Aarogya Setu App Needs Legislative Backing
____________________________________________________________________
This Blog is written by Amrith R. from School of Excellence in Law, Tamil Nadu. Edited by Saumya Tripathi.
____________________________________________________________________
INTRODUCTION
The COVID-19 pandemic is an unprecedented one. The Severe Acute Respiratory Syndrome coronavirus 2 or SARS-CoV-2, the strain of the novel coronavirus that causes the coronavirus disease COVID-19, has already claimed more than 5 lakh lives over the world. A virus, invisible to the naked human eyes, has wreaked havoc across the globe, affecting over 7 million people. The virus made its first entry into Kerala in India on January 30, 2020 and has, since then, affected over 2.5 lakh people, and claimed almost 7,000 lives. The pandemic, which is supposed to be the worst after the World War II, has brought the economic activities in the entire globe to a complete standstill. India, although not as badly affected as the European nations, has imposed a 68-day total lockdown in the country. The lockdown has obviously been successful to a large extent; it has reduced the doubling rate of the virus and has delayed the inevitable stage – the community transmission – of the virus. As far as the medical war with the coronavirus is concerned, we have been able to ramp up the testing activities, arrange isolation beds and ventilators, improve the production of testing kits, drastically increase the manufacture of masks, sanitizers, gloves and Personal Protective Equipment (PPEs), improve the recovery rate, and even produce 30 vaccines in human-trial mode. Every stakeholder – doctors, nurses, frontline healthcare workers, researchers and scientists, the Government of India, various State Governments, the Opposition, the bureaucrats and the officials, the Armed Forces – has risen up to the challenge and has been working day-in and day-out to emerge victoriously from the war against corona. We are trying to convert a major challenge into a big opportunity.
Technology is being used as one of the most important tools in the fight against the pandemic and Governments across the globe have been deploying technological solutions to tackle the threat posed by COVID-19. Singapore launched TraceTogether app; Australia came out with COVIDSafe for a proper contact tracing system. On the same lines, the Indian Government launched a contact tracing application called ‘Aarogya Setu’. The App collects all personal information and location data to track individuals who have (i) either tested positive for COVID-19 or (ii) have come in contact with a positive case. The Government of India vide an order dated 1st May, 2020 made it compulsory to download this app in private and public offices as well as in containment zones. Although the App could be a very useful tool in contact tracing, thereby aiding in containing the outbreak, the privacy policy of the app requires major changes and evolutions in order to make it safe and secure for its users.
AAROGYA SETU: A BRIEF INTRODUCTION
Aarogya Setu app is a contact tracing application which was developed by the National Informatics Centre under the Ministry of Electronics and Information Technology. It aids the user by providing essential health services and information regarding nearby COVID-19 positive patients. Besides, the app also informs the user about the regular updates and advisories released by the Health Ministry, Central and State Governments. The app, which was launched on April 2, 2020, raised many eyebrows across the legal fraternity. The objective of the application was stated to raise awareness and knowledge about the virus and make healthcare services accessible to people along with keeping a record of the number of people affected in a particular area. The app finds out the proximity of a person to those who have tested positive for the virus. The application is also based on a ‘closed source code’ which means that nobody except for the original proprietor can access the data, examine it or improve upon it even if they have the necessary skills to do so.
After the registration process in the application is complete, the user must accept the terms of the privacy policy. The app obtains details or personal information or geo-data of the user’s name, gender, phone number, age, profession, countries visited in the last one month and medical history with supporting Indian languages based on which the app will update the status of the risk of the user through a self-assessment tool. This information will be managed by a unique digital ID i.e., Digital Identity Number (DID) which makes the user access the subsequent transactions of the app.
The user has to provide Bluetooth and GPS services (location access) to the app to perform its functions. The users have to answer the questions asked by the app to identify whether they are at a risk of contracting the virus or not. Besides, the app also suggests the necessary measures, if in case, the user comes in the range of contact with any person who has tested positive of COVID-19. The details of the users can be accessed by the Government for the proper responses to the users under clause 1(a) of the Privacy Policy. Apart from this, the app alerts the users through notifications and also provides help-line numbers.
Features like ‘COVID updates’ and ‘e-pass’ are available on the app. Through COVID updates, users can access the official information provided by the Ministry of Health. ‘E-pass’ is a filter for people who want to travel in public places. This feature will provide three colors Green, Orange, and, Red based on the information provided by the user. Green status indicates a risk-free individual who can travel to the public places, Orange status advises people to avoid social gatherings and should maintain social distancing and, persons with Red status will be strictly instructed to self-quarantine.
SIGNIFICANCE OF AAROGYA SETU APP
Through the introduction of Aarogya Setu App, technology is deployed in the fight against the pandemic. As the Government has to open the economy gradually, real time response mechanisms require real time insights. As the app works on processing and collecting ‘personally identifiable information’, the right to privacy guaranteed under the Constitution as a fundamental right gets invoked. The Government may collect and process personal data, but any such processing for targeted surveillance mechanisms must be reasonable, necessary and proportionate[1]. The fight against the pandemic is dependent on active participation by the citizenry. It is on this basis that technological solutions which are people centric have been deployed. A system which involves rapid data collection, analysis, assessment and timely reporting is extremely essential in a highly populated country like India to prevent or at the very least delay the community transmission of the virus.
The app although brought ahead with a good intention has so many shortcomings, legal loopholes and challenges. They can be broadly classified as the following: –
• Challenges to privacy laws and harmonizing right to privacy and right to health
• Legal challenges in general
CHALLENGES TO PRIVACY LAWS AND HARMONIZING RIGHT TO PRIVACY AND RIGHT TO HEALTH
1) The privacy policy of the Aarogya Setu app has several shortcomings. Lack of transparency and verifiability pose many serious concerns with regard to its It is important that to popularize it among the citizenry, the application should be made open source.
2) Data auditing is not allowed on the app as of today. By allowing data auditing, concerns regarding lack of checks and balances, and accountability could be It is important that technologies used for minimized data must have an in-built privacy and security architecture that is auditable.
3) The app does not provide any precise definition on the purpose of its use. It is imperative that the privacy policy clearly mentions the purpose of the app and specifically denies any other kind of use.
4) Most of the user data collected have got nothing to do with contact tracing. The privacy policy should be tweaked in such a way that minimal data is collected for maximum output.
5) The current time frame for storage of data is 30 days on mobile phone, 45 days on server if the patient has tested negative but has come in contact with an infected person, and 60 days in case patient has tested positive, from the date of uploading on the It is important that the data be stored for a lesser period to prevent any misuse and external interference.
6) Although the privacy policy asserts that data will not be shared with anyone except the health officials of the Government, it does not disclose the sharing protocol.
7) The right to health is a facet of the right to life under Article 21 of the Constitution. It also guarantees the right to privacy of an individual. However, when the two rights are in conflict, it is critical to ensure a harmonious construction by applying the said doctrine. The two rights need to be weighed in the balance, to ensure that the least amount of infringement is caused cumulatively.[2]
LEGAL CHALLENGES IN GENERAL
1• First and foremost, the app does not have any legal standing of its own. Neither an Ordinance, nor an Act was passed by the President or the Parliament respectively to give a legal foothold to this application. The Puttaswamy judgement makes it clear that the right to privacy may only be curtailed per a law which has a legitimate purpose at a proportionate level.
2• The privacy judgement laid down three key tests that a legislation should satisfy if takes away the right to privacy. They are necessity, proportionality and legality. The measures taken must harmonize with the right to privacy and should limit themselves to the extent necessary and proportional, in order to meet the ends of maintaining public health. Without a data protection law in our country, it is necessary that utmost caution be taken to adhere to privacy principles.
3• The privacy policy gives the details of the grievance redressal office but there is little guidance on how soon complaints will be addressed, or how users exercise their right to access and confirm.
4• The privacy policy and terms of use of the app do not specify when the anonymised data sets stored in Government servers are to be purged completely after the pandemic ends.
Clause 2(a) of the privacy policy which allows the government to use the user’s personal information regarding their health concerns, has a wider scope since this enables the government to share the users’ information to anyone.
Clause 2 (c) of privacy policy states that: “The personal information collected will not be used for any purpose other than those mentioned in this Clause 2 save as required to comply with a legal requirement.” However, the term ‘legal requirement’ has not been defined anywhere in the policy. These flaws in the app can lead to excessive use or probably misuse of users’ personal information.
IMPACT OF AAROGYA SETU APP
As economies open up and normal life resumes, this app may enable all governments to detect outbreaks and prevent community transmission. This app assumes more significance since as of now, there is no vaccine for the rapidly spreading disease.
The COVID-19 pandemic is an unprecedented situation. Circumstances like these allow the imposition of ‘reasonable restrictions’ on the right to freedom of movement and privacy. Even while imposing such restrictions, the onus is on the State to follow the principles laid out in the Puttaswamy Judgement. The ‘proportionality test’ laid down by the Supreme Court in Puttaswamy for deciding whether a restriction of right to privacy is reasonable or not has three prongs:
1• Legality – Requirement of a law, with a legitimate purpose.
2• Suitability – Government’s action must be suitable for addressing the problem, i.e., there must be a rational relationship between means and ends.
3• Necessity – Must be the least restrictive alternative.
The Government must strike an exact balance between confidentiality of information of the individual, privacy and data protection concerns so as to benefit the community at large and ward off all the suspicions about the application. The Government is facing a dilemma in ensuring the individual’s right to privacy is maintained while at the same time communities across the country do not fall victim to the chain of the virus. In times of a public health emergency of such huge proportions, the individual cannot be isolated from the community. The responsibility of the individual towards their community is greater in this scenario. As the virus spreads at a rapid pace, once the host comes close in contact with their neighbour, the individual has a moral obligation on those around them to take maximum precautions and preventive measures in place. At the same time, it is also imperative that the privacy of the infected and high-risk individuals is protected to prevent social stigmatization once they re-enter the community. Moreover, leaking the information and sensitive healthcare records of patients, infected people or recovered people might expose them to their physical community, which could potentially increase the harm. Therefore, privacy is not just important from an individual’s rights perspective, but also from a community rights perspective, and therefore an important aspect to the right to health. The Government should seek to maximize individual rights by according the highest levels of privacy, while at the same time ensuring that community is protected as a whole as well.
ABSENCE OF LEGLATIVE PROVISIONS FOR AAROGYA SETU APP
Aarogya Setu, though well intentioned, falls short of widespread public confidence. Its mandatory use has raised questions of restricting the right to privacy, without a law that is essential, specific and explicit with respect to the rights that it seeks to infringe and the procedural safeguards that it establishes. Health data should be confidential; any leak not only violates privacy and individual autonomy; it also degrades public trust among the people. The Puttaswamy judgement mandates that right to privacy may only be curtailed by a law which has a legitimate purpose. Any law restricting fundamental rights needs to spell out the right which it seeks to infringe, the basis of the infringement, and the procedural safeguards that it establishes. Therefore, The Prime Minister’s Cabinet must consider advising the President to pass an Ordinance since the Parliament is not in session. An Ordinance can not only legitimize the executive mandate to download the app based on certain predefined considerations, but can also establish procedural safeguards which would inspire public confidence. An Ordinance would suffice the need of such law which may be passed by the Parliament once it reconvenes. An Ordinance would be an important milestone to garner public trust. There is no website detailing the project and the purposes of the App. The Government has a policy and has assured on adopting open source code software. However, this privilege has not been extended to the Aarogya Setu App. Hence, the highest standard of transparency is not be achieved.
The privacy policy and the terms of use of the app do not adhere to the principles of data minimization and purpose limitation. A few data sets, such as profession, have no relevance with contact tracing. There is no reasonable explanation as to why geo-location data is being collected every 15 minutes or during self-assessment is relevant for contact tracing. It is necessary that only those data sets are obtained that have a direct role to play in enabling contact tracing. Additionally, though the privacy policy states that the use of data obtained from the application will only be as per clause 2 or to fulfil any legal requirement, the term ‘legal requirement’ has not been defined in the privacy policy. The non-specificity of the term ‘legal requirement’ raises ambiguity in its use and has the potential of being misused.
Concerns regarding the ease of accessing the grievance mechanisms, especially for citizens in rural areas need to be catered to. The legal framework should outline the duration of the restrictions in place and their geographical reach. Blanket and indiscriminate collection and retention of data creates risks of abuse of civil liberties and civil rights. Furthermore, both privacy policy and terms of service are silent on whether the Government can compile and integrate the data collected via the App with existing health care data collected by the Government. The integration of databases and data sets will not sustain the proportionality test laid down in Puttaswamy judgment.
RELATED CASE LAWS
In the landmark case of Justice K. S. Puttaswamy vs Union Of India[3], the Supreme Court recognized ‘right to privacy’ in Article 21 of the Constitution and stated that in concern to the health issues the scope of the right to privacy can be extended if there are any necessary encroachments into the individual’s privacy. In the case of State of Madhya Pradesh v. Thakur Bharat Singh[4], the Supreme Court held that all the executive action operates only when it has the authority of law to support it. Therefore, a legislation backing the app is sine qua non.
ANALYSIS OF AAROGYA SETU APP
For Aargoya Setu to work as a successful app in contract tracing, it must be deployed at a mass scale. Hence, a citizen’s trust of the app will be central to its usage. Trust cannot be built without transparency and accountability from the Government. Instead of forcing the people and making the download mandatory, the Government should encourage professionals working in public and private spaces to voluntarily download the app. Mandated or forced downloading of the app faces multiple implementation challenges. Firstly, access to smartphones or internet connectivity is limited and may not be affordable for or available to everyone. The imposition order is unclear on whether the professionals have to use the App only while they are reporting to work, as employers might not be in a position to request their staff to use the App during non-working hours. Moreover, keeping track of all private professionals to download the App is a cumbersome work.
As we are living in exceptional times, the people of India may be willing to place their benefit of the doubt on the Government, and will trust them to do the right thing by ensuring that all checks and balances are adhered to and no harm is caused while at the same time protecting their privacy. The Government must repay this trust by placing all measures in place to prevent violation of their right to privacy. The ‘TraceTogether’ App details its technical specifications in a policy paper for the community to critically evaluate and understand. The Government should make the code completely open source along with the back-end protection. Reproducible build techniques should be implemented to ensure that users can verify that the App is from an audited source code. Encouraging security research to reverse engineer the systems are important tests for robustness in which keeping transparency would help. The privacy policy ought to be amended to define the term ‘legal requirement’ which must be in consonance with the tests laid down in the Puttaswamy judgment. Necessity should be observed when data is being collected, keeping in mind that the objective of the application is containment of the pandemic. Lawfulness should be ensured by adhering and remaining within the realms of existing laws.
CONCLUSION
Technology’s help can be sought to keep us safe; however, it should not infringe people’s right to privacy. In this context, the Government must bring a legislation to back the app, which would strike a balance between disease containment and privacy. The limit for storing personal data should be fixed at 21 days. The privacy policy must be clear on which departments within Government of India will have access to data, to ensure purpose limitation that will minimize the risk of associated misuse. Experts in the legal fraternity have stressed the need for a personal data protection law to back the government’s decision to make the app mandatory for everyone. One of the main demands of privacy and cybersecurity experts is to throw open the source code of Aarogya Setu app so that they can be audited for flaws in programming application. Although the privacy policy states that the data sets will be aggregated and anonymised, it does not mention the standards used for anonymisation. Proper anonymisation is essential to minimise risk for re-identification of these data. All data sets, including the initial identifications necessary at time of app installation must be anonymised. Any data collected must be used exclusively to combat COVID-19.Any other use must be avoided as far as possible and legally prohibited to prevent data misuse.
REFERENCES
[1] Justice K.S.Puttaswamy(Retd) vs Union Of India (2017) 10 SCC 1(India).
[2] Central Public Information Officer, Supreme Court Of India v Subhash Chandra Agarwal, Civil Appeal No. 10044 of 2010.
[3] Ibid
[4] (1967) 2 SCR 454 (India).
Statutes
1) The Constitution of India, 1950
Cases
1) Justice K. S. Puttaswamy vs Union of India (2017) 10 SCC 1(India).
2) State of Madhya Pradesh v. Thakur Bharat Singh (1967) 2 SCR 454 (India).
Command Papers
1) “Privacy Framework for the Aarogya Setu App”, The Dialogue,