By: Aditi Jaiswal & Anubhav Das, 4th Year students of NUALS Kochi, RMLNLU Lucknow
Introduction
In the wake of COVID-19, where the collection of data is an essential tool to search and track the individuals infected, an issue might arise in the near future when this pandemic is over. The data collected now by the state can be used for its intended purpose, but it can also be used to the detriment of an individual. As a result of this data collection, the right to privacy, which has been declared a fundamental right by the Supreme Court, may be infringed.
Among the data collected to track individuals infected—or potentially infected—with COVID-19 is location data and biographical data. This data is personal and can be used to understand an individual and make predictions about that individual which can then be used against them. For example, look at the app recently launched by the Indian government, the Aarogya Setu App. This app predicts the chances of an individual having COVID-19 by tracking the location of an individual. Using the individual’s location, the app then checks if that individual has come into proximity with an infected person. This location data can be used to predict the number of family members present, which grocery store they shop at, and more. Just as Target[1] predicted the pregnancy of a woman by analysing her shopping list, algorithms can be used to process the data collected, ostensibly for COVID-19 tracking, to learn things that one might never wish to reveal. The location tracking could even be used to predict something as personal as an extramarital affair.
Although the privacy policy[2] of the app mentions that the data collected will be deleted after a certain period of time, do we have any legislation which could be used to make the state liable should they fail to do so? This article will deal with a very basic concept in data protection law: purpose limitation. This article will analyse the existing law in India and whether or not it can combat such issues, before further analysing the Data Protection Bill of 2019 and its importance in the current case.
The Present:
The principle of purpose limitation under the data protection law is this: the data collected must be used for the purpose specified and when that specified purpose is accomplished, the data must later be deleted. It is essential that this principle is adhered to with the data collected by the state to track COVID-19 cases. This is the only way to ensure the data can never be used later for any other purpose.
Currently, the IT (Reasonable Security Practices And Procedures And Sensitive Personal Data or Information) Rules, 2011 (“IT Act”) governs the collection of data.[3] The IT Act recognizes the need for a privacy policy, information collection requirements, information disclosure requirements and more. Rule 5 (4) of the IT Act deals with purpose limitation. Rule 5 states that the “body corporate” cannot retain the data collected after the purpose for which it was collected has been accomplished. This means the “body corporate” is mandated to delete the data once the purpose is accomplished. Had this rule been written more broadly, it could have effectively dealt with the issue of data collection by the state. The problem lies in the definition of “body corporate” under the rule. Rule 5(4) only defines “body corporate” to be “any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities”.[4] Thus, this rule does not apply to the state and the data collection done by the state to track cases of COVID-19. This oversight in the IT Act can be dealt with, either through an amendment to the IT Act or with new data protection legislation.
The Future:
In the Puttaswamy case,[5] the Supreme Court acknowledged the need for separate legislation for data protection in India. As a result, after much deliberation, the Personal Data Protection Bill, 2019 (the “PDP Bill”) was introduced in parliament on December 11, 2019. The bill is currently being analysed by a Joint Parliamentary Committee and it includes important provisions which could be used to combat the problem of data collection by the state in the times of COVID-19.
Section 9(1) of the PDP Bill states that the “data fiduciary” shall not retain personal data once the purpose of collecting that data is fulfilled.[6] An important aspect of this provision is that the rule governs not just any “body corporate,” but rather any “data fiduciary.” Section 3 (13) of the PDP Bill defines “data fiduciary” to include the state. This means that if this Bill were law right now, the data collected by the state would be required to be deleted once the pandemic is over or once that data has been used for its purpose. Moreover, if the state does not comply with this provision then it “shall be liable to a penalty which may extend to fifteen crore rupees or four percent of its total worldwide turnover of the preceding financial year, whichever is higher.” However, the PDP Bill is not law right now and there is no chance of it being enacted soon. This might give the state an active chance to evade liability, even if they violate the privacy of an individual.
The Reality:
As mentioned above, the PDP Bill is still being considered by a Joint Parliamentary Committee. It has not even seen the floor of discussion in the parliament. No one knows when or if this Bill will pass and become law. Moreover, considering the current situation of the COVID-19 pandemic, such discussions or deliberations will only take place once the pandemic is over. Thus, even if the Bill becomes an Act, the important thing to consider now is its retrospective applicability.
The state will only be liable for misuse of the data collected now if, when the PDP Bill becomes law, the law has retrospective application. The Bill, in its current form, is silent regarding retrospective application. As per the BN Srikrishna Committee report,[7] which presented the draft Personal Data Protection Bill 2018, the PDP Bill will have no retrospective application. The rationale given by the committee is that retrospective application of the law will not give the data fiduciary enough time to come into compliance. Thus, the state can evade all liability for misuse of personal data and the data collected now can be misused without legal repercussion until the PDP Bill becomes law. This will ultimately hamper the privacy of individuals.
Conclusion:
Data protection legislation in India is needed now. This legislation will help prevent data misuse in the future and will help to maintain the privacy of an individual. The issue of data collection in the times of COVID-19 can also be remedied by amending the IT Act’s definition of “body corporate” to include the state or by enacting the PDP Bill along with a provision for its retrospective application. The retrospective application of the Bill will be an essential step towards curbing the potential misuse of data being done now by the state. This in turn will preserve and protect the informational privacy of individuals.
[1] See Kashmir Hill, How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did, FORBES (Feb. 16, 2012, 11:02am), https://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/#69f563446668.
[2] See Rohit Chatterjee, Arogya Setu App Gets Revised Privacy Policy, ANALYTICSINDIAMAG (Apr. 2020), https://analyticsindiamag.com/arogya-setu-app-gets-revised-privacy-policy/.
[3] See S.S. Rana & Co, Advocates, India: Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011, Mondaq (Sept. 5, 2017), https://www.mondaq.com/india/data-protection/626190/information-technology-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011.
[4] See Elonnai Hickok, Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, Centre for Internet & Society (Aug. 11, 2015), https://cis-india.org/internet-governance/blog/big-data-and-information-technology-rules-2011.
[5] See K. S. Puttaswamy v. Union of India, Writ Petition (Civil) No. 494 of 2012 (Sup. Ct. India Aug. 24, 2017).
[6] See The Personal Data Protection Bill, 2019, PRS Legislative Research, https://www.prsindia.org/billtrack/personal-data-protection-bill-2019.
[7] Committee of Experts Under the Chairmanship of Justice B.N Srikrishna, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians, Ministry of Electronics & Info. Technology, July 2018, https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf.