Updated: Sep 28, 2020

[Authored by Madhav Sirohi, a 3rd year B.A. LL.B. (Hons.) student at Ram Manohar Lohia National Law University, Lucknow]

In 2017, after much debate, the Supreme Court recognized the Right to privacy as being a fundamental right, ingrained in the Right to life and personal liberty. India joined the bandwagon of nations that acknowledged the privacy of its citizens, following the institution of the rather pervasive Aadhar initiative. However, the country finds itself at similar crossroads with the Aarogya Setu application, which attempts to trace contacts of an individual who voluntarily claims to be Covid-19 positive. The procedure is fairly simple, with the application utilizing the individual’s location data and BlueTooth to identify potential human contacts.

In recent events, various countries have resorted to contact-tracing applications to effectively identify and curb the spread of the virus. Aarogya Setu is India’s attempt at doing so, but it is not without its flaws. After activists and legal experts raised concerns of misuse and callousness, The Ministry of Electronics and Information Technology issued the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020. Through this protocol, the Government sought to detail the use of the data collected. However, the loosely worded nature of the protocol has created more problems than it has solved.

Firstly, and most importantly, the application lacks legislative sanction. There exists no law that suggests that citizens install the application and share their data. Especially since the Government’s lobbying for its use is bordering on the imposition of mandatory use. It is settled through multivariate decisions of the Supreme Court, that an intrusion into a fundamental right of a citizen can be made only through law, provided it seeks to serve legitimate state interests. In the current situation, the control of a pandemic amounts to a legitimate state interest. However, it does not grant the Government the unfettered power to indulge in mass data collection and its unrestricted sharing. The power is available to the Government alone and limited to prevent mass surveillance and disproportionate restriction of rights. An enactment will further enable effective constitutional scrutiny into the extent of restriction of the right to privacy. As with Aadhar, the Government has implemented the Aarogya Setu application through an executive order as a circumvention to the legislative scrutiny of the Parliament.

Secondly, the processing of information at the hands of the Government and third parties (read Data processors) must be accompanied by concomitant obligations. Say for example, in case of a data breach, what is the extent of the liability on the Government and the data processors? Here, it becomes important to note that the app collects four types of data - location, demographic, self-assessment, and contact (through Bluetooth). The Terms of Service of the application blatantly state that the liability of the Government is limited. With such aforementioned personal information being collected, there must be not only limitations on the collection of the same but also on the processing along with the imposition of concomitant liabilities for every violation. These parties involved might be better understood with reference to the Privacy and Data Protection Bill, 2019. The bill distinguishes between Data fiduciaries- entities that store and hold data (the Government in this case), and Data processors (Government departments or private entities). The Bill recognizes the distinction between Data fiduciaries and Data processors to enable the imposition of appropriate liabilities, which must be followed with Aarogya Setu as well.

Thirdly, the application is not transparent, thereby making it difficult to address technical vulnerabilities and to ascertain the exact nature of data collection and processing. The application’s Terms of Service data is collected and stored only when a user marks his/her-self Covid-19 positive. The design of the app must be made open source to enable enforcement of public policies such as the right to be forgotten, and ensure data collection is largely minimized along with the prevention of unwanted data collection. An individual must at all times be aware of the entities in control of the data and whether the data is effectively deleted upon the expiration of 180 days.

In conclusion, the most effective solution would be a legislative enactment detailing which departments of the Government have access to which kind of data and identification of third- party data processors. Further, in the absence of a Privacy and Data Protection Act, the liabilities and duties of both, the Government and processors must be established to ensure effective and limited processing of the information collected. Besides, the app must be made open source to allow remedying of any inherent technical vulnerabilities and ensure compliance with the restrictions on data collection and processing. These measures would not only ensure the privacy of the citizens but also inspire confidence among the prospective users, thereby allowing for comprehensive fulfilment of the objective in the first place: curbing the spread of Covid-19.

103 views0 comments