In our previous blog Legal Overview of Data Privacy Impact Assessment, we discussed the legal compliance and regulations pertaining to Data Privacy Impact Assessment. Moving forward, this blog attempts to provide an insight into the effectiveness of a Data Privacy Impact Assessment.
INTRODUCTION
In a digital world where data preservation is the norm, the ongoing COVID-19 pandemic puts forth unprecedented privacy concerns for policymakers. Owing to its high mortality and rapid transmission rate, Governments across jurisdictions have explored the most efficient tools available to contain the pandemic, digitally enabled contact tracing being one such instrument.
While contact tracing is among the oldest methods of controlling transmission, a digital update of the same, harnessing mobile technologies, offers a more sophisticated and efficient approach. Drawing on such operational advantages, several mobile applications were developed across the world to map the spread of the pandemic. However, these applications did not remain immune to the public health versus privacy conundrum.
Amidst speculation over the safety of such applications and the declining public trust in them, a few countries, particularly in the European Union (EU), conducted and published a Data Protection Impact Assessment (DPIA) report of their contact tracing applications. Around the same time, India launched the Aarogya Setu application for contact tracing and mapping of the pandemic. Privacy concerns over this particular application were sharply expressed.
However, with the Personal Data Protection Bill, 2019 (PDP Bill) still in the pipeline, India doesn’t have a regulatory framework on par with the General Data Protection Regulation (GDPR). Due to the lack of a robust framework, the concept of DPIA is not addressed in India.
CONCEPTUALIZING PRIVACY BY DESIGN AND DPIA
The concept of Privacy by Design (PbD) is based on a proactive approach to preventing privacy infringement. Under PbD, the Data Controllers or Data Processors assess privacy issues at the design phase, i.e., at the very beginning of the development of the system or service, and also assess the potential bottlenecks expected throughout the lifecycle of the system, process or service. It is guided by the seven foundational principles of privacy by design set forth by Ann Cavoukian, which include privacy embedded into the design, end-to-end security, and transparency, among others.
The principle of data protection by design under Article 25 of the GDPR is a derivative of the concept of PbD. The core idea behind the two concepts is to ensure risk assessment and management at the design phase of any system, product, or service and to extend such assurance through the life cycle of that system, product, or service. This risk assessment for PbD is undertaken through a DPIA, which entails identification and mitigation of risks to acceptable levels.
According to the Guidelines for DPIA for the purposes of Regulation 2016/679, DPIA is a process designed to describe the processing, assessment of necessity and proportionality, and management of risks to the rights and freedoms of natural persons resulting from the processing of their personal data. As per Article 35(1) of the GDPR, a DPIA is required when a new technology is introduced and the processing is likely to result in a high risk to the rights and freedoms of natural persons.
UTILITY OF DPIA IN DIGITAL CONTACT TRACING
The World Health Organization (WHO) Interim Guidance for Contact Tracing in COVID-19, defines contact tracing as the identification, assessment, and management of people who have been exposed to a disease to break the chains of transmission.
Article 6 of the GDPR clarifies that processing of data shall be lawful only if and to the extent that at least one of the legal bases provided under that Article applies, such as consent given by the Data Subject, processing necessary for the performance of a contract, etc.
Since Recital 43 of the GDPR doesn’t recognize consent given to public authorities as freely given consent, it is ruled out as a lawful basis for contact tracing by the public health authorities of Governments. In this regard, Paragraph 29 of the European Data Protection Board (EDPB) Guidelines 04/2020 suggests that the legal basis for undertaking contact tracing during a healthcare emergency is the performance of a task carried out in the public interest, as stated under Article 6(1)(e) of the GDPR. Recital 46 of the GDPR further reinforces the lawfulness of processing data in the public interest for humanitarian purposes, including for monitoring epidemics and their spread.
According to the Global Privacy Assembly, one of the leading forums for data protection, apart from sophisticated technology, the success of contact tracing applications in reducing transmission depends on the trust that individuals place in such applications. An assurance that their privacy and ethical concerns will be addressed is a significant determinant of the reach and efficiency of such applications. In these circumstances, reinforcement of public trust through a DPIA is advisable. Accordingly, by October 2020, the European Council reported that around 17 countries in Europe had conducted a DPIA of contact tracing apps to mitigate high risks, and quite a few among them published the assessment reports in the public domain.
THE INDIAN SCENARIO
Aarogya Setu, the contact tracing application deployed by the Government of India to map the spread of the pandemic, through self-diagnosis and official reports, was vehemently criticised for its loosely built privacy framework. Considering that the application recorded every movement of an individual in addition to other personal identifiers, it should have been secured with the utmost diligence.
The Aarogya Setu application was laced with infirmities ranging from the inadequacy of purpose limitation to the limited liability undertaken by the Government over the collected data. In this regard, a DPIA of the application could have helped in the early detection and mitigation of such high privacy risks.
Mindful of the information-dense digital era, the PDP Bill provides for a DPIA to be conducted by significant Data Fiduciaries involved in new technologies, large-scale profiling, or the use of sensitive personal data. However, the pendency of the PDP Bill leaves no regulatory framework for risk assessment and mitigation of the privacy issues surrounding the Aarogya Setu app and the like.
ALTERNATIVES TO DPIA IN THE INTERIM
As discussed above, the primary idea behind a DPIA is early detection and mitigation of privacy risks. Since risk assessment and correction are at the core of a DPIA, in the absence of a mandatory DPIA, public health authorities in India need to adopt the following preventive measures, which reduce the potential privacy risks involved in the functioning of an application. Such measures will build public confidence in digital solutions and render them more effective against the pandemic.
- Transparency of Purpose
Clarity in defining the purpose of the data collection is of paramount importance. It is advisable to be transparent about the purpose of the application: whether it is merely proximity notification or whether it is likely to extend to the collection of other identifiers. While designing the application, the approach with the least interference should be preferred, and the requisite information should be shared with the users through the Privacy Policy of the application.
- Minimum Collection and Anonymisation
The Information Commissioner’s Office of the United Kingdom has suggested minimal processing of data by the digital solutions deployed during the pandemic. Only the data that serves the core purpose should be collected, and the data so collected should be anonymized in order to erase any link between the individual and his personal data.
- Clarity in Purpose Limitation
As observed in the Indian context, the aspect of purpose limitation of the data collected through the Government contact tracing application was ill-defined. Limiting the duration of storage of data based on the fulfilment of the assigned purpose and safely destroying the collected data once the purpose has been served prevents mismanagement of personal data.
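The three measures above translate directly into code-level controls. The following is an added illustration written for this post, not code from the Aarogya Setu application or from AMLEGALS, and the field names, the 14-day retention window and the use of a keyed hash (HMAC) for the identifiers are assumptions chosen for the example. It shows a proximity event being reduced to the fields that serve the core purpose (minimum collection), the device identifiers being replaced by a keyed hash that rotates daily so that records cannot be linked back to a person without the day's secret (pseudonymisation), and records being destroyed once the retention period tied to the purpose has elapsed (purpose and storage limitation).

```python
import hashlib
import hmac
from datetime import datetime, timedelta

# Constructed sample of what a loosely designed app might record for every
# proximity event. The personal identifiers below are placeholders, not real data.
RAW_EVENT = {
    "user_name": "A. Sample",              # constructed
    "phone": "+91-00000-00000",            # constructed placeholder
    "gps": (23.0225, 72.5714),             # constructed
    "device_id": "device-A",               # constructed
    "peer_device_id": "device-B",          # constructed
    "seen_at": "2020-10-01T10:15:00+00:00",
    "rssi": -60,
}

# Assumption: only these fields are needed for proximity notification.
CORE_FIELDS = ("device_id", "peer_device_id", "seen_at", "rssi")

# Assumption: retention tied to the purpose (an incubation-based window).
RETENTION_DAYS = 14


def minimise(event: dict) -> dict:
    """Minimum collection: keep only the fields that serve the core purpose."""
    return {k: event[k] for k in CORE_FIELDS if k in event}


def day_key(secret: bytes, day: str) -> bytes:
    """Derive a per-day key so that pseudonyms cannot be linked across days."""
    return hmac.new(secret, day.encode(), hashlib.sha256).digest()


def pseudonymise(identifier: str, key: bytes) -> str:
    """Replace an identifier with a keyed hash; unlinkable without the key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def process(event: dict, secret: bytes) -> dict:
    """Apply minimisation and pseudonymisation before the record is stored."""
    out = minimise(event)
    key = day_key(secret, out["seen_at"][:10])  # rotate the key by calendar day
    out["device_id"] = pseudonymise(out["device_id"], key)
    out["peer_device_id"] = pseudonymise(out["peer_device_id"], key)
    return out


def purge_expired(events: list, now_iso: str,
                  retention_days: int = RETENTION_DAYS) -> list:
    """Storage limitation: drop records older than the retention window."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=retention_days)
    return [e for e in events if datetime.fromisoformat(e["seen_at"]) >= cutoff]


if __name__ == "__main__":
    stored = process(RAW_EVENT, b"constructed-secret")
    print(stored)
    print(purge_expired([stored], "2020-10-20T00:00:00+00:00"))
```

Two design points worth noting. First, a keyed hash is pseudonymisation rather than anonymisation in the GDPR sense: the link to the individual is only erased if the daily key is itself destroyed once the retention window closes. Second, minimisation is applied before storage, not at query time, so the location and contact-detail fields never reach the data store and therefore never need to be secured or purged.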
AMLEGALS REMARKS
In this unprecedented situation, the real-time collection and processing of data by contact tracing applications may secure the public health objective, but such loosely designed digital solutions pose a high risk to the informational privacy of individuals. The principle of PbD was put forward to address such weak design of applications, and the DPIA was introduced as an investigative mechanism to avoid such imperfections in design.
Though the DPIA is a defined method of risk assessment and prevention, proactive solutions to potential privacy infringement may be undertaken in other ways. In the Indian context, where the law providing for a DPIA hasn’t yet been passed by the Legislature, no privacy regulation bars the conduct of a DPIA by Data Controllers. Therefore, rather than putting forth the absence of a definite procedure for DPIA as a reason for not conducting one, Data Fiduciaries in India may undertake a risk assessment of their systems, products, or services by adhering to the foundational principles of PbD.
– Team AMLEGALS, assisted by Ms. Anumeha Smiti (Intern)
For any queries or feedback, please feel free to connect with aditi.tiwari@amlegals.com or mridusha.guha@amlegals.com