Rethinking Patients’ Privacy in light of the Coronavirus Epidemic in India
The past months have truly tested the global healthcare system, with over 5,240,000 confirmed cases of the novel coronavirus (COVID-19). Many countries are at the stage of ‘community outbreak’, with entire regions placed under lockdown. As governments and healthcare agencies rush to control the pandemic, concern for the privacy of citizens, in particular, of patients and their families, has taken a backseat.
Article 12 of the UDHR protects all persons from “arbitrary interference with privacy, family, home or correspondence” and “attacks upon honour and reputation.” Prior to COVID-19, several jurisdictions, including the USA, UK, and Singapore, had legislated to protect the right to privacy. Similarly, in India there is constitutional protection of the fundamental right to privacy, an evolving privacy jurisprudence and a Data Protection Bill in the pipeline. However, disaster management legislation had not yet accounted for these developments, the brunt of which is now being borne by the Indian public.
Violations of Right to Privacy in India
India’s Epidemic Diseases Act, 1897 (EDA) is a remnant of the colonial era, granting the State widespread powers “to take special measures and prescribe regulations” for containing epidemics. It also shields persons acting or intending to act in good faith under the Act from penal action. Insofar as it legalizes unbridled state excesses, it has been widely criticized for legislative over-delegation and a lack of a suitable framework for responding to the outbreak.
The EDA facilitates a particular risk of ‘technosolutionism’ regarding the privacy rights of diagnosed patients, their families, and those under mandatory quarantine. Many states, including Delhi, Karnataka, and Orissa, have published lists of names, phone numbers, and addresses of patients and quarantined people to create public awareness. Such disclosure of personal information may result in harassment, hate speech, character assassinations, identity theft, etc., and is thus problematic. For instance, the circulation of patients’ religious identities in the media has led to blaming specific communities for the outbreak and incited communal discord. Moreover, the broadly worded provisions of the EDA seem to foreclose any legal recourse against privacy violations by the authorities.
Are Such Violations Legally Justifiable?
The personal information leaked by quarantine lists of the authorities is classified as ‘sensitive’ under the Data Protection Bill and can be processed only after informing the individual of its purpose and obtaining their informed consent. Although Section 12 of the Bill makes an allowance for public health and epidemics, the release of sensitive data into the public domain would still have to satisfy the test of legality, legitimacy, and necessity and proportionality under KS Puttaswamy v Union of India.
Lawyers have noted that the actions undertaken have no legal basis and are not found in the EDA or the Disaster Management Act, 2005 (DMA). Rather, the privacy principles of the Justice Shah Committee Report have been violated as those under quarantine were not given proper notice of the data collected, its purpose, or the intent of disclosure made to third parties. Second, as data fiduciaries are responsible for the purpose and means of processing, the authorities must justify that the dissemination of sensitive data into the public domain was necessary and proportional for awareness and epidemic control. They must show that maintaining anonymity would be adverse to achieving the objectives of public health. Lastly, the action suffers from manifest arbitrariness, insofar as it has led to fear, social ostracization, shame and hostility among neighbours. By being manifestly arbitrary, it also fails to qualify as a legitimate action under Puttaswamy.
How to Strike a Balance?
Firstly, access to sensitive data like the age, name and address of individuals should be limited to well-defined objectives towards epidemic management and prevention. Data collectors should follow the privacy principles, particularly that of collection limitation (to only collect information that is necessary for the purposes of such collection and has been notified to the individual) and purpose limitation (to take information only for the notified purpose and to destroy it after identified purposes are met). Secondly, sensitive information revealing the ethnicity, gender, sexuality, religion etc. of individuals should not be disclosed to the public or media. Rather, an unidentifiable database should be created for tracking and control. Where mobile apps are used for surveillance, privacy safeguards against unauthorized access or breach by third parties should be in place.
While the State’s legitimate role in managing the pandemic cannot be understated, compromising data protection is not the solution. Violations of privacy can cause lasting damage to civil life. The Indian State must integrate its epidemic management system with the existing privacy jurisprudence to preserve individual dignity and human rights.