JURIST Guest Columnist Vidisha Singh, a B.A. LL.B. (Hons.) candidate at the National Law School of India University in Bangalore, India, discusses growing privacy concerns around the gaps in the policies of the Aarogya Setu contact tracing application in India...
As society grapples to stay on top of the COVID-19 pandemic, there is a heightened responsibility on governments to effectively deal with this public health crisis, in a manner that is least-restrictive towards the civil liberties of its citizens. The use of technology as a part of disaster-response cannot be denied, but the regulatory lacunae in India with regards to the use of such technology mean one must proceed with caution.
Contact-tracing applications have been hailed as a key way to maximize efficient and localized decision making with respect to the spread of COVID-19. Such applications have been adopted in various countries including India, which recently launched its Aarogya Setu application. There have been many an eyebrow raised that these technological interventions, employed as extraordinary measures in the pandemic, may become permanent fixtures of government intrusion in our lives. The core contention in the use of technology in battling such public crises is the infringement of the privacy of citizens. In a trade-off between battling a public health crisis affecting all, and securing the privacy of a few, the scales tip in favor of the former. However, this is not a zero-sum situation. Even in such emergencies, the government must ensure that privacy is not disproportionately infringed.
The Proportionality Principle and PDPB 2019
Due to the lack of a comprehensive data protection legal framework in India, the only authoritative standards are the principles propounded in the Puttaswamy judgement. Nonetheless, this paper relies on the PDPB 2019 to analyse the application through the proposed legal provisions.
In Puttaswamy, the Supreme Court recognized data protection as an essential part of information privacy. It stated that any infringement of such privacy must satisfy three requirements, namely – the existence of a valid law, a legitimate state interest in pursuing that course of action and that the infringement of privacy must be proportionate to the objective sought. Any means of achieving state interest would be considered proportional if it was the least-restrictive means to achieve that goal and did not have a disproportionate impact on the right holder.
The PDPB 2019 comprehensively lays down the rights and duties of the Data Principals, Data Fiduciaries, and Data Processors. It holds the Data Fiduciary accountable for compliance with the Bill, which contains detailed provisions for consent of the Data Principal for data processing, data retention, purpose of collection of data, and transparency in the processing of data. Thus, the Aarogya Setu application can be considered a proportionate infringement of the right to privacy of individuals if it is sanctioned by law as a means of securing a legitimate objective and follows the principles of data protection.
Aarogya Setu – one too many issues
Aarogya Setu collects personal data of the users, which is stored on a government server and remains on the server until 30 days after the user cancels their registration. At the outset, it must be noted that this collection of personal data by the government is not sanctioned by law and is only conducted on an ad-hoc basis. In such unforeseen emergent situations, the Government of India has resorted to the provisions of Disaster Management Act, 2005 to order emergency measures. However, no such order has been issued to supplement the usage of the application to collect personal data. This is problematic because under the PDPB 2019, any data fiduciary must process all personal data in accordance with the law. The absence of such an order gives the government more leeway with how to process personal data of citizens and excludes such data collection from judicial scrutiny.
The problems arising out of the absence of a legal sanction are exacerbated by the fact that the Terms of Service of the application state that the Government will not be liable for any claims in relation to the use of the application of the data collected from it. Not only does this violate the accountability of data fiduciaries in the PDPB 2019, but it disincentivizes the government from complying with the data protection principles by not having to face any adverse consequences.
With regards to pursuing a legitimate state interest, contact-tracing applications have been deployed in various countries to significantly accelerate the rate of individual awareness and testing. However, the suitability of such applications in meeting this interest in India cannot be ascertained with accuracy. The developers of the application have stated themselves that for the application to succeed, at least 50% of India’s population needs to download the application. As Sidharth Deb notes, with non-smartphone users constituting two-thirds of the Indian population, questions arise as to whether this application is already set up to fail.
As per the proportionality test, any infringement on the privacy of the individuals must be achieved by the least restrictive means. The purpose of the application is to notify, trace and suitably support people infected with COVID-19. This vaguely worded provision does not clarify a strict purpose for which one’s data is collected or used. When one downloads the application, they are required to provide personal data such as name, age, gender, profession, travel history and known contacts with COVID-19 patients. The predominant concern in this regard is that the application requires users to provide for more information than is needed for contact tracing. The requirements of ‘gender’ and ‘profession’ have no known correlation to the disease. The government provides no justification for collecting this data, which means that this provision contradicts the principle of data minimization in the PDPB, 2019.
Aarogya Setu’s source code has not been made available to the general public, despite the government’s prevailing policy on open source software. This means that the method and standards of encryption followed in the anonymization of the data are unknown. Open source codes enhance transparency and allow for a community audit of the code, leading to greater security. There have already been instances where the application has compromised data of users due to a bug in the software. Further, in the absence of the source code and an explicit bar on reverse engineering in the Terms of Service, there is no way to ensure that the data remains anonymized and is not reverse engineered by the government later for other purposes.
The use of emergency measures must remain in the ambit of emergency situations, else we risk the creation of an Orwellian state. As noble as the intentions of the government may be, Aarogya Setu fails to satisfy the barebones necessity of the prevailing informational privacy framework. The government has already issued orders making the use of the application, in its present form, mandatory for employees in India. In times of such public crises, the right to privacy cannot be completely compromised. Governments must find a middle ground to protect its citizens’ rights – both of health and privacy.
For more on COVID-19, see our special coverage.
Vidisha Singh is a B.A. LL.B. (Hons.) candidate at the National Law School of India University, Bangalore, India. Her research interests include International Commercial Arbitration, Alternative Dispute Resolution and Technology law.
Suggested citation: Vidisha Singh, India’s Aarogya Setu Contact Tracing App – Compromising Privacy in a Pandemic?, JURIST – Student Commentary, May 18, 2020, https://www.jurist.org/commentary/2020/05/vidisha-singh-aarogya-setu-app-covid19/.
This article was prepared for publication by Tim Zubizarreta, JURIST’s Managing Editor. Please direct any questions or comments to him at firstname.lastname@example.org
Opinions expressed in JURIST Commentary are the sole responsibility of the author and do not necessarily reflect the views of JURIST's editors, staff, donors or the University of Pittsburgh.