The World Health Organization (WHO) recommends contact tracing as an effective strategy to prevent the spread of communicable diseases.
The process of contact tracing, as recommended by the WHO, contextualized for SARS-COV-2. Diagnosed patients identify contacts with whom they have interacted recently, contacts are then listed by the authorities, and follow-ups are conducted (including medical interviews, testing), and medical advice is given accordingly. The process of contact follow-up is continued during quarantine and after patients recover.
The infographic illustrates how a software using big data analytics draws on multiple sources of information to pool in data, which is then processed via knowledge mapping to track COVID-19 patients and contacts to effectively trace infections.
As States around the world struggle with rising figures of those infected with coronavirus, they are increasingly turning to cyber-surveillance. Increasingly, governments are investing in and rolling out smartphone apps to track citizens’ movements, trace locations and map outbreaks in a bid to tackle COVID-19. While not without its benefits, the proliferation of cyber surveillance raises important concerns regarding health rights and privacy of ordinary citizens.
Health v. Privacy – The Debate
Whilst technology has an important role to play in a global effort to save lives through the dissemination of health messages, awareness campaigns and also increased access to healthcare, heightened surveillance may also threaten privacy in ways which could degrade trust in governments.[1]
Citizen’s personal data is being used to guide policy, contact trace, and enforce lockdowns and the ever growing means by which this is being done; through phone records, CCTV, and temperature checkpoints lends credence to worries of a panopticon which may never be rolled back.[2]
This is all the more important given many laws are currently being passed by decree as elected legislatures are unable to sit and hold votes, even emergency ones. These laws are far reaching and new rules may not be time-limited, and are all the more alarming as the number of users online are at a record high – creating and generating data without the surety of their core digital rights.
The scale and magnitude of the spread of COVID-19 must not be used as an excuse to violate privacy. The UN High Commissioner for Human Rights has emphasised that ‘human dignity and rights need to be front and [center]’ in the effort to combat the spread of coronavirus.[3] The issue is determining the appropriate level of interference in the right to privacy that can balance the benefits to public health with continued respect for human rights.
Is cyber surveillance legal?
International human rights law allows for States to make limitations so long as it is provided by law, undertaken in pursuit of a legitimate aim (such as public health), and are necessary and proportionate to the achievement of that aim. The ICCPR and the Siracusa Principles of 1985[4] identifies legitimate aims which include national security, public safety and public health as grounds for limiting – by law and when necessary and proportionate to such aims – a number of rights.
In order for cyber-surveillance to be a legal limitation to the right to privacy, a law must be passed in order to allow for it, and the aim it pursues must be legitimate. It has been demonstrated by the scientific community and public health experts that measures to limit social contact are required to limit the spread of the coronavirus. Therefore, laws which deprive individuals of their liberty or privacy in order to enforce these limits may be considered adequate in this situation and are not arbitrary under Article 9 (right to liberty and security) and are not prohibited under Article 17 (right to privacy) of the ICCPR.
This is supported by case law for instance in Big Brother Watch and Others v. the UK, the ECtHR held that ‘the decision to operate a bulk interception regime in order to identify hitherto unknown threats to national security is one which continues to fall within States’ margin of appreciation’.[5] According to the Court, this interception regime constituted ‘a valuable means to achieve the legitimate aims pursued, particularly given the current threat level from both global terrorism and serious crime.’
States can also derogate from treaties. Article 4 of the ICCPR allows for derogations in times of public emergencies with the exceptions of the right to life, the probation on torture, slavery, and the freedom of religion. The right to privacy and freedom of expression are derogable rights, however, derogations must only be to the extent that they are strictly required.[6]
Pakistan
The right to privacy is enshrined in Pakistan’s Constitution under Article 14(1), which states that “[t]he dignity of man and, subject to law, the privacy of home, shall be inviolable.”[7] That said, the Pakistan Telecommunications Authority has also been given broad powers by law to authorise cyber-surveillance. Yet there remain concerns that this wide exception to the right to privacy in the Constitution may be prone to abuse.[8]
Issues with Cyber-Surveillance
Despite the plethora of benefits brought about by cyber surveillance technologies – there are issues concerning its usage:
- Potential Exclusion of Vulnerable Communities: those who do not have access to smartphones may be deprived of receiving information or receiving services equitably.[9]
- Improper Application and Location Thresholds: location data by mobile phone providers has been deemed inaccurate and in some cases, unsuitable in determining possible infections from the coronavirus.[10]
- Potential of Misuse: continued risk of misuse by governments who may normalize the use of surveillance to such an extent that it is expanded beyond the pandemic.[11]
- Lack of Data Security Protocols: there are also concerns regarding the safety and storage of data systems, including data gathered from third-party apps particularly as they rely on cloud computing and storage, amongst others.[12]
- Lack of State Capacity: in Pakistan, the health sector needs to be empowered with qualified data scientists for the categorization, collation, analysis and summation of data from COVID-19 cases in real-time, especially given the deficiencies in the National Institute of Health (NIH)’s data measuring capabilities.[13] Therefore, building data science capacity in the public sector is vital.
Recommendations
In order to enhance cyber surveillance frameworks, it is necessary to ensure congruence with provisions of privacy and
other rights as outlined above. The following recommendations can thus be implemented:
- Given Pakistan’s emerging data management capabilities it will be useful to engage data scientists, engineers and the private sector to create dashboards that monitor, map, track and record coronavirus cases on real-time dashboards for the NIH and other health agencies in Pakistan. Smartphone apps, particularly for returnees from abroad, can also be rolled out.
- An ‘infected unless proven healthy’ approach could be adopted which allows individuals to voluntarily download an application which would become a de facto requirement for participation in public life.[14]
- In order to avoid breaches of privacy, anonymized data can also be used, as purported by the European Commission. This would ensure that no personal information is included in the data collected, instead unique identifiers are used instead of names in order to pseudonymise the data.
- The government must be transparent about any data-sharing agreements with other public or private sector entities, including owners of third-party apps or software in use.
- Data should also be encrypted to ensure recipients can share data without misusing it. The system should also be independently verified to ensure that false information is not provided which can trigger inaccurate notifications.[15] Proper data security protocols must be implemented.
- Any laws which give the state surveillance powers should be publicly declared and reported to treaty bodies when fundamental rights are being limited. They should all include protections and safeguards against abusive surveillance and provide access to effective remedies, such as through remote complaints mechanisms.
For more information, refer to the detailed research paper by RSIL: Public Health v. Individual Privacy in the Age of Cyber Surveillance
Follow RSIL on Facebook, Twitter, Linkedin and stay tuned to our Website for more on the impact COVID-19 from a legal and policy perspective.
—————————————
[1] Joint Civil Society Statement: States use of digital surveillance technologies to fight pandemic must respect human rights, April 2, 2020, https://www.hrw.org/news/2020/04/02/joint-civil-society-statement-states-use-digital-surveillance-technologies-fight
[2] Nani Jansen Reventlow, Why COVID-19 is a Crisis for Digital Rights, April 16, 2020, https://ilg2.org/2020/04/16/covid-19-and-the-digital-rights-crisis/
[3] OHCHR, COVID-19: States should not abuse emergency measures to suppress human rights – UN experts, March 16, 2020, https://www.ohchr.org/EN/NewsEvents/Pages/DisplayNews.aspx?NewsID=25722&LangID=E
[4] UN Commission on Human Rights, The Siracusa Principles on the Limitation and Derogation Provisions in the International Covenant on Civil and Political Rights, 28 September 1984, E/CN.4/1985/4
[5] Big Brother Watch And Others v. The United Kingdom, 58170/13, [2014] ECHR 178
[6] See Human Rights Committee’s General Comment No. 29 (at para. 5)
[7] The Constitution of the Islamic Republic of Pakistan – National Assembly http://www.na.gov.pk/uploads/documents/1333523681_951.pdf
[8] State of Privacy in Pakistan, Privacy International
https://privacyinternational.org/state-privacy/1008/state-privacy-pakistan
[9] Barrie Sanders (supra n.2)
[10] Noyb, Data protection in times of coronavirus: not a question of if, but of how, March 30, 2020, https://noyb.eu/en/data-protection-times-corona
[11] Barrie Sanders (supra n.2)
[12] Advanced Analytics for Coronavirus Trends and Predictions, TeraData
https://www.teradata.com/Blogs/Advanced-Analytics-for-Coronavirus-Trends-Patterns-Predictions
[13] New COVID-19 Cases as Pakistan Tally Hits 194, Express Tribune, March 17, 2020. https://tribune.com.pk/story/2177847/1-10-new-covid-19-cases-confirmed-as-pakistans-tally-hits-194/
[14] Noyb, Ad hoc Paper (V0.2) SARS-CoV-2 Tracking under GDPR, March 29, 2020, https://noyb.eu/sites/default/files/2020-03/ad_hoc_paper_corona_tracking_v0.2_5.pdf
[15] Noyb, Ad hoc Paper (V0.2) SARS-CoV-2 Tracking under GDPR, March 29, 2020, https://noyb.eu/sites/default/files/2020-03/ad_hoc_paper_corona_tracking_v0.2_5.pdf
Team: Jamal Aziz, Ayesha Malik, Noor Fatima