Covid-19 has swept the globe, marking its path with a high number of fatalities wherever it has spread, creating an enormous strain on public health and leading to a drastic shift in practices worldwide. There is no industry or arena that has been untouched by it and the massive redirection to the online sphere is perhaps one of the most marked differences that have been felt and seen worldwide. Furthermore, governments across the world are collecting an unprecedented amount of personal data with the ostensible aim of monitoring and controlling the virus.

In this context, it is worrisome that there is no framework to regulate personal data and its use in Pakistan. The Personal Data Protection Bill introduced by the Ministry of Information Technology and Telecommunication (MOITT) last month, has yet to become law or be presented in parliament. The 2020 Bill has seen some changes since its last version was made public in October of 2018 and though more refined than its predecessors, the Bill still leaves a lot to be desired from a rights-based perspective.

Some concerns regarding the proposed legislation include the exception of medical research from the ambit of personal data to be collected with the consent of the data subject where the term medical research has not been defined. Furthermore, Sections 31 and 38 allow for wide exemptions to the federal government to exclude itself from owing responsibility to protect and safely nest the data of its citizens which has been a concern in the past. Additionally, the use of terms ‘vital interests’ and ‘critical personal data’ without providing a definition as to what constitutes these interests can result in an arbitrary enforcement of the law.

While these concerns are alarming on their own, they are made more urgent due to the novel coronavirus, which has engendered an increase in the use of technology to tackle the pandemic. While acknowledging the need to curb its spread and save lives, we cannot forgo privacy rights or ignore the possibility of misuse of health surveillance technology, especially in a country where there is no protection.

To add some perspective, a group of academics led by Professor Lillian Edwards of the University of Newcastle in the UK has released a draft Bill titled Coronavirus Safeguards Bill 2020 that lays down the rules for managing the use of contact tracing and symptom tracking applications safely, and with the least amount of invasiveness possible.

Some concerns regarding the proposed legislation include the exception of medical research from the ambit of personal data to be collected with the consent of the data subject where the term medical research has not been defined.

The model legislation states that the use of such apps must be voluntary to ensure the consent of individuals is prioritised and there are no exclusions based on access to technology. Furthermore, the collection, use and sharing of data must be overseen by a body that is not only autonomous but also capable of reporting on due process, freedom of movement and discrimination in addition to privacy. They also add that anonymisation i.e removing elements of recognizability, be the immediate focus of such efforts and there be strict limitations on the sharing of data, i.e. personal data should not be shared beyond the necessary public health authorities. The need for a sunset clause, making sure that the data is used only for the duration of the pandemic, is also crucial to ensure privacy.

The draft also talks about the possibility of immunity certificates (also being referred to as ‘passports’), stating that only authorised members of law enforcement should be allowed to ask for such documentation. We have already seen over-the-top policing with regard to health surveillance happening in India, with the Aarogya Setu app being made mandatory in places such as Noida (failure to download can lead to fines imposed by the police). These concerns have also echoed in the Australian parliament which will debate the Privacy Amendment (Public Health Contact Information) Bill 2020 that sets out not only a comprehensive set of definitions relating to COVID-19-battling technology and the special measures being taken for the same but also sets out serious offences in cases of non-compliance.

Coming to the corporate model, technology giants Apple and Google, have partnered together to create the Exposure Notification API. To address and allay concerns, both companies have stated that they will not use users’ geolocation data, rather rely on Bluetooth-based tracking. Apple in its ‘draft documentation for an Exposure Notification system in service of privacy-preserving contact tracing’ guarantees principles such as purpose limitations, i.e only for the use of an official government public health authority, and stress the need for the user’s consent, whether in terms of employing the API at all or sharing a positive test result with the authorities. The official app introduced in Pakistan is found wanting in this light, with its inadequate privacy policy and real-time location tracing method that makes for a troubling combination.

The move into proposed regulation by multiple actors to oversee Covid-19 specific data processing shows the significance of privacy-centric framework. However, these are basic safeguards to curtail possible privacy infringements atop what the law is already providing, in these countries. Pakistani citizens, by comparison, have no legal cover under this head and thus are at risk for greater exposure. A model approach would be to incorporate best practices into either the main body of the proposed law itself or to introduce a set of rules to oversee technology being developed for Covid-19 tracking and a robust regulatory framework that ensures that the data used for this purpose is secure, time-bound and not deployed for surveillance in other contexts to provide as much transparency, clarity and protection to the citizens of Pakistan, as possible.