“AAROGYA SETU APP: INSUFFICIENT DEMONSTRATION OF PRIVACY AND LAW”
Author: Swasti Jain
UPES, Dehradun.
ISSN: 2581-8465
Abstract
Amidst this pandemic of COVID-19 in the country, technology has also taken its speed where the central government has been pushing its people to use the Aarogya Setu application. The Central government has been promoting its usage to enable contract tracing as a means to control its spreading. The use of technology to curb this disease cannot be denied, but the regulatory measures must be taken into consideration. It is seen that the concern related to privacy and security are being echoed about the usage of this app. Activists all around are raising their voice, challenging the inefficient policy framework, and lack of legal protection. This makes the app susceptible to misuse.
With increasing doubts and concerns this article briefly examines the violation of citizen’s right to privacy which is enshrined under Article 21 of the Constitution of India, upon using the Aarogya Setu App. Also, by analyzing the framework for data protection laws available in India with relevance to the landmark decision of the Hon’ble Supreme Court in the case of K.S Puttaswamy[1] and analyzing the privacy issues related to this Aarogya Setu App has been discussed. Further, it is posed with the question of what will happen to data and application when this pandemic is over.
INTRODUCTION
The Indian government has been continuously trying to fight with this unprecedented and chaotic pandemic of coronavirus in the country, for the same, it has been promoting the usage of the Aarogya Setu application. It is essentially a contact tracing app that tracks interactions with someone who could have tested positive with Covid-19 or coronavirus through a Bluetooth device and GPS technology. This app is developed by the National Informatics of the Indian Government and it generates the information of its users and forms a social graph of individuals. It allows health departments to take effective actions to mitigate the spread of the pandemic and enhance their preparedness.[2]
For the app to be effective the app must be installed on as many phones as possible and the users must uniformly update their health and surrounding status so that the society must be aware of the circumstances. Also, the home ministry made it mandatory[3] for government and private sector employees to install this app which will directly ensure 100% coverage among any organization as well. Soon after subsequent guidelines[4] issued by MHA has softened its stance in this regard and now encourages employee and district officials to ensure the installation of this app necessary.
However, this application raises certain questions, the core contention is in the use of technology in overcoming this crisis is an invasion in an individual’s right to privacy which is given under Article 21.[5] It is possible that the data collected might be at the risk of misuse. This is especially arising because of the conditions and privacy policy of the app.[6]
ABSENCE OF DATA PROTECTION LAWS IN INDIA
On analyzing Puttaswamy[7] verdict, it describes how can any restriction be applied to the fundamental right to privacy has to comply with four prolonged tests of legality, the legitimate aim, proportionality, and procedural safeguards. These principles do not mean mere existence of the law, how the principle demands that this law ought to be clear specific that is sufficient to guarantee that individuals have advance notice of the manner in which they will be implemented.
With this issue of a mandatory download of the Aarogya Setu app, many organization, and statutory authorities force their employees to download this app. So, the need for a well-defined law remains intact. The collection of personal data without informed consent directly undermines the principles of privacy given under Puttaswamy’s judgment. It is very well known that by continuously using the app, it collects the personal information of the individuals such as location data through GPS technology and Bluetooth and demands to be traced by a valid law, which has to simultaneously be passed by the proportionality test.
At present India does not have a comprehensive legal framework for data protection to provide guidelines and regulate the use of sensitive data. The only existing legal provision is the Information technology act, 2000 which has a very limited scope and proves to be unsatisfactory.
In this light, the paper relies on Personal Data Protection Bill, 2019 to consider this application through the proposed legal provisions.[8] This Bill comprehensively lays down the rights and duties of Data Fiduciaries, Data Principals, and Data Processors. For the compliance of the bill, it holds data fiduciary accountable which further contains detailed provisions for the consent of the Data holder or principle, collection of data, and transparency in its processing. Thus this app can be categorized to be in square of infringement of the right to privacy if sanctioned by law. There is an urgent need to expand the scope of data protection to protect individuals’ data and limiting the boundaries for its processing, simultaneously strengthening the grounds of reasonable restrictions that can hamper privacy.
AAROGYA SETU APP: PRIVACY AND DESIGN ISSUES
Aarogya Setu app has become the most downloaded application since its release. India has been using this contact tracing app which is similar to the applications introduced by google and apple and uses Bluetooth technology. However, unlike Google or Apple, it also uses GPS technology for the collection of Data of an Individual. After installation, firstly this app collects information like name, gender, age, profession, contact number, and travel history. This information is now processed and hashed to a unique device ID, then uploaded to the Central unit Database. The app demands Bluetooth and GPS to be switched on all the time and takes admin access. This access results in the approval to collect more data than required which can be considered as a security risk by large.
When two devices with this app come closer or in a range of proximity, they exchange those unique IDs with each other. Experts suggest[9] that the application engages in pseudo-static ID instead of privacy-oriented dynamic pseudo ID as was with foreign country’s i.e. Singapore’s contact tracing application. Initially, these records generated through Bluetooth and GPS technology are stored locally on the phone, but once an individual develops symptoms of coronavirus, the system will directly upload it to the Central unit database. The interactions are mapped out to display Covid-19 patients all around.
The terms of services[10] and privacy policy[11] still create a lot of concerns in the minds of privacy-protecting activists with the most fundamental aspect of proportionality and data protection principles. The policy mentions that the union can share the data which is collected by the app in order to carry out “medical and administrative intervention”[12] with the relevant person. This signifies that the data can be shared with several other departments of the government. Moreover, as per the terms of services, no particular ministry has been specified for exchanging data of an individual and this raises more susceptible issues to carry out the proper functioning of the government. The main purpose of this application was to identify the coronavirus infected people in contact with the other healthy individuals. Instead, the information collected through this app has been used for other purposes as well. It has been significantly seen that the government is analyzing this data to determine whether they should give relaxation in this lockdown or not.[13]
Another issue that rises, there is no clear way for the users to come out of this app. One of the sections of user rights talks about canceling the registration and the information saved will be deleted within 30 days of termination. However, there is no provision in this app to delete the account and it is nowhere mentioned, on deleting the application will amount to canceling the registration or what other consequences on data will be suffered.
With these loose terms and conditions, the government can use the information to restrict the right freedom of movement of the people enshrined in the Constitution of India. Having the application of continuously monitoring the location of an individual, will severely impact people and will be an infringement of the right to privacy. This may prove in contrast to the main aim of this contact tracing application. Such location data can be used to track their address without implied consent. This surveillance will have a negative impact on citizen’s rights.
NO LEGISLATIVE BACKING: AAROGYA SETU APP
The Hon’ble Supreme Court of India has deliberated on the issue of privacy on various occasions. In 1975, Govind v. State of Madhya Pradesh[14] the hon’ble court held that right to privacy is implicit in Article 21 of the Constitution of India, for citizen’s liberty. In 1996, in PUCL v. Union of India[15], the court gave guidelines imposing procedural restraints, while keeping that privacy right includes informational privacy as well. A historic turn took place in 2017 in KS Puttaswamy v. Union of India wherein the Hon’ble Supreme Court held that a ‘test’ should be applied, depending on the rights that may be infringed. It mentioned about the importance of data protection laws and recognized the requirement of the existence of the law to justify the encroachment of privacy.
Presently, the only issuance comes from the MHA guidelines under the Disaster Management Act, 2005. However, these provisions are not adequate and prove to be unsatisfactory[16] as a legal base. On analyzing the powers driven from the Disaster management act, 2005, the central directions are executive in nature. The statute does not have any clause to deal with surveillance. The act has to be tested on laws infringing fundamental rights. Recently, the government released the Aarogya Setu Data Access and knowledge sharing protocol, 2020 for the implementation of MHA guidelines. But this protocol does not derive its legislative standing from the Disaster Management Act. Importantly, it does not provide any legal status to the app itself. Thus, this protocol cannot be considered in providing any legislative foundation for this application.
The app does not have a legal framework that may govern it beyond the terms of services and privacy policy. Moreover, the app does not satisfy the ‘test’ given in the Puttaswamy’s Judgement, to have a rational nexus between goals to be achieved and way to be adopted, as to ensure the interference in individuals rights is justifiable. The lack of statutory backing and regulatory measures make the app prone to misuse.
WHAT WILL HAPPEN TO DATA AND APP AFTER THE PANDEMIC?
The Aarogya Setu data Access and knowledge sharing the protocol has been released by the ministry of electronics which mentions a sunset clause where the data is retained for six months means personal data will be deleted after the expiration of this period. It has to be taken into consideration that this sunset clause does not apply to the app and the app may be repurposed for another use after the pandemic gets over.
The officials of NITI Aayog said that the Aarogya Setu App will have no use after this pandemic but can be used purposely for building National Health Stack[17]. A report said that this is similar to BHIM as a ‘starter’ for Unified Payments Interface (UPI) and Aarogya Setu will act as a ‘starter’ for National Health Stack. Indian still does have any data protection law in place so it would be unwise to use this app, other than its original use of contact tracing. It is still not clear if there are safeguards for sensitive data to be taken in use at large.
CONCLUSION
In light of the present situation, the functioning of this contact tracing app namely ‘Aarogya Setu’ is being challenged. The reason behind this is that this app lacks an inadequate legal framework and runs inconsistently with the principles of privacy and personal data protection. Personal Data to any person is the most crucial aspect, it is important to note that the public data remains safe and secure. There is an urgent need to have an elaborate constitutional mechanism to preserve the rights of the individuals. The government must justify the use of both GPS technology and Bluetooth for contact tracing within a proper and well-defined framework that does not infringes on the right to privacy provided under Article 21 of the Indian Constitution. There needs to be transparency at a very basic level with respect to the privacy policy and terms of Services.
Even though the Aarogya Setu App has been accepted by the majority of the public, but still, there is a need for the existence of “proper law” in place to justify the violation of the right to privacy. Therefore, the Aatogya Setu App is in violation of privacy rights. It is the time when the government calls for deliberative clearance of all the issues and brings in an ordinance to support the application with the legislative backing and ensure a mechanism to provide safeguard which will not compromise with the individual’s rights in the realm of the Indian Constitution.
[1] K.S. Puttaswamy v. Union of India (2017) 10 S.C.C. 1 (India).
[2] Ministry of Electronics and Information technology, Notification of Aarogya Setu Data Access and Knowledge Sharing protocol, Government of India, (May 11, 2020), https://static.mygov.in/rest/s3fs-public/mygov_159051652451307401.pdf.
[3] Ministry of Home Affairs, MHA Order Dt. 1.5.2020 to extend Lockdown period for 2 weeks w.e.f. 4.5.2020 with new guidelines, Government of India, (May 01, 2020), https://www.mha.gov.in/sites/default/files/MHA%20Order%20Dt.%201.5.2020%20to%20extend%20Lockdown%20period%20for%202%20weeks%20w.e.f.%204.5.2020%20with%20new%20guidelines.pdf.
[4] Ministry of Home Affairs, Government of India, (May, 17, 2020), https://www.mha.gov.in/sites/default/files/MHAOrderextension_1752020.pdf.
[5] INDIA CONST. art. 21.
[6] Kashish Aneja & Nikhil Pratap, Implement Aarogya Setu, but only through the law, The Hindu, (Apr. 22, 2020), https://www.thehindu.com/opinion/op-ed/implement-aarogya-setu-but-only-through-law/article31391708.ece.
[7] K.S Puttaswamy, supra note 1.
[8]Vidisha Singh, India’s Aarogya Setu Contact Tracing App- Compromising Privacy in a Pandemic? JURIST Student Commentary, (May 18, 2020), https://www.jurist.org/commentary/2020/05/vidisha-singh-aarogya-setu-app-covid19/.
[9] Shashidhar K.J, Aarogya Setu App and its many Conflicts, Observer and Research Foundation, (June 06, 2020), https://www.orfonline.org/expert-speak/aarogya-setu-app-many-conflicts-67442/.
[10] Aarogya Setu TERMS OF SERVICE, Government of India, https://web.swaraksha.gov.in/ncv19/tnc/.
[11]Privacy Policy, Government of India, https://static.swaraksha.gov.in/privacy/.
[12] Id.
[13] Vasudha Venugopal, Aarogya Setu, drone data to play part in lockdown exit strategy (Apr. 08,2020) https://economictimes.indiatimes.com/industry/healthcare/biotech/healthcare/arogya-setu-drone-data-to-play-part-in-lockdown-exit-strategy/articleshow/75040648.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst.
[14] Govind v. State of Madhya Pradesh (1975) 2 S.C.C. 14 (India).
[15] People’s Union of Civil Liberties (1967) 1 S.C.C. 301 (India).
[16] Vrinda Bhandari Faiza Rahman, Constitutionalism during a Crisis: The Case of Aarogya Setu The leap blog (May 25 2020) https://blog.theleapjournal.org/2020/05/constitutionalism-during-crisis-case-of.html.
[17]NITI Aayog, National Health Shack, Government of India, (July, 2018,) http://niti.gov.in/writereaddata/files/document_publication/NHS-Strategy-and-Approach-Document-for-consultation.pdf.