Privacy Policy in times of Pandemic- an analogy of contact tracing apps between India and the UK

The adoption of technology is one of the most practical means of fighting against the global pandemic because of its universality and convenience. The nations are trying to use tracing contact technologies for keeping an eye on the spread of the virus. These Contact tracing technologies are proving to be a success in many parts of the East Asian countries. Although these steps deserve commendable respect for observing the spread of the virus, they are a major threat to the Right to privacy of Individuals. The reasons behind such threats are the storage of the individual’s data in the central server by the android apps. Thus, risking user’s data for the government’s mishandling and abuses. Most of the European countries are already using Decentralized contact-tracing apps for protecting the privacy of individuals. Hence, this article takes a comparative approach between the centralised contact-tracing apps of the UK and India.  Recently, the UK abandoned the centralised NHS contract tracing-app which is similar to the centralised contact-tracing app of India, ‘Aarogya-Setu’. The decision to abandon the NHS contact-tracing app came after several backlashes from the privacy campaigners. But, on the contrary, the Aarogya-Setu is still widely used in India despite having privacy defects and compromising the data-privacy of Individuals. Therefore, it becomes pertinent to analyse the privacy policy of these apps, where one government is abandoning the app and the other one is making it mandatory in certain parts of the country.

 The Right to Privacy

Many Internationals and municipal treaties such as the International Covenant on Civil and Political Rights and Universal Declaration of Human Rights declares the Right to Privacy as the Fundamental Human Rights of the Human Beings. For maintaining the relevancy of these rights in the digital era, The UN widened the ambit of Article 12 for protecting the legal privacy of individuals via resolution 68/167 of the UN General Assembly. It contains provisions for the protection and communication of data.

In India, the Supreme Court recognized the Right to Privacy in the landmark case of Justice K S Puttaswami( Retd.) V Union of India. The Hon’ble Court held that the Right to Privacy is innate to Article 21 of the constitution that provides for Right to life and Personal Liberty. On the other hand, The Human Rights Act, 1988 protects the Human Rights of the Citizens of the UK. It also upholds the Right to Privacy enshrined under Article 8 of the European Convention on Human Rights.

Contact Tracing Technology

It’s a technology that traces the person who is suspected or confirmed to be infected from the coronavirus and thus protects others from the virus transmission. The government of both countries are using contact tracing technology for monitoring and assisting the Public health. The government of India in April launched a GPS and Bluetooth technology-enabled app ‘Aarogya Setu’ that raised the privacy concern of the users. Also, the UK has launched NHS COVID-19, an app that is in its testing phase. But the data privacy issues in these contact tracing app has caused a lot of stir in privacy and Human Rights scholars.

Privacy

India and The UK anonymize the collected data with the help of the Static Ids of the users. The main issue in this system is the single layer of protection which makes it easier to De-anonymize

the collected data. In the UK, it has been reported that the ministers will have the power of the

De-anonymization of data. On the other hand, Aragoya Setu’s privacy policy is silent on such de-anonymization of the collected data. The TaceTogether application app of Singapore uses dynamic ID, thus provides multi-layered protection to the collected data of the users.

The methods of data collection used by these two applications are also different. Unlike Aarogya Setu that collects sensitive data of users such as travel history, name, age, profession, and location which is collected on a central cloud server, NHS application only requires half of the user’s postcode, Bluetooth use, and the phone model. The other concern pertains to the sharing of collected data with others.  The government can share the collected information from Aarogya Setu that “may be shared with such other necessary and relevant persons as may be required to carry out necessary administrative and medical interventions”. Additionally, the terms of use of the app ignore the objective of privacy limitations and give unlimited power to the government for sharing the personal data of users. The Indian government revised the terms of privacy policy without notifying the users. The revised terms may grant unlimited power related to the sharing of collected data to application developers and thus is not in conformity to the General Data Protection Regulation

The Limited Liability Clause gives immunity to the government against any harm due to leaked information or misinformation. Similar concerns are also raised over the NHS application for its vague purpose because it also grants keeping data beyond the pandemic for research work which risks the sharing of data to the private parties by the government.  The data is collected and stored on a central server by both countries. The problem with such a centralized collection of data is the sharing of data in various social groups and private parties in the name of research work. The best alternative can be Apple or Google devices that allow decentralized data storage on the users’ mobile phones which has been finalised in the UK for replacing the NHS COVID-19 app.

Transparency

The most notable difference between the contact-tracing apps of The UK and India is its transparency. The Indian government follows the policy of the adoption of open-source software but the code used in Aarogya Setu’s app hasn’t been disclosed. NHS is also using open-sourced software. Making the use of open-source code improves the transparency builds trust and security among the users. But Aarogya setu users lack giving their informed consent because the terms of Services are available only for those users who have finished the registration process. The compulsory use of this application for a particular class of users also raises many issues of consent. The non-installation of the Aarogya app has been made a punishable-offence in several parts of India. But the UK government has made it clear that the use of NHS will be voluntary and not compulsory.

Legal Policies

The Data Protection Act, 2018 of the UK is based on the EU’s General Data Protection regulations. It contains provisions for processing the Personal Data and aims to bring transparency in the Public offices and user’s data privacy.

This is in complete contradiction to the outdated data protection laws of India. There is no strong data protection framework in India for upholding the Supreme Court’s view on the Right to Privacy as the Fundamental right of Citizens. The government constituted the Srikrishna Committee on the orders of the Supreme Court of India for finding the Lacunas in the data policy framework of India and to enact a new data privacy law.  However, the Government has failed in passing the Data Protection Bill, 2019, and the users’ data to date remains vulnerable to privacy attacks.

Moreover, Aarogya Setu data can restrict the fundamental rights of the citizens but the constitution provides for the procedure established by law under Article 19 and 21 of the constitution. But no law has been passed for governing the Aarogya Setu according to the procedure established by law. Also, the Joint Commission on Human Rights in the UK has recommended that privacy must be protected by governmental assurance and the law governing NHS application must be passed.

The approach of the governments

NHS app was being introduced in a phased manner. The UK government launched it in the Isle of Wight before introducing it in the country.NHS application has been reported for multiple bugs and technical glitches and only Forty-percent of the population is using this application. Contrary to the UK’s approach, Aarogya Setu was launched in India without any trials or any steps for data protection. It would have been better if the Indian Government would have launched Aarogya setu by following the cautious approach of the UK. India is the second-most populous country in the world and there have been cases of hacking and leaking of personal data of 100 million users.

 Conclusion

Contact tracing apps are a ray of hope in these uncertain and most challenging times of contemporary human history. However, it becomes the responsibility of the government to gain the confidence of its citizens for the systematic and effective use of these applications.  Citizens must be given protection for the collected data and should not be used beyond the pandemic following the international Human Rights principles. The government should implement a mechanism for governing the application and thus securing the transparency and following the principles of International Data Privacy principles such as data anonymity and data protection.

_____________________________________________________________________________________

ABOUT THE AUTHOR

Mohit Kumar is a 4th-year law student at Symbiosis Law School, Hyderabad. 

In Content Picture Credit: racolb legal