The following article addresses the privacy problems that India faces in the wake of this corona pandemic. Several countries such as China, Singapore, and also the USA are facing, or have faced, concerns about privacy. Besides, during this pandemic, India is among these countries, where citizens' rights in matters of privacy are violated. Under Article 21 of the Indian Constitution of 1950, the right to privacy is guaranteed. The breach with respect to such matters was found when the government created and made it mandatory to download an app Aarogya Setu for the safety of its people during these emergencies.

The app is developed by the National Informatics Centre (NIC) for which there is no law passed by the Parliament to allow the app to be created and to make it compulsory for each citizen to download it in violation of the laws of the Information Technology Act, 2000. Several other issues were also observed and it was, therefore, necessary to approach the court and provide different guidelines for the citizens to use and impose such an app.

History of Right To Privacy

Before 2017, the right to privacy was not at all a fundamental right within the country. In 1976 Supreme Court of India held in ADM Jabalpur v. Shivkant shukla[i], which is popularly referred to as the Habeas Corpus case, where a five-judge-bench decided that under the emergency provisions nobody could seek the assistance of any Court within the country to try & save his liberty, life, limb threatened to be taken away by the State. But recently in 2017, the Supreme Court of India overruled its own previous decision.

The Court consisting of a nine-judge constitutional bench of K .S Puttaswamy v. Union of India[ii] (Puttaswamy I), recognized the right to privacy is an integral component of fundamental right under the right of life and personal liberty. The Puttaswamy judgment lays down a three-part test to examine whether an action of State alleged of breaching a citizen's privacy is valid.

These are as follows:
First, it has to be an action sanctioned by law.
Second, it has to be an action that is necessary for a legitimate aim.
Third, it's to be an action which is proportionate for the achievement of that aim. So, the technical methods adopted by the govt should qualify the three-part test before being enforced.

Meanwhile, a five-judge bench of the Supreme Court deciding the constitutionality of Aadhar (Puttaswamy II)[iii], further reiterated the principles of informational privacy and recognized personal data protection as a component of the right to privacy. Also, The Lok Sabha, through the Personal Data Protection Bill introduced in December 2019, sought to establish a regulatory framework for the collection and use of personal data. Section 3(21) of the Bill defines “health data as data relating to the physical or mental health of the data principal, i.e. the owner of the data[iv].

How Government Is Breaching Right To Privacy?

During this pandemic, it was observed that individuals' right to privacy has violated widely in various forms. Karnataka was among India's primary states to publish lists of COVID-19 patients and individuals who self-quarantined in late March. The state government, in line with media reports, released the data on its website which included the names and addresses of the individuals staying indoors. Some people also posted the lists on social media that could spot and quarantine people through [v].

A plea was filed before the High Court in Kerala alleging that the personal details of Covid-19 patients were leaked by hospitals that treated these patients to private companies. Hospitals sell their patient's details to other private entities and so those private players use this information for their benefit. People from different states have lodged lawsuits about these kinds of issues. One of the petitioners stated in his plea that after giving his contact number to a government hospital, he was contacted by a private entity. Because of this incontrovertible evidence, he charged in his petition that hospitals treating Covid-19 patients were revealing details of those patients to private companies, breaching their privacy rights[vi].

The Epidemic Diseases Act of 1897 and also the National Disaster Management Act of 2005 show that no provision in these Acts permits or legitimizes the publication of personal data of the persons in a public database. As such, the executive's action to upload private information of quarantined individuals within the public domain is prima facie infringement of the fundamental right to privacy. The Govt executives' justification for such public disclosure is that harmonized data sharing has become an essential instrument in the ongoing fight against coronavirus.

The release of data about people to the general public does not serve any useful purpose. Also, the central government took a huge hit and launched an Aarogya Setu app without any legislation passed by the parliament allowing the creation and the government made the app mandatory for people working in public and private offices, for all train travelers and for people living in areas considered high-risk for the spread of the virus. MHA guidelines also indicated that the authorities will ensure that everyone in Containment Zones uses the Aarogya Setu app.

There is even a threat of fines and prison terms for people who refuse to install the app that makes this application mandatory, which contravenes the Information Technology Act, 2000. Also, the privacy policy does not clarify how secure your data is. No mention is made of any cybersecurity parameters and it does not explain how it complies with IT Act 2000 and IT Rules 2011. The app still doesn't tell us who, in terms of government departments, will all access my records.

A clause in the official policy says exempts the govt from liability in the event of 'any unauthorized access to the user's information or modification thereof[vii]. This means there is no liability for the govt, whether the users ' personal information is leaked or not. It also raised concerns about how much data the app collects. It asks its users to share their name, phone number, age, gender, profession, and country details that have been visited in the last 30 days. Leader of Congress Rahul Gandhi alleged that the mobile application of Aarogya Setu was a sophisticated surveillance system outsourced to a private operator without institutional supervision[viii].

But a representative of the government rejected the allegations that the Aarogya Setu app is outsourced to the private sector. Another interesting thing happened on twitter, an ethical hacker claimed that 90 million Indians' privacy is at stake because of security issues with the Indian app and tagged Rahul Gandhi, saying you were right[ix]. Once again, the Centre Government gave the same answer that there was no data or security breach and that this ethical hacker has proved that no personal information of any user is in danger. Is that center government response satisfactory for those whose privacy is at risk?

Do Drastic times imply drastic measures?
Using those methods can raise legitimate concerns about the invasion of people's privacy. Some arguments would be that it is necessary to take these steps during this condition even if it breaches any citizen's rights and the government has the right to try and do so because it is an emergency. Everyone should know it's not an emergency it's a pandemic and emergency provisions and emergencies did not match this situation unless the central government applied an emergency under Article 352 of the Indian Constitution, 1950, and even in an emergency, the government could not violate the fundamental rights of Indian citizens.

The right to privacy is therefore a fundamental right, and this right cannot be violated by anyone. The right to privacy must not be sacrificed to the full for the benefit of public health. Even in health emergencies, governments need to ensure that their citizens' privacy rights are not infringed disproportionately. They must also be sure of other fundamental rights such as the right to free movement, which the government has restricted. The govt should be allowed to behave in the best interests of its citizens, even if it means a short-lived suspension of privacy rights.

A pandemic doesn't need to mean a complete reform of human rights. The State must make every effort to retain as much of the rights of its people as it can. Collecting information isn't an issue for anyone but removing that data in public without their consent is a problem. Every citizen should support the government at this pandemic time, but the government should also understand what steps they take and it does not infringe any citizen's fundamental rights. They have to take these things together to achieve a free Corona India.

End-Notes:

1. ADM Jabalpur v. Shivkant shukla, (1976) 2 SCC 521
2. K .S Puttaswamy v. Union of India, (2017) 10 SCC 1
3. K .S Puttaswamy v. Union of India ,2018 SCC Online SC 1642
4. https://www.prsindia.org/billtrack/personal-data-protection-bill-2019
5. https://www.thehindubusinessline.com/opinion/privacy-challenges-during-covid-19/article31382552.ece#
6. https://www.barandbench.com/news/litigation/plea-in-kerala-hc-raises-concern-that-details-of-covid-19-patients-are-being-leaked-by-hospitals-to-private-players-govt-to-file-statement
7. https://economictimes.indiatimes.com/tech/software/legal-experts-point-out-liability-concerns-with-the-aarogya-setu-app/articleshow/75561944.cms?from=mdr
8. https://economictimes.indiatimes.com/news/politics-and-nation/rahul-gandhi-raises-security-privacy-concerns-over-arogya-setu-app/articleshow/75508771.cms?from=mdr
9. https://www.thehindu.com/news/national/ethical-hacker-robert-baptiste-elliot-alderson-sees-security-flaws-in-aarogya-setu/article31515292.ece

The author is a student of Symbiosis Law School, Pune