As the Indian Government is trying to fight this unprecedented pandemic caused by COVID-19, it has been pushing its citizens to use the Aarogya Setu Application. Using digital technology, the Indian Government employed a strategy to improve the situation of public health in the country. On 14th April 2020, the Indian Prime Minister asked every Indian citizen to download the mobile application, and it became the worlds’ fastest app to reach 50 million downloads in merely13 days.
ABSENCE OF DATA PROTECTION LAW IN INDIA
Unfortunately, India does not have a data protection law to essentially provide guidelines for public and private authorities to respect privacy and regulate the use of sensitive data. The existing legal provisions in India, such as the Information Technology Act, 2000 have limited applicability. In this light, it becomes necessary to emphasize the judgment of K.S. Puttaswamy, wherein the Hon’ble Supreme Court of India, recognised the Right to Privacy as a part of an individual’s right to life under the Constitution. The court also mentioned that in times of public health crisis, the government may use sensitive information and health records in a manner that ensures anonymity of the patients. The use of this Aarogya Setu app in a legal vacuum gives rise to violations and gives the government a free hand to use the information arbitrarily.
CONCERNS WITH THE AAROGYA SETU APP
The app requires a user to fill in information for a self-identification test and collect details such as: name, phone number, age, sex, profession, countries visited in the last 30 days, and whether or not you are a smoker. The app collects a significant amount of personal and sensitive data, which does not agree with the data minimisation principle.
Further, the application raises concerns about discriminatory and exclusionary practices. The government has started to monitor the data collected by the app to make policy decisions. Given that India does not have a law that deals with digital surveillance, discriminatory targeting is a conceivable risk attached to using the app. Recently, the Indian government was tracking down any person who had links with Tablighi Jamaat, resulting in biased surveillance on a specific sect. Keeping in mind the fact that the testing rate in India is low, rather than adapting to discriminatory practices, testing people uniformly and universally across the country would help to find out the true extent of the spread of the virus.
Considering the loose terms of service of the app, the government can use the app for even restricting the right of freedom of movement of people. The government has made it compulsory for its employees to download the app. Meaning, that if an employee does not download the app, he/she shall not be allowed to enter the office. Other potential restrictions, such as entry into backs or ATMs may be contingent on the colour coding of a person produced by the app. This would severely impact people, especially the vulnerable sections of the society, and result in denying them the right to have access to basic amenities.
CONTACT TRACING APPS: A COMPARATIVE ANALYSIS
TraceTogether app of Singapore; and second is the PrivateKit app of Massachusetts Institute of Technology (MIT) are the two models compared with India’s Aarogya Setu. TraceTogether app does not collets location data and only requires access to the user’s mobile Bluetooth. This data collected by the app is anonymised, and the users have control over their personal information. Also, the app’s policy clearly mentions that the data shall be used only by the Ministry of Health of Singapore. Further, PrivateKit app allows users to share their location with the health authorities. The app’s primary purpose is contact tracing but the data can be used for studying people’s wellbeing, community traffic analysis and refuge migration. Thus, some functions of this app might not be in line with the purpose limitation principle. The Aarogya Setu app requires access to GPS and Bluetooth of the users, which is more than what is required by TraceTogether and PrivateKit for contact tracing. As mentioned above, the app’s self-identification test requires a user’s sensitive information, which is way more than the information collected by both the models. The app’s policy does not mention any methods to keep the data anonymised, and there is no mention of any specific ministry having access to this data. This opacity is excessive as compared to the other two models, and thus, the Aarogya Setu app runs inconsistently with principles of purpose limitation and data minimisation.
Recently, the Ministry of Electronics and Information Technology of India(MEIT), released the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020. This protocol defines some of the terms used in terms of service of the app. It clarifies the MIET shall be accountable for the enforcement of any claims about the app. The protocol suggests that the data collected shall be shared with “other Ministries and Departments of the Government of India and State Governments,” which is not in line with the principles of necessity and proportionality. Even after the Protocol, the position of data sharing that is to be used in an anonymised manner is still unclear.
According to the K.S. Puttaswamy judgment, there is a requirement of the existence of the law to justify the encroachment of privacy, which in the present context is absent. Therefore, the app is curtailing the Right to Privacy and, in effect violating the Right to Life. The Parliament of India must immediately bring in an ordinance to provide the app with legal backing and create a mechanism to safeguard the rights of individuals.
ABOUT THE AUTHOR
Ramit Singh is a second-year student at Institute of Law, Nirma University. His interests lie in Constitutional Law and Arbitration Law.