by Jasleen Virk
The history of human civilization has been fraught with numerous pandemics, yet the all-consuming COVID-19 epidemic is unprecedented due to the massive number of fatalities worldwide. Countries all over the world are valiantly battling the virus on the public health front as well as the economic front. India, a country with myriad problems of its own, is now facing a fundamental rights crisis aggravated by the Covid-19 situation. Questions about the place afforded to fundamental rights in a democratic country like India are looming large in the wake of the Covid-19 pandemic. The publication of quarantine lists on public domains displaying suspected and infected Covid-19 patients’ personal information is a direct infringement on people’s right to privacy.
The challenging circumstances seem to have fostered the understanding, or rather the misunderstanding, that the right to privacy can be overlooked in the name of public interest. Whether this is an apt understanding or not is a question that needs extensive analysis and examination. The novel coronavirus outbreak has disturbed everyday life worldwide, and its long-lasting effects will pose difficulty in returning to normalcy. The challenge of maintaining data privacy is a key issue that has cropped up in the escalating pandemic and has affected the lives of millions of people around the world.
Amidst the burgeoning pandemic, the onus of balancing data privacy and public interest rests as much on the government as on the employers and corporate entities. India’s government took several measures to contain the spread of the pandemic, starting from a nation-wide lockdown to free testing and treatment of Covid-19 patients. However, in a bid to eradicate coronavirus, the state governments published personal details of suspected coronavirus patients on publicly accessible websites. It is no surprise that these quarantine lists were circulated on popular social networking sites such as WhatsApp and Telegram in a matter of hours. The government had claimed that the reasons for releasing the lists were social pressure and containment of further transmission of the virus, but the strategy backfired. The government aimed to curb Covid-19 by deterring people from going out and by having them cooperate with government officials and assist them with information on known or suspected Covid-19 patients. However, with the threat of their names showing up in the quarantine lists, people are hesitant to report cases in and around their homes, which has made the job of public health administrators even more arduous. Publication of these lists has deterred people from coming forward and reporting cases of Covid-19 due to the fear of ostracisation and harassment. Since the quarantine lists contained personal information such as name, phone number, residential address, etc., anonymous callers harassed many suspected victims and patients. Such an attack on privacy is disrespectful to human dignity. This proves that the stigma of Covid-19 penetrates deep into Indian society, similar to vices like untouchability.
The data collected from passengers on international flights was used to curate the quarantine lists. Incoming passengers were made to sign self-declaration forms which contained all personal information under the Ministry of Health and Family Welfare. Surprisingly, the ministry did not disclose the purpose of these self-declaration forms apart from mentioning the mandatory requirement of a 14-day quarantine. The dissemination of this information as quarantine lists has raised concerns regarding breach of privacy and trust. To determine a violation of privacy, we need to assess the doctrine of ‘reasonable expectation of privacy’ established by the Indian courts in the landmark Justice K.S. Puttaswamy judgment. Puttaswamy v. UOI brings to light the principle that the right to privacy is infringed when there is a reasonable expectation of privacy.
In the Puttaswamy judgment, the Apex court noted that the right to privacy included full control over one’s personal information considering the huge impact of data in today’s day and age. According to the data protection rules prevalent in India, all health-related data such as medical records, psychological condition, temperature, etc. come under the ambit of Sensitive Personal Data or Information (“SPDI”), and this personal data can only be used after obtaining the consent of the individual concerned. Therefore, the information present in the quarantine lists was strictly personal and carried the reasonable expectation that such information would remain private. Moreover, any individual would expect that information disclosed to the government authorities will be kept confidential. Any passenger would be stunned when he realises that his form, which is a private communication between him and the State, was disclosed to the public at large without his knowledge and consent. This has triggered anxiety and fear in the minds of people who found their names on the list. The right to privacy was interfered with, but the question remains whether this act of publishing personal data can be justified.
The Puttaswamy judgment established a three-prong test to justify state action against the fundamental right to privacy. First, it needs to be proved that the action was sanctioned by law. Second, the action taken must be necessary for a legitimate state purpose. Lastly, the action must be proportionate to the achievement of that purpose. As observed in the Puttaswamy case, there is no statutory basis that can justify publication of personal information on publicly accessible portals. Neither the Disaster Management Act, 2005 nor the Epidemic Diseases Act, 1897 contains any provision which allows the government to publish personal data even in the time of an epidemic. Thus, the entire exercise of collection, collation and publication of personal information is not sanctioned by law.
To analyse whether the state government’s aim was legitimate, one needs to look at the manifest arbitrariness test. The government stated that the reason for the dissemination of personal information was social pressure, deterrence and public health. Social pressure as an aim does not qualify to be regarded as legitimate because the rule of law expects the elected representatives to make decisions that are in the nation’s best interest and not succumb to public pressure and demands, which may be unreasonable at times. Furthermore, when fundamental rights get impacted, the scrutiny of government orders increases manifold.
The government relied on a legitimate state purpose to publish personal data on official websites to preserve public health and safety, and given the current circumstances, this purpose can be regarded as legitimate. The Universal Declaration of Human Rights under Article 29 provides that the right to privacy can be restricted for meeting general welfare requirements. The State can justify its decision to publish quarantine lists since there exists a legitimate state purpose. However, the state action must be necessary and proportionate to the state’s legitimate aim.
As far as the claim of necessity is concerned, it is argued that the government resorted to a knee-jerk reaction by reasoning that public disclosure of data is essential to fight the ongoing health crisis. However, the crux of the matter is that the nation’s priority is to curb the spread of the virus and not to deter people from cooperating, which is exactly what has happened due to the stigma associated with the publication of quarantine lists.
Furthermore, a more proportional and less restrictive measure would have been to resort to “anonymity” to protect an individual’s privacy. Preserving anonymity could still very well serve the legitimate state aim of preserving public health. Without disclosing personal information, the state could have adopted measures which did not infringe the public’s right to privacy. Some states in India used apps that depicted the percentage of covid infected patients in their vicinity in a graphical presentation instead of displaying a list with all the personal details. The bigger problem at hand is the effect of quarantine lists in a post-covid world. Since all private information has already been made available and stored in online databases, it effectively risks and jeopardises an individual’s right to privacy even when coronavirus ends.
It can be argued that incorporating a ‘Right to Forget’ or a ‘Right to Erasure’ would yield better results in a post-covid world. However, the fact of the matter is that India has not yet proposed such a right in the pending Personal Data Protection (“PDP”) Bill before the Parliament and doing so would only prove to be futile. The right to forget means that all of a data subject’s information files should be erased from the databases upon the withdrawal of consent by that data subject. However, the presence of such a right would not prove to be effective, since deleting all the information is almost impossible: the information gets converted into another form, which may be harder to discern from the previous version, but remains alive and can be accessed by the public. The obstacle posed by this technical flaw further solidifies the threat to data privacy in a post-corona world order and emphasises the need for robust data protection laws.
Further, the registered subjects’ data is uploaded to and used by the government anonymously. The app strictly refuses disclosure of the name and mobile number of registered citizens to the public at large under any circumstances. At the outset, the app was made mandatory for all citizens; however, when concerns about privacy maintenance came about, the government retracted the ‘mandatory’ clause.
Although quite successful in restricting the transmission of coronavirus, the Kerala government effectively risked the privacy of the people. The launch of the US-made Sprinklr app in Kerala was made mandatory for contact tracing, but the information collected was being communicated to private companies without the individuals’ consent. A petition was filed in the Kerala HC, which ruled that citizens must be informed, and must consent, when their information is shared with third parties. Additionally, the app is not to be advertised as mandatory since its threats outweigh its benefits. The rules under the sensitive personal data index need to be followed strictly to protect people’s privacy. In the fight to eradicate Covid-19, the government has to take necessary measures, but this does not mean complete suspension of fundamental rights.
Countries around the world have come up with innovative technology-driven measures to combat Covid-19. Nevertheless, the question remains whether a country like India, where the data protection laws are at a nascent stage, should implement technology-driven measures that include mass surveillance, thermal screening, contact tracing, tracking locations and analysing data. An understanding of the data protection laws existing in India will help us answer this question.
Disputes involving data privacy in India are governed by the Information Technology Act, 2000 (IT Act) read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (hereinafter “Privacy Rules”). The Personal Data Protection Bill (“PDP”) is pending before the Indian Parliament for approval. The Privacy Rules require corporate entities that collect, process and store personal data, including sensitive personal information, to comply with prescribed procedures. Rule 3 of the Privacy Rules identifies personal information as sensitive personal data or information (“SPDI”) which includes financial information such as bank account or credit card, physical and mental health records, medical history, sexual orientation, passwords, biometrics and any information provided or received by the body corporate for providing services or storing data under a lawful contract or otherwise.
Section 43-A of the IT Act applies to all corporate entities in respect of the SPDI that they possess, manage, control or operate. Companies face civil liability if they are negligent in maintaining “reasonable security practices and procedures” concerning SPDI, resulting in wrongful loss or gain to any person. Section 43-A and the Privacy Rules impose an onerous burden on the companies which collect and process personal data to review their contractual agreements to ensure that data security rules are followed in alignment with those stipulated above. Apart from section 43-A, punishment for disclosing personal information by a service provider without the consent of the data subject is also specified under section 72-A of the IT Act. One of the Privacy Rules requirements specifies the incorporation of “reasonable security practices and procedures” by corporate entities to secure SPDI in line with the IS/ISO/IEC 27001 standard on “Information Technology – Security Techniques – Information Security Management System – Requirements.” Any other standard, if followed, needs to be approved and notified by the Government of India.
The Privacy Rules specify that prior consent must be obtained in writing by the concerned corporate entity or person acting on its behalf from the information provider regarding the purpose and usage of SPDI. According to Rule 5(2) of the Privacy Rules, the corporate body has to ensure that the information provider is notified at the time of collection of SPDI or other personal information of the following, namely: the collection of information, the purpose of collecting such information, the intended recipients, and the name and address of the agency collecting the information, which is only to be collected for a lawful purpose under Rule 5(2). Consent needs to be obtained again from the information provider, i.e. the employee, if the corporate entity transfers the SPDI collected to any other corporate entity in India or in any other country, keeping in mind that the same level of data protection must be adhered to as is observed by the data collector under the Privacy Rules. Consequently, transfer is not allowed to another entity that does not promise to maintain the same level of data protection as required by the IT Act and Privacy Rules. The corporate body is responsible for ensuring that SPDI is used only for the purpose for which it was collected and is not retained longer than required for that purpose.
Since the government has neither issued any special dispensation nor provided any exemption on privacy practices during exigencies, the current Indian Privacy Laws need to be employed. Indian courts have recognised that the identity of sexual assault victims, persons with diseases, etc. must be kept confidential. Similarly, it can be deduced that the identity of persons afflicted with or suspected to suffer from Covid-19 must be kept private. As observed in the case of the Kerala Sprinklr app, transferring information to a third party without prior consent from the data subject, and without reasonable security procedures, attracts liability for breach. Hence, there is a possibility that courts will punish wrongful or negligent disclosure of personal records in the name of Covid-19.
As SPDI includes the medical history of the employee, collection of SPDI is not permitted on the ground of legitimate concern alone, since additional consent is a prerequisite in cases where prior consent is not obtained under the original terms of the contract. While employees have the right to refuse consent, in the currently prevailing pandemic their right to refuse is compromised, as the IT Act is not clear on whether employees can deny such information during the Covid-19 health pandemic. Nevertheless, the United Nations released guidelines to ensure confidentiality of Covid-19 infected UN personnel and dependents.
As the WHO declared Covid-19 a global pandemic, measures taken internationally regarding data privacy have come under scrutiny in pursuit of the most appropriate method to balance public interest while at the same time upholding individual privacy. Europe has a more developed and nuanced legal framework on data protection laws vis-à-vis India, where the data protection framework is still in its infancy. The EU General Data Protection Regulation (EUGDPR) allows collection of information on the grounds of legitimate interests or for compliance with the legal obligations in place.
The Italian Data Protection Authorities in March 2020 specifically instructed employers not to collect health information or details regarding contact with suspected symptomatic persons from employees, since the public health administration should conduct such inquiries. France has taken a strict stand under EUGDPR and clarified that the Covid-19 action plan does not require disclosure of medical information beyond the management of suspected exposure, as this would violate the privacy rights of employees and visitors. Emphasis was laid on testing by public health authorities, as testing of employees’ body temperature and daily check-ups are not legally permissible in professional working facilities due to privacy concerns.
The data protection authority of Belgium issued guidelines relating to data collection for employers in March 2020. The guidelines stipulated that employers should not conduct systematic and generalised checks on employees, as such checks should be performed by a physician. Moreover, to conduct these tests, there must be some justifiable reason and a positive presumption that the employee being tested displayed signs or symptoms of Covid-19. The guidelines recommended that employees should willingly disclose symptoms or travel details and, as per the Belgium Guidelines, they should be encouraged to do so. Much like the UK, the Belgium guidelines suggest preserving the identity of an employee infected with Covid-19 to maintain secrecy, and such information should only be shared if required on a no-name basis, thus maintaining anonymity. Furthermore, Article 5 of the General Data Protection Regulation (GDPR), which is associated with the lawful processing of personal data, should be referred to by employers while dealing with Covid-19 cases, as this rule is in synchronisation with guidelines issued by the European Economic Area Regulators, which include France, Germany, Hungary and the Czech Republic.
The United Kingdom took a more practical approach insofar as the UK’s Information Commissioner’s Office (ICO) ensured that employers are cognizant in these unprecedented times. The UK government is strict about its no-name policy wherein employers can reasonably collect and share data of a covid infected patient provided the name is not disclosed. It may come as a surprise that privacy rights are competing rights in the UK, yet they are duly protected even under the challenging circumstances. The right to privacy in India, on the other hand, is a fundamental right, which means it is a substantive right of the citizens, yet flagrant discrimination and triviality are associated with it by the government under the garb of the pandemic.
Even international legal instruments stress protecting the essence of fundamental rights and freedoms during alarming periods of exigency. The Convention 108+ comprises parameters for protecting personal data that are compatible with fundamental rights and public interests. While maintaining the view that data privacy cannot hinder saving lives and curbing Covid-19, it is crucial to respect and ensure data privacy of individuals. The principles enumerated under Convention 108+ reiterate the rule of lawfulness and return to normalcy once the period of exigency expires, which means the obliteration of information earlier collected when it fulfils its purpose. Article 11 of the Convention 108+ entails that exceptions shall be “provided for by law, respect the essence of the fundamental rights and freedoms and constitutes a necessary and proportionate measure in a democratic society”. The recommendation CM/Rec(2019)2 sets out guidelines on health-related data and accordingly provides that the government and health authorities, being responsible for informing and protecting the people, should refrain from publishing sensitive personal data when communicating with the public.
Certainly, even the European countries with well-developed privacy frameworks struggle to find a balance between public interest and individuals’ privacy. However, they are firm that privacy rights cannot go unnoticed in the name of the Covid-19 emergency. On the other hand, India is facing interpretational challenges since no proper or conclusive data protection law could be employed in the current health crisis. Whereas the EUGDPR provides for the collection of information only on legitimate grounds such as prevention of public health emergency or compliance with applicable laws, India, sadly, does not at present envisage such a law. As far as SPDI is concerned, Indian data privacy laws are restricted to a consent-based approach. This has exposed many employers to legal risks for requesting constant disclosure of information.
At the moment the government can justify the infringement on citizens’ privacy rights by arguing that it was necessary to release the names, addresses and phone numbers of infected covid patients to accomplish legitimate state interest. However, the imminent threat to data privacy in a post-Covid-19 world raises concern about the value attached to India’s right to privacy. Even though the ‘right to privacy’ has been declared a Fundamental Right under Article 21 of the Indian Constitution, the nonchalance with which the government views it, as observed in the current circumstances of the pandemic, gives a glimpse into the grim future of the right to privacy bestowed upon the citizens. The PDP Bill pending before the Parliament further supports my claim, for the contested Bill contains provisions that only increase the government’s scope to invade people’s privacy legitimately. The Bill has come under huge scrutiny for its invasive nature and for not incorporating safeguards against data privacy violation.
‘Data privacy’ is an integral part of the right to privacy enshrined under Part III of the Indian constitution. Understandably, data plays a pivotal role in containing the transmission of Covid-19. Nonetheless, it is equally important to remember that while collection of certain data may be necessary to enable state functions, the collection of all data cannot be justified on account of public interest. The tussle between the right to privacy and public interest drives us to seek answers to important questions such as the position of fundamental rights during a pandemic. The novel coronavirus has led us to question our governments’ efficiency and intent and synthesise improved solutions in extraordinarily tumultuous times. It has enabled us to understand that the legal jurisprudence on privacy needs to be revisited. Beyond that, the dichotomy between public interest and the fundamental right to privacy needs to be resolved since interference with fundamental rights is an unconstitutional practice. It is imperative to safeguard data privacy of individuals to protect human dignity and constitutional sanctity.
 Rachna Khaira, ‘Coronavirus: Outrage As Personal Details Of Those Under Quarantine Uploaded By Punjab District Administration’ (Huffpost, 21 March 2020) https://www.huffingtonpost.in/entry/coronavirus-outrage-as-personal-details-of-those-under-quarantine-uploaded-by-punjab-district- administration_; Pooja B. Jaiswal, ‘Privacy of COVID-19 suspects violated; names, addresses made public’ (The Week, 22 March 2020) https://www.theweek.in/news/india/2020/03/22/privacy-of-covid-19-suspects-violated-names-addresses-made-public.html
 Sanya Kumar, Shrutanjaya Bhardwaj, ‘The publication of COVID-19 quarantine lists violates the right to privacy’ (The Caravan, 5 April 2020) https://caravanmagazine.in/commentary/covid-19-pandemic-quarantine-lists-right-to-privacy;
 Ashutosh Senger, ‘Privacy challenges during Covid-19’ (The Hindu Business Line, 20 April 2020) https://www.thehindubusinessline.com/opinion/privacy-challenges-during-covid-19/article31382552.ece#
 Supra p 3
 Justice K. S. Puttaswamy v. Union of India AIR (2017) SC 4161
 Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, Ministry Of Commc’n. & Info. Tech., Gov’t Of India, http://www.wipo.int/edocs/lexdocs/laws/en/in/in098en.pdf
 Sneha P, ‘Do India’s COVID-19 Patients Have a Right to Privacy?’ (The Wire, 23 July 2020) https://science.thewire.in/health/do-indias-covid-19-patients-have-a-right-to-privacy/
 Universal Declaration of Human Rights (adopted 10 December 1948) UNGA Res 217 A(III) (UDHR) art 29
 Vijayashankar Na, ‘We should forget the “Right to Forget” in Indian Data Protection Act’ (Naavi.org, 15 December 2017) https://www.naavi.org/wp/we-should-forget-the-right-to-forget-in-indian-data-protection-act/
 Probir R. Chowdhury, Yajas Setlur, Kavya K. Thayil, ‘Why data privacy must be safeguarded, even in times of COVID-19’ (Financial Express, 19 May 2020) https://www.financialexpress.com/money/why-data-privacy-must-be-safeguarded-even-in-times-of-covid-19/1963579/
 Anna J. Kallivayalil, ‘Is data privacy taking a backseat during COVID-19?’ (The Leaflet, 9 May 2020) https://theleaflet.in/is-data-privacy-taking-a-backseat-during-covid-19/
 Supra 7
 Supra 7, Rule 8 (1)
 Supra 7, Rule 8 (2)
 Supra 7, Rule 8 (3)
 Supra 7, Rule 5(1)
 Supra 7, Rule 7
 Supra 7, Rule 5 (4)
 Vikram J. Singh, Kalindhi Bhatia, ‘India: Being Privacy Compliant During COVID-19’ (Mondaq, 06 May 2020) https://www.mondaq.com/india/data-protection/928466/being-privacy-compliant-during-covid-
 Supra 15, Rule 3 (29)
 Shivaji Bhattacharya, Anindhya Shrivastava, ‘India: COVID-19: Implications On The Data Protection Framework In India’ (Mondaq, 6 May 2020)
 United Nations Medical Directors, ‘Preserving the privacy and confidentiality of COVID-19 infected UN personnel and dependents’ (2 April 2020) https://www.un.org/sites/un2.un.org/files/preserving_the_confidentiality_of_covid_19_infected_un_personnel_2_april_2020.pdf
 European Union, “Regulation (Eu) 2016/ 679 Of The European Parliament And Of The Council – of 27 April 2016 – on the Protection of Natural Persons with Regard to the Processing of Personal Data and the Free Movement of Such Data, and Repealing Directive 95/ 46/ EC (General Data Protection Regulation)” https://gdpr-info.eu/
 ‘Coronavirus: Privacy Guarantor, no to “do it yourself” initiatives in data collection’ (Press Release by Italy Data Protection Authority, 2 March 2020) https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9282117#1
 ‘Coronavirus (COVID-19): reminders from the CNIL on the collection of personal data by employers’ (Press Release by CNIL, 7 May 2020) https://www.cnil.fr/fr/coronavirus-covid-19-les-rappels-de-la-cnil-sur-la-collecte-de-donnees-personnelles-par-les
 Anu Monga, Rahul Goel, Parumita Pal, ‘India: Unleash the Fight Against COVID-19: Is It Possible To Balance Right To Privacy And Public Interest?’ (Mondaq, 15 April 2020) https://www.mondaq.com/india/data-protection/915778/unleash-the-fight-against-covid-19-is-it-possible-to-balance-right-to-privacy-and-public-interest?signup=true
 128th Session of the Committee of Ministers, Modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data, Denmark, 17-18 May 2018 https://search.coe.int/cm/Pages/result_details.aspx?ObjectId=09000016807c65bf#globalcontainer
 Alessandra Pierucci, Jean-Philippe Walter, ‘Joint Statement on the right to data protection in the context of the COVID-19 pandemic’ Council of Europe, 30 March 2020 https://www.coe.int/en/web/data-protection/statement-by-alessandra-pierucci-and-jean-philippe-walter
 Supra p 31, art 11 (1)
 Recommendation CM/Rec(2019)2 of the Committee of Ministers to member States on the protection of health-related data, Adopted by the Committee of Ministers on 27 March 2019 https://search.coe.int/cm/Pages/result_details.aspx?ObjectId=090000168093b26e
About the Author
Jasleen Virk is pursuing BA.LLB degree from Jindal Global Law School. She is also an in-house Research Associate at The Digital Future.