Aarogya Setu app lacks clear legal backing and limits, tends towards surveillance

In April, the Indian government’s National Informatics Centre (NIC) launched the ‘Aarogya Setu’ mobile application as a part of the government’s efforts to contain the spread of COVID-19. On May 12, the Kerala High Court will hear arguments in a petition challenging the central government’s notification making the use of Aarogya Setu mandatory for every person in a containment zone, and all public and private sector employees.

Aarogya Setu is supposed to be a tool that enables better ‘contact tracing’ – one of the key elements in fighting infectious diseases. Apps and other technological solutions with similar purposes have sprung up in many countries over the past two months, as we all come to terms with the impact of the COVID-19 pandemic.

These apps have been watched warily by academics, researchers and advocates who work on healthcare, technology and privacy. However, since India is the only democratic country to make a contact tracing app mandatory for a large section of its population, it is more important than ever to look at whether the use of this app is actually in India’s interests.

There are two key legislations under which much of India’s response to the COVID-19 pandemic has been housed – the Disaster Management Act, 2005, and the Epidemic Diseases Act, 1897. The root of the problem lies in the fact that neither actually anticipates in any level of detail the circumstances we are in today. Frameworks for contact tracing, or the use of Aarogya Setu, where they exist, are based largely on executive orders. They also do not always adhere to the rights-based standards set out by the Constitution.

The process of contact tracing requires that if an individual is found to be infected with the disease, their contacts are identified and traced, in order to follow the spread of the disease, and contain it. The collection of personal information of the individual who is infected, as well as of the people they have been in contact with, is an essential element – leading to an intrusion into the privacy of all these individuals.

While the Constitution provides for a fundamental right to privacy, as most notably articulated by the Supreme Court in the famous Puttaswamy judgement, we do not have a data protection law yet. It is the duty of the State to ensure that privacy-intrusive actions meet the Constitutional tests that help define the circumstances in which, and the extent to which, an intrusion of individual privacy is acceptable. A public health emergency is an obvious answer. However, the requirements under law are more specific.

The first test is legality – whether there is a law that enables such intrusive action. Such a law should ideally be passed by Parliament, and be clear and not arbitrary in nature. This allows individuals to know what to expect in terms of any violations of rights such as privacy.

Other tests include those of necessity and proportionality. The State must show that the intrusion of privacy is necessary to meet a legitimate aim (public health in this case), that the kind of intrusion that is taking place is the least privacy restrictive measure available, and that the extent of intrusion is proportional to the problem at hand. State actions should also be subject to judicial, or at the very least institutional, oversight mechanisms that are transparent and accessible.

In the context of COVID-19, India does have a broader ‘Integrated Disease Surveillance Programme’ meant to guide contact tracing and other measures to contain the spread of infectious diseases. This provides for a largely individualised and targeted contact tracing process that requires trained workers to collect and analyse information. The framework has been set up by the Ministry of Health and Family Welfare (MoHFW) over several years. However, it does not appear to account for privacy and data protection concerns.

Aarogya Setu supposedly amplifies this tracing process. It requires every user of the app to provide information about their location history (GPS and Bluetooth), along with personal information that can identify them. This information is maintained either on your phone or on servers managed by the government. If it is found that you may have been in close proximity with a person infected with the virus, then the personal information you provide may be used to contact you, and for further steps to be taken.

While this does seem like an efficient way to speed up the contact tracing process, it is not conventional contact tracing in itself. It also demands a much higher threshold in terms of privacy protections, by virtue of being a mass information collection exercise as opposed to a targeted exercise.

The Aarogya Setu app is governed only by its own privacy policy, and the orders mandating its use. There is no legal framework that regulates the use of the app and the data collected. The privacy policy states that personal data collected using the app is limited, is used only for the purpose of contact tracing and COVID-19 response efforts, and will be deleted in a timely manner.

However, the app and its privacy policy leave many questions unanswered – the first being, which government agencies manage the app, and have access to the data to begin with. The MoHFW is central to the COVID-19 response, and ostensibly should have access. However, the app is run by the NIC, and the orders mandating the app are issued by the Ministry of Home Affairs.

There is no clear process for deletion of an account on the app, or timeline for winding up the use of the app. Transparency and accountability measures are limited to official statements about the app’s security and privacy policies, and there are no clear means for oversight of any kind.

At a time when many other countries are moving towards limiting the data collected and processed by contact tracing apps, Aarogya Setu’s reach is expanding beyond contact tracing support. The app is being used to self-certify health status, issue health advisories, and provide telemedicine services. Officials have suggested that it could be used to issue curfew passes, and become a one-stop shop for all COVID-19 related government services. Some have gone so far as to suggest that the app can act as a base for a national health stack – a centralised registry of electronic health records proposed by the Niti Aayog in 2018.

While each of these services may independently be useful, the mixing of objectives muddles the purposes for which personal information on the app is collected, the limitations on storage of such data, as well as the parties that need access to such information. Without clear legal frameworks, such extensive and mandatory use of Aarogya Setu may set us down the path of weakened privacy protections for health and location data for years to come. This kind of function creep also signals potential for pervasive extra-legal surveillance.

 (The writer is Director, Centre for Communication Governance at National Law University Delhi)