Rakshitt C. Bajpai, a student pursuing law at Dr. Ram Manohar Lohiya National Law University, India, discusses the importance of privacy in the face of geofencing measures being implemented around the world. . .
The spread of COVID19 has led to a lot of chaos. In the wake of several instances of lockdown violations and quarantined patients escaping hospital wards, the government has decided to use an application that triggers e-mails and SMS alerts to an authorized government agency if a person has jumped quarantine or escaped from isolation. Lockdown is an essential step in containing the virus and preventing its transmission. Geofencing is an efficient way to maintain the lockdown as it is not labour intensive like police patrolling and is similar to mobile tracking, which makes it user friendly for the police.
However, unregulated use of such technology might lead to a breach of privacy rights and misuse of the data being provided by the citizens to such apps.
Geofencing & COVID19
Geofencing is a feature in a software program that uses the GPS or RFID to define geographical boundaries. Based on its configuration, it can trigger text messages, send targeted advertisement on social media, control vehicles, disable certain technology, etc. Some geofences are set up to monitor activity in secure areas, allowing management to see alerts when anyone enters or leaves a specific area. Geofencing is already being used in Kerala to help the authorities maintain the lockdown and track the people leaving their house. The mobile app which is being used for geofencing is known as COVID-19 Quarantine Alert System (CQAS).
There are also other countries trying to maintain public order and their respective quarantine period by the application of the geofencing technology.
Recently, the government of Hong Kong undertook a similar measure by introducing electronic tracker wristbands which alert the authorities about the people violating 14 days quarantine period. These wristbands are based on the principles of geofencing technology, which is different from GPS tracking. The Hong Kong government has argued that the wristband poses no privacy concerns because it does not track one’s exact location and merely looks at signals to deduce whether someone is inside or outside of the home.
These bracelets contain a QR code that pairs up with a smartphone app by the name of StayHomeSafe, which uses the strength of surrounding communications signals like Wi-Fi, Bluetooth and GPS to track a person. If someone tries to breach the quarantine by leaving their home, the app triggers a warning and alerts the government. Anyone violating their quarantine could face up to six months in prison and a fine of up to HK$25,000 ($3,200).
Other countries like Australia are using conventional ways like phone tracking to monitor infected people, whereas, some like Taiwan are using an electronic security monitoring system that will allow easier tracking of all quarantined individuals.
Legitimacy of Geofencing in India
The action of the government seems to be legitimate enough based on the fact that it has been reinforced with the help of a legal statute. The Indian Telegraph Act (1885) governs the use of wired and wireless radio communications, digital data communications and gives exclusive jurisdiction and privileges to the government for establishing, maintaining, operating, licensing and oversight of all of these.
As per Section 5(2) of the Indian Telegraph Act, 1885, the Central as well as State Government can carry out lawful interception of phones and computers. However, if done illegally, it is a punishable offence under Section 25 and Section 26 of this act, with an imprisonment up to 3 years in addition to a fine at the discretion of the court.
Although, in the case of Justice KS Puttaswamy v. Union of India, the court said that if any such limitation is to be put on the right to privacy, it will come under the ambit of ‘reasonable restriction,’ and the reasons for imposing such limitation should meet the requirements and criteria for ‘reasonable restriction.’ In this case since COVID19 has been declared a pandemic and steps are being taken for the maintenance of public order and preventing the spread of this virus, it seems to be a justified restriction.
Breach of Privacy
CQAS collects phone data, like the device’s location, on a common secured platform and alerts the local agencies in case of a violation by patients in isolation. It also prepares a list of mobile numbers, segregates them on the basis of telecom service providers and location data provided by the companies, which is further used by the application to create geo-fencing. Therefore, there is a probability of misuse of location data by the telecom companies.
India is not a party to any international convention on protection of personal data like the General Data Protection Regulation (GDPR), which aims to simplify the regulatory environment for usage of personal data by companies. However, there are certain provisions of some existing statutes which might be able to deal with the possible misuse of data. Nevertheless, India is a party to the Universal Declaration of Human Rights, which acknowledges the Right to Privacy.
The 2000 Information Technology (IT) Act was recently amended by the government to cater to the need of data protection. This resulted in the inclusion of Section 43A and Section 72A, which give a right to compensation for improper disclosure of personal information. Based on Section 43A a certain set of guidelines known as the Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules (SPD) were framed. Similar to the GDPR, they set out some necessary procedures for the collection, storage and use of personal data. These rules can be used as a patchwork of legislation to deal with issues regarding data privacy. However, neither the IT Act nor these rules provide for any penalties or punishments in case of any misuse of data. The Data Protection Bill, which has been delayed for a long time is capable enough to tackle most of the issues regarding data privacy and data protection, but it is still under discussion.
Therefore, without any such statutory regulation there are chances of misuse of the personal data of citizens. In the case of geofencing, there have been prior instances of it being misused in the marketing industry. Recently, some anti-abortion groups in the US were using geofencing to identify and send content to women visiting abortion providers. This would be a grave violation of human rights and, as India recently recognized right to privacy as a fundamental right under Article 21 of the Indian Constitution, it would also result in the violation of the Fundamental Rights of the citizens. Since, the Fundamental Rights are enforceable only against the State and not private companies, the offenders in such crimes can easily get away with it.
There is no specific legislation in India to deal with the misuse of data by the companies. The IT Act was not drafted primarily for data protection and cannot cater to the changing dynamics of privacy and data protection. As far as the SPD rules are concerned, despite being framed for the purpose of data protection, they are obsolete in certain aspects. As we know, modern problems require modern solution, special legislation like the Data Protection Bill, is the need of the hour.
Rakshitt C. Bajpai is a student pursuing law at Dr Ram Manohar Lohiya National Law University, India.
Suggested citation: Rakshitt C. Bajpal, Geofencing, Data Protection and Privacy Amidst Pandemic, JURIST – Student Commentary, April 26, 2020, https://www.jurist.org/commentary/2020/04/rakshitt-bajpai-geofencing/
Opinions expressed in JURIST Commentary are the sole responsibility of the author and do not necessarily reflect the views of JURIST's editors, staff, donors or the University of Pittsburgh.