Coronavirus (hereinafter “Covid-19”) will go, but the kind of world it will leave behind will be a very different one than what it has been. This pandemic has brought the world to a standstill and has taken lives of more than half a million people worldwide. Amidst this pandemic, India is struggling with a health emergency wherein the resources available are significantly outnumbered by the requirements of the population.
Given the fact that the virus is extremely contagious, the government has been repeatedly asking the public to practise social distancing. In order to facilitate the same, Aarogya Setu application (hereinafter “the App”) was launched on 2nd April by the Ministry of Electronics and Information Technology for Android and iOS platforms to inform the users about their proximity to the Covid-19 positive person and their chances of getting infected. The App collects personal information of the user which includes name, mobile number, gender and travel history. The App performs contact tracing through Bluetooth and GPS to determine the social graph of the user. However, there is no legislation in India that expressly regulates processing, collecting and regulating personal information of an individual. Although Section 43A of Information Technology Act, 2000 does provide a procedure for the collection of sensitive personal data, it is applicable to corporate entity and not the State. Therefore, in the absence of any legislation, the App falls short of protecting the right to privacy of an individual.
Personal Data Protection Bill (hereinafter “Bill”), 2019 seeks to provide protection to the personal data of individuals and governs the processing of personal data by the government. According to Section 3(13) of the Bill, the government of India (the State) is a data fiduciary and has to comply with the obligations provided in the Bill. The Bill aims at making data fiduciary accountable for collecting, processing and using the data and ensures that principles of data privacy are protected.
In the present case, the App process personal data based on consent and state acts as the data fiduciary. The purpose of collecting personal data is to keep a check on the spread of Covid-19. The information collected by the App satisfies the definition of personal data under Section 2 (28) of the Bill. Therefore the Bill applies not only to all the data processed by the App and stored in the device of users but also to the personal data by the government of India on the cloud.
Section 4 of the Bill clearly states that personal data should be collected for a “specific, clear and lawful purpose”. But Clause 2 (a) allows the government to share the information “with such other necessary and relevant persons as may be required in order to carry out necessary medical and administrative interventions.” This is extremely problematic as it allows the government to share the information with anyone as it deems fit. It gives complete discretionary power to the government to share personal information of the users even with the third party. The clause is completely in contravention to Section 4 of the Bill.
Purpose liability of the APP
ABOUT THE AUTHOR
Gunjan Shrivastav is a second-year B.A.LL.B student at National Law School of India University (NLSIU) Bangalore. Her area of interest mainly includes Constitutional Law, Data Protection Laws and Public Policy. The interface between law and technology interest the most to her.