Pic Credits- https://nakedsecurity.sophos.com/
The COVID-19 pandemic has posed great challenges to humanity and also impacted many aspects of law in India. With the current state of evolving data protection law, it is imperative to assess the legality of many precautionary measures taken by private establishments and Central/State Governments in light of existing and forthcoming law.
The judgment of the Supreme Court in Justice (Retd.) K. S. Puttaswamy v. Union of India [(2015) 8 SCC 735] includes a three-fold test including existence of law, legitimate aim and proportionality to determine if an act invading privacy is legally permissible. In addition to the above, key principles such as purpose, storage limitation, legal basis for processing etc. have been recognized. An important case in point, may also be the judgment in Mr. X v. Hospital Z, where the court held that disclosure of a communicable life-threatening disease may not be violative of the right to privacy in view of the right to lead a healthy life.
The Personal Data Protection Bill, 2019 (“PDP Bill”) fortifies the foundations laid down in Puttaswamy. While the Central Government is empowered to exempt any agency from application of the PDP Bill, the PDP Bill, undoubtedly, presents a comprehensive data protection framework for India.
The PDP Bill also provides exemptions for processing of personal data necessary for responding to medical emergencies involving threat of life or severe threat of health to the data principal and measures necessary for provision of medical treatment and health services to individuals during an epidemic, outbreak of disease or other threat to public health. Undoubtedly, a lot is yet to fructify with the codes of practice and regulations issued by the proposed Data Protection Authority.
Guidance by other countries
Many member states in the European Union and other countries, have issued consolidated guidance on data protection aspects in light of the pandemic, including notably:
a) The statement of the European Data Protection Board (“EDPB”) outlines the lawful basis for processing (both by the Government/agencies and employers), processing of sensitive data, locational data provides clarity on exemptions available, both under the General Data Protection Regulation (“GDPR”) and as may be available under national laws.
b) Another piece of notable guidance is the EDPB’s guidance on use of location data and contact tracing tools dated April 21, 2020. The guidance, inter alia, recommends privacy by design and default, legal clarity by member states and the use of anonymized data, proximity data (rather than location data), pseudonymous identifiers and state-of-the-art cryptographic techniques for securing data storage and exchanges.
c) The Department of Health & Human Services, U.S. (“HHS”) has issued guidance on enforcement discretion for empowering medical providers to serve using video/audio-based telehealth. It provides guidance on partnering with technology vendors which are compliant with Health Information Portability and Accountability Act, 1996 (“HIPAA”) [and rules thereunder] and enter into business associate agreements (“BAAs”) as opposed to use of public-facing platforms (including social networks). It also lists out some of the HIPAA-compliant platforms. Further, the guidance indicates that the Office of Civil Rights (“OCR”) would extend enforcement discretion to not impose penalties for non-compliance with regulatory requirements under HIPAA against health care providers in connection with good faith provision of telehealth during the COVID-19 pandemic.
d) The Office of the Privacy Commissioner, Canada (“OPC”) has provided guidance, inter alia, around application of the Personal Information Protection and Electronic Documents Act (“PIPEDA”) in relation to consent, disclosure pursuant to legal requirement, authority requests, emergencies that threaten life and health and security of individual. In addition, PIPEDA, the guidance also provides purposes for which personal information may be disclosed by Government institutions without consent.
e) The Personal Data Protection Commission, Singapore has issued guidance around collection of personal data for contact tracing. Notably, the guidance permits organizations to collect identification numbers (including passports etc.) for the purpose of contact tracing, however, in compliance with the Personal Data Protection Act, 2012. The PDPC also recommends use of digital applications for contact tracing.
Part A: Directions & Guidelines by the Government
The Government has passed many orders/guidelines/directions for management of the COVID-19 pandemic. One such instance is the Order of the Ministry of Home Affairs dated May 1, 2020 (“Order 1”) and the National Directives for COVID-19 Management (“Directives”) which had required heads of organizations to ensure 100% coverage of the Aarogya Setu application (“App”) amongst all employees. In addition to the above, other guidelines were issued by the Central/State Governments under the Disaster Management Act, 2005 and the Epidemic Diseases Act, 1897.
Given that the SPDI Rules are inapplicable to the Government (and the PDP Bill allows Government to exempt its agencies), the ground for challenge remained under Puttaswamy.
The Ministry of Electronics and Information Technology has released the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020 (“Protocol”) on May 11, 2020 which deals with principles for collection, processing and sharing of response data collected through the app. The Protocol provides for guidance around sharing such data at three levels viz. sharing with the Government and health agencies, sharing with other agencies of the Government and sharing with third parties. The first level of sharing, within health departments and other departments of the Central/State Government directly engaging in control measures, includes personal information. The second level, with other departments of Central/State Government, providing assistance in control measures, is sharing of de-identified data. However, no indication of identifiers is provided. The third level involves sharing of ‘hard-anonymized’ information with universities, research institutes and other entities. The notable deviation is that the hard anonymization standard is a substantial dilution from the standard under the PDP Bill and reflects a GDPR-like standard based on reasonable efforts, likely to be assessed based on time, efforts and cost basis.
A petition challenging the Order 1 and Directives was filed in the Kerala High Court. Pending disposal of the matter, the Ministry of Home Affairs, vide its order dated May 17, 2020 (“Order 2”) diluted the mandatory requirements and instead required employers to ensure download by employees having ‘compatible phones’ on a ‘best-effort basis’.
While the mandatory requirement has been diluted, a case may be made to adopt precautionary measures in usage of the App including enhancing data security, affording data principal rights, use of proximity data (as opposed to location data) etc. may be adopted by the Government in line with the accepted international standards.
Part B: Private Entities and Legal Basis
In light of the above, the Government (and MEITY) may consider providing clarity on application of the SPDI Rules in times of COVID-19. It may be impractical to require entities to obtain and comply with, particularly, the ISO 27001 requirement, prior to collecting temperature readings as a precautionary measure (arguendo the absence of a legal basis).
While many other measures to support industry and business have been adopted (including relaxation of the work-from-home requirements applicable to Other Service Providers etc.), the Government may also consider implementing other digital-friendly measures such as easing higher standards around secure electronic signatures which are extremely relevant for digital execution of contracts.
(This post has been authored by Sameer Avasarala and Shreya Mukherjee. Sameer is an associate working with Cyril Amarchand Mangaldas and a member of TCLF Board of Advisors. Shreya is a third year law student at Symbiosis Law School, Pune.)