By - Chiranjeevi Sarin, Director Sabkuch Legal Private Limited
India launched the ‘Aarogya Setu’ or ‘Health Bridge’ application in the month of April to better equip healthcare authorities to fight the Covid-19 pandemic. It has been downloaded by more than 10 crore people in a very short span of time and uses Bluetooth and GPS to alert users who may have encountered people who later test positive for the coronavirus. The application has received praise from the majority of the people owing to its usefulness and effectiveness. However, the application poses some eyebrow-raising pertinent questions that need to be answered by the government and other concerned authorities.
What type of data is collected by Aarogya Setu app?
Before discussing the pertinent questions raised by Aarogya Setu app, let me first throw light on the type of data collected by Aarogya Setu app. The data collected by the Aarogya Setu app is broadly divided into four categories — demographic data, contact data, location data, and self-assessment data. This is collectively called response data. Demographic data includes information such as name, mobile number, age, gender, profession, and travel history. Contact data is about any other individual that a given individual has come in close proximity with, including the duration of the contact, the proximate distance between the individuals, and the geographical location at which the contact occurred. Location data comprises the geographical position of an individual in latitude and longitude. Self-assessment data means the responses provided by that individual to the self-assessment test administered within the app. Thus, the data collected by the app is vast and extensive.
Why making the app mandatory has not been imposed by Legislation?
It is argued by many that the app breaches the fundamental right to privacy as it coercively extracts personal information from an individual, therefore, it must have legislative sanction. Instead, the app is being imposed through executive order. Companies are being told that all their employees must use the app, and local governments, building societies, and shops are making it mandatory. Why has the government not complied with the orders of the Supreme Court vis-a-vis the need for legislation?
What are safeguards against data theft?
The second pertinent question arising from the usage of the app is that what are the safeguards against data theft and other breaches? The app’s Terms of Service (TOS) confer blanket limited liability on the government. In cases of data theft, who will be held accountable? How can the government be allowed to operate a huge surveillance system without concomitant obligations?
Why is there no protocol for data deletion?
The third important question is why is there no protocol for deletion of data? What legal rights do users have over their data and its deletion? Does the government have a right to hold the data and process it in perpetuity? Under the Terms of Service, the government is obligated to delete certain personal data after a 30-day time period. However, there exists no framework to check compliance of the same. If users have no control over their data, it is a complete violation of their right to informational self-determination and the right to be forgotten.
Will the recent protocol issued by Government silence the critics of the app?
According to the recent protocol issued by Government, the response data containing personal data may be shared by the app’s developer — National Informatics Centre (NIC) — with the Health Ministry, Health Departments of state/Union Territory governments/ local governments, National Disaster Management Authority, state disaster management authorities, other ministries and departments of the central and state governments, and other public health institutions of the central, state and local governments, “where such sharing is strictly necessary to directly formulate or implement an appropriate health response”. The protocol also lays the ground for sharing the data with any third parties — “only if it is strictly necessary to directly formulate or implement appropriate health responses”. The critics however argue that if there is a likelihood of data being shared with third parties then the government should have published a list of third-party entities with whom the data can be shared, for greater transparency.
Further, the protocol says the response data that can be shared with ministries, government departments, and other administrative agencies has to be in de-identified form. This means that, except for demographic data, the response data must be stripped of information that may make it possible to identify the individual personally; it must be assigned a randomly generated ID. The government needs to be appreciated though for this process of data sharing.
It can be inferred from the above assertions that there are few loopholes in the manner of the introduction of the Aarogya Setu app and the app in itself. Consequentially, the recent spate of criticism against the government. Kerala High Court has already issued a notice to the government of India to respond to a case filed against making the app mandatory in public and private sectors. The ongoing cases against the government regarding the invasion of privacy by the app and making the app mandatory in public and private sectors shows that the government is in for a rough road ahead.