Introduction:
Aarogya Setu app is a contact tracing application which is developed by the Indian government (Department of Health). It assists the user by providing essential health services and information regarding nearby COVID-19 positive cases. Apart from this, the application also informs the user about the regular updates and advisories released by the Health Ministry, Central Governent and State Authorities. The application which was launched on April 2, 2020 resulted in the many privacy concerns of the citizens. Also, the mandatory imposition of the app and infringing the right to privacy of citizens are in contravention with the existing laws in India.
The functioning of the App
While completing the registration process, the user must accept the terms of the privacy policy. The app obtains details or personal information or geo-data of the user’s name, gender, phone number, age, profession, countries visited in the last 30 days and medical history with supporting Indian languages based on which the app will update the status of the risk of user through self-assessment tool. This information will be managed by a unique digital id i.e., Digital Identity Number (DID) which makes the user access the subsequent transactions of the app.
The user needs to provide Bluetooth and GPS services (location access) to the app to perform its functions and track the spread of the Coronavirus in India. The users have to answer the questions asked by the app to identify whether they are at a risk of contracting the virus ot not. Apart from this, the app suggests the measures if in case the user comes in the range of contact with any person who tested positive of COVID-19. The details of the users can be accessed by the government for the proper responses to the users under clause 1(a) of the Privacy Policy. Apart from this app alerts the users through notifications and also provides help-line numbers.
Users can find features like ‘COVID updates’ and ‘e-pass’ on the app. Through COVID updates, users can be accessed to the official information provided by the Ministry of Health which gives the statistics of a total number of confirmed, recovered, deceased cases across the country with the data right from the user’s place of residence. Another main feature is ‘e-pass’’, it is a filter for people who are travelling public places. This feature will provide three colours Green, Orange, and, Red based on the information provided by the user. Green status indicates a risk-free individual who can travel to the public places, Orange status advises people to avoid social gatherings and should maintain social distancing and, persons with Red status will be strictly instructed to self-quarantine.
Trough app Bluetooth user can connect to another registered user regarding the health issues then their apps will exchange their DIDs automatically and records the time and location. The collected information will be securely stored and if any user tests positive of COVID-19 then such information will be securely uploaded to the government server. The app collects every location details that the users have been in the 15-minute intervals and every self-assessment test of the users which will be first stored in their mobiles and then it will be uploaded to the government server along with users DIDs.
When will the data uploaded to the server:
The data provided by the users in the app can be uploaded to the government server under clause 1(d) of the Privacy Policy. Data can be uploaded to the server in three situations they are:
- When a person declares as COVID-19 positive.
- When the self-assessment symptoms indicate the chance of infecting with Coronavirus.
- When the self-assessment results in Orange status of risk.
Retention:
The entire information received from the users under clause 1(d)[1] of Policy retained by the government under clause 3(b) of the Policy. Data retention in this app can be done in three different periods as propounded by clause 3(b) based on different headings.
- The data received under clause 1(d) retains for 30 days, after that the data can be removed from the ‘app’ if it is not uploaded to the server.
- If the data uploads to the server then there arise two circumstances: one is if the person tests positive with the Coronavirus, then the data will be removed from the server within 60 days after the recovery of such person. Another circumstance is if a person tests negative with COVID-19, then the data can be removed from the server within 45 days. In these two circumstances, data can be removed from the ‘server’ but it cannot be deleted from the app, it can remain in the app for an indefinite period.
On self-assessment symptoms of a person may lead to the mere suspicion of ‘Orange status’ which results in the transfer of data to the server and thereby the data cannot be deleted from the app which is the most major privacy concern of the people.
The data collected in clause 1(a) of policy i.e., name, gender, age, etc, and in clause 1(d)of the policy i.e., the GPS information can remain for the indefinite period in the ‘app’ thus the users’ privacy is infringing.
Privacy concerns:
There are some privacy concerns raised regarding the app as it collects some personal sensitive information from the users. They are:
Excessive collection of personal data: In the name of the app, personal information of the users has been excessively exposed at the cost of citizen’s privacy rights. One more disadvantage is that India does not have data protection laws to limit data collection.
Government’s liability: In case of rendering false information, unable to generate true Corona positives, unauthorized access to the user’s information, leakage of user’s personal details etc., the government is having limited liability or no liability is the major concern of the people.
No option of open source: There existed an adopted policy of open source code in India, but the application of ‘Aarogya setu’ app does not expose to an open-source formula which is the problematic issue to the public at large. By making the app available with open source code will reduce the people’s privacy issues.
Legal framework and Privacy laws:
App infringing the privacy policies of the citizens by getting access with the sensitive personal information provided by the users as stated above.
Clause 2(a) of the privacy policy states that:
“The personal information collected from or about you under Clause 1(a) above, will be stored locally in the App on your device and will only be uploaded to and used by the Government of India (i) in anonymized, aggregated datasets to generate reports, heat maps and other statistical visualizations for the management of COVID-19 in the country and/or (ii) in the event you have tested positive for COVID-19 or have come in close contact with any person who has tested COVID-19 positive. Any personal information uploaded to the cloud will only be used to inform you, or those you have come in contact with, of possible infection. Such personal information may also be shared with such other necessary and relevant persons as may be required to carry out necessary medical and administrative interventions.[2]”
This clause allowing the government to use the user’s personal information regarding their health concerns, but the wide scope of this clause enables the government to share the users’ information to anyone the government wants.
Clause 2 (c) of privacy policy states that:
“The personal information collected will not be used for any purpose other than those mentioned in this Clause 2 save as required to comply with a legal requirement.[3]”
Here, the word ‘legal requirement’ does not define anywhere in the policy; it can be impliedly deduced that the word legal requirement can be included whatever the government wants. These flaws in the app can lead to excessive use of user’s personal information.
Reverse engineering:
Reverse engineering processes through which a person can analyze and study the computer programme and its functions to check whether the theme of the programme promised by the developers is fulfilling or not.
Section 52 (ab)[4] and section 52 (ac)[5] of Copyright Act, 1957 allows the reverse engineering of Computer programmings. But clause 3 of its Terms of Services restricts the reverse engineering of Aarogya Setu app.
Clause 3 of Terms of Service states:
“You agree that you will not tamper with, reverse-engineer or otherwise use the App for any purpose for which it was not intended including, but not limited to, accessing information about registered users stored in the App, identifying or attempting to identify other registered users or gaining or attempting to gain access to the cloud database of the Service[6].”
Reverse engineering is the essential option for the security officers to check on the Aarogya Setu app because it deals with the citizen’s personal information. Also, this clause is going against the provisions of the Copyright Act (statutory Act). So this clause should be removed from the Terms of Service because a statutory law prevails over the general laws.
PRIVACY LAWS IN INDIA:
There have been raised many concerns about the privacy policy about the app. There is also an application before the government to update the privacy policies of the app with the required changes to secure the privacy of the users. Also, there are many inconsistencies with the app which are infringing the privacy options like lack of transparency, excessive tracking of location, and with the Digital Identity Number (DID) of the app. The privacy laws regarding the app are discussed below:
Right to privacy:
Right to privacy considered as “right to freedom from the indefensible invasions”. Here, the information provided by the users is sensitive which is a matter of concern in privacy also of the right to privacy.
In the landmark case of Justice K.S.Puttaswamy(Retd) vs Union Of India[7], the supreme court recognized ‘right to privacy’ in article 21 of the Indian constitution and also admitted that in concern to the health issues the scope of the right to privacy can be extended if there are any necessary encroachments into the individual’s privacy. The case also includes the “purpose limitation” and “data minimization” which the app is not concerning about.
Information Technology Act, 2000:
Privacy laws in India currently dealt under the Information Technology Act, 2000 along with Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011. This Act also includes the right to privacy under section 43 which punishes unauthorized access into the computer. But this Act not properly furnished to deal with the privacy concern regarding the Arogya Setu app because it is only applicable to a corporate entity not on the State.
Personal Data Protection Bill, 2019:
The app was built to the standard of Personal Data Protection Bill, 2019 (PDPB) which is pending in the parliament. The bill seeks to protect the individual’s data. PDPB holds “data fiduciary” which makes the developers accountable for the collection, processing, and storage of the personal data which is defined under clause 3(13) of the bill, which states as:
“Data fiduciary” means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of the processing of personal data[8].
The bill also provides grounds for the processing of personal data without consent in chapter-III from clause 12 to 15. The present issue i.e., COVID-19 is balanced by clause 12(d) and clause 12(e) of the bill. Clause 12(d) states: to respond to any medical emergency involving a threat to the life or a severe threat to the health of the data principal or any other individual and clause 12(e) states: to undertake any measure to provide medical treatment or health services to any individual during an epidemic, outbreak of disease or any other threat to public health. But the government is allowed to use personal information under the exceptions mentioned under clause 35[9] and clause 38[10].
But the bill is still pending in the parliament, it has no binding effect to enforce and invoke the above-stated provisions to exempt the state.
National Disaster Management Act, 2005:
The mandatory imposition of the Aarogya Setu app for all public and private employees by executive order under the Disaster Management Act (NDMA). But the government has no power under the NDMA to invade the privacy of a person. Also, there is no such provision under NDMA regarding the employees or the empowered group. So as there is no proper legislation for the imposition of mandatory use of the app, then there will be no accountability if there is any beach.
In-State of Madhya Pradesh v. Thakur Bharat Singh[11], Supreme Court held that all the executive action operates only when it has the authority of law to support it.
Digital Information Security in Healthcare Act, 2018 (DISHA):
DISHA is a proposed health information security Act in India, it is draft put out by the Ministry of Health (MoH) for sharing the health care data to regulate the health data. Application of app regarding this Act is expected to be void in the Indian legal system.
Conclusion:
Firstly, the mandatory imposition of the app and the getting access to the personal information of citizens is the big flaw by the government. Neither the provisions of Disaster Management Act, 2005 nor the Epidemic Diseases Act authorized to infringe the privacy rights of the people.
Secondly, the ‘Terms of Service’ and the ‘Privacy Policy’ of the app which is in the hand of the government of India where the citizens are the victims and there are no safeguards involved to protect the citizens.
Thirdly, mandatory imposition has become a threat to the people and imposition o sanction for non-installation of the app resulting in the violation of the human rights and dignity of the people.
Lastly, the mandatory condition on employees became very problematic because not all the employees have smartphones to use the app. In my view, in the present situation, the app is violating the privacy laws in India due to no proper anchoring legislation regarding the functioning and mandatory imposition of the app. So, the government has to implement the Data Protection Bill to recalibrate the app and also take the required measures to achieve efficiency in privacy.
[1] Clause 1(d) of Privacy Policy- collecting and storing of location information by the app.
[2] Clause 2(a) of privacy policy.
[3] Clause 2(c) of privacy policy.
[4] Section 52 (ab)- the doing of any act necessary to obtain information essential for operating inter-operability of an independently created computer programme with other programmes by a lawful possessor of a computer programme provided that such information is not otherwise readily available.
[5] Section 52 (ac)- the observation, study or test of functioning of the computer programme in order to determine the ideas and principles which underline any elements of the programme while performing such acts necessary for the functions for which the computer programme was supplied.
[6] Clause 3 of Terms of Services.
[7] (2017) 10 SCC 1(India).
[8] Clause 3(13) of Personal Data Protection Bill, 2019.
[9] Clause 35-Where the Central Government is satisfied that it is necessary or expedient
[10] Clause 38- Where the processing of personal data is necessary for research, archiving, or
statistical purposes, and the Authority are satisfied.
[11] (1967) 2 SCR 454 (India).