A CRITICAL ANALYSIS OF ‘AAROGYA SETU’ IN LIGHT OF RIGHT TO PRIVACY

This article has been authored by Ashutosh Rajput, a second year student at Hidayutullah National Law University.

Introduction

The advent of COVID-19 has forced the government of every nation to take several indispensable steps to prevent the transmission of the disease. India also took many steps to prevent its transmission, including an effort through technical intervention by making citizens aware of their surroundings through Aarogya Setu app. This app was launched on 2nd April 2020 and it makes it mandatory upon all the individuals, who live in containment zones, to register themselves with the app. On 14th April 2020, Prime Minister Narendra Modi in his address to the nation appealed to download the app. Interestingly, this app reached 50 million downloads in mere 13 days which is a record in itself.

In furtherance to it, the Ministry of Home Affairs (Order) also directed employees of both private and public sectors, who were working physically in workplaces, to mandatorily download this contact-tracing app. However, this mandatory clause was later transformed into a voluntary clause. Even though it was not mandatory for the employees to download the said app but Clause 9 (ii) of the said Order read that “……employers on best effort basis should ensure that Aarogya Setu is installed by all employees having compatible mobile phones”, thereby making it mandatory upon the employer to ensure that the app was installed in the mobile phones of all the employees.

Additionally, its Terms of Use stipulate that the terms are subjected to several amendments and failure to comply with any of the amendments shall result in a restriction on app usage. Furthermore, it can be undisputedly stated that in order to maintain compliance with the Terms of Use, an individual has to forcefully give his consent. This giving of forceful consent goes against the very purpose of Article 21 of the Indian Constitution and the person who coerced such consent will be liable in the action for damage as propounded in the case of R. Rajagopal v. State of T.N.

Working of Aarogya Setu

When an individual registers himself, he has to link his name, age, sex, profession, whether he is a smoker or not, and phone number to his geo-location data. Geo-location data can be described as information which is used to identify the physical location of an electronic device. Primarily this app uses a phone’s Bluetooth and GPS connection which helps in keeping the record of other users by detecting the same. As soon as any of the users declare symptoms or tests positive of COVID-19 through the app’s self-assessment survey, it records and uploads the same to the servers and makes the other individuals alert of being in their proximity. This data is then sent to the government.

For instance, X and Z are two people (registered users) who are under each other’s Bluetooth range, then the app will record the time and the GPS location of such interaction on each other’s app by automatically exchanging each other’s DiD (unique digital ID) and if at all Z tests positive after such interaction with X then the information will be uploaded to the government’s server, meanwhile the exchange that took place between X and Z will remain encrypted in a manner that both the parties cannot have each other’s access.

Infringement of the Privacy and Judicial Pronouncements

Though this app was introduced with a noble objective of tackling the ongoing pandemic, it has sparked major concerns regarding the privacy of a user. The questions raised against the app pertain to the lack of information available on what type of data will be collected, how long it will be stored and what uses it will be put into. Since India lacks a compressive data protection law, there are no restrictions upon the government to encroach upon an individual’s fundamental right to privacy.

The Indian Constitution aims to protect the fundamental rights enshrined under Part III. Article 21 deals with the right to life and personal liberty. The state must not infringe an individual’s privacy and take all requisite steps to protect it. The Supreme Court in Kharak Singh v. State of U.P. for the first time propounded that the right to privacy is an integral part of the right to life. In R. Rajagopal v. State of T.N., the Supreme Court held that the right to privacy is a ‘right to let alone’ and no one can publish anything, whether truthful or critical without their consent or else it would be a gross violation of their privacy.

The Supreme Court in Puttaswamy & Anr. v. Union of India & Ors. observed that if at all the state interferes with the privacy of an individual that has been embedded under Article 21 of the Constitution then such meddling must pass the proportionality test. This judgment also recognized data protection as an essential part of information privacy.

Proportionality Test

Proportionality test has been laid down in Modern Dental College & Research Centre v. State of Madhya Pradesh & Ors. Important aspects of the same have been summarized as under.

Legality

It suggests that there should be a fundamental law which authorizes such interference upon fundamental rights by the government. Additionally, that law should be fair, just, and reasonable. The government, in the present case, predominantly relied upon National Disaster Management Act, 2005 (NDMA) to defend itself. But it must be noted that under this legislation, the government’s power is restricted to control the actions of the executive agencies and in no manner it can infringe individual’s civil right, i.e. right to privacy. It means that the government through NDMA can modify the working methods of executive but in no manner this legislation can interfere in the fundamental rights guaranteed by the Indian Constitution to its citizens. Hence, this legislation should not be looked upon by the government. Thereby, failing the legality test.

Suitability

Suitability states that there should be a strict relationship between means and the end. But this app can wrongfully showcase an individual as positive COVID-19 which contradicts the medical purpose of testing and in no manner an application-based test can be at par with the actual medical test. And this wrongful showcase may infringe one’s fundamental right as to the right to life with dignity as it will restrict such person’s movement without entitling him a true report.

Proportional Interference

The Privacy Policy of ‘Aarogya Setu’ consists of 7 clauses which deal with what personal information is collected, how it is collected, by whom as well as the purposes for which it is used. Clause 3(b) of the Privacy Policy states that “All personal information collected under Clauses 1(b), 1(c), 1(d) and 1(e) will be retained on the mobile device for a period of 30 days from the date of collection after which, if it has not already been uploaded to the Server, will be purged from the App”. Additionally, Clause 4 (b) of the Privacy Policy states that “You cannot manage the communications that you receive from us or how you receive them. If you no longer wish to receive communications from us, you may cancel your registration. If you cancel your registration, all the information you had provided to us will be deleted after the expiry of 30 days from the date of such cancellation.”

A conjoint reading of both the clauses pertains to the excessive interference on the privacy. It is a well-stated fact that soon after an individual uninstalls a particular app, then all the terms and conditions are deemed to end at that particular instance. However, Clause 4 (b) provides that the information will get obliterated only after the expiry of 30 days after such un-installation. Moreover, it cannot be fact-checked, neither by the user nor by a researcher, whether the government has deleted the user’s personal information as there is no transparent auditing of the same.

Major Disparities between the Privacy Policy and the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020 (Protocol)

1. The privacy policy of the app states that the personal information of a corona positive user will be retained for 60 days from the day a user has been tested positive while the sunset clause of the Protocol states that the personal information will not be retained for more than 180 days. Furthermore, it is stated that this 180-day time period may get reduced or may get extended, but it is ambiguous whether the consent of an individual would be asked if the period is to be extended.

2. Though the protocol allows the users to delete their demographic data before 180 days, the procedure to delete such data has not been specified. Moreover, the protocol is silent on the deletion of other types of personal data such as contact data, self-assessment data, and location data.

3. As per the Protocol, the data will be shared with the third party and the government will be responsible for any breach by such third party, but it is unclear whether the third party will be held liable.

4. It has been stated in the Protocol that the National Informatics Center (NIC) “shall collect only such response data as is necessary and proportionate to formulate or implement appropriate health responses.” The phrase “appropriate health responses” has a wider connotation which has not been defined or explained anywhere.

Government’s liability vis-à-vis the Information Technology Act, 2000 (IT Act)

Pursuant to the liability clause of the Terms of Service, the government in any manner will not be liable for

(a) the failure of the App or the Services to accurately identify persons in your proximity who have tested positive to COVID-19;

(b) the accuracy of the information provided by the App or the Services as to whether the persons you have come in contact with in fact been infected by COVID-19.

This immunity provision of the government goes against the very purpose of Section 43A of the IT Act. The said Section states that the government should not cause wrongful gain or wrongful loss while handling an individual’s sensitive personal data and if the government does not adhere with this clause then the government has to pay damages by way of compensation to the affected individual. Therefore, if the government causes a wrongful gain or loss to any person while handling their sensitive personal data as in the present case, then the government will have to pay damages by way of compensation to the person thus affected. The liability clause in the terms of service hits at the root of Section 43A of the IT Act and hence it is inconsistent with the laws in force.

Conclusion

It was indeed a much-needed step by the government to crusade against the current pandemic. After all, the government launched this app by considering the health crisis of its population without any malicious intent of infringing privacy. But it would be great if the government comes up and address all the questions pertaining to privacy issues concerning the App. It is believed that people are forced to download this app without knowing its consequences. It also does not follow the proportionality test which is a prima facie infringement of privacy. Internationally, such intervention is inconsistent with the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights as both the covenants recognize the right to privacy as a special human right. India is signatory to both the Covenants and hence its violation can cause a major legal backlash.

To counter such discrepancy, the government should put more emphasis on easing the liability clause to gain user’s trust in case of the data breach. Further, the disparity between the provisions of the protocol and the privacy policy should be shorted out as soon as possible. Rather than frequently amending the Terms of Use and coercing the user to accept such terms, the government should focus more on the user’s free consent on each provision.