This post has been written by Megha Jain, a 1st year student at Hidayatullah National Law University, Raipur.
Introduction
In the middle of such threatening crisis that the whole world was and certainly is in terror, Indian government introduced an application ‘Aarogya Setu’ that assured to clear the doubt of nearby person being a Covid-19 virus carrier. Aarogya Setu is the Indian Covid-19 tracking mobile application developed by the National Informatics Centre and that comes under the government Ministry of Electronics and Information Technology (see here). The app already has nearly 90 million downloads and is available on both Google Play Store and Apple App Store (see here). While the application claims to detect Corona Virus on nearby places and persons, it uses GPS (location detecting database) as well as Bluetooth function to do so. Basically, if one is running the application on a mobile phone, the application will show if any nearby person have Corona virus or persons one has met in near past had symptoms of Covid-19.
How Aarogya setu hinders Right to Privacy?
The server allows the authority to have access to certain information of the application users like gender, age, health data, travel history, location, etc. Such information is sensitive and thus comes in the blanket of privacy issues. The authority, which is the Government, also claims that the information can be shared with anyone it wants. And the application uses Bluetooth and GPS itself makes it vulnerable to privacy and security issues. While the Government claims that the application is made with privacy as its ‘core principle’, tracking location and persons one has been contacted with itself is violation of privacy. The application remains silent on whom the information is shared with and for what purpose. In addition to the quietness on data handling, the application does not comply with the provisions of IT Act and rules.
Cyber law expert Pavan Duggal said, “The privacy policy also doesn’t give any clarity on how secure your data is. There is no mention of any cyber security parameters and it doesn’t explain how it complies with the IT Act 2000 and IT Rules 2011. The app still doesn’t tell us who all might be able to access my data in terms of governmental agencies. So, the chances of this data being used for monitoring people cannot be ruled out” (see here).
Making ‘Aarogya Setu’ Obligatory
It was launched by the Indian Government on 2nd of April, 2020 being voluntary at beginning but then mandating it slowly but surely.
On April itself, government employees were made obligatory to download the app in their smart phones. Healthcare personnel, police, defense and other personnel working in exposed areas have to by government order download the app.
People living in containment zones of Corona virus are required to keep the app on their phones to keep ‘100% coverage’ of Covid-19 positive cases.
Nonetheless, delivery executives like food delivery recruits (Zomato, Swiggy, etc.) are required to download the app around the end of April.
And in no time, 15 special train travelers, inter-state travelers using e-pass, near future train and airplane travelers, and many are already required to download the application.
With the possibility of the app pre-installed in smart phones and the app as a potential admit-pass for travelers, the app seems to stay longer than Corona virus in India.
Legal aspect of the Obligation : A Deep Analysis
The guideline to make the app mandatory is neither practical nor legally enforceable. The landmark judgement over the issue of government dealing with data and privacy is the case of ‘Justice K.S.Puttaswamy (Retd) and Anr. Vs Union of India and Ors.’ on 24 August, 2017, where the apex court of India declared Right to privacy as a fundamental Right falling under the ambit of article 21 (Right to Life and Personal Liberty). In the same case of 2017 itself, the court happened to give a comprehensive test to check whether any collection of data is appropriate or not, called the ‘Test: Principle of Proportionality and Legitimacy’ (see here). There are four principles to fulfil the test:
- The action must be sanctioned by law.
No law has been passed by the parliament to make the application mandatory. The order to enforce has been merely passed under National Disaster Management Act (NDMA) as an executive guideline. As the app deals with such sensitive data as well as a fundamental right is concerned, neither National Disaster Management Act nor Epidemic Diseases Act has the power to authorize the Government to limit fundamentals rights (Right to Privacy). Thus, it has no legitimacy as it does not meet up with the constitutional standards.
- The proposed action must be necessary in a democratic society for a legitimate aim.
It means only for a reasonable and indeed legal aim the government can limit the fundamental right. Again, if the action taken is for the interest of the whole nation, the Government fails to prove it. The aim is surely to minimize the spread of the virus but how precisely the data is necessary to do so is unknown. Justice DY Chandrachud, who was one of the nine judges in the case, had said that in case of a health epidemic like dengue, the government might be in a situation where they want to collect data to monitor and manage the epidemic. “In such a case, the government has to anonymize the data to use it,” Justice Chandrachud had written (see here).
- The extent of such interference must be proportionate to the need for such interference.
Government has to show the data acquired must be of use and proportionate with optimistic results got from usage of the app, in order to justify the limitation of Fundamental right. The government surely has not till yet shown any statistics as to how far the information is actually aiding. And even if it is necessary, tracing and Bluetooth feature is not the only way to curb the situation. In other words, it does not come under the domain of necessity.
- There must be procedural guarantees against abuse of such interference.
It means each step violating privacy must be safeguarded by checks, including grievance redressal systems. In the present scenario, who will be held accountable if there is breach or abuse of data? Because the government surely has not conveyed anything about accountability to the nation, nor has provided any guarantee regarding breach of data.
Conclusion
Thus, it is clear that making the use of Aarogya Setu mandatory even in certain areas that are in need of emergency sustenance is not legally valid. What is also worrisome is the app’s invasion of privacy as its policy aims to confuse than clarify. There is need of clarification in privacy area, anonymity of the users and assuredly legal backing to the obligation. And, the forthcoming rules that are going to make the application even more compulsory have to be implemented legally in order to sustain.
