Aarogya Setu App in Teeth of Right to Privacy: A Debacle?

INTRODUCTION  

As the Indian Government is trying to fight this unprecedented pandemic caused by COVID-19, it has been pushing its citizens to use the Aarogya Setu Application. Using digital technology, the Indian Government employed a strategy to improve the situation of public health in the country. On 14th April 2020, the Indian Prime Minister asked every Indian citizen to download the mobile application, and it became the worlds’ fastest app to reach 50 million downloads in merely13 days.

The Indian Government promotes Aarogya Setu as a step to implement contact-tracing. This app takes the information of its users and forms a social graph of individuals. Further, the app tracks location by using GPS and Bluetooth to know where the individual has been and informs the person if he/she comes in contact with someone who is the carrier of the virus. This way, the app determines the current health status of an individual, whether one risks infection. However, the app raises specific questions about the invasion of an individual’s privacy. Due to the app’s design, it is possible that the app and the data used might be at risk of misuse. The risk of misuse is especially glaring because of the terms of service and the privacy policy of the app.

This article seeks to critically examine the violation of citizen’s right to privacy upon using the Aarogya Setu App. Analysing the app’s terms of service and privacy policy vis a vis other contact tracing apps that follow the global privacy standards. Further, this is discussed in the backdrop of absence of any comprehensive Data Protection Law in India and the relevance of the landmark decision of the Indian Supreme Court in the case of K.S. Puttaswamy v. Union of India(‘K.S. Puttaswamy’). 

ABSENCE OF DATA PROTECTION LAW IN INDIA 

Unfortunately, India does not have a data protection law to essentially provide guidelines for public and private authorities to respect privacy and regulate the use of sensitive data. The existing legal provisions in India, such as the Information Technology Act, 2000 have limited applicability. In this light, it becomes necessary to emphasize the judgment of K.S. Puttaswamy, wherein the Hon’ble Supreme Court of India, recognised the Right to Privacy as a part of an individual’s right to life under the Constitution. The court also mentioned that in times of public health crisis, the government may use sensitive information and health records in a manner that ensures anonymity of the patients. The use of this Aarogya Setu app in a legal vacuum gives rise to violations and gives the government a free hand to use the information arbitrarily.

CONCERNS WITH THE AAROGYA SETU APP 

India has been using the Aarogya Setu app as a means of contact tracing. The privacy policy of the app raises fundamental issues of not following certain principles of privacy and it has been criticised for the same.

The app requires a user to fill in information for a self-identification test and collect details such as: name, phone number, age, sex, profession, countries visited in the last 30 days, and whether or not you are a smoker. The app collects a significant amount of personal and sensitive data, which does not agree with the data minimisation principle.

The app’s privacy policy mentions that the government can share information collected by the app to the relevant person to carry out “medical and administrative interventions.” This shows that the information can be exchanged with several departments of the government. The terms of service of the app do not specify any specific ministry for sharing the data and this makes it more susceptible to obfuscated functioning of the government. It has been said that the health ministry’s involvement in the access of the data is minimal; rather, the data collected by the app is used by other departments of the government. The data collected by the app cannot be used by law enforcement agencies and for purposes such as imprisoning people. The app’s main purpose was to notify users about the risk of them getting infected with COVID-19. But the use of the app has extended to other purposes as well. It has been reported that the government is using the data collected by the app to determine whether India should relax the lockdown. This shows that the apparently the application is used for several purposes and contact tracing is just one of them, thus violating the principle of purpose limitation.

Further, the application raises concerns about discriminatory and exclusionary practices. The government has started to monitor the data collected by the app to make policy decisions. Given that India does not have a law that deals with digital surveillance, discriminatory targeting is a conceivable risk attached to using the app. Recently, the Indian government was tracking down any person who had links with Tablighi Jamaat, resulting in biased surveillance on a specific sect. Keeping in mind the fact that the testing rate in India is low, rather than adapting to discriminatory practices, testing people uniformly and universally across the country would help to find out the true extent of the spread of the virus.

Considering the loose terms of service of the app, the government can use the app for even restricting the right of freedom of movement of people. The government has made it compulsory for its employees to download the app. Meaning, that if an employee does not download the app, he/she shall not be allowed to enter the office. Other potential restrictions, such as entry into backs or ATMs may be contingent on the colour coding of a person produced by the app. This would severely impact people, especially the vulnerable sections of the society, and result in denying them the right to have access to basic amenities.

CONTACT TRACING APPS: A COMPARATIVE ANALYSIS  

TraceTogether app of Singapore; and second is the PrivateKit app of Massachusetts Institute of Technology (MIT) are the two models compared with India’s Aarogya Setu. TraceTogether app does not collets location data and only requires access to the user’s mobile Bluetooth. This data collected by the app is anonymised, and the users have control over their personal information. Also, the app’s policy clearly mentions that the data shall be used only by the Ministry of Health of Singapore. Further, PrivateKit app allows users to share their location with the health authorities. The app’s primary purpose is contact tracing but the data can be used for studying people’s wellbeing, community traffic analysis and refuge migration. Thus, some functions of this app might not be in line with the purpose limitation principle. The Aarogya Setu app requires access to GPS and Bluetooth of the users, which is more than what is required by TraceTogether and PrivateKit for contact tracing. As mentioned above, the app’s self-identification test requires a user’s sensitive information, which is way more than the information collected by both the models. The app’s policy does not mention any methods to keep the data anonymised, and there is no mention of any specific ministry having access to this data. This opacity is excessive as compared to the other two models, and thus, the Aarogya Setu app runs inconsistently with principles of purpose limitation and data minimisation.

WAY FORWARD

Recently, the Ministry of Electronics and Information Technology of India(MEIT), released the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020. This protocol defines some of the terms used in terms of service of the app. It clarifies the MIET shall be accountable for the enforcement of any claims about the app. The protocol suggests that the data collected shall be shared with  “other Ministries and Departments of the Government of India and State Governments,” which is not in line with the principles of necessity and proportionality. Even after the Protocol, the position of data sharing that is to be used in an anonymised manner is still unclear.

The Aarogya Setu app runs inconsistent with the principles of data protection and privacy, and the government must resolve this quickly. For instance, there is a need that the data collected must be processed for a specific purpose, and it must be known to the people. Moreover, the government must justify the use of both GPS and Bluetooth for contact tracing within a framework that does not violate people’s privacy. Even at a fundamental level, there is a requirement of transparency with respect to the app’s Terms of Service and Privacy Policy. Further, there is no accountability mechanism available in case there is a data breach, and this must be considered as well.

According to the K.S. Puttaswamy judgment, there is a requirement of the existence of the law to justify the encroachment of privacy, which in the present context is absent. Therefore, the app is curtailing the Right to Privacy and, in effect violating the Right to Life. The Parliament of India must immediately bring in an ordinance to provide the app with legal backing and create a mechanism to safeguard the rights of individuals.


ABOUT THE AUTHOR

Ramit Singh

unnamed

Ramit Singh is a second-year student at Institute of Law, Nirma University. His interests lie in Constitutional Law and Arbitration Law.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s