The Ministry of Electronics and Information Technology (MeITY) and the National Informatics Centre (NIC) have developed an application, Aarogya Setu. The app aims to aid India’s fight against the novel coronavirus. It acts as a Covid-19 tracker and helps the government in the contact tracing of the virus. Pre-Arogya Setu, this task was done manually.
The application has also been in the limelight for being the fastest app to touch the milestone of 50 million downloads (in just 13 days). The government pushed the application to its various agencies and informally to most business enterprises, to achieve this feat. The government initially rolled out the app on an entirely voluntary basis but later switched its stance to voluntary-mandatory. With the recent extension of lockdown (lockdown 3.0) all employees in both the private and public sectors have been mandated to install the app. The same is provided by point 15 of the ‘National Directives for COVID-19 Management’. The pattern of change does have an eerie ring to Indian citizens, an eerie ring of the ‘Aadhaar Scheme’, and its subsequent privacy implications.
The Arogya Setu app comes with a plethora of privacy and legal issue. Before moving on the primary focus of this article, i.e. the rampant privacy violations of the app let us take a quick look at its legislative genesis. The legislative framework for the government’s fight against the novel coronavirus has been the National Disaster Management Act, 2005. The Act contains an umbrella clause authorizing the issuance of guidelines and directions aimed at combating disasters.
However, Part III of the Indian Constitution necessitates that even before the discussion of whether an infringement of a right is justified or not, there must exist a statue that permits it. Such a law has to be precise and unambiguous with respect to the rights that it seeks to infringe, the bases of infringement, the procedural safeguards, among other things.
The National Disaster Management Act, 2005
The reason why the National Disaster Management Act, 2005 (NDMA) ceases to be the Act that can allow the government to infringe upon a citizen’s Right to Privacy, as recognized as a right under Article 21 Right to life in the Puttuswamy Judgement because it stays silent regarding the circumstances and manner under which the government is authorized to limit or infringe upon the Right to Privacy.
Mr. Gautam Bhatia writes that there could, hypothetically, be one single umbrella legislation that stipulates that “the government may do anything that it believes is reasonable to achieve the public interest,” if the NDMA was accepted as the basis. Such an absence of a sound legal anchoring to the Arogya Setu app, i.e. the absence of an enabling ‘Arogya Setu Act’, leads us down a path that gives absolute power to the executive and thus impacts the cornerstone of the world’s largest democracy. The absence of an enabling statute also causes more privacy concerns as the app does not come with a sunset close – opening the door to government surveillance in a post-pandemic India.
A similar thought process was applied by the judicial minds in the Kerala High Court in the recent case of Kerala Vydyuthi Mazdoor Sangham, wherein the Hon’ble High Court declined to allow the government to cut salaries of government employees without specific legislation authorizing the same. It a constitutional mandate that there must be a statute that authorizes the executive to commit an act to preserve the rule of law. It is not simply a procedural task that can be overlooked.
The Proportionality Test
India does not have a Data Protection Act yet. Hence, we look upon the Puttuswamy judgment by the Hon’ble Supreme Court to ensure that the Right to Privacy of millions of Indians is not infringed upon. The Puttuswamy judgment has laid down the Proportionality test to decide whether there has been an unjust breach of the Right to Privacy. In order to satisfy the proportionality test, the usage of any privacy breaching app must satisfy five prerequisites:-
- The app must have a legislative basis
- It must pursue a legitimate aim
- It should be a rational method to achieve the intended aim
- There must not be any less restrictive alternatives which can also achieve the intended aim
- The benefits must outweigh the harm caused to the right holder
Whether Aarogya Setu app satisfies the Proportionality Test
The Aarogya Setu app fails to fulfil the very first condition of having a legislative basis, as explained above. However, when looking at the end goal, the Aarogya Setu app is designed to combat Covid-19. This is a legitimate aim and the app does pass the second criteria.
A turn for the worse is taken for Aarogya Setu when it comes to meeting the third condition. Analysts have always questioned the efficiency of contact tracing applications. A recent Brookings paper shows us that contact tracing is effective where there exists large-scale testing capacity which, unfortunately, has not been the case in India; there is a high risk of false positives and false negatives, something that gets worse as the population size increases and the absence of complete smartphone penetration can defeat the very purpose of the app.
Regarding the last point, the paper also enlightens us about the Metcalf Law which shows, in USA, where there is a smartphone penetration of 81% the app shall only capture 61% of the exposure provided everyone with a smartphone install the app. One can only imagine the result for a developing nation like India where the smartphone penetration stands at 39%.
Availability of less restrictive ways
It becomes a slippery slope when dealing with the third and fourth criteria of the proportionality test. Are there less restrictive ways? Yes. The apps developed by the Singapore government – TraceTogether – acts as a stellar example of the same. The app utilizes only Bluetooth and doesn’t mandate the sharing of such personal details. It does not track the users’ GPS pings. The app offers a right to have the entire data wiped off from government servers. The Aarogya Setu app seems to be a rash act by the government. The entirety of its code taking only a mere two weeks to write and compile. Moreover, the code is not open-sourced. The public cannot verify that the code is not one that collects unnecessary data – TraceTogether uses open-sourced code.
The rationality of technology utilized
One may question the rationality of many aspects of the technology utilized by the app. After all, we are in uncharted waters. This is the first time where technology has played such a prominent role in combating a pandemic. For example, Bluetooth systems merely measure proximity. They do not consider factors like the individuals that may be separated by walls. These walls may be porous enough for a Bluetooth signal to penetrate. Nor do the systems account for when individuals take safety measures, such as the use of personal protective equipment (PPEs).
The fifth condition poses a very important question before us all. Do the benefits derived from the Aarogya Setu app outweigh the harm caused to its user? The answer is a subjective one. The present author is of the opinion that yes, privacy must take a backseat during a pandemic. However, the current model of the app is not one that the author is willing to endorse with high opacity and ambiguity in its terms of usage which does not even clear which government bodies have access to the data and which agency has the final oversight of the app.
Involvement of big data companies
It is pertinent to note that governments are assisted by big data companies to overcome technological shortfalls. This is a huge red flag especially when we look at the usage of data by the Kerala government. The Kerala government has joined hands with ‘Sprinklr’ a US-based company that specializes in data analytics to help with the government’s fight against Covid-19. However, Spinklr is the very same firm that aided in the 2016 presidential campaign of Donald Trump. Analysts viewed the firm in a negative light relating to privacy concerns. This is the very same firm that now has access to sensitive health-related data of millions of Indians.
The present author is in no way against the effective utilization of technology in combating a global pandemic. On the contrary, he actively encourages the same. However with proper safeguards to protect the privacy of the peoples of various nations. The present author recommends that the framework of the Aarogya Setu app should incorporate the following changes:-
- Make the code of the application open-sourced. This would ensure that ethical hackers and privacy activists can verify that the app does not unnecessarily collect data.
- Enact specific legislation pertaining to the application which contains a sunset clause. This shall ensure that the government does not have a mass surveillance tool in a post-pandemic world
- Simplify the terms of usage of the application. All ambiguity regarding which all government agencies have access to the data should be cleared. Further, suitable justifications for each agency that has access to the data must be provided.
- The governments should allow users the option of opting out of the app, i.e. make the app voluntary. Non-installation of the app should involve a penalty. Moreover, the application must also allow the existing users to delete all their personal data at will.
- The government must uptake safeguards when big data companies come into the picture of assisting the administration. The government must localize the data. If the companies utilize sensitive data for targeted advertisements, the government should be held accountable for the same.
The government directive that mandates the installation of the Aarogya Setu app for all employees suffer from serious legal flaws. The application seems to fail the proportionality test on multiple grounds. Relevantly, the absence of anchoring legislation authorizing the government to compromise the Right to Privacy for the betterment of society.
However, the present author firmly believes that the inculcation of technology in combating the pandemic is moving in the right direction. In the near future, the government shall make the necessary changes required to deal with the privacy violation aspect. A future where our nation could efficiently combat a pandemic without endangering the privacy of any of its citizens.
Libertatem.in is now on Telegram. Follow us for regular legal updates and judgments from the court. Follow us on Google News, Instagram, LinkedIn, Facebook & Twitter. You can also subscribe to our Weekly Email Updates. You can also contribute stories like this and help us spread awareness for a better society. Submit Your Post Now.