By: Aditi Jaiswal & Anubhav Das, 4th Year students of NUALS Kochi, RMLNLU Lucknow
In the wake of COVID-19, where the collection of data is an essential tool to search and track the individuals infected, an issue might arise in the near future when this pandemic is over. The data collected now by the state can be used for its intended purpose, but it can also be used to the detriment of an individual. As a result of this data collection, the right to privacy, which has been declared a fundamental right by the Supreme Court, may be infringed.
Among the data collected to track individuals infected—or potentially infected—with COVID-19 is location data and biographical data. This data is personal and can be used to understand an individual and make predictions about that individual which can be then be used against them. For an example, look at the app recently launched by the Indian government, the Aarogya Setu App. This app predicts the chances of an individual having COVID-19 by tracking the location of an individual. Using the individual’s location, the app then checks if that individual has come into proximity with an infected person. This location data can be used to predict the number of family members present, which grocery store they shop at, and more. Just as Target predicted the pregnancy of a woman by analysing her shopping list, algorithms can be used to process the data collected, ostensibly for COVID-19 tracking, to learn things that one might never wish to reveal. The location tracking could even be used to predict something as personal as an extramarital affair.
The principle of purpose limitation under the data protection law is this: the data collected must be used for the purpose specified and when that specified purpose is accomplished, the data must later be deleted. It is essential that this principle is adhered to with the data collected by the state to track COVID-19 cases. This is the only way to ensure the data can never be used later for any other purpose.
In the Puttuswamy case, the Supreme Court acknowledged the need for separate legislation for data protection in India. As a result, after much deliberation, the Personal Data Protection Bill, 2019 (the “PDP Bill”) was introduced in parliament on December, 11 2019. The bill is currently being analysed by a Joint Parliamentary Committee and it includes important provisions which could be used to combat the problem of data collection by the state in the times of COVID-19.
Section 9(1) of the PDP Bill states that the “data fiduciary” shall not retain personal data once the purpose of collecting that data is fulfilled. An important aspect of this provision is that the rule governs not just any “body corporate,” but rather any “data fiduciary.” Section 3 (13) of the PDP Bill defines “data fiduciary” to include the state. This means that if this Bill was law right now, the data collected by the state would be required to be deleted once the pandemic is over or once that data has been used for its purpose. Moreover, if the state does not comply with this provision then it “shall be liable to a penalty which may extend to fifteen crore rupees or four percent of its total worldwide turnover of the preceding financial year, whichever is higher.” However, the PDP Bill is not law right now and there is no a chance of it being enacted soon. This might give the state an active chance to evade liability, even if they violate the privacy of an individual.
As mentioned above, the PDP Bill is still being considered by a Joint Parliamentary Committee. It has not even seen the floor of discussion in the parliament. No one knows when or if this Bill will pass and become law. Moreover, considering the current situation of the COVID-19 pandemic, such discussions or deliberations will only take place once the pandemic is over. Thus, even if the Bill becomes an Act, the important thing to consider now is the retrospective applicability of it.
The state will only be liable for misuse of the data collected now if, when the PDP Bill becomes law, the law has retrospective application. The Bill, in its current form, is silent regarding retrospective application. As per the BN Srikrishna Committee report, which presented the draft Personal Data Protection Bill 2018, the PDP Bill will have no retrospective application. The rationale given by the committee is that retrospective application of the law will not give the data fiduciary enough time to come into compliance. Thus, the state can evade all liability for misuse of personal data and the data collected now can be misused without legal repercussion until the PDP Bill becomes law. This will ultimately hamper the privacy of individuals.
Data protection legislation in India is needed now. This legislation will help prevent data misuse in the future and will help to maintain the privacy of an individual. The issue of data collection in the times of COVID-19 can also be remedied by amending the IT Act’s definition of “body corporate” to include the state or by enacting the PDP Bill along with a provision for its retrospective application. The retrospective application of the Bill will be an essential step towards curbing the potential misuse of data being done now by the state. This in turn will preserve and protect the informational privacy of individuals.
 See Kashmir Hill, How Target Figured Out A Teen Girl Was Pregnant Before Her Father Did, FORBES (Feb. 16, 2012, 11:02am), https://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/#69f563446668.
 See S.S. Rana & Co, Advocates, India: Information Technology (Reasonable Security Practices And Procedures And Sensitive Personal Data Or Information) Rules, 2011, Mondaq (Sept. 5, 2017), https://www.mondaq.com/india/data-protection/626190/information-technology-reasonable-security-practices-and-procedures-and-sensitive-personal-data-or-information-rules-2011.
 See Elonnai Hickok, Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, Centre for internet & society (Aug. 11, 2015), https://cis-india.org/internet-governance/blog/big-data-and-information-technology-rules-2011.
 See K. S. Puttaswamy v. Union of India, Writ Petition (Civil) No . 494 of 2012 (Sup. Ct. India Aug. 24, 2017).
 See The Personal Data Protection Bill, 2019, PRS Legislative Research, https://www.prsindia.org/billtrack/personal-data-protection-bill-2019.
 Committee of Experts Under the Chairmanship of Justice B.N Srikrishna, A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians, Ministry of Electronics & Info. Technology, July 2018, https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf.