Privacy in a Pandemic: Is the Aarogya Setu App legal?

How would you feel if your parents constantly knew where you go, who you see, and what you do On May 1, 2020, the Ministry of Home Affairs made it mandatory for local authorities to “ensure 100% coverage of Aarogya Setu App among residents of Containment Zones”. You are now required to download an app that makes it compulsory for you to link your name, age, sex, profession and phone number to your geolocation data. This app then accesses your location information continuously and uses bluetooth technology to record who you come in contact with and when. All this information is uploaded to a central server that is controlled by Big Brother. When the government knows more about you than your parents, surely you would ask: is this legal?

For a long time, India did not have a coherent privacy law. The Information Technology Act lacked legal and procedural safeguards to preserve the integrity of its citizens’ personal information. It is no secret that India lacks a general culture of privacy. So, in 2017, during the course of hearing on Aadhaar, when former Attorney General Mukul Rohatgi argued that Indians don’t have a fundamental right to privacy, social media had a panic attack. The Supreme Court of India was immediately tasked with the duty of deciding this issue. In culmination, in the case of Justice KS Puttaswamy v. Union of India, much to the delight of privacy advocates, the Court emphatically declared that the “privacy of the individual is an essential aspect of dignity. The ability of the individual to protect a zone of privacy enables the realization of the full value of life and liberty.”

In what came to be its seminal judgement on privacy, the Supreme Court recognized the distinction between anonymity and privacy. While privacy prevents access to your information, anonymity hides what makes it personal. Making our medical records public knowledge would certainly be a disproportionate invasion of privacy. Analysing the data of hospital records to collect information in a public health epidemic may not.

Justice DY Chandrachud states it thus,

if the State preserves the anonymity of the individual it could legitimately assert a valid state interest in the preservation of public health to design appropriate policy interventions on the basis of the data available to it.

Of course, this did not mean that our privacy is protected from all encroachment. The Court set out three conditions that should be met to in order to successfully intrude on citizenry’s privacy.

First, there must be a governing law. Second, this governing law must have a legitimate aim. And third, the law adopted must be proportionate to the objective sought to be achieved. It is in this context that the Union government has been deliberating a data protection law for over two years.

Does data available to the State also mean that the State can go out of its way to capture that data? While India’s Disaster Management Act allows Central and state governments to collect data so that it may take measures necessary for the prevention or mitigation of disasters, in absence of specific legislation, it is legally suspect to suggest that it justifies constant surveillance of its people. When courts are finally confronted with this question, it is likely that the outcome of the challenge will be determined first and the logic of the decision second. Be that as it may, does the Aarogya Setu App at the very least meet the test of anonymity recognized by the Supreme Court?

According to its privacy policy, the information collected on the app is uploaded to a server every 15 minutes. This information is then used “in anonymized, aggregated datasets for the purpose of generating reports, heat maps and other statistical visualisations for the purpose of the management of COVID-19 in the country…” In theory, the government’s ‘use’ of data preserves anonymity. What the privacy policy does not explain is why your geolocation needs to be linked to your age, sex, phone number and profession.

Privacy laws across the globe are essentially grounded in consent. Every person is entitled to protect his or her personal information from public encroachment. Having said that, nothing stops us from waiving it in exchange for service. In checking the box under ‘Terms of Service’ page, we regularly trade our personal information to access social media platforms, play games on the phone, and buy shoes off the internet. The Aarogya Setu App does not arise of out such contractual consent. The government’s direction was issued under Section 10 of the Disaster Management Act. Non-compliance attracts a prison term which is ordinarily one year but may extend to two years.

It’s ultimately a coercive recreation of the social contract. No doubt those in favour of the app would argue that if the same information is already available with Google and Facebook, why not the Government of India? More so if the purpose is noble?

Paranoia around the app’s security concerns remain unaddressed too. Users of the app do not know what security practices are being followed. Its policy merely says the data is encrypted. which is unconvincing. With information currently available, there is no way to know if the government is complying with even the rudimentary provisions of India’s Information Technology law.

French ethical hacker Elliot Alderson has recently demonstrated that breaching the app’s security features is not difficult. He successfully located the data on the app’s server, tracked movements across India, determined who was infected with COVID-19 and sent his findings to the Government of India. Anyone interested can essentially identify who is infected in an area of his choice, across the country. Apparently unworried, on May 6, 2020, the government responded to Elliot Alderson with a letter that stated “no personal information of any user is proved to be at risk”.

Where do we stand if there is a data breach and liability is to be apportioned? In reality, asserting rights in a court of law for the average person is a daunting task. It often takes a disproportionate amount of time, commitment, and resources. To add to the misery, according to the app’s terms and conditions, the user “agrees and acknowledges that the Government of India will not be liable for…any unauthorized access to your information or modification thereof.”

It seems nobody is responsible for the information stored on the app. The only remedy available to the common citizen is to challenge the legal validity of the terms and conditions or the constitutional validity of the government’s directions.

Fundamentally, for a constitutional challenge to succeed, there must be a clear violation of the right and a clear demonstration that the encroachment is unreasonable and disproportionate. For example, the first successful challenge based on the right to privacy occurred in the case of Shirin RK v. State of Kerala. The Court held that a university’s rule to restrict the use of mobile phones within its hostel from 10:00 pm to 6:00 am and then from 6pm to 10pm violated students’ right to privacy.

The Aarogya Setu App is far more complicated. It is basically a vehicle for disaster management. Courts will always be reluctant to invalidate executive action that’s geared towards saving the lives of its citizens. Privacy advocates may argue that the ends do not always justify the means. In the end, it will come down whether the courts are more interested in protecting the rights of the individual or that of the group.

Originally published on May 12, 2020 in Bar and Bench


Add Your Comments

Your email address will not be published. Required fields are marked *