Privacy in the age of Pandemic

SYNOPSIS

The members of LAWyersClubIndia had a great opportunity to be able to organize and attend a webinar session with special speakers:

1. Arnab Kumar (the programme director for Frontier Technologies at NITI Ayog and core team developer behind the Aarogya Setu App);
2.  Mira Swaminathan (policy researcher, who has worked for projects related to free speech, privacy, consent & surveillance, with a recent article on 'tech-policy term for snitching');
3. Vrinda Bhandari (independent legal practitioner, working on additional rights and privacy issues and has written explicitly on implications of Puttaswamy judgement on state surveillance);
4.  Antaraa Vasudev (founder of CIVIS, a non-profit organisation that enables individuals to co-create the laws that impact them with the government before they're finalised) and;
5.  Aman (policy officer at CIS, working on cyber-security and data governance and has been working to know the impact of Aarogya Setu).

The webinar dealt with the topic of "Privacy in the Age of Pandemic". The speakers being from different arenas presented views which made the overall webinar very interesting and vibrant.

INTRODUCTION

All the speakers are experts in their respective fields and have presented a wide spectrum of views making the webinar interdisciplinary in nature.

Akshit starts by introducing the topics of discussion which includes discussion on the AAROGYA SETU and contact tracing apps. Because the contact tracing apps have been contested and litigated around the world and in INDIA, there is a need to understand why and how they become relevant in a developing nation where a large majority of the population is unaware about nuances like the right to privacy and the dangers to surveillance. The discussion becomes more relevant as there is a lack of stakeholder involvement especially in the field of tech-policy initiatives.

Shweta then briefly talks about how even after a fundamental right to privacy, India lacks a specific data protection framework except for the SPDI rules.

The major lines of discussion remained:

1. Risks of mass-state surveillance
2. Defining contours of privacy using participatory governance
3. finding the right balance between privacy and healthcare data

One of the major references remained the Puttaswamy judgement on the right to privacy.

Puttaswamy judgment overview

On 24 August 2017, a nine-judge bench of the Supreme Court of India handed down its decision in the important constitutional case of Puttaswamy v Union of India. It is held that privacy is a constitutionally protected right which emerges, primarily, from Article 21 of the Constitution.  This is not an absolute right but an interference must meet the threefold requirement of (i) Legality; (ii) the need for a legitimate aim and (iii) proportionality. It is also noted that, as informational privacy is a facet of the right to privacy the Government will need to put in place a robust regime for data protection.

Background

The case came out as a challenge to the Indian project- Aadhaar, a 12-digit individual verification code through which a database of personal identity and biometric information is covered using eye scans and fingerprints. Registration became mandatory for filing tax returns, opening bank accounts, securing loans, buying and selling property or even making purchases of 50,000 rupees (£610) and above.

In 2012, Justice K.S. Puttaswamy (Retired) filed a petition in the Supreme Court challenging the constitutionality of Aadhaar on the grounds that it violates the right to privacy.

Q. Shweta to Vrinda- What does the current data protection framework in the country look like and what are the fundamental rights of the individuals in a Post Puttaswamy world in accordance with the pre-PDP bill?

Vrinda mentions that India has a statutory framework under the IT Act which has section 43A and the SPDI rules.

SPDI Rules

The SPDI Rules specify that apart from the information sought by governmental agencies or under applicable legal provisions, a body corporate is required to obtain permission from the information provider, prior to disclosure of such information to a third party, unless such disclosure has been agreed to in an agreement between the parties. The SPDI Rules further mandate that a body corporate handling SPDI shall provide a comprehensive privacy policy containing details such as the type of information collected, the purpose for collection of information, the disclosure policy, the security practices, and procedures followed etc. The privacy policy is required to be clearly published on the website of the body corporate and made readily available to the information providers.

Section 43A, IT Act

Section 43A of the IT Act explicitly provides that whenever a corporate body possesses or deals with any sensitive personal data or information, and is negligent in maintaining reasonable security to protect such data or information, which thereby causes wrongful loss or wrongful gain to any person, then such body corporate shall be liable to pay damages to the person(s) so affected.

She mentions that although there exists a law for sensitive data there is no statutory regulation for personal data. The problem with the IT Act remains that its implementation has almost been negligible also the Cyber Appellate Tribunal- the appeals body to which the complaints under the IT Act are to be filed seemed very callous in terms of reappointing a Chairman for a very long period and also the significance of the Grievance Redressal Officer (appointed under the IT Act) seems to be lost. The Act also charges a civil penalty and not a criminal one in case of failure inadequate privacy policy measures.

The current position is of a Post Puttuswamy world and that of a pre-PDP Bill. So even if a person was to file a complaint, they would most likely use the judicial authority of the Puttaswamy act rather than the IT Act as it doesn't apply against the government or non-profits and is meant for corporates, although most of the privacy invasions are by the government. And a challenge against the government can only be filed under the Puttaswamy framework.

But the challenge to  Aarogya Setu (a government healthcare app) premised on the Puttaswamy framework of being violative of the right to privacy has worked in helping the corporate sector realise about the privacy policy measures and a need to review it.

The CHAAYOS Case

An example of such was when a famous Tea brand Chaayos was largely criticised for introducing a facial recognition system which was seen as a breach of privacy leading to increased surveillance. This case highlighted that the people had become more aware of their right to privacy, especially after the Puttaswamy judgement.

Vrinda then mentions that Justice AP Shah's Committee report of 2012 gained prominence when cited in the Puttaswamy judgement. In 2012, the Planning Commission and the Group of Experts on Privacy Issues held meetings on the question of the Right to Privacy. The meetings were chaired by Justice (retd.) AP Shah.

The Justice AP Shah Committee report outlined nine principles that were central to and defined the Right to Privacy. The 9 principles were:

1. Notice
2. Choice & Consent
3. Collection Limitation
4. Purpose Limitation
5. Access and Correction
6. Security
7. Transparency
8. Openness
9. Accountability

These principals have laid the bedrock for the judgement.

Q. Shweta to Mira: You've worked on the A.P.Shah's principals before at CIS, so would you like to expand on what these principals really mean?

Mira starts by examining a question of  how much data is really required?

She states that what is happening with the contact tracing apps is that whenever the data is collected, we don't know how much of the data is really necessary.

For eg. Bangalore develops a contact tracing app called the Quarantine Watch which is collecting selfie per hour, if directly connected to the AP Shah’s 9 principals, the first question would arise that is that data necessary in the first place which is a short term question but important questions like till when it is retained, or do the people have consented to give in their data or how good is the privacy policy measure are raised but aren't being followed in practice in the short term.

Suggestions

Mira mentions that India does not have proper data protection measures in place. So, before raising any question on it there is a need to check if the policy measures are implemented in their best form.

She gives an example that when the AAROGYA SETU app was launched in April, its policy protection was made better two weeks later and within three weeks it was made mandatory.

So in cases where policy protection is not in place, it is important for the government and corporations to practice best principals from the very beginning itself.

Q. Akshit to Arnab: Having led policy initiatives from the front and being a part of the team who’s developed the Aarogya Setu app, what according to you are some practical considerations around implementing privacy principles in the absence of data protection legislation and did you consider some best practices while developing the app?

Arnab jokes about not being from a law background and being a tech person found the legal chat Greek and Latin. He then goes on to explain the development of the Aarogya Setu app. He said that privacy concerns can be addressed through multiple lenses, some things can be taken care of through technology, some through policies and some through precedents, legislation, bills, etc. but the spirit of the app has always remained intact even in its Beta version. Talking about the app he mentions a few key aspects that were kept in mind while designing the app:

• The app was designed in a manner which earned the trust of the people and made them feel comfortable in sharing the information to work towards tackling the pandemic.
• The privacy concern was well addressed as the information provided by the users is supposed to remain on their phone and was not being pushed on the servers and this can be verified by individuals as the app has open access.
• On the lines of the Privacy policy, a lot of thought was put into the process so as not to infringe any privacy policy and the terms were made very clear and individuals' concerns were also addressed and the app is an evolving one.
• Core tenets of the app remain- privacy, transparency and security of information and have been written in a way that is available through technology.

Q. Akshit to Aman: How can we narrow down the privacy principles with respect to health and how do principals related to purpose limitation and data minimisation work especially during a pandemic?

According to Aman, in a situation of a pandemic it is nearly impossible to answer the question as there is uncertainty around the fact of data minimisation and function creep. As the government may say that it needs to collect certain amounts of data which other countries may not require which is a reasonable argument but as a citizen you expect safeguards in place which prevents them from using the data that violates your rights, thus clearing the air around data minimisation.

He then says that although different countries have been collecting different kinds of data. For eg. some wanting Bluetooth data, some wanting the location data and Aarogya Setu is looking for both but there should be a clear mention as to when the data would be collated and when would it be deleted, which is mentioned in the Aarogya Setu’s initial protocol on till what time the data can be retained but there are still questions regarding how well will it be implemented.

With function creep the definition becomes difficult to stick to as there are reasonable arguments for the usage of such an app especially when there is so much of uncertainty around the pandemic and the continuity of an app like this.

Q. Akshit to Antaraa- Do you think that the privacy principles in general and the accompanying practices address the issues around the lack of literacy around privacy in the country?

Antaraa begins by sharing her observations while being engaged with the public feedback on the Data Protection Bill. She observed that there is a concern among people about their personally identifiable data which strikes the conscience but there are very few points of feedback that are raised on the point of surveillance, or about machine-based data manipulation, these concerns seem to be very secondary to large masses.

According to her there is also very limited awareness even among urban data users about the extent to which the data is being exchanged as well as what percentage of it is actually being used.

A critical point that she raises is the fact that the situation is worse among the new adopter of the internet or smartphones, it becomes very important to disseminate knowledge to them regarding what data is being collected and what are its implications.

Way forward for enhancing digital literacy in India about concerns of privacy, surveillance and lateral surveillance

Antaraa mentions that various foundations have been doing incredible work including CIS, Digital Empowerment Foundation and Internet Freedom Foundation in this field. Although India has a very strong culture of disseminating information at the ground level and taking up issues on data security and privacy as compared to other nations, still there is a  requirement for a larger mandate for companies who’re using and benefiting from the data to share and educate the public

For eg- An all-pervasive app like Whatsapp can play a very important role in spreading awareness on data and privacy. An amalgamation of civil societies and such corporations can lead to success in achieving this goal.

Q. Shweta to Arnab- Can the relation between health and privacy be seen as black and white or is it much more complicated than what it seems?

Arnab said that he didn’t  believe in Binaries and this concept can be seen within a large spectrum. The app is evolving and the privacy policy also has to take care of that and evolve with the needs of the time and the healthcare system needs to have a balanced approach.

Coming back to the app he mentions that the app has been designed in a manner such that consent is very important. The app is totally consent-based and it hasn’t been made mandatory so as to ensure that it's not forced upon people. Also, it is ensured that minimum information is asked out of the users and is minimally used, until and unless there is an urgent healthcare issue that needs to be addressed. A very important thing that he mentions is the app is evolving and is made better at every step.

Q. Shweta to Vrinda- Do you think that consent really works in a pandemic like situation?

Vrinda says that internationally there has been an agreement to the fact that the state can collect personal information in exceptional situations like a pandemic or a disaster but the State has to follow the rest of the obligations like purpose limitation, collection limitation, security, etc. But in India’s case, the consent debate differs from the voluntary and mandatory debate.

For eg. in the Aarogya Setu or Aadhaar case, there was no legislation beforehand in place and thus the whole idea of consent is to be looked at with a different perspective.

Q. Shweta to Mira- Would you like to expand on your argument that ‘There are long term implications of the short term measures which are more complex and have societal implications as well?

Mira started by giving examples-1) In April a PDF was released on the official Twitter handle stating the names and numbers of all the people home quarantined in Bangalore and later on was brought down.

2) An organisation named PARIHARA released names, numbers and addresses of people who were home quarantined and then the Kannada government had come out with a clarification saying that there was a glitch and the information was brought down.

3) Citizen Quarantine Spots- Citizens within the community are appointed to keep a check on those who have been home quarantined and who are not, the short term measure is to keep a check that these people who’ve been quarantined should not move out.

The larger problem here becomes that their information was revealed whether for two hours or two days. The mere fact that it was out, means that their privacy has been heavily compromised. So for a short term measure, there are long term implications although the motive stated is to surveil the home quarantined people.

Q. Akshit to Arnab- What are your views on privacy in the light of what Mira said on long term implications of lateral surveillance and government’s failure in protecting the privacy of the citizens, and the fact that Aarogya Setu is proposed as a short term solution for a short term problem?

Arnab clarifies the fact that the app was never mandatory except for a particular set of employees and that mandate was removed within a week.

And he reinforced the fact that the information that’s been asked of the users is very minimised and this is in accordance with the 9 principles that were discussed. There is also a specific 6 months or 180-days clause of the useful life of the product in aspects of contact tracing assuming that the pandemic goes away within that period.

Q. Akshit to Vrinda- What are your concerns with Aarogya Setu and what is the basis of the ongoing litigation against the app?

Vrinda explains that the initial litigation was against the mandatory nature of the app i.e. when the MHA guidelines made it mandatory to install the app for the employers and everyone in containment zones to ensure 100% coverage but when the government brought down the mandate, there was interim relief to the litigation.

But then she goes on to state other issues:

-The PUBLIC MESSAGING or the way it is put forward which makes it appear that it is almost mandatory to download the app, it changes the perception of the people and they tend to install it thinking that it is mandated.

-In Karnataka HC there is a petition filed against the App being compulsory for airline travel and filling of forms in lieu of the same which tends to reduce clarity about the nature of the app.

So, a legislative framework that would lay out the privacy concerns and its terms should be in place and any policy or measures rolled out should be consistent with the fundamental rights of an individual.

The larger question then becomes that (in terms of Aarogya Setu and Aadhaar) why is the government rolling out such notifications without having any legislative framework in place and why can’t it use the ordinance route as a temporary measure which is again happening in various nations especially during the COVID when the parliaments are not in session.

Responding to a question on usefulness of the disaster management guidelines in building contact tracing apps, she says that the Section that is relevant Section 10(2)(l) of the DMA which empowers the Government to give guidelines to ministries, departments and state governments to take measures in response to a threatening disastrous situation. But being so broad and wide in nature, it cannot be seen as the underlying principle to empower the government to initiate any type of a pandemic measure under the garb of such a wide guideline especially like the Aarogya Setu.

Q. Akshit to Arnab- What is your take on the E-pass feature that was shown on the app and do you think that this expansion clashes with the privacy principles?

Arnab clarifies that the E-pass was not issued by the app; instead, any pass issued by the government was showcased on the person’s Aarogya Setu profile. Instead of seeing it as function creep, he said that it was a tool to ease the hassle for people who could move easily in case of work during the lockdown without carrying a number of documents.

E-pass: It is an online pass issued by the government which any individual or group can avail by filling in details regarding their health status and other information for movement during the lockdown.

He also comments on what Vrinda mentioned about the mandatory nature of the app that it was mandated only for some employers and employees when there were very few people moving out for work and the mandate was removed within a short period of time.

The other thing that he clarifies is that from the very beginning the messaging or the promotion of the app was done in a manner which requested the public to help the government so, in turn, they could help them and the people around and it was never made compulsory or the tone never directed to that.

He then said that the app should be viewed with the perspective of what it intends to serve and Aarogya Setu is specifically made with the purpose of contact tracing although various other aspects were explored and the team stuck to the original purpose.

And contact tracing in the COVID perspective, when it helps save people’s lives especially a spread from asymptomatic cases, that is from where the app should be evaluated.

The speakers went on to discuss the Comparisons with Singapore and the UK. The speakers then concluded with the following remarks:

Arnab mentioned that the State should strive to build solutions according to the change in technology and should seek guidance from people like that on the panel to discuss and give feedback on such measures and ensure that the policies are followed in both principle and practice.

Vrinda stated that conversations like these can definitely help in moving the debate forward allowing one to engage with people from different backgrounds given the raft of laws passed and the potential challenges.

Aman while agreeing with Vrinda’s views said that although privacy and accountability sound theoretical but they have a strong impact on people who’re less fortunate and it is necessary to engage in conversations with the users of such applications and those who’ve faced consequences.

Mira stated that although India might lack a solid framework like that of other nations, it should work to be able to reach that point especially in terms of privacy policies and ethical considerations and standards.

You can check out the webinar on the link below!
Click Here