Aarogya Setu: An analysis of the Data Access and Knowledge Sharing Protocol, 2020

The Aarogya Setu mobile application was introduced as India’s technological tool to fight against the novel Coronavirus disease (COVID-19). The App is based on contact tracing, which means that it helps identify people who are likely to be carriers of the disease. While the erstwhile methods of contact tracing required physical interviews with people, mobile technology has made the task a lot easier and safer.

The use of such applications, however, has raised. a number of privacy concerns. Ever since the publication of the app, there have been several concerns regarding the vast collection of data and its end-use, especially in the absence of any clear legal basis or legislative framework to address these growing concerns.

The Ministry of Electronics and Information Technology (MeitY) on May 11, 2020, notified the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020 . Through this Protocol, the government attempts to answer common queries surrounding the collection and use of data. However, the legal basis for collection and end-use of the data remains unattended.

The invasion of privacy through such collection of data can only be justified if it satisfies the three-fold requirement as enunciated by the Supreme Court in Justice KS Puttaswamy (Retd.) v. Union of India. The Protocol, which is in the nature of an executive order, does not even satisfy the first requirement of legality, which postulates that there must be a law in existence to justify an encroachment on privacy. An executive notification cannot be used to encroach upon fundamental rights. Only a legislative Act or an Ordinance (when the Parliament is not in session) providing legal framework for the app could have satisfied the requirement of legality.

Definitions under the Protocol

One area where the Protocol does well is clearly defining the key terms used throughout, unlike the privacy policy of the app.

“Appropriate health responses” have been defined to include prevention and management of the COVID-19 pandemic, syndromic mapping, contact tracing, communication to an affected or at-risk individual’s family and acquaintances, performance of statistical analysis, medical research, formulation of treatment plans or other medical and public health responses related to the redressal and management of the COVID-19 pandemic.

The definition of “individuals” includes persons who are infected, at high risk of being infected, or who have come in contact with infected individuals. While this definition is a welcome clarification, it is still not clear why this definition was adopted considering that the data of "all" users of the app is collected.

“Response data” is the umbrella term used for all data collected through the app. This includes within its fold demographic data, contact data, self-assessment data and location data. This classification of data into categories is helpful to identify the data being collected, but the use of data throughout the Protocol is indicated in terms of the umbrella of response data and not their respective categories.

While the meaning of each of the constituent categories of response data is self-apparent, the terms have still been defined under the Protocol, which is encouraging from a privacy perspective.

Setting of accountability

The ministry responsible or the government department in charge of the App and enforcement of any claims was unclear before the publishing of the Protocol. The Protocol has clearly established the MeitY as the authority responsible for its enforcement. However, the Protocol also lays down that the MeitY shall act under the overall direction of the Empowered Group 9 on Technology and Data Management (“Empowered Group”) which has been created via the National Disaster Management Authority.

Collection and processing

The Protocol imbibes proportionality and purpose limitation for the collection of data and its use. It is provided that response data will be collected proportionately and be strictly used only for the purpose of formulating appropriate health responses.

The storage of contact and location data on the device by default is a step in the right direction. This data may be uploaded to the server for appropriate health responses.

Data sharing principles

The sharing of data with governments, ministries, and health departments has also been compartmentalised by the Protocol.

Sharing of personal data

Response data containing personal data will be shared with the concerned authorities when such sharing is strictly necessary to formulate or implement an appropriate health response. It would have been a privacy-positive step to limit the sharing of personal data to the Ministry of Health and Family Welfare and health departments.

However, making “other Ministries and Departments of the Government of India and State Governments…” does not seem to pass the proportionality test, as the benchmarks for such strict necessity or when this clause may be invoked has been kept vague. It would have made for a better approach if ministries and departments apart from health were given personal data access only in times of critical need.

Sharing of de-identified data

In cases where assistance in formulating a critical health response is required, response data will be shared in de-identified form. It is pertinent to note here that the term "critical health response" used for this purpose is undefined. The term "de-identified data" is defined under the Protocol and is different from anonymised data, which is a term used under the Personal Data Protection Bill, 2019. De-identified data has been defined to mean data that has been stripped of personally identifiable information and has been assigned a randomly generated ID.

Further, the National Informatics Centre has been placed under an obligation to maintain records of data sharing. This includes documentation of when the data was shared, with whom the data is being shared, the categories of data being shared, and the purpose of sharing.

Obligations of entities with whom data is shared

A strict purpose limitation has been placed on any entity with whom data is shared. Further, data shall not be retained beyond a maximum ceiling of 180 days in any manner. The entity receiving response data is also barred from sharing the data further with any third party, unless strictly necessary. Any third party with whom such data is shared shall also be subject to the same obligations as are applicable on the entity sharing it.

Violations

The Protocol states that any violations of the directions under it shall be punishable as per Sections 51 to 60 of the Disaster Management Act, 2005 (DMA). It is interesting to note, however, the interplay of this direction with paragraph 6(d) of terms of use of the app, which relieves the government from any liability in case of unauthorised access to data or modification thereof. Until such a head-on conflict is resolved by amending the terms of use of the app, it remains to be seen how the violations of Protocol will be dealt with.

Further, under the DMA, offence for an intrusion of privacy can be made only under Section 51(b), which lays down the offence of refusing to comply with any direction made by an appropriate authority without reasonable cause. Where this offence is committed by a department of the government, it would fall under Section 55 of the DMA, under which the head of the concerned department is deemed guilty of the said offence. Pertinently, no prosecution can be initiated under Section 55 without the previous sanction of the Central or state government, as the case may be.

Does the Protocol bridge Aarogya Setu to privacy?

This Protocol could be seen as the government’s response to the growing concerns surrounding the vast data collected by the application and a legal vacuum in which it was being done. It is laudable on part of the government to bring in this Protocol to dispel fear regarding the working of the app and its privacy policy. However, the Protocol has failed to address the bigger concern of absence of a law without which any encroachment of privacy would be a violation of Article 21 of the Constitution.

Although the existence of legislation would not by itself justify an encroachment, it would at least satisfy the first requirement of legality. Before the notification of the Protocol, Justice (Retd.) BN Srikrishna also pointed out that there is no accountability in the system in case of data breach. Accountability concerns remain unresolved even after the notification of this Protocol as it is inconsistent with the Terms of Use of the App.

It is the need of the hour that Parliament immediately brings an Ordinance to give legal basis to the app and provide a robust mechanism to ensure rights are not violated and remedies are provided in case of their infringement.

Priyam Jhudele is a fintech and regulatory lawyer. Shantanu Pachauri is an LLM candidate at the National Law University, Delhi.