- Shweta Reddy*
An assortment of digital measures have been deployed across the world to deal with the COVID-19 pandemic. These measures have amplified conversations around what qualifies as an additional safeguard to protect the privacy of the individual in the face of a public health emergency. Despite the exemptions in data protection legislations for personal data processing during such emergencies, agencies are still required to comply with core privacy principles. The requirement to provide accurate and transparent details of the processing to the individual disclosing the data is one such principle. Most of the technological measures that have been launched to combat the spread of the virus require active and truthful disclosures from the individual. The significance of compliance with the transparency principle has been heightened due to the accelerated pace at which these applications are being developed and deployed. Such compliance is needed to instill trust in the individual to promote such active disclosures. One way to accentuate the trust building process, in addition to updating privacy policies and releasing the source code of the application, is to have strong oversight mechanisms over the data that is being processed, and to publicly disclose the existence of such mechanisms. Providing clarity around the oversight and enforcement mechanisms adopted to reasonably restrict privacy is one of the measures that can aid in transparent processing. This essay will examine the oversight mechanisms for contact tracing applications implemented in other countries (Australia, Singapore, and South Africa) to identify key activities that the Ministry of Electronics and Information Technology (‘MEITY’), or any other independent authority, can specifically be tasked with.
Considering the nature of digital measures to combat the pandemic, the oversight mechanisms should ideally be found in the data protection legislations of the countries. Most of these legislations establish an independent authority that is tasked with the duty of enforcing the obligations mandated under the legislation. In order to enforce these obligations, the Authority is granted certain investigative and corrective powers. Since most of the measures have been launched by States, the first step in evaluating the efficacy of the oversight mechanisms is to examine if the application of the legislation is extended to the government and its agencies. In the absence of such application, the existence of specific rules regarding the government processing of data needs to be examined.
I. Singapore
Singapore was one of the first countries that launched a contact tracing application, TraceTogether. [1] The Personal Data Protection Act, 2012 (‘PDPA’) governs the collection, use, and disclosure of personal data by private organisations only. It doesn’t extend to the personal data processing that is undertaken by the government or its agencies. Public sector agencies are bound by the Public Sector (Governance Act), 2018 (‘PSGA’), and internal government instruction manuals where the latter are not publicly available. [2] The final report of the Public Sector Data Review Committee, which was set up to examine the standards of data protection for data collected by public sector agencies, suggested that the standards were as stringent as the ones imposed on the private sector. [3] The data protection requirements in the PSGA are limited to authorized disclosures of data and penalties for noncompliance. The Personal Data Protection Commission is the independent data protection authority established under the PDPA. However, this authority doesn’t enforce data protection obligations on the public sector agencies. The specific authority responsible for the enforcement of the PSGA, or the internal government guidelines on data protection, is unclear. It has been argued that the lack of transparency around the government processing of data from TraceTogether is one of the reasons [4] for its low adoption rate among the citizens of Singapore.
II. Australia
In Australia, the application of the provisions of the Privacy Act of 1988 does extend to the government and its agencies, with the Information Commissioner responsible for monitoring the enforcement of the Act. The release of the COVIDSafe App [5] by the federal government was followed by a determination under the Biosecurity Act, 2015 [6] to address the privacy concerns around the usage of the application. The determination laid down the rules for the valid purposes for processing data, the location for storing data, and retention periods, in addition to reaffirming the rules laid down in the privacy policy. The Privacy Amendment (Public Health Contact Information) Act 2020 repealed the earlier determination and amended the Privacy Act, 1988. It expanded the role of the Office of Australian Information Commissioner (‘OAIC’) in providing oversight over the COVID Safe data. The Commissioner has the power [7] to conduct assessments of the relevant authorities processing data from the application in relation to their obligations under the Amendment, and can conduct investigations to determine if a COVID data offence has been committed. The Commissioner is also required to be informed about the final deletion of data post the retention period.
In countries with no data protection legislations, a clear indication of the authority supervising the personal data processing by the government may not be present. Sectoral regulations or rules under their disaster management regulations need to be examined.
III. South Africa
In South Africa, the Regulations issued under the Disaster Management Act, 2002 require the National Department of Health to maintain a COVID-19 tracing database. [8] South Africa passed its data protection law, Protection of Personal Information Act, in 2013. However, not all the provisions in the legislation were made operational. The Information Regulator, which was set up in 2016, has issued a guidance note [9] on the lawful processing of personal data for containing COVID-19. There is an emphasis on requiring the government to adhere to the principles laid down in the guidance note. The exact nature of the enforcement power of the Regulator with respect to the COVID data is unclear as the Act finally became operational [10] on July 1, 2020, around a month after the setting up of the electronic database. However, the regulations mandating the setting up of the electronic tracking database have sections [11] on oversight of the data being processed. The Director General of Health (DG) is required to provide weekly reports on the data being included in the database to a designated COVID-19 judge. Based on the details collected, the judge has the power to recommend changes in the regulation. Post the pandemic, the DG is required to submit a report to the judge providing details of the de-identification and destruction of the database. The judge has the power to recommend any further steps for protecting the privacy of the individual.
Despite having relatively stringent data protection legislations, Australia and Singapore approach the personal data processing by the public sector differently. Assurances of the adequate level of standards of protection might not inspire confidence in the absence of clarity around enforcement of those obligations. Prior to the pandemic, the government of Singapore laid emphasis [12] on their duties to deliver integrated services as a justification for a separate legislation for the public sector. However, the need for transparency in the current scenario should have prompted further clarifications on the oversight and enforcement provisions. Australia’s Amendment, on the other hand, apart from providing more details around the personal data processing than the initial Determination, also expands the functions and powers of the Information Commissioner with respect to the COVIDSafe data. Even in the absence of an enforceable data protection framework at the time of deploying the electronic tracking data base in South Africa, there has been an attempt at providing some degree of oversight over the COVID data. This has been undertaken through the responsibilities of the Director-General of Health and the designated COVID-19 judge, through the Regulations under the Disaster Management Act.
IV. The Current Scenario in India
In India, the launch of the Aarogya Setu application was met with staunch criticism [13] regarding the opacity in its operations. Based on the feedback, privacy policies and terms of service were updated [14] multiple times. Apart from clarity in the privacy policy, the importance of releasing the source code of the application to effectively ensure transparency has also been repeatedly highlighted. [15] The lack of trust of the individual is also exacerbated by the absence of a specific legal framework [16] that mandates lawful, fair, and transparent processing of the personal data collected for dealing with the pandemic. This is accompanied with the lack of a general data protection framework that applies to the government agencies in the country.
On the issue of oversight, the Aarogya Setu Data Access and Knowledge Sharing Protocol (‘the Protocol’) merely states that the MEITY is responsible for the implementation of the protocol. Details regarding the nature of duties and powers that the MEITY can exercise to further the implementation of the Protocol are absent. The Protocol also provides for penalties under the Disaster Management Act, 2005 and other legal provisions, in case of any violations of the directions provided. Neither the Act nor the Protocol provide details of the specific offences that will be applicable to the entities that are currently part of the ecosystem, or of the authority responsible for prosecuting these offences. The requirement of conducting an audit is provided for only in relation to the third parties with whom ‘response data’ has been shared, and not for the primary data fiduciary itself. The lack of clear accountability mechanisms in the protocol does not reassure the public of the intentions of the personal data processing. Purely relying on the number of downloads as a metric of trust is ill-advised due to the societal pressures in downloading the application in certain situations[17].
Since most of the countries with established data protection frameworks have independent authorities overseeing the personal data processing, the accountability mechanisms are much clearer. However, opting for closed-door accountability as was done in Singapore, due to the difference in treatment of public sector and private sector data processing, will be counterintuitive to the process of establishing trust. In India, the absence of a data protection framework diminishes the right to privacy of the individual. Hence, additional precautions should have been taken to provide clear oversight and enforcement mechanisms at the time of deployment of the application. Since the project is being driven by the central government, assigning the task of providing oversight to another agency of the central government raises questions regarding the agency’s independence. The MEITY’s ability to provide independent and effective oversight should be reconsidered. In the absence of sufficient evidence of independence, an oversight board [18] that is not Executive-dominant should be constituted at the earliest. The investigative and corrective powers of such a Board in the event of a data breach or a violation of the measures governing the processing should be clearly laid down. The Board should have the power to periodically review the privacy and security safeguards of the application, and disclose the results of the review to the public. The Board should also have enforcement powers over the potential function creep issues regarding the application., Further, it should provide for transparent mechanisms to ensure the deletion of data after the application ceases to exist (after the modification of the sunset clause [19] in the Protocol).
Arguments opting for dealing with the pandemic first and privacy later dilute the essence of the fundamental right to privacy of the individual. It is imperative to focus on the non-binary nature of the privacy and health trade-off, and implement the necessary safeguards. A clear indication of the authority responsible for ensuring compliance with the framework that governs the management of personal data collected, including the specific powers that exist with the authority to ensure such compliance, will indicate the government’s intention to uphold the privacy of the individual despite the challenging circumstances.
*Shweta Reddy is currently a Programme Officer at the Centre for Internet and Society.
[1] Smart Nation Singapore, ‘Launch of a new app for contact tracing’ (Smart Nation Singapore, 20 March 2020 accessed 18 August 2020.
[2] Felicia Choo, ‘Parliament: Public agencies not governed by PDPA because of fundamental differences in how they operate’ (The Strait Times, 1 April 2019) accessed 18 August 2020. [3] Public Sector Data Security Review Committee, ‘Public Sector Data Security Review Committee Report’ (Smart Nation Singapore, November 2019) accessed 18 August 2020.
[4] Dewey Sim and Kimberly Lim, ‘Coronavirus: Why aren’t Singapore residents using the Tracetogether contact tracing appl?’ (South China Morning Post, 18 May 2020) accessed 31 August 2020. [5] Australian Government, Department of Health, ‘COVIDSafe App’ (Australian Government, Department of Health, 4 August 2020) accessed 18 August 2020. [6] Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements—Public Health Contact Information) Determination 2020. [7] The Privacy Amendment (Public Health Contact Information) Act 2020, Division IV. [8] Disaster Management Act 2002, Regulations issued under Section 27(2) of the Disaster Management Act, 2002, NO.R 480 on April 29,2020. [9] Information Regulator, South Africa, ‘Guidance note on the processing of personal information in the managing and containment of COVID-19 pandemic in terms of the protection of personal information act 4 of 2013 (POPIA)’ (Department of Justice and Constitutional Development, Republic of South Africa, 3 April 2020) accessed 18 August 2020. [10] The Presidency, ‘Commencement of certain sections of the Protection of Personal Information Act, 2013’ (The Presidency, Republic of South Africa, 22 June 2020) accessed 18 August 2020. [11] Regulations (n 11) s 8. [12] Minister for Communications and Information, ‘MCI's response to PQ on public agencies' exemption from PDPA’ (Ministry of Communication and Information, 12 February 2019) accessed 18 August 2020. [13] Internet Freedom Foundation, ‘Is Aarogya Setu privacy-first? Nope, but it could be-- If the government wanted. #SaveOurPrivacy’ (Internet Freedom Foundation, 14 April 2020) accessed 18 August 2020. [14] Aditi Agarwal, ‘Aarogya Setu updates Privacy Policy, Terms of Service: Reverse engineering not banned, but function creep now legitimised’ (Medianama, 24 May 2020) accessed 18 August 2020. [15] Neerad Pandharipande, ‘Aarogya Setu not ‘open source’ in real sense, claim cybersecurity activists, say server code must be made public’ (Firstpost, 15 June 2020) accessed 18 August 2020. [16] Priyam Jhudele and Shantanu Pachauri, ‘Aarogya Setu: An analysis of the Data Access and Knowledge Sharing Protocol, 2020’ (Bar and Bench, 26 May 2020) accessed 18 August 2020. [17] Tanisha Ranjit, ‘When and where is Aarogya Setu mandatory? We’re keeping track’ (Internet Democracy Project, 8 May 2020) accessed 31 August 2020. [18] Shashank Mohan and Divij Joshi, ‘Legal Framework for digital surveillance in the COVID-19 Pandemic’ (Medium, 13 July 2020) accessed 18 August 2020. [19] Aditi Agarwal, ‘All you need to know about MEITY's Data Access and Sharing Protocol for Aarogya Setu’ (Medianama, 11 May 2020) accessed 18 August 2020.
Comments