of this measure and whether this data collection is a violation of our rights or is justifiable. For instance, in a case where a person was found to be HIV positive, informing his fiancé of the same was not found to be a violation of the right to privacy. Further, regarding HIV the courts have also held that identification of the infected person is necessary in order to prevent the spread of disease and so any action taken in this regard will be considered unconstitutional. Looking together at the present situation and above instances, it can be said that the health risk posed to mankind by COVID 19 is a way fiercer than that posed by HIV/AIDS. Therefore, the right to privacy may be superseded by the obligation of protecting and improving public health as states are obligated to keep public health as among its primary duties (Article 47 of the Constitution of India). Ignoring or setting aside public health the public may be exposed to the risk of life may get devoid of their direct (not even derived) right to life (Article 21 of the Constitution of India) .

But there must be some accountability on the part of the government when sharing citizen’s data for the sake of public interest at large.

Recently, the government has also clarified that the application as updated has a provision of purging data in 30 days for a person not found to be positive while the duration is 60 days for purging data of a person found to be positive. However, the above position of the government is negated by the fact that at clause 6 of the “Terms of Service” of the Aarogya Setu app is related to Limited Liability where it has been clearly stated that-
You agree and acknowledge that the Government of India will not be liable for any claims in relation to the use of the App, including but not limited to (a) your inability to access or use the App or the Services ; (b) the failure of App or the Services to accurately identify persons in your proximity who have tested positive to COVID-19; (c) the accuracy of information provided by the App or the Services as to whether the persons you have come in contact within the fact has been affected by COVID-19; (d) any unauthorised access to your information or modification thereof.

The clarification provided by government seems a mere statement and to build confidence among users there is a need for detail on information handling. One of the possible measures that could be taken regarding health-related privacy can be explicitly instructed to delete the collected personal data of people, once the purpose for which the data was collected has been served. However, there is still a question, and probably the most important one, which needs to be addressed, is a possible misuse of the data even if the data is getting purged after a specified period. For this, a platform having transparency is required to be built with the applicability of the provisions specified under the Information Technology Act, 2000. Though, the Act provides certain provisions such as punishment for breach of secrecy and confidentiality under Section 72 and Section 72A prescribing punishment for disclosure of information in breach of lawful contract. These provisions undoubtedly strengthen the data protection, but for their applicability in the present scenario, clarity regarding various factors is needed, for example, the aptness of the applicability of the doctrine of the lifting of the corporate veil. In summary, it is the need of the hour to advocate for change in policies that would be helpful for the more appropriate balance between data protection, privacy issues, and the protection of public health.

Article by Vartika Srivastava and Vidushi Bhardwaj, first published on Lexology