Tracking the virus

Individual data should not be used for any other purpose

One worrying aspect in the fight against the pandemic is the violation of individual privacy. While contact tracing may be necessary at the moment, it should not be normalised. The state should not routinely continue to conduct surveillance upon citizens in the post-Covid-19 era, and must restrict the release of personal information into the public domain. This is especially worrying since India doesn’t have personal data protection laws, and the proposed Act lacks any protection against government snooping.

Contact tracing is a standard procedure in tackling an epidemic. Hence, collecting travel history details is necessary. In addition, continuous location data is all-important in maintaining quarantine and self-isolation. These details are tied to the medical history of the individuals concerned. Hence, sensitive personal data like names, age, contact numbers, travel history, locational data, and medical records, are being collected and collated on vast scales at this instant.

While consent is required for the private sector to collect such data in most jurisdictions, the proposed personal data protection law offers blanket permissions to the government. There have been embarrassing incidents, where lists of quarantined persons have been released into the public domain and disseminated on social media. This has resulted in ostracism and landlords forcing tenants to vacate their homes. Affected individuals have also been stigmatised by coverage in electronic media where they are clearly recognisable. Some states have indulged in the practice of stamping quarantine notices with indelible ink on the arms of individuals. It has even been proposed that quarantined persons should be ordered to send selfies on an hourly basis. Again, this would be extremely intrusive (and also easy to fake).

The government is now pushing the Aarogya App, which is designed to help with contact tracing. This new app works by continually recording the location of the handset. It uses Bluetooth to check if that handset is in close proximity with any handset used by any infected individual. It is clever use of technology designed to red-flag situations where an infected person is within two metres of someone. However, it also means that the exact location of every user of the app is known, 24x7. The app is said to keep the data encrypted on the device, until and unless the user tests positive for the disease, or is required to take a test due to being in close contact with an infected person. However, even if this encryption is taken on faith, major questions remain about how long such data would be stored, and how this data would be secured. As mentioned above, the lack of safeguards with regard to data protection makes this disturbing.

Many other nations such as China, Singapore, Italy, Germany, France and Israel have released similar tracking tools. The Singapore app is open-source and, therefore, open to easy review. The European Union’s citizens are protected by the stringent provisions of the GDPR (General Data Protection Regulation). The European Data Protection Board has also issued special guidelines as to how public authorities can process personal data. Europeans can also take advantage of the “Right to Forget” provisions in the GDPR to ensure their personal data is erased once the crisis is over.

Proportionality is key in this situation. The basic principle is that the minimum data necessary should be collected, and that data should not be used for any other purpose apart from fighting the pandemic. Moreover, the data should not be made public without consent unless there is an absolute necessity. Once the crisis is over, the data should be erased and these apps withdrawn. Given the lack of a specific data protection law and the absence of a data protection regulator, Indian citizens are extremely vulnerable to the misuse of the masses of data being collected at the moment. Citizens should be assured that this data will not be misused now, and that it will be erased and anonymised once the crisis is over. The pandemic should not be used as an excuse for India becoming a surveillance state.