The covid-19 outbreak and the resulting lockdown has dramatically changed the working conditions of the people worldwide, almost overnight.Organisations have been compelled to adopt newer working policies and engage a more flexible regime under the “work from home” model.
The covid-19 outbreak and the resulting lockdown has dramatically changed the working conditions of the people worldwide, almost overnight. Organisations have been compelled to adopt newer working policies and engage a more flexible regime under the “work from home” model.
This was only made possible due to technology that has allowed us to stay connected with everyone while maintaining social distancing to contain the pandemic spread. This same technology opens a pandora’s box of cyber security threats. Through this article the authors shed light on the threats to data privacy and the risks of hasty adoption of technology.
However, the contact tracing applications employed by the governments to contain the spread of the virus and ensure the safety of the working class are also not immune, albeit to threats of cyber security and data privacy. The authors also make a comparative analysis of the technologies adopted and the legal framework governing them.
The alarming rise in the number of cases has compelled the government to take significant actions regarding the same.
Authorities in the US and the UK are coordinating with private companies to retrieve location and whereabouts of its citizens. Singapore, Iran, Russia and Israel are using applications to track and trace patients and predict the next hotspot. These applications track the users, compare their location with the location history of confirmed cases and inform the users to take necessary actions if they come in contact with covid-19 cases. China has expanded mass surveillance with the help of telecom operators to help them track people’s movements and by using drones with facial recognition technology.
The European Union has implemented a technique, which adheres to the General Data Protection Regulation (GDPR) of the European Union with due regards to right to privacy as a fundamental right.
India is using an application called “Aarogya Setu” developed by the National Informatics Centre under the Ministry of Electronics and Information Technology (MeitY) to connect essential health services with the people of India in our combined fight against covid-19. The App is aimed at augmenting the initiatives of the Government of India, particularly the Department of Health, in proactively reaching out to and informing the users of the app regarding risks, best practices and relevant advisories pertaining to the containment of covid-19.
The state of Karnataka, Rajasthan and the Mohali district administration have made names and personal addresses of covid-19 suspects public through local newspapers and official websites.
The state of Kerala has used telephone call records, CCTV footage and GPS to trace the covid-19 suspects. They have also published the date and time maps showing the movement of people who have tested positive. The Kerala government had entered into an agreement with the US-based tech firm Sprinklr for collection and management of health data of Covid-19 patients and those quarantined in the state.
Concerns were raised and a case “Bali Gopalkrishnan and ors V/s State of Kerala and ors” was filed in Kerala High Court that entrusting health data with an American company puts the privacy at risk. In regards to this case, Kerala High Court mentioned that , “We do not want the COVID epidemic to be substituted by a data epidemic.”
Court issued an interim order to anonymise all the data that have been collected and collated from the respective citizens, then access to be allowed to Sprinklr. Citizens must be informed that their data has been collected and is likely to be accessed by any other third party and their specific consent must be taken. The court also prohibited Sprinklr from breaching confidentiality and ordered that it entrust all data to the Kerala government as soon as their contractual obligation is over. Because of these issues government decided to cancel the agreement.
Thus proving, Right to Privacy is dominant.
The Aarogya Setu app works only after allowing it to use Bluetooth and GPS which is sent among Inter Governmental agencies. This according to many people, seemed to be the violation of their fundamental right – Right to Privacy.
As elucidated by the ruling of nine judges in the matter of Justice K.S. Puttuswamy and Another v. Union of India [ (2017) 10 SCC 1 ] which recognizes right to privacy as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution. It also recognised data protection as an essential part of informational privacy of an individual and observed that India lacks a comprehensive legal framework for personal data protection.
Hackers frequently look at crisis as an opportunity, and COVID-19 is no different. A French ethical hacker under the alias Elliot Alderson who first flagged the privacy concerns in the coronavirus contact tracing app Aarogya Setu explained the security flaws in a blog. He explained that the Aarogya Setu app is not supposed to disclose a corona patient’s location but merely tell the user that there are cases around him. The two main concerns he points out is that anyone can access the internal database and that anyone can see who is sick anywhere in India, which violates privacy. While the government has touted Aarogya Setu to be absolutely safe, the fact that it reportedly got hacked by the hackers, raises concerns that if not the government, hackers can get into the app and leak user data.
In order to maintain data privacy, the government introduced the Personal Data Protection Bill, 2019 (PDP Bill) in the Lok Sabha, largely incorporating the principles of personal data protection.
Section 12 of the PDP Bill, 2019, does allow processing of personal data without consent during medical emergencies and pandemics. However, the Bill has not been passed till date. Hence, there is an absence of governing legislation.
“Technology can help keep us safe; but fear must not be leveraged to track citizens without their consent.” -Rahul Gandhi (Congress leader)
The conflict between public health preservation and protection of fundamental rights of the citizens is a serious concern and cannot be disregarded. And in order to preserve personal data of the citizens, it is important to enforce safeguards as well.
Public health interest can be considered as a sole reason to increase monitoring of individuals but government authority has to monitor by taking necessary precautions. If such precautions are not exercised in times of urgency, we may be successful in preventing the spread of virus, but may vandalize the citizen’s rights.