There have been many controversies associated with the Aarogya Setu application ever since its launch in April. The application collects the personal data of millions of people, so concerns are bound to arise. Issues such as hacking of the database have also taken center stage at times, only to be rebutted by security professionals and experts. So from a legal perspective, are the Aarogya Setu app privacy issues real, or just imaginary?
“The procedure must be just, fair, and reasonable.”
But what if there is no procedure?
No fundamental right is absolute. There are always reasonable restrictions. In the case of Aarogya Setu, the government definitely has a compelling public interest. Further, the government also possesses the capability to preserve the anonymity of the individual to legitimately assert a state intervention into the privacy of an individual. Privacy and anonymity prevent others from gaining access to pieces of personal information: privacy involves hiding information, whereas anonymity involves hiding what makes it personal. If the state preserves the anonymity of the individual, it could legitimately assert a valid state interest in the preservation of public health to design appropriate policy interventions on the basis of the data available to it.
Dealing with coronavirus
On 11th March 2020, the Director-General of the WHO declared the highly communicable coronavirus a pandemic. Many countries, including India, soon went into total lockdown in an attempt to contain the spread. However, managing a huge population and contact tracing, especially in megacities, is not an easy task. To keep essential services, supply chain management, and the administration functioning while containing clusters of infections, the government came up with ‘Aarogya Setu’. The idea behind the application is to track the contacts of an infected host, cater to people who assess themselves as ‘unwell’, and advise a person to quarantine if he comes in contact with an infected person. But more than the positive effects of the application, Aarogya Setu privacy issues have occupied people’s attention.
Aarogya Setu Application
- What are the present rules controlling the collection of data by the Government?
- Is information privacy even important for a common man?
- Is the Aarogya Setu application intruding upon your privacy?
How does Aarogya Setu work?
The application is a ‘contact tracking’ application. It figures out if one person has come in close contact with another person by using Bluetooth and GPS. The application requires its users to set the location and Bluetooth of their devices to always on so that if two persons come in proximity, their Bluetooth signals can communicate and make a log of their contact. This log contains a DiD (Digital Identity), GPS location, and timestamp. The location data is collected every 15 minutes and the log of this information remains stored on the mobile device of both the users.
Data belonging to a person is uploaded to the NIC server if that person tests positive. The application also provides a ‘self-assessment’ test, which analyses the symptoms reported by the user and gives the probability of infection. User data is also uploaded if a person assesses himself as ‘symptomatic’. Using the data collected from other users, the application shows a ‘dashboard’ which displays the number of users who have tested positive, are unwell, or are completely healthy. This information is displayed based on the location of the user, and covers users within an area of 500 m to 10 km.
Other than the end user services, the application also allows the government to aggregate datasets, generate reports, heat maps, and other statistical visualizations for the purpose of management of COVID-19. The government may also contact an infected person using the data collected through Aarogya Setu.
What data does it collect?
During logging in to the application for the first time, the user is asked for these details:
- phone number,
- countries visited in last 30 days.
The app also collects location data and uploads it on the server at the time of registration.
All of the data collected during registration is hashed with a unique DiD. After hashing, the application encrypts the data and uploads it to the server. The DiD then becomes the identity of the user, and the information on the server is identified with this DiD. Subsequent to registration, location data is collected every 15 minutes; it is stored locally and uploaded to the server in case the user comes into contact with an infected person.
What does the IT Act say on protecting your data?
The Information Technology Act, 2000, is silent on the subject of data protection vis-à-vis data collection by the government. The IT Act protects against breach of privacy, but only with respect to the powers conferred under the IT Act, rules, or regulations. The IT Act confers no power to collect sensitive personal data of citizens, and hence cannot protect against a breach of privacy in this case. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, impose a duty to protect the personal data of users only on body corporates and persons located in India, but not on the government. The Rules are silent on how the government may collect or secure data. Thus, the IT Act cannot be referred to if one needs to dig out the Aarogya Setu privacy issues.
Should you even care about your privacy?
- What is the objective of guaranteeing privacy of an individual?
Privacy is the condition or state of being free from public attention. It can also be referred to as ‘the right to be let alone’. The constitution guarantees every individual the right to perform his actions in private, without being observed or spied upon. In the context of informational privacy, the right to privacy deals with a person’s mind. It allows the person to control the dissemination of material that is personal to him. Unauthorized use of such information may lead to an infringement of the right to privacy.
To sum up, privacy safeguards individual autonomy so that an individual is able to control vital aspects of his life.
- Why does your privacy extend online?
Every visit to the internet leaves electronic tracks, knowingly, consensually, as well as unknowingly. These electronic tracks are information that reveals the interests and personality of a person.
“Individually, these information silos may seem inconsequential. In aggregation, they disclose the nature of the personality, food habits, language, health, hobbies, sexual preferences, friendships, ways of dress and political affiliation. In aggregation, information provides a picture of the being: of things which matter and those that don’t, of things to be disclosed and those best hidden.” - Justice D.Y. Chandrachud, Justice K.S. Puttaswamy vs. Union of India and Ors. AIR 2017 SC 4161
In short, if a state is able to profile its citizens using the electronic tracks, there is an apprehension of discrimination based on religion, ethnicity, and caste. But this profiling can also be used to further public interest or national security. In this environment, the growth of an individual is indeed going to be inhibited.
So, if privacy is so important, is Aarogya Setu infringing upon your privacy?
The IT Act, 2000, is silent on the subject. The Personal Data Protection Act is yet to be enacted. So, the only recourse left to scrutinize Aarogya Setu privacy issues is the constitution, which also happens to be the toughest test to pass. This brings us to Article 21 of the constitution, through which the fundamental right to privacy flows.
Article 21- “Protection of life and personal liberty. No person shall be deprived of his life or personal liberty except according to procedure established by law”.
Now as per the constitution, the state has an obligation to take all necessary measures to protect the privacy of its subjects. However, the state can also intrude upon the privacy if state interests warrant so.
“…. Since privacy is always integrated with personal liberty, the constitutionality of the law which is alleged to have invaded into a rights bearer’s privacy must be tested by the same standards by which a law which invades personal liberty Under Article 21 is liable to be tested. Under Article 21, the standard test at present is the rationality review expressed in Maneka Gandhi’s case. This requires that any procedure by which the state interferes with an Article 21 right to be “fair, just and reasonable, not fanciful, oppressive or arbitrary.” - Justice S.A. Bobde (now Chief Justice of India), Puttaswamy (Supra)
The first requirement- Is the app legitimate?
- Is the application backed by any law?
“The balance between data regulation and individual privacy raises complex issues requiring delicate balances to be drawn between the legitimate concerns of the state on one hand and individual interest in the protection of privacy on the other.”
When the government interferes with the privacy of a person, it must do so using a law in existence, since justifying an encroachment on privacy by law is an express requirement of Article 21. In the case of a disaster, the Disaster Management Act (DMA) empowers the Central Government to plan for effective mitigation of disasters, to monitor with various departments and agencies, and to evaluate the preparedness to deal with a disaster at all government levels.
Given the nature of the DMA, one may argue that the Act cannot be expected to have clearly defined what the government may and may not do to mitigate a disaster. But the least the government could do was to put out a notification telling people about the legality of Aarogya Setu, or even better, an ordinance perhaps. The government has published dozens of notifications, guidelines, and circulars on multiple websites, and issued multiple press releases. Apparently, no notification or circular regarding Aarogya Setu is available on the portals of the Ministry of Health and Family Welfare (MoH&FW), Ministry of Home Affairs (MHA), National Informatics Centre (NIC), National Disaster Management Authority (NDMA), or even the Integrated Disease Surveillance Program (IDSP).
Interestingly, in its ‘New Guidelines on the measures to be taken by Ministries/ Departments of GoI…’, dated 01.01.2020, guideline number 3 (iii) says, “Intensive surveillance mechanism as outlined in the Standard Operating Protocol (SOP) issued by MoHFW is to be estimated within the Containment Zone.” The order also mandates 100% coverage of the Aarogya Setu application in the containment zones. However, to one’s utter surprise, the SOP issued by the MoHFW does not mention ‘Aarogya Setu’ even once. The IDSP doesn’t even list SARS_COVID-19 as a disease under surveillance.
Does that inspire any confidence in you about the government? Maybe the next point would.
- What is the ‘Empowered Group 9 on Technology and Data Management’? Can it make rules and policies regarding data collected through Aarogya Setu?
The DMA provides for a National Authority. The National Authority then appoints a National Executive Council (NEC). The NEC then assists the National Authority in mitigating disasters. The NEC’s purpose, generally, is ‘implementing the policies and plans of the National Authority to ensure compliance of directions…’. The NEC may prepare the ‘National Plan’ to be approved by the National Authority, as per Section 10 (2) (b) of the DMA. The NEC may also give directions to Ministries or Departments of agencies (e.g. NIC).
But where did the ‘Empowered Committee’ come from? The MHA Order dated 29.03.2020 mentions that the NEC hereby constitutes ‘Empowered Groups of Officers’ as per section 10(2)(h) and (i) of the DMA. But do such powers exist under these sections? NO! The NEC has powers to constitute sub-committees under Section 9. These sub-committees can discharge the functions of the NEC. But Empowered Committee? The DMA is unfortunately silent about them.
The second requirement- Is the procedure just, fair, and reasonable?
The procedural part postulates that even if the state intervenes to advance state interests, it must nevertheless put into place a robust regime that ensures the following:
- Legitimacy: There must be a law in existence to justify an encroachment upon the right to privacy. No person can be deprived of his life or personal liberty except in accordance with the procedure established by law. (Already discussed, refer to ‘is the app legitimate?’)
- Need: There must be a legitimate state aim, meeting the reasonable threshold as per Article 14.
- Proportionality: The law must lay down procedures which are proportional to achieve the object of the law.
- Procedural Safeguards: There must be procedural safeguards against abuse of state interference.
“What is fundamental is life and liberty. What is procedural is the manner of its exercise, this quality of fairness in the process is emphasized by the strong word, established which means ‘settled firmly’ not wantonly whimsically. If it is rooted in the legal consciousness of the community it becomes ‘established’ procedure. And ‘Law’ leaves little doubt that it is normal, regarded as just since law is the means and justice is the end….. It must be ‘right and just and fair’ and not arbitrary, fanciful or oppressive, otherwise, it would be no procedure at all and the requirement of Article 21 would not be satisfied.” - Justice Krishna Iyer, in Maneka Gandhi vs. Union of India, 1978 AIR 597
- Is the application needed for serving a legitimate aim?
The answer to this question must be given in the affirmative. There is no denying that given the highly contagious nature of the coronavirus, it would be criminal to not trace infected persons and quarantine them. It is indeed a matter of compelling state interest. Neglect in restricting the outbreak is bound to have serious repercussions, especially in areas where the population density is skyrocketing. However, just saying that yes, it is indeed required in a given circumstance, does not absolve the state of its obligation to intrude into the privacy of people only according to the procedure established by law. So, the crucial aspect of legitimate aim could be balanced through ‘purpose limitation’.
To ensure that the data is not exploited for any other purpose, the policy also establishes a limitation on the time period of data storage on the user devices and servers. The data on the mobile device would be deleted on the 30th day from the date of collection. The data sent to the server will be removed on the 45th day from the day of the upload to the server. If someone is found to be positive for coronavirus, his data will be deleted on the 60th day from the day of his discharge. The data collected from registration will be deleted on the 30th day from the date of deletion.
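The retention windows above can be checked mechanically against an inventory of stored records. The following audit sketch is an added example, not code from the Aarogya Setu project; the record layout, the `kind` labels and the sample DiDs are assumptions, and the registration-data rule is left out because the reference date for it is not clear from the policy summary above.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Retention windows in days, taken from the policy summary in the article.
RETENTION_DAYS = {
    "device": 30,    # counted from the date of collection
    "server": 45,    # counted from the date of upload
    "positive": 60,  # counted from the date of discharge
}

@dataclass
class Record:
    did: str                     # constructed placeholder, not a real DiD
    kind: str                    # "device", "server" or "positive" (assumed labels)
    clock_start: Optional[date]  # collection/upload/discharge date; None if not yet discharged

def purge_due(rec: Record) -> Optional[date]:
    """Date by which the record must be deleted, or None if the clock has not started."""
    if rec.kind not in RETENTION_DAYS:
        # Fail closed: data with no retention rule should not be silently kept.
        raise ValueError(f"no retention rule for kind {rec.kind!r}")
    if rec.clock_start is None:
        return None
    return rec.clock_start + timedelta(days=RETENTION_DAYS[rec.kind])

def audit(records, today):
    """Return (did, kind, days_overdue) for records still held after their purge date."""
    findings = []
    for rec in records:
        due = purge_due(rec)
        if due is not None and today > due:
            findings.append((rec.did, rec.kind, (today - due).days))
    return sorted(findings, key=lambda f: -f[2])  # worst offenders first

# Constructed sample inventory for illustration only.
SAMPLE = [
    Record("did-A", "device", date(2020, 5, 1)),
    Record("did-B", "server", date(2020, 5, 1)),
    Record("did-C", "positive", None),            # patient not yet discharged
    Record("did-D", "positive", date(2020, 3, 20)),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, date(2020, 6, 10)):
        print(finding)
```

A record whose kind has no rule raises an error instead of passing the audit, so data added for a new purpose cannot escape the retention check unnoticed.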
Recently, the Aarogya Setu application has inserted additional facilities such as e-pass, which exceed the purpose for which data was initially collected.
- Is the data being collected proportional to the objective to be achieved?
The collection of personal data must not exceed the threshold of what is necessary to achieve the legitimate aim. Any excess data accumulated would frustrate the principle of proportionality.
E.g., Australia’s contact tracking application asks for an age range rather than the exact age of an individual.
- Procedural Safeguards
Is the integrity and confidentiality of data being maintained?
Integrity and confidentiality of data ensure security and secrecy of data from any third party.
Making any organization that collects personal data (especially a government organization) process and handle such data responsibly, and with respect for the data subject’s privacy, requires some legal obligation and accountability.
Fairness and transparency
Fair collection of data means that users must be made aware of how their personal data is being processed, how it is being stored, and who has access to it, so that they can make an informed choice.
But every other app has our data, they also do whatever they want, why should the government be questioned?
“If someone permits someone to enter their house, doesn’t mean that others can enter the house.” - Justice S.K. Kaul, Puttaswamy (Supra)
This article was co-authored with Adv. Rohit Ranjan Praveer.
The Order constituting the empowered groups can be found here.
The Ministry of Health- SOP for Intensive Health Surveillance can be found here.
The Ministry of Health order dated 01.05.2020 can be found here.
Bhagyashree is a qualified advocate practicing in criminal/ cyber law and a certified CIPP/ E data protection professional. She has a great academic record with an LLM degree in Computer and Communication Laws from Queen Mary University of London. She also holds technical expertise in the area of digital forensics and investigation.