Aarogya Setu App – A test for the Personal Data Protection Bill 2019

Introduction

Coronavirus (hereinafter “Covid-19”) will go, but the kind of world it will leave behind will be a very different one than what it has been. This pandemic has brought the world to a standstill and has taken lives of more than half a million people worldwide. Amidst this pandemic, India is struggling with a health emergency wherein the resources available are significantly outnumbered by the requirements of the population.

Given the fact that the virus is extremely contagious, the government has been repeatedly asking the public to practise social distancing. In order to facilitate the same, Aarogya Setu application (hereinafter “the App”) was launched on 2nd April by the Ministry of Electronics and Information Technology for Android and iOS platforms to inform the users about their proximity to the Covid-19 positive person and their chances of getting infected. The App collects personal information of the user which includes name, mobile number, gender and travel history. The App performs contact tracing through Bluetooth and GPS to determine the social graph of the user.  However, there is no legislation in India that expressly regulates processing, collecting and regulating personal information of an individual. Although Section 43A of Information Technology Act, 2000 does provide a procedure for the collection of sensitive personal data, it is applicable to corporate entity and not the State. Therefore, in the absence of any legislation, the App falls short of protecting the right to privacy of an individual.

In this article, it is argued that the App acts as a test of the Personal Data Protection Bill 2019, so as to check whether the Bill is adequate enough to safeguard the right to privacy of individual from such State action it analyses the privacy policy of the App through the lens of Personal Data Protection Bill to understand whether the Bill is adequately framed to safeguard the right to privacy.

Personal Data Protection Bill 2019 and the Privacy Policy of the App

Personal Data Protection Bill (hereinafter “Bill”), 2019 seeks to provide protection to the personal data of individuals and governs the processing of personal data by the government. According to Section 3(13) of the Bill, the government of India (the State) is a data fiduciary and has to comply with the obligations provided in the Bill. The Bill aims at making data fiduciary accountable for collecting, processing and using the data and ensures that principles of data privacy are protected.

In the present case, the App process personal data based on consent and state acts as the data fiduciary. The purpose of collecting personal data is to keep a check on the spread of Covid-19. The information collected by the App satisfies the definition of personal data under Section 2 (28) of the Bill. Therefore the Bill applies not only to all the data processed by the App and stored in the device of users but also to the personal data by the government of India on the cloud.

Section 4 of the Bill clearly states that personal data should be collected for a “specific, clear and lawful purpose”. But Clause 2 (a) allows the government to share the information “with such other necessary and relevant persons as may be required in order to carry out necessary medical and administrative interventions.” This is extremely problematic as it allows the government to share the information with anyone as it deems fit. It gives complete discretionary power to the government to share personal information of the users even with the third party. The clause is completely in contravention to Section 4 of the Bill.

However, the government can still go ahead with sharing the information under section 12(d) and 12 (e) of the Bill that allows the government to process information without consent in case of medical emergency and epidemic. Moreover, even under section 35 of the Bill the State can completely absolve itself from any obligation provided in the Bill if the State considers it necessary or expedient in the interest of security. As per the World Health Organization, the security of the State includes within its ambit the health security. Therefore, had the Bill been passed it would have provided an essay escape to the State to justify the privacy policy of the App on the ground of health security and under Section 35 of the Bill. It would have allowed the State to infringe upon the right to privacy of the individual by freely sharing the data with other relevant authorities without any accountability. In addition to this, Section 35 of the Bill also highlights how the requirement of necessity and proportionality laid down in K.S Puttaswamy v. Union of India has been reduced to “necessary or expedient” under Section 35 of the Bill. This completely takes away the obligation of the government to balance the intrusion in the right to privacy and the objective sought to achieve, thereby enhancing the government’s surveillance powers.

Purpose liability of the APP

Similarly, although it might seem that the purpose limitation of the App is only to inform the users about the proximity of the nearest Covid-19 positive patient, the purpose of the App can easily be expanded under the Bill. Recently the government has made it compulsory to download the app for all the passengers availing the service of a train to travel.  Therefore, it is very possible that government can easily pass an order that makes it compulsory for everyone to download the App in exchange of government benefits and public safety and justify it under Section 35 of the Bill. In fact, the App can have the same fate as that of Adhaar which was first introduced to provide government benefits to citizens and later allowed the government to intrude into the privacy of individuals. Thus, the Bill fails to safeguard the right to privacy of the individuals and had it been in force, it would have justified the Terms of Service and Privacy Policy of the App.

Conclusion

The government certainly has a strong reason to launch the App which is to tackle the spread of Covid-19 but the Terms of Service and the Privacy Policy of the App fail to provide adequate safeguard to protect the right to privacy of the users. The App has also made it clear that the provisions of the Bill are not sufficient to adequately protect the right to privacy of the public. Further, it can be surmised, had the Bill been passed it would have provided legal backing to all the loopholes in the App which clearly pose a threat to individual’s privacy.


ABOUT THE AUTHOR

Gunjan Shrivastav

Gunjan Shrivastav

Gunjan Shrivastav is a second-year B.A.LL.B student at National Law School of India University (NLSIU) Bangalore. Her area of interest mainly includes Constitutional Law, Data Protection Laws and Public Policy. The interface between law and technology interest the most to her.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s