Right to privacy v. Aarogya Setu

Harshul Khadiya

Aug, 07, 2020

Amidst Covid’19, a disease that has kept entire country on its toes, there are concerns about the use and efficiency of the contact tracing app called 'Aarogya Setu,' an app designed to track the Covid-19 spread. The major issue which this app brought with it is about the right to privacy.

Amidst Covid’19, a disease that has kept entire country on its toes, there are concerns about the use and efficiency of the contact tracing app called 'Aarogya Setu,' an app designed to track the Covid-19 spread. The major issue which this app brought with it is about the right to privacy. Recently, pleas was filed before the Kerala High Court challenging the order issued by the Ministry of Home Affairs on May 1, 2020 which made it mandatory for local authorities to ensure 100% coverage of Aarogya Setu App among residents of Containment Zones. Though the Centre denies the vulnerability of the app to data breach and privacy issues, it strongly affirms that the app has a robust framework of privacy policies, but due to governments poor history with privacy, no information about the operator the app, and the absence of data protection legislation compound people’s anxieties because via this app, the government now have continuous access to an individual’s location and demographic data. Throughout pursuit of this agitation, many cyber activists including Justice B.N Krishna have put forward their claims against the app, questioning the inefficient policy framework and the lack of the legal protection underlined above.

Breif Introduction to Arogya Setu
Aarogya Setu App was launched a few weeks ago, which literally means "bridge to health". It is essentially a contact tracing, Syndromic mapping and Self-assessment" digital service developed by National Informatics Centre of the Indian Government which tracks our interactions with someone who could have tested positive for Covid-19 through a Bluetooth and Location generated the social graph and is. This app was launched by the Indian government after many pandemic-affected countries which had earlier launched similar digital contact tracing app, The app alerts you if you've come near to a Covid’19 patients and also offer advice on how to protect oneself and how to seek care and support in the event of symptoms developing0. As per the data provided by The Ministry of Electronics and IT estimated the downloads of this app to have crossed 100 million. Aarogya Setu app also contains multiple sections which provide our status (regarding the proneness to the risk), a self-assessment test, Covid-19 updates, and an E-pass (if applied and made available).

Right to Privacy: At a Glance
Right to privacy has been recognized in various International Human Rights Treaties and is one of the core foundation stones of democratic society. It creates an obligation upon member states of such treaties for effective protection of right to privacy against government surveillance. India being a signatory of Universal Declaration of Human Rights (UDHR), which has attained the status of customary international law, and if the International Covenant on Civil and Political Rights (ICCPR) wherein separate articles has been mentioned about the right to privacy, has an obligation to ensure full adherence of the provisions. UN has enphasised enough on the importance of legislative measures for protection of right to privacy under the ICCPR has been by the UN Human Rights Committee (HRC) in its General Comment No. 16 which talks about right to privacy.
Not only international treaties but the Constitution of India also encompasses Right to Privacy under Article 21, which is a requisite of Right to life and personal liberty. The scope of this article is considered as multi-dimensional in our constitutional history. This topic was first debated in the case of M.P. Sharma v. Satish Chandra where the court ruled that right to privacy is not a Fundamental Right. But in another case before the Supreme Court, Gobind v. State of Madhya Pradesh , it was held that the right to privacy is implicit in Article 21 and is very much a part of personal liberty.

The Right to privacy dynamics was changed in 2017 when the Supreme Court in the case of K.S Puttaswamy v. Union of India held that right to privacy is a fundamental right and will not lose its significance/status amongst the Golden Trinity of Article 14 (Right to Equality), Article 19 (Right to Freedom) and Article 21 (Right to Life and Personal Liberty).
The government is under obligation to be vigilant and particular in securing the privacy of the data of its subjects as the digital world is continuously expanding. Section 43 of The Information Technology Act makes unauthorized access into a computer resource as an offence as it is breach of privacy. Since this right is emerging as one of the most essential rights of this era, it has become a legally binding dutyon the governments to protect the rights of privacy as more and more personal data is being acquired by both governmental and non-governmental organisations.

Critical Anaylsis of Aarogya Setu
The Indian Government order to require the public and private employees to download the app mandatorily can be considered as a clear violation of the right to privacy given the absence of any governing law, there is no clarity on the principles of collection limitation, use limitation and storage limitation which again is against the guidelines issued in the case of K.S Puttaswamy v. Union of India. The main argument against this app was that India does not have any legislation on data protection to support these type of apps though recently, Ministry of Electronics and Information Technology released the Aarogya Setu Data Access and Knowledge Sharing Protocol, 202 revealed a group has been formed by the Government of India’s National Executive Committee (“NEC”) on Technology and Data Management, which is looking at among other things the development and implementation of the Aarogya Setu but the problem again lies at the legality because the Protocol is not a statute, and nor does it offer any legislative foundation for the Aarogya Setu Mobile Application. In addition to the lack of a statutory basis, the Indian Aarogya Setu app deviates from international best practice for contact tracing apps and for the following reasons fails to meet data security standards:
a) Lack of Data Minimization: Aarogya Setu app at the time of Registration requires its users to share large amounts of personal data: name, phone number, age, sex, profession, countries visited in the last 30 days and smoking habits. Which clearly is inconsistent with the principle of data minimization, laid in KS Puttuswamy case.
b) Lack of Transparency: While it is claimed that personal data collected by Aarogya Setu is aggregated and anonymised, there is no publicly available information about what processes and techniques are followed for aggregation and anonymization and anonymization is again considered necessary provision to comply with in KS Puttuswamy case.
c) Lack of Accuracy: concerns are being raise about the app claiming that it is producing inaccurate results because Bluetooth and GPS technology tend to lack accuracy for virus exposure. There will then be a huge possibility of false positives and false negatives which instead of doing good can leave people in state of fear.
d) Lack of Accountability: The Terms of Service clearly absolves the government from any liability arising out of misidentification of an individual’s COVID-19 status and also from all the clause of IT act, as mentioned in the liability clause.
e) Unauthorized Data Sharing and Risk of Function Creep: The Government is not prohibited from sharing personal data collected by the Aarogya Setu app with third parties. The government is allowed to share this personal information with other necessary and relevant persons for necessary medical and administrative interventions. Also because the Privacy Policy for Aarogya Setu fails to specify which government departments will have access to personal data collected by the app, the sensitive personal data collected for contact tracing may also be used for law enforcement agencies for punitive purposes.

Conclusion: The government's weak record on privacy, the lack of transparency and the absence of regulations on data security have prompted serious concerns.:
(A) Since there are clear grounds for infringing privacy, where does the application derive its legislative assent from?
(B) What about unclear safeguards against data theft?
(C) Why isn't the App open source?
(D) How to deal with the problem of the false positives?
(E) Migrant labourers who have no access to food and accommodation, let alone smartphones, how do they secure themselves?
Ever-changing rules followed by their clarifications add to the problem. The ambiguity of the Protocol fails to address the threat to privacy posed by the app. The government must address these concerns in an open manner. Contradictory statements from ministers and combative rejoinders to those who raise valid concerns, has only worsened the confusion. At the end of the day, no clever technology- standing alone- is going to get us out of this unprecedented threat to health and economic stability. At best, the most visible technical solutions will do more than help on the margin. At the minimum, it is the obligation of their designers to ensure they do no harm.