The Aarogya Setu mobile application was introduced as India’s technological tool to fight against the novel Coronavirus disease (COVID-19). The App is based on contact tracing, which means that it helps identify people who are likely to be carriers of the disease. While the erstwhile methods of contact tracing required physical interviews with people, mobile technology has made the task a lot easier and safer.
The use of such applications, however, has raised a number of privacy concerns. Ever since the publication of the app, there have been several concerns regarding the vast collection of data and its end-use, especially in the absence of any clear legal basis or legislative framework to address these growing concerns.
The Ministry of Electronics and Information Technology (MeitY) on May 11, 2020, notified the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020. Through this Protocol, the government attempts to answer common queries surrounding the collection and use of data. However, the legal basis for collection and end-use of the data remains unattended.
The invasion of privacy through such collection of data can only be justified if it satisfies the three-fold requirement as enunciated by the Supreme Court in Justice KS Puttaswamy (Retd.) v. Union of India. The Protocol, which is in the nature of an executive order, does not even satisfy the first requirement of legality, which postulates that there must be a law in existence to justify an encroachment on privacy. An executive notification cannot be used to encroach upon fundamental rights. Only a legislative Act or an Ordinance (when the Parliament is not in session) providing legal framework for the app could have satisfied the requirement of legality.
Definitions under the Protocol
“Appropriate health responses” have been defined to include prevention and management of the COVID-19 pandemic, syndromic mapping, contact tracing, communication to an affected or at-risk individual’s family and acquaintances, performance of statistical analysis, medical research, formulation of treatment plans or other medical and public health responses related to the redressal and management of the COVID-19 pandemic.
The definition of “individuals” includes persons who are infected, at high risk of being infected, or who have come in contact with infected individuals. While this definition is a welcome clarification, it is still not clear why this definition was adopted considering that the data of "all" users of the app is collected.
“Response data” is the umbrella term used for all data collected through the app. This includes within its fold demographic data, contact data, self-assessment data and location data. This classification of data into categories is helpful to identify the data being collected, but the use of data throughout the Protocol is indicated in terms of the umbrella of response data and not their respective categories.
While the meaning of each of the constituent categories of response data is self-apparent, the terms have still been defined under the Protocol, which is encouraging from a privacy perspective.
Setting of accountability
The ministry responsible or the government department in charge of the App and enforcement of any claims was unclear before the publishing of the Protocol. The Protocol has clearly established the MeitY as the authority responsible for its enforcement. However, the Protocol also lays down that the MeitY shall act under the overall direction of the Empowered Group 9 on Technology and Data Management (“Empowered Group”) which has been created via the National Disaster Management Authority.
Collection and processing
The Protocol incorporates proportionality and purpose limitation for the collection of data and its use. It provides that response data will be collected proportionately and be used strictly for the purpose of formulating appropriate health responses.
The storage of contact and location data on the device by default is a step in the right direction. This data may be uploaded to the server for appropriate health responses.
Data sharing principles
The sharing of data with governments, ministries, and health departments has also been compartmentalised by the Protocol.
Response data containing personal data will be shared with the concerned authorities when such sharing is strictly necessary to formulate or implement an appropriate health response. It would have been a privacy-positive step to limit the sharing of personal data to the Ministry of Health and Family Welfare and health departments.
However, extending such sharing to “other Ministries and Departments of the Government of India and State Governments…” does not seem to pass the proportionality test, as the benchmarks for such strict necessity, and the circumstances in which this clause may be invoked, have been kept vague. It would have made for a better approach if ministries and departments apart from health were given personal data access only in times of critical need.
In cases where assistance in formulating a critical health response is required, response data will be shared in de-identified form. It is pertinent to note here that the term "critical health response" used for this purpose is undefined. The term "de-identified data" is defined under the Protocol and is different from anonymised data, which is a term used under the Personal Data Protection Bill, 2019. De-identified data has been defined to mean data that has been stripped of personally identifiable information and has been assigned a randomly generated ID.
Further, the National Informatics Centre has been placed under an obligation to maintain records of data sharing. This includes documentation of when the data was shared, with whom the data is being shared, the categories of data being shared, and the purpose of sharing.
A strict purpose limitation has been placed on any entity with whom data is shared. Further, data shall not be retained beyond a maximum ceiling of 180 days in any manner. The entity receiving response data is also barred from sharing the data further with any third party, unless strictly necessary. Any third party with whom such data is shared shall also be subject to the same obligations as are applicable on the entity sharing it.
Further, under the Disaster Management Act, 2005 (DMA), an offence for an intrusion of privacy can be made out only under Section 51(b), which lays down the offence of refusing to comply with any direction made by an appropriate authority without reasonable cause. Where this offence is committed by a department of the government, it would fall under Section 55 of the DMA, under which the head of the concerned department is deemed guilty of the said offence. Pertinently, no prosecution can be initiated under Section 55 without the previous sanction of the Central or state government, as the case may be.
Does the Protocol bridge Aarogya Setu to privacy?
It is the need of the hour that Parliament immediately brings an Ordinance to give legal basis to the app and provide a robust mechanism to ensure rights are not violated and remedies are provided in case of their infringement.
Priyam Jhudele is a fintech and regulatory lawyer. Shantanu Pachauri is an LLM candidate at the National Law University, Delhi.