The COVID-19 pandemic has caused Governments around the world to make use of contact tracing applications to monitor the spread of the virus. In India, the government has made use of a mobile application, Aarogya Setu, to monitor those who have been in contact with an infected individual. Although contact tracing is an important step in order to curb the spread of the virus, several concerns have been raised about the privacy available to the individuals whose data has been monitored.

The right to privacy was recognized by the Supreme Court as a fundamental right under article 21 in Justice KS Puttaswamy v. Union of India. Questions have been raised regarding the parties that have access to sensitive information, particularly information relating to the health of the individual. This paper seeks to examine whether the privacy of the citizens is adequately preserved and protected by the use of such contact tracing apps.

Introduction
In March 2020, the World Health Organization declared Covid-19 a pandemic. This has caused several countries around the world to implement strict measures to track and monitor the spread of this disease. India has been using the Epidemic Diseases Act, 1897, and the Disaster Management Act, 2005 to tackle this unprecedented situation[1]. Although every country has adopted a different method to control the spread of the virus, some more stringent than others, a common denominator is the use of three non-pharmaceutical methods, viz. social distancing, testing, and contact tracing of those infected.[2]

Governments and health workers around the world have realised the importance of closely observing the affected persons is of paramount importance in order to assess and implement preventive and control measures.[3]

They have been harnessing the power of data to arrive at digital solutions. For an effective front-line response, data concerning the spread of the virus, such as the location and number of new confirmed cases, rates of recoveries and deaths, and the source of new cases (international arrivals or community transmission) has been exceedingly important.

Data is also crucial to check and improve the capacity of health care systems, and to evaluate how efficient policies regarding the movement of individuals in order to ensure the containment of the virus are. Many governments have turned to various digital technologies and have used advanced analytics to collect, analyse and share data for front-line responses, in particular, geolocation data that is derived from mobile records or collected from mobile applications; and biometrics, particularly facial recognition data.[4]

Contact tracing provides authorities with the information required to identify anyone who has been in relatively close contact with an infected individual. Health authorities have been using this instrument to create a list of at-risk individuals who a certain patient has been in contact with.[5]

Data analysis has enabled governments to implement measures that will stop the pandemic at its source and help in preventing deaths, social disruption, burdens on the healthcare system and economic loss. As government authorities are required to control the pandemic not only in their own country, but also understand how the same is evolving in other countries as well, governments all over the world have taken the stance that free flow of information that is updated in real time will allow for the formation of a steady global picture and help in curbing the spread of the pandemic.[6]

Public authorities have put forward digital contact tracing to make the process more efficient and effective. In most cases, a smartphone is required to make efficient use of the system. Currently, there is no universally adopted contract tracing method. The apps developed by different countries have differed in several aspects. The main points of divergence are regarding the use of GPS location or Bluetooth data and the centralized or decentralized storage of data.[7]

However, despite the potential benefits contact tracing and mobile phone assisted surveillance programmes have, several important privacy concerns have arisen. There are significant risks to citizens from the collection of sensitive data, including personal health, location, and contact data. Those whose personal information is being collected may have concerns about who will receive and have access to their data, how those recipients might use the data, how the data might be shared with other entities, and what measures will be taken to safeguard the data from theft or abuse.[8]

The risk of privacy violations can also have an impact on government accountability and public trust. The possibility that one's privacy may be violated by government officials or technology companies may dissuade individuals from getting tested for COVID-19, downloading public health oriented mobile phone apps, or sharing symptom or location data. Moreover real or perceived privacy concerns might discourage citizens from believing government messages or complying with government orders regarding COVID-19.[9]

The Right to Privacy in India

The right to privacy was recognised as a fundamental right under article 21 of the Constitution in 2017, by a nine judge bench of the Supreme Court, in the case of Justice K.S. Puttaswamy v. Union of India.[10] In 2012, Justice K S Puttaswamy, a retired judge of the High Court, filed a writ petition in the Supreme Court challenging the constitutional validity of the Aadhaar scheme introduced by the UPA Government.

On 11th August 2015, a Bench of three judges comprising Justices Chelameswar, Bobde, and C. Nagappan passed an order that a Bench of appropriate strength must examine the correctness of the decisions in M P Sharma v Satish Chandra, District Magistrate, Delhi, 1954 (8 Judge Bench) and Kharak Singh v State of Uttar Pradesh, 1964 (6 Judge Bench). In particular it ordered that the Court must decide whether the citizens have a fundamental right to privacy[11].

This matter was first placed before a 5 Judge Bench headed by the then Chief Justice Khehar. Subsequently, the matter was referred to a 9 Judge Bench on 18th July 2017. The Bench comprised Chief Justice Khehar and Justices Jasti Chelameshwar, S.A. Bobde, DY Chandrachud, Abdul Nazeer, Nariman, R.K. Agarwal, Abhay Manohar Sapre, and Sanjay Kishan Kaul. Arguments began on 19th July 2017 and concluded on 2nd August 2017.[12]

In a historic decision delivered on 24th August 2017, the Bench unanimously recognised a fundamental right to privacy of every individual guaranteed by the Constitution, within Article 21 in particular and Part III on the whole. The decisions in M.P. Sharma and Kharak Singh were overruled.[13]

The Government argued that the Constitution did not grant specific protection for the right to privacy. The Court reasoned that privacy is an incident of fundamental freedom or liberty guaranteed under Article 21 which provides that: “No person shall be deprived of his life or personal liberty except according to procedure established by law”.[14]

Current Legal Framework for Data Protection in India

The Information Technology Act, 2000 (the IT Act) read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the SPDI Rules, together with the IT Act Data Protection Laws) contain specific provisions governing the protection of personal data in India. The SPDI Rules classify any information related to the physical, psychological and mental health and wellbeing of a person as sensitive personal data or information (SPDI) and any other information that relates to a natural personal, which is capable of identifying such a person is classified as personal information (PI).[15]

Public-health authorities and corporate firms and companies are able to collect personal information of an individual or employee, such as medical records, data related to their physical and mental health, body temperature, etc. This information is classified as SPDI under the Data Protection Laws and thus may only be collected subject to compliance with certain specific conditions. However, information relating to one's personal and official travel history is categorized as PI.[16]

SPDI is subject to greater protection under the Data Protection Laws. For instance, any data pertaining to such information may only be collected for a lawful purpose connected with a function or activity of the body corporate when such collection is necessary. The person whose data is being collected must be aware that their data is being collected, and must also be informed of those who will receive the data being collected, and the reason for collecting the data.

The provider of the information has the option of not providing the data that is being sought, and any organization or person holding such SPDI shall not retain that information for longer than is required for the purpose for which such information may lawfully be used. An organization collecting SPDI is required to obtain informed consent of the information provider prior to disclosing such information to any third party, except when such information is shared to government agencies in accordance with the Data Protection Laws.[17]

The Supreme Court, in its landmark decision KS Puttaswamy v. Union of India (2017) held that right to privacy is a part of the right to life and personal liberty and is a fundamental right under the Constitution of India. The Supreme Court of India also observed that the right to privacy is not absolute; however, any restriction is required to be within the framework of law.[18]

Contact Tracing in India

India launched the mobile tracing application Aarogya Setu on April 2, 2020 which tracks the location of an infected individual and notifies the application users of their proximity to such individuals.[19] India has been making use of mapping techniques, with the data gathered from contact tracing to create certain zones for COVID-19 clusters and hot spots, along with location tracking techniques to track infected patients.

The various mobile applications and Bluetooth trackers also look at techniques of mapping the spread of the disease through geographic information system (“GIS”), which assist policymakers and authorities during outbreaks. The Indian Government has also tested an application that uses telecom data to send emails and text-message alerts to the authorities if a person has evaded quarantine[20].

Some of the innovative methods being adopted by state authorities include the Karnataka government mandatorily asking for photographs of the infected patients on an hourly basis along with their location tag. The Gujarat government has launched a GIS based mobile application to monitor the movement of those who are under home-quarantine.

Similarly, the Punjab Government is using call detail records and global positioning systems to ensure that people maintain quarantine, while the local police authorities in Tamil Nadu are using facial recognition and geo fencing measures for the same. Municipal corporations in Maharashtra have been generating heat maps with the locations of infected persons to understand the spread of the infection, while in some extreme cases, have also employed drones for surveillance of densely populated regions.

Some states, like Rajasthan, have used cruder methods, such as such as publishing personal details of infected persons, while Delhi has been pasting posters outside the homes of individuals who were suspected to have been infected, declaring that they were under ‘home quarantine'.[21]

The legislations that the government has relied upon to legitimize their actions are the Epidemic Diseases Act, 1897, and the National Disaster Management Act, 2005. However, there is still a healthy dose of apprehension regarding the legal usage of the data collected through these methods. While government authorities have declared that the data would be encrypted as a safeguard and no personal data such as name, age, sex, etc., will be released to any party, the methods being used by state authorities seem to belie such assurances.[22]

Any state action that is taken to control the spread of COVID through methods such as contact tracing should be measured against the three tests laid down in the majority judgment in Puttaswamy v. Union of India, authored by Justice DY Chandrachud. Firstly, the legality of the action has to be questioned. Although the central government has relied on residuary powers under Section 6 of the Disaster Management Act, 2005, while state authorities have claimed that they derive their powers from Section 2(1) of the Epidemic Diseases Act, 1897, it may be difficult to assert that these laws actually grant the authorities the power to collate, organize and disseminate the data of the citizens as they have done.[23]

The second test laid down in Justice Chandrachud's judgment is the test of legitimate aim. Although the government may argue that its actions have a basis in law, the test of legitimate aim has to be fulfilled. In the present situation, arguably, the overarching question of public health and safety is more important than the right to privacy. However, as pressing as the need to contain the virus is, it is also necessary to ensure that the right to privacy of the citizens does not get curtailed in the process, which would set a dangerous precedent.[24]

The third prong of the test deals with the proportionality of the legitimate aim with the object sought to be achieved. The objective behind implementing the above measures like contact tracing is simple: to ensure that the spread of the disease is halted, due to a lesser number of infections, which will therefore lead to a lesser number of deaths.

However, in order for State actions to be proportional and not arbitrary, states must only collect minimum data, ensure that the data collected is anonymised, and that this data is used only for the limited purpose of handling the public health situation, and not stored or transferred to any parties not authorised to have access to such data. It must be noted that Section 12 of the Personal Data Protection Bill, 2019, does, in fact, allow processing of personal data without consent during medical emergencies and pandemics. However, the Bill has not been passed till date.[25]

The State Government of Kerala introduced the Sprinklr application, a move which has been criticised on the ground an entity not based in India has access to an individual's sensitive personal information. A petition was filed in the High Court of Kerala, challenging the contract between the Government of Kerala and Sprinklr.

In April 2020, the High Court issued an interim order asking the State Government to anonymise all the data collected with respect to COVID-19 before it is shared with Sprinklr, and to inform all citizens from whom data is collected that such data can be shared with Sprinklr or any third party and obtain their consent.

The High Court of Kerala has also restrained Sprinklr from committing any act that may lead to a breach of confidentiality of the data collected under the auspices of the contract between the state government and Sprinklr, and has also restricted it from exploiting such data directly or indirectly for commercial purposes or advertising or representing to any third party that they have access to data relating to COVID-19 cases. The court also ordered Sprinklr to return all data to the State Government of Kerala once the contractual obligations are over and delete any residual or secondary data in its possession.[26]

Based on the tests laid down by Justice Chandrachud in the Puttaswamy judgment, generation of maps demarcating the COVID-19 hotspots and the usage of geo fencing may not be violative of the right to privacy under article 21, however, measures such as publishing of lists of affected individuals, along with their personal details are definitely unconstitutional. Apart from such lists being released without the consent of the named individuals, thereby violating their reasonable expectation of privacy, it also leads to unnecessary stigma and harassment.[27]

Conclusion
The current circumstances caused by the COVID-19 pandemic have been unprecedented. Health and Government authorities are taking steps to contain the spread of the virus, through various measures such as data tracking, contact tracing, and mass surveillance. However, since the information that is bring collected now will be available for a long time to come, the government must strike a careful balance between the protection of public health and maintaining every citizen's fundamental right to privacy.[28]

The dichotomy between public health preservation and protection of the citizens' fundamental right to privacy, is a serious concern and cannot be ignored. Tracking and surveillance in the present situation does serve a compelling state interest, however, for the purposes of constitutional sanctity, it is imperative to enforce safeguards as well. Public health interest may be a legitimate reason to increase monitoring of individuals, but monitoring by government authorities must be approached with utmost caution. If caution is not exercised in times of urgency, we may be successful in containing the spread of the virus, but may irreparably damage the constitutional fabric.[29]

Bibliography

1. Vikram Jeet Singh, Kalindhi Bhatia, India: Being Privacy Compliant During COVID-19, Mondaq, https://www.mondaq.com/india/data-protection/928466/being-privacy-compliant-during-covid-19
2. Emre Kursat Kaya, Safety And Privacy In The Time Of Covid-19: Contact Tracing Applications, Centre for Economics and Foreign Policy Studies (2020), https://www.jstor.org/stable/resrep26089
3. OECD, Ensuring Data Privacy as we Battle COVID-19, https://www.oecd.org/coronavirus/policy-responses/ensuring-data-privacy-as-we-battle-covid-19-36c2f31e/
4. Benjamin Boudreaux, Matthew DeNardo, Sarah W. Denton, Ricardo Sanchez,Katie Feistel and Hardika Dayalani, STRENGTHENING PRIVACY PROTECTIONS in COVID-19 Mobile Phone-Enhanced Surveillance Programs, RAND Corporation (2020) https://www.jstor.org/stable/resrep25384
5. Justice K.S. Puttaswamy v. Union of India (2017) 10 SCC 1
6. Fundamental Right to Privacy, Supreme Court Observer https://www.scobserver.in/court-case/fundamental-right-to-privacy
7. Puttaswamy v. India, Global Freedom of Expression, Columbia University https://globalfreedomofexpression.columbia.edu/cases/puttaswamy-v-india/
8. Shivaji Bhattacharya, Anindhya Shrivastava, COVID-19: Implications On The Data Protection Framework In India, MONDAQ https://www.mondaq.com/india/data-protection/928998/covid-19-implications-on-the-data-protection-%20%20framework-in-india?signup=true
9. Ankoosh Mehta, Ria Lulla, Sanika Gokhale, Double Trouble in 2020 – Tackling COVID-19 while Protecting the Right to Privacy, Cyril Amarchand Mangaldas Blogs
   https://corporate.cyrilamarchandblogs.com/2020/05/tackling-covid-19-while-protecting-the-right-to-privacy/

End-Notes:

1. Vikram Jeet Singh, Kalindhi Bhatia, India: Being Privacy Compliant During COVID-19, Mondaq, https://www.mondaq.com/india/data-protection/928466/being-privacy-compliant-during-covid-19
2. Emre Kursat Kaya, Safety And Privacy In The Time Of Covid-19: Contact Tracing Applications, Centre for Economics and Foreign Policy Studies (2020), https://www.jstor.org/stable/resrep26089
3. Supra note 1
4. OECD, Ensuring Data Privacy as we Battle COVID-19, https://www.oecd.org/coronavirus/policy-responses/ensuring-data-privacy-as-we-battle-covid-19-36c2f31e/
5. Supra note 2
6. Supra note 1
7. Supra note 2
8. Benjamin Boudreaux, Matthew DeNardo, Sarah W. Denton, Ricardo Sanchez,Katie Feistel and Hardika Dayalani, STRENGTHENING PRIVACY PROTECTIONS in COVID-19 Mobile Phone-Enhanced Surveillance Programs, RAND Corporation (2020) https://www.jstor.org/stable/resrep25384
9. Id.
10. Justice K.S. Puttaswamy v. Union of India (2017) 10 SCC 1
11. Fundamental Right to Privacy, Supreme Court Observer
    https://www.scobserver.in/court-case/fundamental-right-to-privacy
12. id.
13. Id
14. Puttaswamy v. India, Global Freedom of Expression, Columbia University
    https://globalfreedomofexpression.columbia.edu/cases/puttaswamy-v-india/
15. Shivaji Bhattacharya, Anindhya Shrivastava, COVID-19: Implications On The Data Protection Framework In India, MONDAQ
    https://www.mondaq.com/india/data-protection/928998/covid-19-implications-on-the-data-protection-%20%20framework-in-india?signup=true
16. Id.
17. Id.
18. Id.
19. Id
20. Ankoosh Mehta, Ria Lulla, Sanika Gokhale, Double Trouble in 2020 – Tackling COVID-19 while Protecting the Right to Privacy, Cyril Amarchand Mangaldas Blogs
    https://corporate.cyrilamarchandblogs.com/2020/05/tackling-covid-19-while-protecting-the-right-to-privacy/
21. Id
22. Id
23. Id
24. Id
25. Id
26. Supra note 15
27. Supra note 20