COVID-19 has spawned several contact-tracing efforts, triggering collection and processing of sensitive personal data across the world. Legal protections surrounding this large-scale data collection are predominantly nascent, raising concerns over the precedent this sets for data privacy. In India, the landmark Puttaswamy judgment from the Supreme Court recognized privacy as intrinsic to the right to life and liberty. However, the Court conceded that privacy may be abridged if a legitimate interest, say, an epidemic, exists—provided the ‘proportionality’ doctrine is satisfied. The sub-components of this doctrine are as follows: there must be a rational connection between the measure adopted (contact-tracing) and the State aim (containing the spread of the virus). Further, the government is required to assess whether there are any equally effective alternatives that are less invasive of the rights in question (‘necessity’ test). Finally, the measure undertaken must not infringe on rights to an extent greater than is necessary to fulfill the aforesaid aim (‘balancing’ test).
In this context, a recent order from the Kerala High Court in Balu Gopalakrishnan assumes significance. The Kerala government had contracted a US-based software company, Sprinklr Inc., for analyzing medical data to combat COVID-19. The petitioners in Gopalakrishnan assailed the contract for lacking privacy protections—arguing that it contained no safeguards against the commercial and unauthorized exploitation of the data entrusted to Sprinklr. The Court took note of these objections and issued several directions to secure the confidentiality of the collected data.
This case, however, raises broader concerns regarding India’s data protection regime. With the Personal Data Protection Bill still in the pipeline, it is crucial to evaluate whether governments—both at the state and federal level—are complying with Puttaswamy’s privacy protections.
Concentration of Executive Power:
A pandemic is unarguably a crisis of unprecedented proportions. A worried population, reluctant courts, and the general sense of rallying around the flag give States enormous powers during crises. It is precisely at such moments that our constitutional tenets are most vulnerable. Drastic measures undertaken during times of crisis have often been entrenched into the political and legal landscape long after the exigency has passed. This is evinced by the recent past: the characterization of Kashmir as a security concern and the subsequent internet shutdown there became such a watershed. Thus, it was no coincidence that when protests broke out a little later against the Modi government’s exclusionary citizenship law, multiple states across India similarly suspended the internet. At times like these, it would do us well to remember Justice HR Khanna’s words of caution, delivered in his ADM Jabalpur dissent, “[The] greatest danger to liberty lies in insidious encroachment by men of zeal, well-meaning but lacking in due deference for the rule of law.”
Rule of Law is designed to function as a constraining apparatus against abuse of power. Strictly defined, it means “Every act done by the government or by its officers must, if it is to operate to the prejudice of any person, be supported by some legislative authority.” The need for legislative authority is based on the democratic principle that the legislature represents the will of the people, and therefore, any infraction of the people’s rights must have statutory backing.
As statutory backing for its contract with Sprinklr Inc., the Kerala government relied on the Disaster Management Act, 2005 (DM Act), the Epidemic Diseases Act, 1897 (ED Act), and the Kerala Epidemic Diseases Ordinance, 2020. §2 of the ED Act authorizes “such measures…as it [the State Government] shall deem necessary to prevent the outbreak of such disease”. §4(2)(j) of the Kerala Ordinance, a residuary provision, enables such “measures as may be necessary for the regulation and prevention of epidemic diseases.”
In Ram Jawaya Kapur v. State of Punjab, the Supreme Court had held that executive authority without “specific legislation” cannot encroach upon the legal rights of any person. In the context of data privacy, a specific legislation would be one that defines the purpose of data collection, details the procedural safeguards against misuse of such data, lays down the period beyond which such data will be purged, and the like. The specificity caveat cannot be met through over-broad clauses in the aforementioned statutes.
Over-broad statutes fall foul of the test of constitutionality, particularly when evaluated against fundamental rights. In Shreya Singhal v. Union of India, the Supreme Court struck down §66A of the IT Act for being “vague and over-broad, and, therefore, unconstitutional”. When defending such statutes, the government often presents assurances of enforcement within constitutional limits, despite their unreasonable scope. Shreya Singhal resoundingly rejected such assurances holding that if a law “is otherwise invalid, it cannot be saved by an assurance … that it will be administered in a reasonable manner.”
Need for an Anchoring Legislation:
There is a need for an anchoring legislation that is specifically tailored to COVID-related data collection, with adequate safeguards and expiration clauses. Absent that, such data collection and outsourcing is an exercise in executive usurpation. As Gautam Bhatia notes, legislations like the DM Act and ED Act grant carte blanche authority such that “just about any executive decree that [the executive believes] is required to tackle the disaster” can be issued.
It is grossly inaccurate to argue that the 1897 ED Act contemplated even the existence of complex data analytics. The invocation of the DM Act is also suspect, since it was designed to deal with natural disasters and not public health emergencies. Although the Act briefly refers to data collection (§§36 and 39), it is only with reference to capacity building and mitigation for natural calamities, not sensitive personal data. The Act enumerates no specific purpose for data collection or limitations and safeguards against misuse. Finally, the Kerala Ordinance—despite being in response to this pandemic—makes no provision authorizing data collection and analyses.
The need for anchoring legislations is recognized across jurisdictions. In a challenge to Kenya’s biometric identification system (similar to India’s Aadhaar), the Kenyan High Court held, “[T]he provision for collection of DNA and GPS coordinates … without specific legislation detailing out the appropriate safeguards and procedures in the collection, and the manner and extent that the right to privacy will be limited … is not justifiable.”
An Alternative Framework for Crisis Governance:
Rule by executive decree is not the only option during a pandemic. Under the Indian Constitution, even an Emergency proclaimed under Art. 352 (in cases of war, or external aggression, or armed rebellion) must be ratified by the Parliament within a month. Therefore, any suggestion that a health crisis should allow the executive to ride roughshod over the legislature would be incompatible with the spirit of the Constitution. Parliaments are functioning across democracies including Canada, the UK and the US. Italy is being governed through ‘decree-laws’ subject to Parliamentary approval within 60 days, absent which, they are void ab initio. Curiously though, India’s executive – which possesses similar powers of ordinance – is still refraining from promulgating anchoring legislations. It is instead using ordinances to enact broad, sweeping laws. There is no reasonable explanation for this other than an inherent tendency for overreach, which pervades most governments, across party lines.
Lack of an anchoring legislation not only permits executive excesses, it also creates a precedent that constitutional checks and procedures are dispensable. This is a very dangerous erosion of our constitutional ethos, and reeks of a paternalistic mindset which paints elected representatives as dispensable rubber stamps. Given the scale and efficiency with which technology can operate, placing practical, statutorily ideated limitations on the use and collection of individual data is the only real check on executive arbitrariness. Statutes – including emergency statutes – must evolve from instruments conferring broad powers, into policy prescriptions specifying comprehensive limitations on discretionary authority. Absent that, the right to privacy will become a theorized prescription worthy merely of lip-service, without any practical teeth.
This article was co-authored by Prashant Khurana and Parth Maniktala. Prashant is a recent LL.M. graduate from the UCLA School of Law, USA, and the founding editor of the Polemics and Pedantics Magazine (https://www.polemicsnpedantics.com/). Parth is an LL.B. student at the Faculty of Law, University of Delhi, India. He also serves as an editor of the Polemics and Pedantics Magazine.