COVID-19, or the novel coronavirus, the outbreak of which was declared a "public health emergency of international concern" by the World Health Organisation on 30 January, 2020, has created a lot of chaos, putting governments all around the globe in muddy waters. In addition to the public health measures that are to be adopted by the concerned governments and health officials in order to contain the spread of the virus, the pandemic has also opened the doors for a plethora of data protection and privacy breach concerns.
One of the major steps that need to be taken to prevent this disease from spreading is to limit human-to-human transmission and to track the same for mapping the route of the virus in cases where a COVID-positive person might have come into contact with other people. It's then also necessary to carry out mapping of such plausible suspects, so as to identify the chain and to prevent them from further spreading the virus by putting them into quarantine centers, or imposing necessary travel restrictions.
In order to trace such persons, the locational data of the particular person/suspect becomes of utmost importance. Similarly, various public and private organisations are collecting travel history details of their employees and also their health/medical status. The collection of personal data such as names, age group, contact number, travel history, locational data etc, and even medical data which comes under 'sensitive personal data' under many jurisdictions — all of this gives rise to major concerns over how the said data is collected and processed and how it will be used by the concerned entities.
China was prompt enough to take steps in order to protect the personal data of their citizens by issuing relevant circulars and notices. The major step taken in this regard was the issuance of the CAC circular (Circular on Ensuring Effective Personal Information Protection and Utilisation of Big Data to Support Joint Efforts for Epidemic Prevention and Control) by the Cyberspace Administration of China. The circular provides elaborate guidelines for protection of personal data in the present scenario. Though China is not the best jurisdiction to emulate, the theoretical framework can be analysed. Among the many points elucidated in the circular, a few of them are worth mentioning.
Firstly, it emphasises protection of personal data according to the Chinese laws and regulations that govern cyber-security and prevention of public health emergencies. Whenever any personal data is collected and used with regard to the prevention and control of epidemic diseases, organisations will have to comply with the Personal Data Specifications. The basic principles of necessity and minimum collection should be adhered to. This would simply mean that organisations cannot go on to collect the personal data of any or all members, but only of those who have tested positive, are suspected to be infected or were in close contact with persons who tested positive.
Secondly, the personal data collected for prevention or treatment of such epidemic diseases will be used strictly for that purpose and nothing else. The information so collected cannot be made public without the consent of the data subjects, unless there is a necessity for preventing the epidemic disease.
Thirdly, provisions for non-compliance have been laid out as subject to administrative sanctions, civil liabilities and even criminal penalties in the event of any severe violation of the Chinese laws and regulations. Thus, even though companies with big data expertise are encouraged by the government itself to control and collect personal data in order to prevent the epidemic disease, they will still be held accountable in the event of any breach or violation. Hence, they will need to introduce stringent measures to prevent a data breach.
Similarly, the Ministry of Transport also issued an urgent notice on coordinating the work of COVID-19 Prevention and Control and Transport Security, specifically providing that no additional personal information of the passengers will be disclosed to agencies, organizations or individuals other than public health and related authorities.
The European Union, which has a more nuanced law regarding data protection, namely the General Data Protection Regulation (GDPR), has also issued a statement on the processing and collection of personal data amidst the COVID-19 outbreak. In the statement, the European Data Protection Board set out the legal grounds under GDPR on which companies and public authorities can process the personal data of data subjects without their consent in the wake of the COVID-19 pandemic, while remaining subject to the rule of proportionality.
Apart from that, the countries have their own privacy laws which are to be complied with. In this regard, the Italian Privacy Authority, the Garante, has asked that inquiries relating to employees' health information should not be made in a generalised manner by employers, but rather should be conducted by civic and public health authorities. It also specified that given the sensitive situation, some data protection rights might be suspended to combat the pandemic, but judicial recourse should be available to the data subject and the rule of proportionality will apply.
Similarly, the Data Protection Authority of France, CNIL, also set out the legal obligations under the EU GDPR as well as the French Public Health Code, stressing that privacy rights cannot be infringed by disclosing medical and health information.
The ePrivacy Directive, which deals with the processing of electronic communication data, states that the location data of an individual can only be used by the relevant service provider with the consent of the individual. It, however, provides that the member states of the EU can also use such data without such consent under their emergency legislation. Several affected member states are thus contemplating enacting emergency legislation.
A similar stance was taken by the US Department of Health and Human Services (HHS) while striking a balance between individual rights and public good. An official bulletin noted that the Health Insurance Portability and Accountability Act Privacy Rules permitted business entities and associates to disclose the health reports of individuals without authorisation. However, the bulletin reiterated that the Privacy Rules are not set aside during an emergency, thus stating that a balance must be maintained.
India, whilst dealing with the pandemic, also faces challenges on the privacy front, specifically because there is no law in place for data protection. The Indian law on the subject matter is restricted to Section 43-A (Compensation for failure to protect data) and Section 72-A (Punishment for disclosure of information in breach of lawful contract) of the Information Technology Act, 2000.
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 further defined what comprises sensitive personal data, and extended the law to body corporates (organisations) or persons located in India.
With no specific data protection regulator as opposed to other jurisdictions, there are genuine concerns that there may be tracking of personal data and mass surveillance. Travel history details would fall under personal information, and medical history/records of the infected or suspected persons may be classified as sensitive personal data. Asking for such information is in uncertain legal territory, with no proper privacy policies in place.
The information so collected and processed by the employers depends largely on how seriously they take privacy policies and measures to avoid mishandling of such sensitive personal data. If employers fail to maintain such data properly, they may have to pay hefty amounts later in order to compensate the individuals over privacy breaches.
The Indian government in the current scenario, like other jurisdictions, could at least have issued similar guidelines for public and private entities, elucidating some mandates to be taken care of while collecting personal data. Though privacy is now a fundamental right, laxity on the part of the government to ensure proper safeguards can prove to be problematic.
Although public health and welfare would be a bigger priority than individual rights, a proper demarcation should be made to ensure that legal rights of individuals are not overstepped by the government under the garb of public health.
Raghav Pandey is an Assistant Professor of Law at Maharashtra National Law University, Mumbai. Aditi Seetha is a Counsel at AS Law Chambers.
Updated Date: Mar 26, 2020 08:00:35 IST