By: Nitesh Mishra
“To be left alone is the most precious thing one can ask of the modern world.”
– Anthony Burgess
INTRODUCTION
Since no vaccine yet exists to prevent the spread of the coronavirus, the WHO has suggested social distancing, to which governments across the globe have resorted, as a means of preventing the spread of the virus. However, in order to implement such orders of social distancing and lockdowns, governments necessarily need to process the location data of their citizens, which has raised serious privacy concerns.
The grimness of the situation is accentuated further, when third parties, like the Big Tech companies, come into the picture, and share the location data of their users, contrary to every promise of privacy made in the past. Reportedly, Facebook Inc. has been sharing location data with academic researchers in the USA, while Google recently released, in the public domain, the ‘Community Mobility Reports’, which reveal the changes in the movement patterns of its users amidst the global pandemic.
While the data has been anonymised by Google, and the location of any individual citizen cannot be known from the reports, the wide array of location data with the Big Techs, which they may use according to their whims, has concerned the privacy advocates. The situation gets even worse in India, where the right to privacy exists only as an abstract concept and there is no data protection law yet, which is a continuous violation of the Supreme Court’s mandate in the case of Justice K.S. Puttaswamy (Retd.) v Union of India.
Further, the attitude of the Indian Government towards the privacy of citizens has been dismal, and the state has seemed to be keen on placing its citizens under constant surveillance, as proposed under the Personal Data Protection Bill, 2019. The privacy nightmare that could emanate from such contributing factors is open to speculation and not ill-founded, and hence, calls for pre-emptive legal analysis.
LIKELY COLOURED ACTIONS OF THE GOVERNMENT
The Supreme Court has held that the doctrine of colourability is based on the principle that the state cannot do indirectly what it cannot do directly. In Ujjam Bai v State of U.P., the Court had extended the application of this doctrine to executive actions. In relation to this pandemic, it is argued that the state is likely to indirectly violate the right to privacy of the citizens by means of private technology-based companies.
The government has launched a series of applications in public-private partnerships in order to effectively track the citizens in real-time irrespective of them being affected by the virus or not. One of the creators of one such application, ‘Aarogya Setu’, has stated that there shall be no breach of privacy by the data collected and processed through the application. Nevertheless, experts have raised concerns since the privacy policy of the application does not clearly lay down the scope of sharing such data within the agencies. Also, it does not provide for any time limit for when the data collected through the application may be stored on the government servers.
However, I argue that despite the huge amount of data being collected by such applications of the government, the spread of coronavirus cannot be prevented by the mere prospective collection of location data, as these applications have only been launched recently. Further, the success of these applications largely depends on the number of people downloading them on their mobile phones and feeding reliable data into the applications. The number of people with access to smartphones and the internet is abysmally low in India. The prospect of being quarantined if they have come in contact with an infected individual would further deter people from feeding reliable data into such applications.
For these reasons, it has been accepted by people involved in consultations for ‘Aarogya Setu’ that the application cannot be universally adopted in India. This would, in turn, require the government to turn to private technology-based companies, which are in control of a huge amount of location and other data of its users, for effective tracking and monitoring during the pandemic. Such an implication is not ill-founded for the reason that, reportedly, countries across the globe are resorting to similar methods for efficient tracking.
This would open a Pandora’s box of privacy violations in light of the fact that there does not exist a data protection law in India. The private companies do not have any specified obligations with respect to the extent of data that they can collect and process. Further, even if the companies were to say that the data provided to the government is anonymised, reportedly, such data in the hands of the government is still dangerous as it might leave certain communities vulnerable.
Hence, while the state itself is directly bound by the right to privacy under Article 21 of the Constitution, it is likely to indirectly violate the fundamental rights of the citizens by means of the private companies. The lack of any data protection laws in India only heightens the scope of violation that is possible.
The actions of the government would also not meet the test of proportionality prescribed in the Puttaswamy judgment, for the reason that the exercise of such powers would be absolute. There are no pre-existing safeguards in law that prescribe the extent of the collection of data, the manner of its processing and the time period for which it can be stored.
REASONABLE WAY OUT OF THE CONUNDRUM
Recently, a case was filed before the Delhi High Court wherein the petitioner had argued that Twitter Inc. performs an essential public function of disseminating information and news, and hence, ought not to violate the fundamental rights under the Constitution. While the case remains sub judice, the reasoning of the petitioner offers a way out of the current predicament. The public function test has time and again been resorted to by the courts for upholding the sanctity of the fundamental rights, including in the case of BCCI v Cricket Association of Bihar.
Surveillance and monitoring have traditionally been functions of the state, and hence, are public functions. Section 69 of the Information Technology (Amendment) Act, 2008, provides the government with powers to intercept, monitor or decrypt any data or information stored on any computer resource for the reason of public safety, public order etc.
Hence, if the government were to ask certain private entities for the location data of the citizens for effective monitoring, and those entities were thereby to surveil at the behest of the government, it is only prudent for the private entities to be considered to have performed public functions. This would, in turn, put a direct obligation upon the private companies to not violate the right to privacy of the people, and would be a safeguard for the people against the actions of both the government and the private technology-based companies with access to their data.
CONCLUSION
The right to privacy during a global pandemic tends to be overlooked. However, the perils of a potential privacy breach are heightened during such times, thus, leaving the most vulnerable communities at risk. The right to privacy is not absolute. However, the restrictions placed upon the exercise of the right ought to be proportional.
While the location data reports would be needed to effectively protect the community from the coronavirus, the private companies, and in turn, the government, necessarily need to be obligated to not violate the fundamental right to privacy of the people. This might be done by enacting amenable policies by both the government and the companies, with respect to the collection, storage and sharing of data. This would prevent the right to privacy from being completely obliterated. Such a pre-emptive approach and increased scrutiny of the actions of private technology-based companies would prevent our descent into an Orwellian dystopia amidst a global pandemic.
(Nitesh is currently a law undergraduate at National Law University, Delhi. He may be contacted at nitesh.mishra17@nludelhi.ac.in.)
Cite as: Nitesh Mishra, ‘Big Tech and Privacy Concern during the Pandemic: A Ticking Timebomb?’ (The RMLNLU Law Review Blog, 08 May 2020) <https://rmlnlulawreview.wordpress.com/2020/05/08/big-tech-and-privacy-concern-during-the-pandemic-a-ticking-timebomb> date of access.