A Deal Violating Privacy Rights In The COVID Veil

Introduction

The past decade has seen an unprecedented growth of information technology, computational power, and cellular network. This growth has to be contextualized and seen from the spectrum of an increased collection in the generation and dissemination of data, to the extent that experts have termed data as the new Oil.

Collection, storage of personal data has become a matter of concern for citizens across the world. Regulators, baffled with this exponential growth have tried to address this issue with either patchwork legislation or new laws tailor-made to modern times. The exploitation of an individual’s personal data for commercial, non-commercial and crimes et al is a serious threat to their privacy and a violation of their rights as envisaged by the Constitution of India. Recently the Government of Kerala entered into an agreement with the United States based Information Technology firm Sprinklr to share the personal information of the patients of the Covid-19 pandemic. The potentialities of these data to be exploited and used as an espionage tool for other unintended purposes was at high risk hence was strongly opposed.

In its defense the Kerala Government contended that the entities controlled by them i.e. C-DIT & Info Kerala Mission were not technically equipped to manage large volumes of data. The contract was executed to overcome the worst-case projections by enriching the identified vulnerable population and establishing an effective communication channel among them. Since the company was seen to have experience and technology to process large volumes of data the state sought to work in collaboration with the Company to defeat the pandemic.

The Kerala High Court in (Balu Gopalakrishnan v. State of Kerala & Ors) passed an order directing the Government of Kerala to anonymize all the data that has been collected from its citizens and to inform them that such data is likely to be accessed by Sprinklr. Anonymization in technical parlance means a method where under data is processed to an extent that it cannot be attributed, connected or linked back to a particular individual, thus making it difficult for a third person to comprehend its origin.

Contract with Sprinklr a threat to Right to Privacy

As explained earlier, data concerning a person has assumed a commercially important position for businesses and a strategic value for the government. While the government intends to use this data for the overall societal good and proper administration, the collection of data has raised many concerns amongst privacy experts. This includes the Aadhaar program implemented by the Unique Identification Authority of India. The government initially introduced Aadhaar as a mandatory document for all governmental services. However, apprehending that the data collected could lead to invasion of the privacy of the citizen, even by the Government, The Hon. Supreme Court in the landmark judgment of (Justice K. S. Puttaswamy (Retd.) and Anr. vs Union of India And Ors.)[i], held that right to privacy is a fundamental right and even the government cannot be allowed to make Aadhar compulsory.

In the present factual matrix, the personal data of thousands of covid-19 patients and those under observation, in the event of the covid-19 pandemic persisting, is a valuable property that if shared can later be manipulated. According to Point 2.2 of the Code of Medical Ethics Regulation, 2002 a Healthy body is the very foundation of all human activities and in a welfare state, it is the obligation of the state to enforce creation and sustenance of conditions of good health. Confidences concerning individual or domestic life entrusted by patients to a physician and defects in the disposition or character of patients observed during medical attendance should never be revealed.

In the absence of any law or regulatory mechanism to deal with data protection, the government is taking undue advantage of the position. To fill this gap in law, the Personal Data Protection Bill, 2019 had been introduced in the parliament. The said bill makes the procurement, storage, transfer and application of data punishable if it is in a manner contrary to law. The state government was fully aware of the commercial value of personal data and could have been more conscious before enforcing an agreement that was in conflict with law. The Kerala Government collected the data keeping the patients in complete darkness of the decision of passing on the information to a foreign private company. The government’s approach of siphoning off valuable personal medical information without the informed consent of the patients is a violation of the right to life of the patients.  The right to privacy is implicit in the right to life and liberty guaranteed to the citizens of the country under Article 21 of the Constitution of India.[ii]

The legal paradigm of consent in medical treatment

Consent is a representation of legal and ethical expression of a patient. This consent shall in all respects be informed and made by a competent individual. The law thus presumes capacity, rationality, autonomy, and freedom if a person consents to be treated. The whole contemplation of law is that no treatment should begin without a prior consent to be treated. This principle of autonomy or consent comes under the ambit of Article 21 of the Constitution of India. In India, the entire gamut of laws on consent turns into complex propositions if an emergency medical situation arises. The outbreak of COVID-19 is a medical emergency but it cannot be taken as a plea while violating the rights of the individuals. Under Article 21, it is a paramount duty of any welfare state to safeguard the rights of its people. In the present case, Kerala Government collected the data of the patients diagnosed with covid-19 and passed them to a foreign company without their consent; this is a huge violation of the rights of these patients.

The procedural problem while entering contract by the IT Department

The Information Technology Act of 2000 which, in all probability, is the only law enacted by the Parliament to deal with issues related to the collection of personal information is grossly inadequate to deal with the dangers of such data collected and stored being put to wrongful use or allowed to be commercially exploited, even by governmental agencies. The contract entered into by the Government of Kerala and the Sprinklr is in clear violation of the rules envisaged under Information Technology Rules, 2011. Rule 6 of the said rules classify data related to the medical records or history of a patient as a sensitive personal data which cannot be obtained, stored, transferred or sold, except with the permission of the citizens concerned, and that too for larger public interest.

The contract was entered into by the IT Secretary with Sprinklr incorporation on the premise that the data collection and storage is required as part of the State’s preparedness to fight against the diabolic corona pandemic. It was argued by the government that the decision of using a SaaS (Software as a Service) application developed and deployed by Sprinklr was a reasonable decision. Such a step was taken after consultation with the department of the state with representatives of the health department, local self-government department and state disaster management authority (SDMA). If that be so, it is primarily a matter of concern of the Department of Health. It is for the department of Health to initiate the proposal and for the Hon’ble Minister for health to approve it, then to forward the same for the consideration and approval of the departments of General Administration, Finance, Information Technology and Law. These are the rules for the conduct of the business of the government, from which no deviation should ordinarily be made. The file thereafter ought to receive the approval of the Chief Minister and since it concerns an agreement with a company situated abroad, the approval of the Cabinet too, would have to be obtained. In the present case neither of the above mentioned authorities was taken into confidence.

Position of Contract Post Order of Anonymization by the High Court

Following directions from the Kerala High Court, the state recently issued guidelines under which the state mandated the consent of the individuals for collecting their personal data for COVID- related activities was made mandatory. Furthermore the guideline ensures the anonymization of data before it is shared with any third-party. The said guideline will apply retroactively to all COVID-19 related data already collected.

Conclusion

The incident above mentioned has rekindled the debate in the public domain about the total lack of regulatory mechanism concerning inter alia, the collection of personal information by government and non-governmental agencies to ensure that the personal data collected is protected and is not allowed to be sold or exploited for commercial considerations and otherwise abused, thereby putting in jeopardy the valuable rights and liberties of the citizen.

The recent outbreak of Covid-19 has brought the whole world to a standstill. This rising toll across the globe has disturbed the sinusoid of the world order in every domain. India lacks the sufficient laws in the field of data protection, it’s still floating on uncertain waters and the interim order passed by the Kerala High Court indicates the urgency of recognizing the data protection laws. We cannot afford the COVID epidemic to be substituted with the data epidemic.