As society grapples to stay on top of the COVID-19 pandemic, there is a heightened responsibility on governments to effectively deal with this public health crisis, in a manner that is least-restrictive towards the civil liberties of their citizens. The use of technology as a part of disaster-response cannot be denied, but the regulatory lacunae in India with regard to the use of such technology mean one must proceed with caution.
Contact-tracing applications have been hailed as a key way to maximize efficient and localized decision making with respect to the spread of COVID-19. Such applications have been adopted in various countries including India, which recently launched its Aarogya Setu application. Many an eyebrow has been raised at the prospect that these technological interventions, employed as extraordinary measures in the pandemic, may become permanent fixtures of government intrusion in our lives. The core contention in the use of technology in battling such public crises is the infringement of the privacy of citizens. In a trade-off between battling a public health crisis affecting all, and securing the privacy of a few, the scales tip in favor of the former. However, this is not a zero-sum situation. Even in such emergencies, the government must ensure that privacy is not disproportionately infringed.
In the absence of a comprehensive data protection framework in India, this paper analyses the Aarogya Setu application and its privacy policy on the touchstone of the proportionality principle laid down in the Puttaswamy judgement, and through the lens of the Personal Data Protection Bill, 2019 (PDPB 2019). It highlights how the Privacy Policy and Terms of Service result in a risk of establishing a surveillance framework that may outlast the need of the hour.
The Proportionality Principle and PDPB 2019
Due to the lack of a comprehensive data protection legal framework in India, the only authoritative standards are the principles propounded in the Puttaswamy judgement. Nonetheless, this paper relies on the PDPB 2019 to analyse the application through the proposed legal provisions.
In Puttaswamy, the Supreme Court recognized data protection as an essential part of information privacy. It stated that any infringement of such privacy must satisfy three requirements, namely – the existence of a valid law, a legitimate state interest in pursuing that course of action and that the infringement of privacy must be proportionate to the objective sought. Any means of achieving state interest would be considered proportional if it was the least-restrictive means to achieve that goal and did not have a disproportionate impact on the right holder.
The PDPB 2019 comprehensively lays down the rights and duties of the Data Principals, Data Fiduciaries, and Data Processors. It holds the Data Fiduciary accountable for compliance with the Bill, which contains detailed provisions for consent of the Data Principal for data processing, data retention, purpose of collection of data, and transparency in the processing of data. Thus, the Aarogya Setu application can be considered a proportionate infringement of the right to privacy of individuals if it is sanctioned by law as a means of securing a legitimate objective and follows the principles of data protection.
Aarogya Setu – one too many issues
Aarogya Setu became the most downloaded application in the world in the month since its release. Yet, its Terms of Service and Privacy Policy have created a storm among privacy activists for its non-compliance with the most fundamental aspects of proportionality and the data protection principles.
Aarogya Setu collects personal data of the users, which is stored on a government server and remains on the server until 30 days after the user cancels their registration. At the outset, it must be noted that this collection of personal data by the government is not sanctioned by law and is only conducted on an ad-hoc basis. In such unforeseen emergent situations, the Government of India has resorted to the provisions of Disaster Management Act, 2005 to order emergency measures. However, no such order has been issued to supplement the usage of the application to collect personal data. This is problematic because under the PDPB 2019, any data fiduciary must process all personal data in accordance with the law. The absence of such an order gives the government more leeway with how to process personal data of citizens and excludes such data collection from judicial scrutiny.
The problems arising out of the absence of a legal sanction are exacerbated by the fact that the Terms of Service of the application state that the Government will not be liable for any claims in relation to the use of the application of the data collected from it. Not only does this violate the accountability of data fiduciaries in the PDPB 2019, but it disincentivizes the government from complying with the data protection principles by not having to face any adverse consequences.
With regard to pursuing a legitimate state interest, contact-tracing applications have been deployed in various countries to significantly accelerate the rate of individual awareness and testing. However, the suitability of such applications in meeting this interest in India cannot be ascertained with accuracy. The developers of the application have themselves stated that for the application to succeed, at least 50% of India’s population needs to download the application. As Sidharth Deb notes, with non-smartphone users constituting two-thirds of the Indian population, questions arise as to whether this application is already set up to fail.
As per the proportionality test, any infringement on the privacy of the individuals must be achieved by the least restrictive means. The purpose of the application is to notify, trace and suitably support people infected with COVID-19. This vaguely worded provision does not clarify a strict purpose for which one’s data is collected or used. When one downloads the application, they are required to provide personal data such as name, age, gender, profession, travel history and known contacts with COVID-19 patients. The predominant concern in this regard is that the application requires users to provide far more information than is needed for contact tracing. The requirements of ‘gender’ and ‘profession’ have no known correlation to the disease. The government provides no justification for collecting this data, which means that this provision contradicts the principle of data minimization in the PDPB, 2019.
The privacy policy states that the personal data would be stored on government servers in “anonymized, aggregated datasets” to generate reports and heat maps for the management of the COVID-19 crisis. A good model for a contact-tracing application is limited to notifying people that they have been in contact with a positively tested patient. There is a lack of clarity regarding the need to aggregate and anonymize the personal data of countless citizens to serve this purpose. Further, if the data is actually anonymized, this raises questions as to the basis on which it may be aggregated by the government. These aggregated datasets will not be erased from government servers at any point, which conflicts with the data retention provisions.
Aarogya Setu’s source code has not been made available to the general public, despite the government’s prevailing policy on open source software. This means that the method and standards of encryption followed in the anonymization of the data are unknown. Open source code enhances transparency and allows for a community audit of the code, leading to greater security. There have already been instances where the application has compromised data of users due to a bug in the software. Further, in the absence of the source code and an explicit bar on reverse engineering in the Terms of Service, there is no way to ensure that the data remains anonymized and is not reverse engineered by the government later for other purposes.
Another aspect of the application which fails the proportionality test would be the lack of purpose limitation provisions in the privacy policy. It provides that the information collected by the app using the self-assessment tests and the Bluetooth/GPS tracking, once uploaded to the government server, may also be provided to persons carrying out “necessary medical and administrative interventions” in relation to COVID-19. It also states that the personal information collected may be used to comply with legal requirements. These vague provisions mean that not only could your data be retained for longer than the policy mentions, but also be shared with third parties engaged in the medical or administrative purposes.
Moreover, the application continuously monitors the user’s GPS location and saves it on the device, to be uploaded on the server in case the patient tests positive. This is in contrast with other contact tracing applications, which resort to the use of Bluetooth to develop their contact records. Continuously tracking the movements of the citizens using GPS is a disproportionate infringement of their privacy, because such granular access to one’s location history is effectively surveillance. Such location data can be used to determine many personal details of the user, such as their addresses, without their express consent. Moreover, this information can also be used to enforce compliance with the lockdowns mandated by Executive Orders, as they would fall under the necessary administrative measures envisaged in the privacy policy. The use of GPS data to enforce lockdowns is far beyond the mandate of a contact-sharing application, violating the principle of purpose limitation in PDPB 2019.
There is no mention in the privacy policy of the application being temporary and to be used only during the COVID-19 pandemic. This suggests that the application could be used for other governmental purposes. The Government has altered the Privacy Policy once already, without notifying its users. What’s to stop it from doing it again to include provisions allowing more data grabbing? Aarogya Setu being the starting point for a permanent surveillance framework in the near future is a looming possibility and its Privacy Policy does little to assuage those concerns. Potentially leading to long-term surveillance, the application fails the proportionality test by having a disproportionately negative impact on the citizens’ rights.
Conclusion
The use of emergency measures must remain in the ambit of emergency situations, else we risk the creation of an Orwellian state. As noble as the intentions of the government may be, Aarogya Setu fails to satisfy the barebones necessity of the prevailing informational privacy framework. The government has already issued orders making the use of the application, in its present form, mandatory for employees in India. In times of such public crises, the right to privacy cannot be completely compromised. Governments must find a middle ground to protect their citizens’ rights – both of health and privacy.
Vidisha Singh is a B.A. LL.B. (Hons.) candidate at the National Law School of India University, Bangalore, India. Her research interests include International Commercial Arbitration, Alternative Dispute Resolution and Technology law.
Suggested citation: Vidisha Singh, India’s Aarogya Setu Contact Tracing App – Compromising Privacy in a Pandemic?, JURIST – Student Commentary, May 18, 2020, https://www.jurist.org/commentary/2020/05/vidisha-singh-aarogya-setu-app-covid19/.
This article was prepared for publication by Tim Zubizarreta, JURIST’s Managing Editor. Please direct any questions or comments to him at commentary@jurist.org