Given the nature of data being collected, the scale on which the app is being operationalised, and the possibility of the data mine that comes out of such an initiative, it is important to take a closer look at the relevant legal framework, writes, Joysheel Shrivastava
On April 2, the Government of India released ‘AarogyaSetu’ App (Sanskrit for ‘Health Bridge’), aimed at combatting the spread of COVID-19 via contact tracing, connecting health services to the people of India and disseminating relevant information to its users.
To register on the app, a user is required to provide his/her name, contact number, age, sex, profession, travel history. This registration information is then hashed with a digital unique ID (DiD). The app uses GPS and Bluetooth feature to collect location data of the user at 15-minute intervals and to identify if the user has been in proximity to an infected person. This information collected is stored in the appand uploaded to the online serveronly for confirmed or suspected positive cases.
Since its release, the government has been promoting the contact-tracing app. On May 1, the Ministry of Home Affairs released an order, mandating all employees (private and public) to download the app. Market speculation also suggests thatAarogyaSetu App will be pre-installed on smartphones once the lockdown restrictions are relaxed and manufacturing commences. In just a little over a month, the App has already witnessed 80 million downloads (interestingly, Whatsapp took over 5 years to cross the 70 million mark in India).
Given the nature of data being collected, the scale on which the app is being operationalised, and the possibility of the data mine that comes out of such an initiative, it is important to take a closer look at the relevant legal framework.
Legal Vacuum
India currently doesn’t have a holistic data protection regime and this is likely to remain status quo pending the Personal Data Protection Bill, 2019 being passed by the Parliament, and the Bill attaining the force of law.
That said, the Sensitive Personal Data Rules 2011 (Rules) prescribe rules for dealing in personal data, and require that: (i) the user’s consent is obtained prior to collection, store, use and transfer of the data; (ii) comprehensive security practices to ensure adequate control measures; (iii) the data is transferred only to those entities that can provide the same level of data security as mandated by the Rules; and (iv) the entity collecting the data makes a privacy policy available to its users, which clearly specifies the purpose of collection, methods in which the data will be used, the possibility of disclosure of the data to a third party, and the reasonable security practices being followed. Failure on part of an entity to adhere by these rules, which results in loss to the data subject, invokes obligations to compensate.
However, these rules apply only to corporate bodies, and not governments dealing in personal data. Therefore, at present, the app currently operates in a legal vacuum and is guided only by its skeletal Terms of Use.
Data Privacy Concerns – A Comparative Analysis
A reading of AarogyaSetu’s Terms of Use raises several pertinent data privacy concerns, stemming from a lack of purpose limitation and transparency regarding storage, security practices and use. However, the App is not the first of its kind, and there are examples from other countries from which we can borrow data protection practices. DespiteAarogyaSetubeing inspired by Singapore’s Trace Together (which also inspired Australia’s Covidsafe), there are significant differences from a data standpoint, as noted below.
Authorised Access: AarogyaSetu’sTerms of Use are silent on which agency, authority or arm of the government will have access to (a) the datacollected, and (b) the key to de-encrypt the anonymised data,to link the DiD to information collected, in order to carry out COVID-19 responses measures – is it the Ministry of Home Affairs or the Ministry for Health and Family Welfare or state governments or all of them?
On the other hand, TraceTogether’s policy clearly states that it is the Ministry of Health, which has access to the data collected. Similarly, Covidsafe’s policy restricts the access only to health authorities.
Further, while the Terms of Use repeatedly state that the data is being stored “securely”, given that we are not aware of the contours of authorised access, we are also unaware of what could possibly constitute unauthorised access.
Anonymization: Cognizant of the risk that a stagnant device ID would allow a third party to track a data subject over time, TraceTogether uses an algorithm to issue new IDs every 15 minutes and Covidsafe changes this encrypted reference code every two hours. In comparison, the AarogyaSetu app issues a single DiD per user and from the Terms of Use it appears that this is not switched up for an alternate DiD at any point in time.
Transfer of Data: The Terms of Use allow the information collected to be shared with “persons carrying out medical and administrative interventions”. However, there is no information on who these persons are, their qualifications, the amount of information they receive, the form in which they receive the data (encrypted/ anonymised), whether these are government or private personnel, the level of security and encryption levels used by them, and at what point these ‘persons’ delete the data collected, if at all.
Use of Data: Terms of Use clearly states the information collected shall be used to generate heat maps, reports, and statisticalvisualisations and to communicate with the user.
However, it also states that user’s registration information shall be stored for “such period as required under any law”. If AarogyaSetuhas been positioned as a COVID-19 response measure, then there appears to be no legitimate reason to store this data under any law. “Any law” is a phrase so vague that it its ambit is truly unknown, thereby rendering it manifestly arbitrary. Notably, the Terms of Use do not contain any language to the effect that the information collected would be deleted, and that the functionality of the App would be terminated once the situation improves. This issue is magnified manifold by the legal vacuum and opacity on which governmental authority has access to this data, and we run the risk of the data being misused and institutionalising mass surveillance.
Lastly, TraceTogether and Covidsafe recognise the right of a data subject over their information and specifically require their consent before uploading the information onto the server. In contrast, AarogyaSetu uploads the information to the server without requiring such consent, simply if there is a likelihood of the user having contracted the virus.
The Need for Safeguards
In the Puttaswamy judgment (2017), a nine-judge bench of the Supreme Court of India ruled that the right to privacy is a fundamental right. The Court went on to note that the right is not absolute, and that may be overridden by competing interests (such as public health); and the corollary would be that public health cannot operate at the cost of the right to privacy. The bottom-line is that the Terms of Use are not airtightand need to be amended to increase its data protection standards.
Considering that COVID-19 spreads though proximity, containment is tricky. Contact tracing has proven to be an effective means at containing the virus and the government’s quick move to roll out the app and digitise the process is definitely a welcome move. However, the need of the hour is to safeguard the user’s autonomy over their data, by introducing additional safeguards within the Terms of Use and a broader framework within which AarogyaSetu will be operationalised.
(The author is a Mumbai-based lawyer with experience in fintech and data protection advisory. Views expressed are personal.)