Misuse of Aarogya Setu Data: Addressing the question of liability

On 1st May 2020, the Ministry of Home Affairs issued an order mandating compulsory usage of ‘Aarogya Setu’ application for all employees who would be travelling to their respective workplaces.[i] The order also mandates that the state authorities will ensure 100% coverage of the application in ‘containment zones’.[ii] Aarogya Setu is an application developed by the National Informatics Centre, attached to the Ministry of Electronics and Information Technology. The application is a contact tracing application, and was developed in order to track the spread of the Covid-19 virus, via a ‘Bluetooth and location generated social graph’. It requires a user to provide their personal information, as defined under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (hereinafter referred to as ‘IT Rules, 2011’).[iii]

Aarogya Setu’s privacy policy

Since the application collects personal information and owing to the lack of a robust data protection framework in India, data privacy concerns are bound to arise. To this regard, the privacy policy of the application needs to be examined. Owing to the purpose limitation principle, the policy stipulates that the collected personal data will only be used for ‘…generating reports, heat maps and other statistical visualizations for the purpose of the management of COVID-19 in the country…[iv], and would not be disclosed or transferred to any third party.[v] The policy further stipulates that the application is equipped with ‘standard security features’ for protecting the collected data. It stipulates that the data collected is encrypted and stored on a securely encrypted server. However, it does not specify what ‘standard security features’ or encryption mechanisms are adopted. Moreover, according to the policy, any collected data will be retained for anywhere between 30 to 60 days, depending upon the status of the user.[vi] In light of such long-term retention of personal data, a question that arises is – who can be held liable in the event of misuse of such data?

Liability in the event of misuse of data

An assumptive answer to the above question would be the state. To this regard, the Information Technology Act, 2000, however, does not provide a promising legal basis. It would prima facie appear that section 43A and section 72 of the Information Act, 2000, can be invoked in such a scenario. However, there are certain limitations that impede the application of these provisions. One on hand, the former provision requires the data collector to be a body corporate. Considering that the definition of a ‘body corporate’ does not include the state or its agencies, it is highly unlikely that the state can be subjected to the liability under the provision. Consequently, it would also be difficult to subject the state to the obligations enumerated under the IT Rules, 2011, which provide for data protection measures. On the other hand, the latter provision requires that the person breaching confidentiality or privacy does so in pursuance of the powers conferred upon him under the Information Technology Act. The Bombay High Court, while highlighting the essential ingredients of section 72, categorically stipulated that ‘the person who discloses electronic record etc. should have secured the access to them in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder’.[vii] Considering that the personal information collected, has been collected in pursuance of the powers under the National Disaster Management Act, 2005 and not the Information Technology Act, 2000, it is difficult to hold the state liable under section 72 of the Act.

In addition to the above, the Terms of Service of the application categorically stipulate that the government will not be held liable for, inter alia, ‘any unauthorized access to your information or modification thereof’. Pertinently, such limitation of liability is not exhaustive, thereby indicating that the state is not accountable for any breach of security/safety pertaining to the personal data that is collected.

Considering that the application involves collection and usage of personal data, and in some cases, even sensitive personal data[viii], it is imperative that such mandatory usage is supported by accountability and transparency. The standards laid out in the Puttaswamy judgment clearly stipulate a threefold test, i.e. legality, need and proportionality, for justifying an invasion of privacy by the state.[ix] Although the requirement of legality appears to be fulfilled in light of the wide amplitude of powers granted to the National Disaster Management Authority under section 6(2)(i) of the Disaster Management Act, 2005, there seems to be a lack of clarity over whether mandating compulsory usage of the application fulfils the other two requirements.

Concluding remarks

The Central Government’s decision to make usage of the application mandatory has attracted severe criticism. A prominent Indian politician even went to the extent of claiming that the application is a tool for mass surveillance. However, such claims are yet to be proved. The application, albeit shrouded in controversy, has not only been downloaded by nine crore people, but has also been lauded globally. Moreover, many nations have begun to use similar contact tracing applications to control the spread of the virus.

Nevertheless, it is of utmost importance that the questions of liability and accountability are effectively addressed. To this regard, firstly, the Terms of service of the application can be modified to limit the exemption from any liability relating to misuse of such data. Such limitation of liability should, one, be based on clear and reasonable parameters, two, be exhaustive, and three, not apply to events of misuse of data. The terms of service should clearly stipulate that the state is accountable for the safety and security of the personal data collected. Secondly, the privacy policy should also stipulate what security procedures and practices the application has undertaken in order to protect such data. Elaboration of the phrase ‘standard security features’  would certainly facilitate in improving transparency between the state and the user, thereby calming the uproar surrounding the mandatory usage of the application. Although the application’s privacy policy stipulates that the collected data is encrypted at the stage of the collection as well as storage, specifying the standard or method of encryption would certainly help in this regard.

[i] Directive no. 15, Annexure 1 to the Order (No. 40-3/2020-DM-I(A)) issued by the Ministry of Home Affairs, dated 1st May 2020

[ii] Guideline no. 3(iii) of the Order (No. 40-3/2020-DM-I(A)) issued by the Ministry of Home Affairs, dated 1st May 2020

[iii] Section 2(1)(i), Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

[iv] Clause 2(a), Privacy Policy of Aarogya Setu

[v] Clause 6, Privacy Policy of Aarogya Setu

[vi] Clause 3, Privacy Policy of Aarogya Setu

[vii] Avdhesh Kumar Paras Nath Pathak vs State of Maharashtra and Anr. Criminal Application no. 2562 of 2019

[viii] Section 3, Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

[ix] Justice K.S. Puttaswamy vs Union of India (2017) 10 SCC 1


Kunal Kishore Bilaney


Kunal Kishore Bilaney is a fifth-year law student, pursuing B.B.A LL.B (Hons.) at Alliance University, Bangalore. His areas of interest include criminal law and technology law.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Create a website or blog at WordPress.com

%d bloggers like this: