With COVID-19 spreading around the world like a wildfire, the world is trying to find its safe haven in science and technology, looking forward to its help and assistance to track this virus efficiently. Since we all know how rapidly and malignantly this virus gets transmitted, it has become a herculean task for the governments to trace its transmission. India, in pursuance of this idea of building a technological outplay to track it, has launched ‘Aarogya Setu’ App on 2nd April 2020. This app was introduced and designed with the intention of tracking peoples’ interactions with someone who could have tested positive for COVID-19 through a Bluetooth and Location generated social graph. After a few weeks of its release, it has come under a huge radar of criticism, concerning its functionality and efficiency. The main issue is centred around the contention of violation of the right to privacy of its users, as it is believed that the app promotes the intrusion of the government agencies into the private lives of its citizens.
Recently, multiple pleas were filed before the Kerala High court challenging the mandatory usage of the app by the public and private sector office-goers and of course, citizens in the containment area. While the Centre denies the vulnerability of the app to data breach and privacy issues, it strongly affirms that the app has a robust framework of privacy policies. In continuation to this, many cyber activists have put forth their arguments against the app, challenging the inefficient policy framework and the lack of an underlined legal protection. With no robust legislative framework to protect the personal data (as the Personal Data Protection Bill,2019 remains unattended), we are posed with the question of how to safely secure our private data, given the extraordinary circumstances at hand.
As the pandemic-affected countries introduce digital contact tracing apps, here the Indian government has opted a similar scheme and conjured up a mobile application that helps in tracking the virus in the country. Previously, it was used under the name of ‘Corona Kavach’ app which was further upgraded and updated to the present form. It is essentially a contact tracing app that tracks our interactions with someone who could have tested positive for COVID-19 through a Bluetooth and Location generated social graph and is developed by the National Informatics Centre of the Indian Government. The app is a part of a service designed to enable registered users who’ve come in contact with the other registered ones who have been tested positive for COVID-19 to be notified, traced and isolated.
The app alerts you if you’ve come in close proximity of a person, who unknowingly tests COVID-19 positive. The alerts also bring forth instructions on how to self-isolate and on how to access help and support in case of development of symptoms. The Ministry of Electronics and IT estimated the downloads of this app to have crossed 100 million.
The app contains multiple sections which provide our status (regarding the proneness to the risk), a self-assessment test, COVID-19 updates and an E-pass (if applied and made available). It also tells us how many COVID-19 positive cases are present in a radius of 500m, 1 km, 2 km, 5 km and 10 km from the registered user.
Speaking of the several noteworthy clauses of the “Aarogya Setu App”, clause 1 (d) of the Policy of the app addresses the locational features of the individual for places which he has visited onto the Server. In the following provisions of clause 3(d), the information is proposed with two categorical alternatives, firstly, the information does not get uploaded onto the portal and is purged within 30 days. Secondly, in the event of negative coronavirus symptoms, the data will be purged from the server within 45 days and on account of positive results, within 60 days. However, if any person’s information has been uploaded onto the App portal, there is no guaranteed deletion of the same and it can hold information indefinitely.
Right to Privacy
On the global level, this right is considered to be a fundamental human right recognized by international conventions like the UN Declaration of Human Rights, the International Covenant on Civil and Political Right and in numerous other treaties and conventions. This right co-exists with the elements of human dignity, security and reserve. Considering this right’s significance, many countries have already recognised the right to privacy in their constitution. In a few countries like the United States, Ireland and India, the apex courts have implied that the right is found in other provisions of their respective constitutions. The Constitution of India encompasses Right to Privacy under Article 21, which is a requisite of Right to life and personal liberty. The scope of this article is considered as multi-dimensional in our constitutional framework.
A significant turn was taken in this right’s history, associated with the case of K.S Puttaswamy v. Union of India in which, the judgement was passed by the apex court that right to privacy is a fundamental right and will not lose its significance/status amongst the Golden Trinity of Article 14 (Right to Equality), Article 19 (Right to Freedom) and Article 21 (Right to Life and Personal Liberty).
With the constant expansion of the digital world, governments must be increasingly vigilant and particularly should be securing the privacy of its subjects. It is also imperative for them to protect the right to privacy as more and more personal data is being acquired by both governmental and non-governmental organisations for various functions and purposes.
Contentions against the app
The app says that it can calculate the risk of infection based on sophisticated parameters if any of the contacts of registered user tests positive for COVID-19. But it fails to provide us with the specificities of “sophisticated parameters” as technological systems of this kind are experimental in nature. There is also an insufficient demonstration of the privacy-first system that will protect the sensitive personal data of users through security and encryption. After the collection of sensitive data regarding the health, the manner in which the data is collected, stored, shared, processed is unclear. The manner of anonymisation, as well as the measures taken to protect informational privacy, has been left unascertained. The app falls short from a design and governance perspective. Its decision to collect GPS trails/location data is incompatible with generally accepted principles for data minimisation. There are concerns about the app producing inaccurate results because Bluetooth and GPS technology tend to lack accuracy for virus exposure. There will then be a huge possibility of false positives and false negatives. Bluetooth signals cannot recognize physical barriers such as walls and floors which make virus transmission impossible, and therefore, they may misidentify individuals as COVID-19 positive and send the authorities on a wild goose chase. Similarly, since Bluetooth based apps cannot account for a surface to person transmission, they will also yield false negatives. There is a lack of technical specifications deployed for the Bluetooth technology, algorithms and artificial intelligence systems.
The unanswered question of mentioning private parties involved in the app’s development as it’s a PPP (Public-Private Partnership) initiative, leads to a further dilemma. And the absence of a regulatory legislative framework to back the policies and functioning of the app adds to the trust issues that citizens exhibit.
But the government sternly denies any inefficiency or yielding of any negative effects. In the words of K. Vijayraghavan, Principal Scientific Adviser to the Government of India, “Since the disease spreads pre-symptomatically and asymptomatically there is a grave need to enable digital tracking system at least until the invention of a vaccine and there is no compromise of privacy.”
The Former Supreme Court Judge BN Srikrishna, a judicial luminary, the chairman of the committee that drafted the Privacy Protection Bill 2011, stated that the government’s move to mandate the use of the app, as prescribed in multiple government orders, was “utterly illegal” (as reported in Indian Express 12th May 2020)
In a recent development, the Ministry of Electronics and Information Technology (MeitY) released the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020. It revealed the Government of India’s National Executive Committee (“NEC”) has constituted an Empowered Group on Technology and Data Management, which is looking at among other things the development and implementation of the app. The Protocol is not a statute, and nor does it offer any legislative foundation for the app. A troubling aspect in this regard is that Government authorities have said that there are no plans to create underlying legislation to hold the usage of the app accountable since the priority at present is to deal with the epidemic. The Protocol is drafted in a manner, which justifies the centralised collection of data through the new Aarogya Setu platform.
For the effective working of the app, India doesn't even have the required number of smartphone users and internet penetration required for such apps to even be theoretically effective. Notably, the app is currently available only for Android and iOS smartphones as well as KaiOS-based Jio Phone models.
With an elaborate constitutional mechanism to preserve the rights of citizens, the present request for transparency and security must be met with, if not, would mean a failure of the legal machinery and loss of trust of the citizens. Often privacy concerns are traded off in the interest of public health. This is not considered ideal for the future of the country since the citizens are now aware of all the shortcomings of having a stained privacy system. Complete and undisputable trust can only be achieved if apps like these, operating in hard times and enforced by the governments on a large scale, are bulwarked by a cogent legislative framework. And this framework must meet the best standards of privacy and data protection. Not ignoring the unprecedented and unusual times like these, it is believed by us that our right to claim data safety and privacy is just as important as our right to health. And hence, should not be compromised at any given circumstance.
K.S Puttaswamy v. Union of India [2017 (10) SCC 1]
Article by Sri Abhigna Pillalamarri, a first-year law student at Symbiosis Law School, Hyderabad.