Aarogya Setu and Privacy Concerns

27 May 2020

Introduction

Aarogya Setu is a mobile application launched by the Government of India on April 2, 2020. As per the terms of service of the Aarogya Setu Application (“ASA”), the intention is to provide a service to notify, trace, and suitably support a registered user regarding the COVID-19 infection. The press release1 issued by the Ministry of Electronics and IT explains the functioning of the application in the following manner

The App, called ‘Aarogya Setu’ joins Digital India for the health and well-being of every Indian. It will enable people to assess themselves the risk for their catching the Corona Virus infection. It will calculate this based on their interaction with others, using cutting edge Bluetooth technology, algorithms and artificial intelligence.

Once installed in a smart phone through an easy and user-friendly process, the app detects other devices with Aarogya Setu installed that come in the proximity of that phone. The app can then calculate the risk of infection based on sophisticated parameters if any of these contacts is tested positive.

The App will help the Government take necessary timely steps for assessing risk of spread of COVID-19 infection, and ensuring isolation where required.”

Over the ~40 day period since the launch of the ASA, there has been tremendous buzz regarding privacy concerns emanating from its use. The concerns can broadly be categorised under two buckets:

  • Application design and privacy-related concerns, and
  • The Government’s push to make the application mandatory

In this article we shall deal with both buckets and seek to elucidate the concerns and position of law under each.

Aarogya Setu Design and Privacy Concerns

To contain the spread of the deadly COVID-19 virus the following measures have been prescribed by the World Health Organisation Of the measures mentioned above, contact tracing is a core disease control measure employed by the health representatives of the Government for preventing further spread of COVID-19. Contact tracing is part of the process of supporting patients with suspected or confirmed infection. In contact tracing, public health staff work with a patient to help them recall everyone with whom they have had close contact during the timeframe while they may have been infectious. Public health staff then warn these exposed individuals (contacts) of their potential exposure as rapidly and sensitively as possible. To protect patient privacy, contacts are only informed that they may have been exposed to a patient with the infection. They are not told the identity of the patient who may have exposed them

ASA is an attempt in digital contact tracing as it seeks to take advantage of smartphone technology to determine contact between an infected patient and a user of the application. The Indian Government aims that with the popularity of the ASA it shall be able to analyse the spread of the pandemic, identify hotspots to improve Aarogya Setu Design and Privacy Concerns policy decisions and thus implement real-time response mechanisms to restrict the spread of the disease.

The application is seen as an important tool against the fight of COVID-19 and aims to protect the health of people residing in India by alerting them about the spread of the virus and the possibility of contraction of the disease. Thus, the government discharges a duty to protect the health of the citizenry and residents. However, this is done at the expense of intrusion into the privacy of an individual. Considering these aspects, it is important to note that ASA’s use has to find a harmonious balance between the two rights.

While it is laudable that the Government has sought to adopt technology which helps it understand the nature of the pandemic in a much better manner, it is to be noted that the absence of a comprehensive data protection regime has raised concerns for an individual’s right to privacy. Since the recognition of the Right to Privacy as a Fundamental Right under Article 21 of the Constitution of India2, it has been the need of the hour that India implements a robust data protection legislation to safeguard the interests of its residents. To this effect, the Government has been working on a Draft Personal Data Protection Legislation, a framework Bill of which was introduced in the Parliament on December 11, 2019.3 The Bill introduced a rights and duty-based approach for individuals and entities collecting personal data respective.

Core Privacy Principles Outlined in the Data Protection Bill

The Personal Data Protection Bill, 2019 (“the Bill”) provides the framework of a robust data protection regime in India by incorporating global best practices. The Bill seeks to create a rights and duties-based framework within which individuals who are sharing their data are empowered with rights to have better control over the data shared by them, and the entities Core Privacy Principles Outlined in the Data Protection Bill collecting and processing such data are to comply with certain prescribed duties to ensure proper use and handling of data. This entire process is to be overseen by a new regulatory body envisaged under the Bill.