Today, as the number of COVID patients rises globally, and India touches a new high daily, governments – both abroad and at home have scrambled to deploy their surveillance tech at their citizens. The Kerala government also attempted to create a data powered scalable Information Technology system to be used in the worst-case scenarios, like a sudden spike in cases of COVID-19 in the state.
“1.a. When you register on the App, the following information is collected from you and stored securely on a server operated and managed by the Government of India…”
While the policy mentions that the information is stored securely on the GoI server, it does not specify the level of encryption used and other safeguards in place, if any. Further, under clause 3 (b), while dealing with retention of user data, the policy does not clearly state that when will the data of an individual, in case he has tested positive for COVID-19, be purged from the device.
3.a. All personal information collected under Clauses 1(b), 1(c), 1(d) and 1(e) will be retained on the mobile device for a period of 30 days from the date of collection after which, if it has not already been uploaded to the Server, will be purged from the App. All information collected under Clauses 1(b), 1(c), 1(d) and 1(e) and uploaded to the Server will, to the extent that such information relates to people who have not tested positive for COVID-19, will be purged from the Server 45 days after being uploaded. All information collected under Clauses 1(b), 1(c), 1(d) and 1(e) of persons who have tested positive for COVID-19 will be purged from the Server 60 days after such persons have been declared cured of COVID-19.
Clearly, the policy provides for the deletion of an individual’s data from the phone when one hasn’t tested positive; and the data on the server – irrespective of the person being tested positive or negative. However, the wording of the clause omits the retention directive for data from the device of a COVID patient.
The residual data on an individual’s cellular device, coupled with the fact that the encryption or other security protocols employed to keep the “response data” secure aren’t known makes the device ripe for any targeted surveillance effort. This might be a high cybersecurity hazard keeping in mind that the response data also includes the person’s location activity at an interval of 15 minutes, along with other sensitive information.
The recent judgment by the Kerala HC, in what came to be known as the Sprinklr case, is monumental because of multiple reasons. Delivering the judgment, Devan Ramachandran, J. observed that the bench was impelled by the singular intent to ensure that there is no data epidemic after the COVID-19 pandemic was controlled. The court ordered the state government to anonymize all data that has been collected or collated and only anonymized data be shared with any third party, including Sprinklr Inc. The bench also directed the state government to inform every citizen (data principal) that his/her data has been shared with Sprinklr (data fiduciary) and is likely to be accessed by Sprinklr or any other third party service providers and that their specific consent shall be obtained.
The direction to anonymize collected data is in consonance with the right to anonymity as guaranteed to citizens in some jurisdictions globally. It has been well established that choosing to remain anonymous is essential to maintain freedom of expression and the right to privacy in the digital world. Right to anonymity isn’t explicitly mentioned in the Indian data protection jurisprudence but is rather assumed as an integral part of the freedom of speech and expression as guaranteed by the Indian Constitution.
In the absence of a robust data protection regime, the Sprinklr judgment comes as a relief. In this piece, I discuss the need of data anonymization, particularly health data, in light of Hon’ble Court’s mandate to anonymize any data “that has been collected and collated from the citizens of the State concerning the COVID-19 epidemic, as also with respect to all data to be collected in the future” – this applies to data before being shared with Sprinklr or any other third party and stored in any data centre. I have chosen to focus on this because of two primary reasons – firstly, even the proposed data protection bill, 2019 – currently under scrutiny by the Joint Parliamentary Committee – does not provide for anonymization of data; and secondly, most of the regulations on mining, processing, and sharing of personal data do not apply to anonymized big data.
In the Puttaswamy (Privacy) judgment, Justice Chandrachud explicitly recognized public health issues as an exception when it comes to anonymity:
“…the state may assert a legitimate interest in analysing data borne from hospital records to understand and deal with a public health epidemic such as malaria or dengue to obviate a serious impact on the population.”
“If the State preserves the anonymity of the individual it could legitimately assert a valid state interest in the preservation of public health to design appropriate policy interventions on the basis of the data available to it.”
However, he maintains that any such restrictions must still be strictly necessary and proportionate. Further, chapter 2 of the Code of Medical Ethics Regulation, 2002 by the Indian Medical Council elaborates upon the duties of the physician to a patient on matters of secrecy:
2.2: “…Confidences concerning individual or domestic life entrusted by patients to a physician and defects in the disposition or character of patients observed during medical attendance should never be revealed unless their revelation is required by the laws of the State…”