Updated: May 28
The Covid-19 pandemic has become the new normal now. The sudden global outbreak has brought in tremendous changes and challenges in an individual’s life. Governments all around the world in lieu to contain and mitigate the spread are taking several steps; collection of an individual’s data through Contact Tracing Surveillance technologies is one of the many methods. This must bring our attention to the threat these measures impose on an individual’s human right to privacy. Although these are challenging times for the economy as well but institutions must draw a line while collecting the personal data, between safety measures benefitting the public health and protruding an individual’s privacy for a trade-off. But the bigger question here is can these apps outweigh the importance of privacy in the name of public health benefit?
Privacy as a Basic Human Right
The notion of Privacy is not new, it has been an integral part of human rights from the very beginning. It can be traced as back as 1361, from the time when Justices of the Peace Act in England envisaged the arrest of “eavesdroppers” and “peeping toms” . Supreme Court of India in the landmark case of K.S. Puttuswamy V. Union of India recognised the right to privacy as an implicit and integral component of Article 21 of the constitution (Right to Life) and gave this right the status of a Fundamental Right. The court’s view was that the term ‘life’ has a colossal meaning, the term ‘life’ for a man includes each and every aspect which makes his life meaningful, complete and worth living. Privacy is one of the many components which makes a man’s life more meaningful. Various international covenants as well accorded privacy the status of a basic human right, The International Covenant on Civil and Political Rights (ICCPR), the UN Convention on Migrant Workers, the UN Convention on Protection of the Child, to name a few.
Working of Contact Tracing apps and How they Impact Privacy?
Governments all around the globe are ardently developing applications with the intent of collecting data to mitigate the spread. India being the frontrunner developed a plethora of applications authorised by central as well as state authorities. For instance, the Aarogya Setu app launched by the Government of India. The app is basically a type of neighbourhood watch arrangement which monitors the movement of a particular individual and alerts others about the proximity of other users. The intent behind the development of this app can be easily made out as bona fide, as the app’s major function is to essentially make people follow the governmental norms of social distancing. But there’s more to it than what we understand and what has been advertised. As per a report of a Paris based cyber security consultancy Defensive Lab Agency, the Aargoya Setu app besides its user tracking and contact tracing function, can use its built-in sensors to turn on the microphone of particular mobile phone and can also access phone’s data and contacts. Currently the app has been downloaded by over 10 million users. The aftermaths of this can be disastrous. Similar to Aarogya Setu, there are certain apps which are developed for either a particular state or any particular profession. For instance, the National Centre for Disease Control through its Integrated Disease Surveillance Program (IDSP) launched its own IDSP-IHIP application specifically for health care workers. The app’s function is to capture geolocation during an in-person visit by a healthcare worker and the healthcare worker then later on inserts all the information regarding the patient like his gender, age, D.O.B, etc. Which then later will be tied with geo-location.
The surveillance done by contact tracing apps can be regarded as an extension of lateral surveillance. Lateral Surveillance is based on the notion of ‘watching-over’. Which differentiates itself from a typical surveillance wherein there is a power dynamic present between the one who is watching (Governmental or private entity) and the one who is being watched (citizen). But in the case of lateral surveillance this power dynamic does not exist as the one watching (citizen) and the one being watched (citizen) are on the same pedestal without the involvement of any organisational entity. Which can also be regarded as a neighbourhood watch scheme. Contact tracing apps in particular can be regarded as an extension of lateral surveillance because herein the role of a higher authority is of a facilitator which can access the data but does not involve a process of surveillance, the use of the application is in the hands of the citizen himself.
Every application has its own way of working. The Aarogya Setu app as mentioned before tracks the location of an individual through GPS and Bluetooth. It keeps record of all the other users that it detected previously. These records as claimed by the government are kept till the time any user tests positive or declares symptoms of the virus. But there are speculations with regards to its data storage and sharing facilities. Similarly, the SwissCovid app of Switzerland uses the GAEN (Google/Apple Exposure Notification) system which uses Bluetooth signal to detect when two people are close and notifies the other the status of that other person. Although the functioning of both, the Aarogya Setu app and the SwissCovid app are same but there is a huge difference with regards to privacy provided by both the applications. The swiss app uses the GAEN system which essentially prevents the authorities to gather personal information of its users. But this system is not used by the Aarogya Setu application. Which showcases that the app does not cater the privacy concern efficiently.
The prime example of overreach of contact tracing applications ultimately hampering privacy is the Singapore’s TraceTogether app, the data collected by this application can be accessed and used by the police for criminal investigation. That’s the point here, there is no surety for how long the data set collected can be stored and for what all purposes it can be used.
However daunting contact tracing apps may be for a person’s privacy, they are useful to some extent in mitigating the spread. Hence arises a conflict of interest whether mitigation of the spread ultimately promoting health is pertinent or privacy? This problem can be solved easily by careful use of collected data. This can be ensured by enacting certain legislations with regards to the same but In India data collection by the use of technology even for public health reasons raises concerns over privacy due to lack of a full-fledged privacy law. But this might not be a problem in the U.S. as there are rules and regulations controlling the use of the data collected, for instance the US Congress passed the Health Insurance Portability and Accountability Act in 1996 HIPAA; 42 USC §201 et seq and promulgated HIPAA's Privacy Rule in 2003, aspart ofan effort to strike a balance between protecting the confidentiality of personal health information and legitimate use of the collected data. In these circumstances wherein there are laws to protect the citizen’s privacy, contact tracing apps can prevail and may have a promising impact. Hence to settle the conflict, contact tracing apps have shown certain promising results in mitigating the virus to a certain extent in some limited circumstances only. But it must be kept in mind that a particular right cannot be completely overlapped by the other in this scenario. If it is necessary to collect public data at large there must be some regulating force overseeing that there is no overreach.
Countries like Italy issued varied guidelines to balance privacy and data protection and to achieve that they authorized public health authorities to collect data and denied private entities to interfere. But the situation worsened. Hence the government had to render these guidelines as inefficient and had to go towards a traditional model wherein they authorised respective organizations to collect only relevant data about medical conditions of their members/employees and nothing else. A Similar approach was followed by Belgium wherein employers were allowed to collect data of their employees with a need to adhere to privacy regulations.
Conclusion: A Road Ahead
During a pandemic, it is to be expected that fundamental rights will have to be balanced against each other. The question is whether the outcome of the balancing exercise between the right to health and the right to privacy needs to be a limitation of the latter and if so, whether this limitation is necessary, proportionate and restricted in time . Privacy in these challenging times is equally pertinent. Regulations with regards to data protection are important as the data collected in the name of mitigation once stored can be used post-Covid as well. Contact tracing applications can fulfil both the requirements but it all boils down to the government’s intent. We need to ensure that the data collected for health must be utilized for the same only. Let alone India which does not have a full-fledged privacy law, countries which do are also facing the similar obstacles in balancing health and privacy. So, its time for us to be creative to tackle this or go back to the old models of data collection just like Italy and Belgium did.
Image Source : FPJ
This article has been authored by Yashovardhan Agrawal. He is a second year student at HNLU Raipur.