The novel coronavirus pandemic is not only causing tens of thousands of deaths worldwide, damaging economies and disrupting normal lifestyles of people, but it is also posing several legal challenges. One such challenge is the right to privacy vs. the right to public health. Aggressive and intrusive contact-tracing mechanisms of governments worldwide during this acute public health emergency are causing certain privacy concerns among civil liberties defenders. It has been argued that we simply can’t defend privacy while public health is tailspinning, but privacy and public health do not have to be incommensurable goals. Assertive containment strategies do not require governments to be completely ignorant of other rights, nor do they require any kind of epidemiological inaction for the sake of informational and associational privacy of individuals.
The collection and sharing of biomedical data is sine qua non for containing the infectious diseases in order to identify point of contact. The pandemic has further escalated the need for collecting and sharing data, as well as for tracking people’s movements. For instance, China’s government used CCTV footage to retrace interactions among disease carriers. Alipay Health Code System in China automatically assigns each user a color-coded infectious threat level. South Korea used credit card transactions as information for the same. The Israeli government disclosed the existence of a large cache of cellphone data to track the movements and social contacts of infected persons. This aggressive digital surveillance has been justified by governments worldwide in the name of public health crises during the pandemic. European countries where data is protected by General Data Protection Regulation have sought to suspend some regulations, taking into account Article 9 (2)(1)of GDPR, which allows for data processing when necessary in public interest, such as serious cross-border health threats.
However, despite such exceptions, strict regulations for data protection should not be blatantly suspended or ignored. There ought to be balance, especially when privacy rights have received spectacular national and international recognition. This becomes even more important when institutionalization of biosurveillance technologies leads to biomedical data, which is sensitive data, being factored into routine government screening and monitoring. Tech companies and certain private players can chase this untapped resource if it is not properly regulated. Also, there is no clue as to what happens to the data and the whole surveillance mechanism once the emergency ends. The way that privacy rights are dealt with will create a lasting impact on the way that privacy is perceived in future. Thus, a robust regime of surveillance is necessary, requiring stringent procedures to keep this information safe and to delete it when no longer in use. A government’s transparency and an engaged society are all very important to fight this pandemic.
A fear of misuse or of a privacy breach is not peculiar to this pandemic. China has been building a digital authoritarian surveillance state from pre-pandemic times. China and the U.S. have been doing so on the international stage, to determine global standards and to shape key network infrastructure, exporting 5G technology and the Orwellian system of facial recognition abroad. Recently, Microsoft too planned to launch 20 data sharing groups by 2022 and give away some of its digital information, including data collected on COVID-19.The Organisation for Economic Co-operation and Development, a group of mostly rich countries, reckons that if data collected through different mediums would be more widely exchanged, many countries could enjoy gains worth between 1% and 2.5% of GDP.
Privacy in India
What is worth noticing in today’s digitally advanced world, with the ever-increasing use of artificial intelligence, is that these problems are not limited to just rich and advanced economies. Multilateralism and globalization resulted in an interconnected world and the further sharing of these modern-age problems. The situation in India is no different regarding privacy concerns and the way the government is handling the recent crisis. Custom apps have been developed to enable tracking and to keep people aware about recent updates. Mobile phone companies are being asked to have subscriber geotracking data. However, many states have no statutes clearly addressing nondisclosure of personally identifiable health information generally held by public health agencies, and no statutes regarding disclosure under exceptional circumstances. Recently, the Division Bench of the Kerala High Court expressed concerns on the data of COVID-19 patients uploaded on the server of Sprinklr, a U.S. based data analytics firm. The Division Bench asked the state government to file a statement regarding data security and the contract between government and the company on data sharing by the law department.
The government finds legitimacy through statutes such as National Disaster Management Act; Section 5(2) of The Indian Telegraph Act (1885), which allows lawful interception of phones and computers; and Section 69 of Information Technology Act (2000), which deals with interception, monitoring and decryption of information. However, in the Puttaswamy Case, where the right to privacy was declared a fundamental right, the Supreme Court laid down a certain proportionality test and identified nine privacy principles pertaining to notice: choice and consent, collection limitation, purpose limitation, access and correction, non-disclosure of information, security of knowledge, openness or proportionality on the size, scope and sensitivity of information collected.
Reasonable restriction in the current situation seems justified. However, once the crisis ends, we need to be extra careful with the collected data and how it is treated later, since the right to privacy embodies the right to be forgotten. Patients can request that their data is deleted after they have been discharged, or after the clinical trial has been concluded. In the Indian scenario, patient information is kept for extended periods of time. This can be subject to unauthorized access and misuse. The deletion of patient information once it has been used for the purpose for which it was collected is thus imperative for the creation of an environment of privacy protection.
Conclusion
Though we see a kind of relaxation on certain privacy clauses worldwide, making space for geofencing, tracking and surveillance to contain the spread of infection, these reserve surveillance forces should be made democratically accountable under legislation that follows a parliamentary discussion on proportionality. Violations in the healthcare sector that stem from policy formulation and implementation gaps include the disclosure of personal health information to third parties without consent; unlimited or unnecessary collection of personal health data; provision of personal health data given for research; and commercial uses without de-identification of data and improper security standards, storage and disposal. It may result in a certain kind of discrimination or stigmatization. Thus, we need sound policies and special data protection legislation for sensitive data protection, especially in a country like India, where privacy is comparatively a newer concept. The authorities responsible for data collection during this pandemic and later should seek to process location data in an anonymous way to prevent individual identification. It also becomes the responsibility of the state to play an active role in collaborative efforts between public and private stakeholders to create a protective framework. This would allow such healthcare measures without completely shattering the existence of privacy rights of the individual, which emanate from the right to life and liberty.
Subhi Pastor is a first-year student pursuing his B.A. LL.B (Hons.) at the Dr. Ram Manohar Lohiya National Law University in Lucknow, India.
Suggested citation: Subhi Pastor, Conflict Between the Right to Privacy and the Right to Public Health: Global Phenomenon and Coronavirus Outbreak, JURIST – Student Commentary, May 7, 2020, https://www.jurist.org/commentary/2020/05/subhi-pastor-privacy-publichealth/.
This article was prepared for publication by Cassandra Maas, Assistant Editor for JURIST Commentary. Please direct any questions or comments to her at commentary@jurist.org