By Shilpa Santhosh

Abstract

The notable 2017 Puttaswamy judgement on privacy being declared as a fundamental right, under Article 21 of the Constitution has been instrumental in how citizens viewed their rights. The Right to Privacy falls under Article 21 of the Constitution, under the Right to Life and Personal Liberty. Keeping this in mind, in 2020, the Government of India launched the Aarogya Setu application to simplify the methodology of contract tracing of COVID positive patients and to monitor the vaccination rates. Aarogya Setu requires the user to mandatorily link their Aadhar ID and live location. The live location and details of the biometrics of the citizens were stored in cloud memory by the Government of India. In the first week of 2023, the Government of India released a notification claiming to have deleted all data relating to contract tracing and that the very feature had been disabled in the app. This poses a lot of questions; from the ethicality of the Aarogya Setu app – to collect and store enormous chunks of personal data – to making the usage of the app compulsory. With this article, I wish to investigate the legality of the Aarogya Setu app and how the legal tenants have influenced in formulating this application, under the umbrella of health policy.

The Need for Aarogya Setu

Aarogya Setu was launched on 2nd April 2020, by the Government of India to aid in the fight against the newly discovered virus. Aarogya Setu remains the most downloaded and reviewed m-health application in Google Play Store. The application helps in contract tracing using Bluetooth and GPS signals of the registered user and nearby registered users.

The application has details of the emergency contact numbers concerned with that particular state, along with the COVID-19 statistics. E-passes can also be generated through the application. Aarogya Setu fought misinformation during COVID-19 lockdowns, as the most accurate Covid data and precautionary methods of staying safe were displayed on it.

Besides providing a technical platform to generate e-passes for intra and inter-state travel, the application itself pioneered to act like a safety pass where the Government and various other private organisations had made it mandatory for their employees to download it. The attendance registered in various workspaces depended on the “Green” indicator of the self-assessment section. Food delivery applications like Swiggy and Zomato had also made the compulsory usage of Aarogya Setu for all its employees. The application also provided a window to book COVID-19 vaccination slots when the vaccine policy was rolled out.

As much as the application was a saving grace for India during the pandemic, the application posed questions of legality and ethicality. Having collected enormous chunks of personal data, and storing it all in one server poses several questions regarding privacy and data security. The sudden introduction and implementation of the application also pose questions regarding its legal basis.

The Legal Aarogya of “Aarogya Setu”

In the momentous judgement of the Puttaswamy case, the right to privacy was declared as a fundamental right, a violation of which would have serious repercussions. Even after a ruling like such, Aarogya Setu does not follow the legal tenets that were laid down by the Puttaswamy judgement to protect the privacy of its citizens. 

When taking the Puttaswamy judgement as the standard of review, it pronounces power for the state to collect and store data, provided there are justifiable reasons for it. On top of that, the judgement also lays down three important criteria pertaining to safeguarding one’s privacy that the policy must adhere to. Any policy that infringes on personal liberty or life must meet the following criteria:

i.  legality, which postulates the existence of law.

ii. need, defined in terms of a legitimate state aim.

iii.    proportionality which ensures a rational nexus between the objects and the means adopted to achieve them.

The adoption and implementation of the Aarogya Setu application without passing concrete legislation suggest the failure of the policy to adhere to the Puttaswamy proportionality test. The lack of a concrete legal document to substantiate the very use of the application poses various opportunities for the negligence of privacy as sensitive and private information could be misused.

Violating the second tenet of the Puttaswamy proportionality test, Aarogya Setu fails to explain and define how the data collected would be used and the external organisations that are involved. The vague explanation proposed by the Government of India does not clear the air on the need and purpose for the application, besides contract tracing.

Aarogya Setu also fails the third proportionality test, as the extensive data collection goes beyond just “contract tracing”, hence falling back on the third tenet of the Puttaswamy legality check.

Looking through the lens of the Information and Technology Rules of 2000, health data is defined as sensitive personal data under Section 43A, and Rule 5(1) states that health data can be collected and processed by body corporates only with the consent of the individual. The compulsory usage of the application, along with its enforcement on government and private employees, violates the legal provisions established by the IT Rules. The lack of consent, coupled with stringent measures to use the application, makes Aarogya Setu a digital evil. 

Aarogya Setu’s tryst with privacy fell when the application collected the personal data of millions of people and stored them collectively in one server for 2.5 years, where such personal data can only be stored for a maximum period of 6 months. This feature primarily violates the Data Minimisation Policy as it collects chunks of personal data and stores it for extended periods. The issue of storing huge blocks of data in one server posed several data security threats, coupled with the breach of time as well. 

Conclusion

Despite failing to adhere to the existing laws and lacking encryption when it comes to data privacy and security, citizens of India completely followed the Government’s mandate to use the application, voluntarily willing to share personal data with agencies of the state. This poses the question – ‘whether we value our private data or trust our agencies of state too much?’

To privacy or not to privacy, that’s the real question!

About the Author

Shilpa Santhosh is a public policy postgraduate at the Jindal School of Government and Public Policy. As an aspiring policy analyst, she’s keenly interested in health policy, urban governance & planning,  human rights, and gender development.

Image Source: https://thelogicalindian.com/news/government-makes-arogya-setu-app-open-source-for-developers-21356