On 1st May 2020, the Ministry of Home Affairs issued an order mandating compulsory usage of ‘Aarogya Setu’ application for all employees who would be travelling to their respective workplaces.[i] The order also mandates that the state authorities will ensure 100% coverage of the application in ‘containment zones’.[ii] Aarogya Setu is an application developed by the National Informatics Centre, attached to the Ministry of Electronics and Information Technology. The application is a contact tracing application, and was developed in order to track the spread of the Covid-19 virus, via a ‘Bluetooth and location generated social graph’. It requires a user to provide their personal information, as defined under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (hereinafter referred to as ‘IT Rules, 2011’).[iii]
Liability in the event of misuse of data
An assumptive answer to the above question would be the state. To this regard, the Information Technology Act, 2000, however, does not provide a promising legal basis. It would prima facie appear that section 43A and section 72 of the Information Act, 2000, can be invoked in such a scenario. However, there are certain limitations that impede the application of these provisions. One on hand, the former provision requires the data collector to be a body corporate. Considering that the definition of a ‘body corporate’ does not include the state or its agencies, it is highly unlikely that the state can be subjected to the liability under the provision. Consequently, it would also be difficult to subject the state to the obligations enumerated under the IT Rules, 2011, which provide for data protection measures. On the other hand, the latter provision requires that the person breaching confidentiality or privacy does so in pursuance of the powers conferred upon him under the Information Technology Act. The Bombay High Court, while highlighting the essential ingredients of section 72, categorically stipulated that ‘the person who discloses electronic record etc. should have secured the access to them in pursuance of any of the powers conferred under this Act, rules or regulations made thereunder’.[vii] Considering that the personal information collected, has been collected in pursuance of the powers under the National Disaster Management Act, 2005 and not the Information Technology Act, 2000, it is difficult to hold the state liable under section 72 of the Act.
In addition to the above, the Terms of Service of the application categorically stipulate that the government will not be held liable for, inter alia, ‘any unauthorized access to your information or modification thereof’. Pertinently, such limitation of liability is not exhaustive, thereby indicating that the state is not accountable for any breach of security/safety pertaining to the personal data that is collected.
Considering that the application involves collection and usage of personal data, and in some cases, even sensitive personal data[viii], it is imperative that such mandatory usage is supported by accountability and transparency. The standards laid out in the Puttaswamy judgment clearly stipulate a threefold test, i.e. legality, need and proportionality, for justifying an invasion of privacy by the state.[ix] Although the requirement of legality appears to be fulfilled in light of the wide amplitude of powers granted to the National Disaster Management Authority under section 6(2)(i) of the Disaster Management Act, 2005, there seems to be a lack of clarity over whether mandating compulsory usage of the application fulfils the other two requirements.
The Central Government’s decision to make usage of the application mandatory has attracted severe criticism. A prominent Indian politician even went to the extent of claiming that the application is a tool for mass surveillance. However, such claims are yet to be proved. The application, albeit shrouded in controversy, has not only been downloaded by nine crore people, but has also been lauded globally. Moreover, many nations have begun to use similar contact tracing applications to control the spread of the virus.
[i] Directive no. 15, Annexure 1 to the Order (No. 40-3/2020-DM-I(A)) issued by the Ministry of Home Affairs, dated 1st May 2020
[ii] Guideline no. 3(iii) of the Order (No. 40-3/2020-DM-I(A)) issued by the Ministry of Home Affairs, dated 1st May 2020
[iii] Section 2(1)(i), Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
[viii] Section 3, Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011
[ix] Justice K.S. Puttaswamy vs Union of India (2017) 10 SCC 1
ABOUT THE AUTHOR
Kunal Kishore Bilaney
Kunal Kishore Bilaney is a fifth-year law student, pursuing B.B.A LL.B (Hons.) at Alliance University, Bangalore. His areas of interest include criminal law and technology law.