This article is part of a 5 part series authored by AnantLaw partners
Part 1: Introduction
The words like ‘national security’ have a tendency for governments, courts, civil society and intelligentsia (meant to lead, navigate and gravitate the masses towards an apt-course) to wrinkle/shrink (if not shirk-away) their business-as-usual; and permit actions without undertaking necessary processes and debates.
When some permitted ‘solutions’ crafted during these circumstances entail complexity of artificial intelligence (“AI”), technology, gadgets and/or applications; one cannot, but think about the warning-cacophony inbuilt in the DNA of author Nick Bostrom’s book, ‘Superintelligence: Paths, Danger and Strategies.’
The book begins with “the unfinished fable of sparrows”. The story is about a group of sparrows imagining an easy-life where the sparrows would (find and) train an owlet to build and defend their (sparrows’) nests. While most sparrows agree with this plan, a “one-eyed sparrow with a fretful temperament”, Scronkfinkle, is unconvinced and considers it important to think about “the art of owl domestication and owl-taming first”, before bringing the owlet/owl in their fold. Reply received by Scronkfinkle was that finding an owlet will be difficult enough; therefore, thinking about taming an owl can be thought about later. Scronkfinkle protested against the flaw in the plan – but, in vain, as the flock decided to implement the plan. Scronkfinkle and a couple of other sparrows stayed back to work on how to tame owls and realized the difficulty of the challenge. The end of this story remains unknown – and so, Nick Bostrom dedicated his book to Scronkfinkle and those couple of other sparrows.
Well, gather-around ‘Scronkfinkle(s) and its followers’; for ‘We’ must unravel all difficult challenges and explore ways to tame/domesticate ‘Our Owl’ (AI and other technology related products).
The outbreak of novel coronavirus (“COVID-19”), has posed real challenges. A key issue that many employers are facing is how to prevent potential COVID-19 cases within the workforce, and what measures to implement to protect employees and the business. The question is relevant for multi-national companies and corporate houses with a large workforce due to mobility, ease of human contact and difficulty in tracking records of a large and diverse workforce. The risk of COVID-19 at workplaces does not lessen responsibility of employers to maintain a safe work environment. In order to implement preventive measures, an employer may be required to obtain certain set of data from its employees.
The question, however, arises that in absence of a robust data protection and privacy law framework in India, to what extent an employer can obtain, process, maintain and use data, specially, data which are sensitive in nature. Data protection and privacy laws in India are governed by Information Technology Act, 2000 (“IT Act”) and rules made thereunder (“IT Rules”). The IT Act and IT Rules provide for a basic framework of data protection and privacy which classifies information pertaining to health condition and medical records as sensitive personal data. Further, the corporate houses are required to provide a policy for privacy and disclosure of sensitive personal data under IT Act and IT Rules. Sensitive personal data can be collected by the corporate houses only for a lawful purpose or if such collection is considered to be necessary. However, the IT Act does not give clear guidelines as to how data of the employees should be obtained, accessed, processed or maintained.
Lack of clear rules and guidelines inter alia regarding the processing and access to such sensitive personal data or information puts even greater onus upon employers and corporate houses to conduct themselves in a manner that their actions do not fall afoul of the ‘right to privacy’ enshrined in the Constitution of India. Some international data protection authorities have started to provide guidance but there are divergent views on how employers should comply with data protection requirements, depending on the jurisdiction.
Although the Government of India is yet to release guidelines or advisory for corporate houses concerning treatment of data collected to tackle the COVID-19 pandemic, but, the corporate houses can in the interregnum (or in lack thereof), take cue from the policies and practices adopted in other jurisdictions.
The scope of allegations surrounding data privacy infringement is not limited to the treatment of data collected by the employers or corporate houses; as it extends to the actions taken by the government (including government-controlled enterprises) to prevent, tackle and curb the pandemic. Contact tracing and surveillance (and technological-tools proposed as solutions) are among a few which may pose threat to an individual’s (fundamental) ‘right to privacy’. In absence of any robust data privacy law, the Government of India will have to shoulder and discharge the onus of balancing between right to privacy and public interest amidst this burgeoning pandemic.