This Article is written by our editor, Darshit Sidhabhatti of National Law University, Odisha
“The ability to control data is meaningless if the subject cannot take action when they no longer consent to its processing.”
Covid-19 Virus has been demolishing healthcare systems, but this is not the only threat it possesses. The virus has brought along a wide and strong sense of social stigma which threatens the structure of the society in general. Various Governments and organizations had to issue guidelines to counter the stigma that accompanies the virus. As per the UNICEF guidelines The level of stigma associated with COVID-19 is based on three main factors: 1) it is a disease that’s new and for which there are still many unknowns; 2) we are often afraid of the unknown; and 3) it is easy to associate that fear with ‘others’.[1] However, all of this is of little use, when states are trying to intensively collect and store data to monitor the patients. In extension, The information is transformed into Quarantine Lists, which reveal personal information such as a subject's name, residential address, phone number, port of departure, and final destination. The lists were either made available on their websites or were ultimately leaked via unknown networks.[2]
The mention in the quarantine lists for several citizens may transform into their identity. Such identification as a Covid-19 patients, rather as carriers is uncalled, belittling and becomes irrelevant after recovery from the virus. Thus, even after the recovery, the lists remain accessible on the web to resurface the identity of a person as a mere Covid-19 patient. Publication of such information brings back the discourse about the need for ‘Right to be forgotten.’
As per The Personal Data Protection Bill of 2019, which is tabled before the Lok Sabha: The data principal shall have the right to restrict or prevent the continuing disclosure of his personal data by a data fiduciary under certain conditions.[3] Therefore, questions arise about the after-effects of such identity markers post recovery in traumatising times of a pandemic.
Primarily, the collection of data by the state in order to monitor the spread of the virus is essential. Personal data can also be collected if it is necessary to take any action to provide medical care or health services to any individual during an epidemic, disease outbreak, or other public health danger, according to the Data Protection Bill.[4] However, such processing has led to distribution and disclosure of the said data in recent times, which is unwarranted. After massive publication of such lists that have resulted in stigmatisation, the pulling back of such data is essential which finds its means in the right to be forgotten.
Data Protection and The Right to be Forgotten.
The right to be forgotten stems from decision wherein the European Court of Justice takes the step to recognize and rather introduce the right in 2014, in the case of Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos, Mario Costeja González.[5] The European Union GDPR can be utilized to source the definition of the said right, it states, “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.”[6]
It refers to the ability of individuals to limit, de-link, limit or correct the disclosure of personal information on the internet that is misleading, embarrassing, irrelevant or anachronistic.[7] In the said case, the European Court of Justice ruled that European citizens have the right to ask commercial search firms like Google, which collect personal information for profit, to delete links to private information if they are no longer necessary. By the standards set for the data to be filtered upon internet, the patients that have recovered from Covid-19 should be forgotten on the web pages that appear as a result to their webpage.
The Case against the Right to be Forgotten
Free speech advocates have across the legal-tech arena have certain valid concerns with the emerging right against the web. The case states that the online "right to be forgotten" is in danger of becoming a weapon of global censorship, and that deleting content from the Internet is incompatible with the Web's open nature and free flow of information.
The web was designed to work upon algorithms created to cater to the user’s need of data, to be precise it is designed as per behavioural patterns of the user. Therefore, if the user searches for the required data the right to be forgotten would act as a barrier for neutral parties or users in genuine need of information. If the duty were to be extended outside of Europe, the big-tech claimed, it could be violated by repressive regimes seeking to conceal human rights violations.
However, the aforementioned contentions do not seem to weigh equally against the need of such right in certain conditions, which involves that of the pandemic. Furthermore, the Indian judicial system through various measures has already recognised the right.
Standards of Right to be Forgotten during Covid-19 outbreak.
Deliberating upon the standards of exercising the right to be forgotten amidst a pandemic certain factors shape the said right. Firstly, The appropriateness of right to be forgotten would require that the right to privacy be balanced with freedom of speech.[8]Secondly, Such right cannot be exercised if the personal data is needed for the purpose of public interest, compliance with any legal obligation, national security, scientific research.[9] Thirdly, examining the relevance of personal data to the public and the change of such relevance through the passage of time.
In the present scenario of the Corona virus outbreak, the affected would withstand with the right despite of the aforementioned factors, as: The demand for keeping personal details away from the surface of visible web pages after a substantial time of recovery does no harm to any citizen’s freedom of speech. Further, the data is required for keeping track of the people that are potential carriers of the virus and security of the masses in order to eliminate possibility of contact with the affected. However, post recovery the monitoring is stopped and the data is rendered practically useless for public interest; this data includes, travel history, personal addresses and contact details of the patients which would suffice to cause social boycott and isolation of the person even post recovery. More importantly, the data is irrelevant as it is useless for the monitoring of virus and the elaborate personal details are of no use for maintaining records of the affected. Even if the data is required in retrospect, the publication is irrelevant and the data published online should be pulled back. Thus, the right to be forgotten gains even more importance in times of a pandemic; herein, the Corona Virus outbreak.
Seeds of the right in Indian soil
Although, the right requiring the erasure of data from primary sources is yet to be recognised under the Indian law, the judiciary at certain instances has actively initiated the recognition of the online right.
The High Court of Orissa has in a recent case stirred the discourse about right to be forgotten in cases of revenge porn. The need for a legal bulwark against the growing threat of internet harassment, according to Justice S K Panigrahi "No one, particularly a woman, would want to build and show grey shades of her character."[10] People shall have the legal right to enforce the right to be forgotten as a 'in rem' right. Numerous Courts across the nation have recognised the right in line with the approach of Western judicial systems. Removal of changed names from the search engines.[11] As a result, those who wish to try such cases now have a way to do so.
Conclusion
As per the Apex Court of India, any interference in the privacy of a person can only be done when that interference is sanctioned and authorised by law.[12] The uncalled publications have debatable or rather weak legal backing. While there is no law backing disclosure, legislation invoked to handle a public health emergency, the Epidemic Act, 1897, and the Disaster Management Act, 2005. Furthermore, at present the Data Protection act is tabled before the parliament and thus on legal terms, there is little or no scope for penalty for the publication. However, this recurs the need to have the right to be forgotten to shield privacy and medical ethics at threating times like the present. The data of patients, especially of the ones who have recovered has no relevance or importance on the web, rather is a reminder of wrongful publication and cause of an exile.
[1] https://www.unicef.org/documents/social-stigma-associated-coronavirus-disease-covid-19 [2] https://caravanmagazine.in/commentary/covid-19-pandemic-quarantine-lists-right-to-privacy [3] s.20 The Personal Data Protection Act, 2019. [4] s.12(f), The Personal Data Protection Bill, 2019. [5] Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos, Mario Costeja González,ILEC 060 (CJEU 2014) [6] Art. 17, The General Data Protection Regulation, European Union. [7] Michael J. Kelly and David Satola, the right to be Forgotten, University of Illinois Law Review (2017) at p.01. [8] Justice B.N. Srikrishna Committee report on data protection, p.76. https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf. [9] Justice K.S. Puttaswamy (Retd.) & Anr. v/s Union of India & Ors. AIR 2017 SC 4161 [10] Subhranshu Rout v. State of Odisha, BLAPL No. 4592 of 2020, High Court of Orissa. [11] Vasunathan v. The Registrar General, High Court of Karnataka, 2017 SCC 424. [12] Justice K.S. Puttaswamy (Retd.) & Anr. v/s Union of India & Ors. AIR 2017 SC 4161.
Comments