As we grapple with a global pandemic, governments across the world increasingly rely on information technology to advance their fight against the virus. From contact tracing to quarantining selfies, smartphone applications have started determining the course of public health actions. Naturally, debates on the use (and misuse) of surveillance data have re-emerged in the public sphere. Unlike normal times, where the concerns of data privacy conflict with individual convenience (of using a credit card or Facebook), times of crisis bring pressing issues like national security to the fore. The present controversies relating to the collection and processing of health data to fight coronavirus takes this issue to a different level. It represents a tension between two fundamental rights: the right to life and right to privacy.
Though we may engage in political debates on this conundrum, a trade-off between the two is pointless in terms of the law. As the Supreme Court of India held in the Puttaswamy verdict, the right to privacy is a fundamental right enshrined under Art 21 of the Constitution which guarantees the right to life and personal liberty. Further, in the absence of a defined hierarchy among the two, political arguments championing the protection of life at the expense of individual privacy is problematic. Though governments hold the considerable public authority to keep certain rights (such as freedom of movement) under control during an emergency, keeping a basic human right such as privacy at bay is questionable. The real danger is the ‘emergency’ track record of our institutions of last resort. Yes, it is challenging to rely on a deferential judiciary to protect a seemingly weaker right at a time of crisis. Sadly, justices of the ilk of H.R Khanna is in short supply these days.
Is a balancing act possible?
For bringing the right balance, the apparent conflict for supremacy among the two rights needs analysis through the prism of political philosophy. More specifically, a re-look at the theory of social contract – that describes the relationship between society (state) and its members (individuals) – and the reasons why individuals consent to forgo some of their freedoms as a trade-off for living in societies will help us to analyse the debate in a structured manner. The claim is not that a theory in itself will settle the conundrum; rather, the right-duty equilibrium that the social contract envisages will help us to resolve it.
Two general aspects of the data protection laws reflect this right-duty framework of a social contract. First, notwithstanding the consent requirement – that data processing is prohibited unless the individual gives a free and informed consent – governments have a leeway to collect data in an extraordinary situation. While Europe’s General Data Protection Regulation uses the idea of ‘public interest’ to do away with individual consent requirement, India’s forthcoming law on data protection is more germane to the present context. According to the Personal Data Protection Bill, when State undertakes legally prescribed functions “to respond to any medical emergency” or “to provide health services during an epidemic,” the consent is not required. This power, however, is not absolute. There is a corresponding duty imposed on the State, which is the second tenet of the social contract.
A fiduciary duty – the higher standard of care set by law – binds the State here. This obligation is manifested in the Personal Data Protection Bill when it defines the ‘entity (including the State) that determines the purpose and means’ of the processing of data pertinently as “data fiduciary”. Thus, a government’s right to impose restrictive measures and obtain health data, and the corresponding duty of the individual to comply, stems from a trust that individuals place on the government. However, quite unfortunately, we lack the necessary legal framework to ensure this trust.
In search of an ideal framework
Despite all the security measures that governments put in place, privacy can still be said to be breached if a database is put to inappropriate use. For instance, a deviation from the original intent of data collection is a breach of privacy, as the mandate of Aadhar Card as a citizen identity digressed from its primary purpose. If the recorded history of such deviations, known as “function creeps”, is to be believed, a presumption that the present COVID-related health data analysis will end with the pandemic is absurd. As evidence shows, the circumstances of function creep could be so disingenuous, even the courts of law may find it uninterpretable. Again, the lack of a robust data protection law makes the scenario even worse.
We need a well-balanced strategy, which can help us create an ‘anti-virus’ nation and at the same time prevent it from becoming a ‘Big Brother’. Such a strategy must envisage data-driven public policies are capable of ensuring both healthcare and data privacy. For that, we require, not just scientists but data scientists, particularly cyber forensic experts, to ensure that the data is not mishandled or disseminated against the purpose for which it is collected. A data science-based framework will not only strengthen the healthcare system but also enable the governments to set the seal on the privacy of health data. It is the knowledge and skill of policymakers in using and decoding the data scientifically that is going to play a vital role in that framework. Thus, instead of prioritizing between health and privacy, we should be able to reinforce the public health system by building the capacity of policymakers in understanding data science and engaging more data scientists in the policy space.
[The writer is Assistant Professor of Law at the Cochin University of Science and Technology and Honorary Research Fellow at the Centre for Public Policy Research, Kochi. Email: email@example.com. Views are personal.]