The use of technology serves as one of the most effective tools in combating a pandemic owing to its accessibility and pervasiveness. Several governments have launched smartphone-based applications to trace coronavirus-infected and susceptible persons with a view to containing the spread of the disease. The use of this technology has yielded positive results in several countries, including China, South Korea, Taiwan, and Singapore. However, although these measures deserve recognition for their role in monitoring the pandemic, they pose a grave threat to the right to privacy. This is because most of these applications store users’ data in central servers, making them susceptible to governmental abuse.
The Right to Privacy
The right to privacy is recognised as a fundamental human right under Article 12 of the Universal Declaration of Human Rights, Article 17 of the International Covenant on Civil and Political Rights, and in many other international and regional treaties. To keep these rights relevant in the internet age, the UN expanded the mandate of Article 12 to ensure digital privacy via United Nations General Assembly resolution 68/167, which compels states to ‘respect and protect the right to privacy, including in the context of digital communication’ by ‘review[ing] their procedures, practices and legislation regarding the surveillance of communications, their interception and the collection of personal data, including mass surveillance, interception and collection’.
In the United Kingdom, human rights are protected under the Human Rights Act, 1988. The Act upholds the European Convention on Human Rights which, under Article 8, gives recognition to the right to respect of private and family life. In India, the Supreme Court in Justice K. S. Puttaswamy (Retd.) v. Union of India has recognised the right to privacy as an intrinsic part of the right to life and personal liberty under Article 21 of the Constitution.
Contact tracing is a measure that enables the tracing of persons who are confirmed or suspected to have been infected by Covid-19, thereby reducing the transmission of the outbreak. Both India and the UK have deployed contact tracing applications to assist their governments in monitoring public health. In India, a GPS and Bluetooth technology-based application called Aarogya Setu was launched in April and has been in the news for various privacy concerns. The UK’s NHS Covid-19 App, although still in the testing phase, has also garnered criticism for similar reasons.
An important distinction between the two applications is the transparency that the two governments have shown. Although the Indian Government has a policy on the adoption of open source software, Aarogya Setu’s code has not been disclosed. On the other hand, the NHS application is open sourced. Making the source code available enhances transparency and also improves security by enabling the software community to examine the code and fix vulnerabilities, if any.
Both countries store the collected data on a central server. The main risk that a centralised system poses is that by collecting data relating to proximity it enables assimilation of the data to identify sub-groups and social circles. The system developed by Apple and Google, on the other hand, is decentralised and has the data stored on individual devices. It is notable that the UK has also indicated its inclination to shift to a decentralised mechanism of storing data, by adopting this software.
The UK government is introducing the NHS Application in a phased manner by testing it in the Isle of Wight before launching it across the country. There have been reports of bugs, multiple notifications and other technical glitches in the application. Further, only forty percent of the population of the island has downloaded it. It has been widely speculated that the government will abandon this version of the application and adopt a decentralised model after the trial. This is contrary to India’s approach, where Aarogya Setu was launched across the country without any trial or any adequate data protection mechanism in place. A cautious approach like the one adopted by the UK would have been preferable for India as well, considering the large population of the country and the lack of any data protection regime. We have already seen instances of hacking of the application, which have exposed the weakness of the application’s security and risked the data of 90 million Indians.
The UK Parliament passed the Data Protection Act in 2018, which complements the European Union’s General Data Protection Regulations and updates the Data Protection Act of 1998. The Act provides for the processing of personal data and establishes the office of the Information Commissioner to promote transparency by public offices and data privacy for individuals.
This is in direct contrast with the obsolete data protection framework in India. Though the Indian Supreme Court has recognised the right to privacy as a fundamental right, there is no robust data protection infrastructure in India. On the directions of the Supreme Court, the government appointed the Justice Srikrishna Committee, which pointed out loopholes in the legal framework governing data protection in India and recommended the enactment of a new data protection law. However, the Indian Parliament is yet to pass the Personal Data Protection Bill of 2019, and in the absence of such a law, crucial data of citizens remains unprotected and vulnerable to misuse. The currently applicable Information and Technology Act, 2000 and the rules framed under it are inadequate to protect sensitive personal data of users.
Furthermore, as data from Aarogya Setu can be used to restrict the fundamental rights of citizens and their access to basic amenities, it becomes a constitutional requirement under Articles 19 and 21 of the Indian Constitution to have a procedure established by law in this regard. However, no such law has been passed to govern the application. Similarly, in the UK, the Joint Committee on Human Rights has recommended that governmental assurances on the protection of privacy must be placed and that a law governing the application must be passed. It has also suggested putting in place an independent oversight mechanism.
Contact tracing applications serve as a desirable and promising tool for the protection of public health. However, governments must gain the trust of their citizens in order for the system to work efficiently. Citizens must be assured that their personal data will not be stored or used beyond the pandemic, in line with international human rights law. Governments must address their concerns by taking proper steps such as enacting primary legislation to govern the application, putting in place an independent oversight mechanism to ensure transparency, improving the efficacy of the application, and following the principles of data protection such as data minimization and data anonymity.