In India, the unfolding COVID-19 pandemic has gone through two-waves, registering over 3.1 crore cases and killing over 4.2 lakh people.[i] It has collapsed the economy and overburdened the healthcare system. In an effort to contain the volume and pace of transmission, the Government of India launched its contact-tracing application, Aarogya Setu, on 2nd April, 2020. However, unlike its global contemporaries, this App additionally serves as an informational tool, self-assessment tool, and situational awareness tool.[ii] These manifold purposes alter the type and manner of data collection, thereby raising privacy concerns. These concerns are particularly important during a pandemic, where urgency may confer wide administrative discretion, leading to mass surveillance or usage of collected data beyond this pandemic. This discussion is particularly important since, in a year of its release, it has become the world’s most downloaded contact-tracing app, and generated significant controversy.[iii]
Currently, there is no statute that deals with state liability for privacy infringement. But in KS Puttaswamy v. Union of India [“Puttaswamy”],[iv] the Supreme Court [“SC”] recognized the right to privacy as a fundamental right, enforceable against the state. It established a four-fold test for its infringement: legality, legitimate goal, proportionality, and procedural safeguards. Using this test, I will argue that while the requirements of legality and a legitimate goal have been satisfied, the privacy infringing act is disproportionate and without adequate procedural safeguards.
Testing Features of Aarogya Setu against the Constitutional Standard
The right to privacy entitles the individual with the autonomy to make personal life decisions (positive aspect), and restrains the state from unwarranted interference (negative aspect). In Puttaswamy, the SC explicitly recognized the need to protect both these aspects, even during epidemics.[v] Thus, notwithstanding the circumstances, the features and operation of the app must be consistent with the right to privacy. Notably, the first three prongs of the above-mentioned test are necessary conditions.
The infringement of personal privacy by the state must be through a valid and existent law. The government has not passed any legislation or promulgated any ordinance specifically for the app. Therefore, the question is whether it has the power to do so under any existing legislations. So far, the government has invoked the Epidemic Diseases Act, 1897, and the Disaster Management Act, 2005 to justify its actions in containing COVID-19.[vi]
The 1897 Act empowers the central government to frame regulations during epidemics if the existing law is insufficient. However, this conferral is authorized in the limited context of inspecting vessels at ports, and detaining people for the same. Thus, there is no power to curtail the right to privacy under this Act.
The 2005 Act empowers the central government to take all such measures as it deems necessary or expedient for the purpose of disaster management. The term disaster, under Section 2(d), does not ordinarily extend to epidemics. However, on 14 March, the Home Affairs Ministry declared the coronavirus outbreak as a “notified disaster”, thus bringing it within the fold of Section 2(d).[vii] Therefore, releasing an app to contain COVID-19 would be within the powers of the government within the Act.
However, the sweeping powers under this Act make direct and collateral privacy breaches more susceptible. Considering this, the government must consider framing a specific law. Even the BN Srikrishna Commission had recommended the existence of a specific law. However, the government has evaded this by carving out an exception for health emergencies in Personal Data Protection Bill, 2019 [“the Bill”].
Unfortunately, the government has treaded in the opposite direction. They had originally declared the installation of the app to be mandatory.[xi] However, on backlash, they have obligated employers to ensure compliance on a “best efforts” basis instead.[xii] In practice, the government, and many private players due to the threat of non-compliance, have still insisted on mandatory usage of the app, without passing any specific legislation.[xiii]
- Legitimate Goal
In Justice K. S. Puttaswamy v. Union of India (II),[xx] the SC held that there are three necessary conditions for a privacy restricting measure to be proportionate: firstly, it must be a suitable means of furthering the legitimate goal (rational connection stage); secondly, there must not be any less restrictive, but equally effective alternative (necessity stage); thirdly, the measure must not have a disproportionate impact on the right-holder (balancing stage).
- Rational Connection Stage
The app collects information to trace and inform people who have crossed paths with an infected user.[xxi] Furthermore, it prepares anonymized and aggregate datasets,[xxii] such as reports or heat maps, which helps in situational awareness and performance assessment. Thus, the app is a suitable means to the goal of containing COVID-19.
While the App does have a rational connection, its efficiency is questionable. Reportedly, the App has been unable to pick up details about people on“two sides of a shopping mall or even on two sides of a wall”.[xxiii] This can be tied to the weakness of Bluetooth technology as regards contact tracing.[xxiv] Despite this lower efficiency, it is still valuable given the persistently escalating case burden in the country. This is because even limited efficiency allows substantial health-related and economic cost savings.[xxv]
- Necessity Stage
There are three features that warrant analysis: usage of GPS, manner of Bluetooth usage, and extent of collected data.
- Usage of GPS
To trace contact between users, the app uses both Bluetooth and GPS.[xxvi] Critics have contended that the application’s use of GPS is redundant, thus violative of proportionality.[xxvii] They argue that Bluetooth is adequate to register contact between user’s devices, as shown by Singapore’s TraceTogether.[xxviii]
While the sole usage of Bluetooth is certainly “less restrictive”, it is not an “equally effective alternative” as GPS serves the unique purpose of preparing anonymized and aggregated datasets.[xxix] These are in-turn used to guide policymaking in, inter alia, understanding hotspots and planning relaxations.[xxx] It must be remembered that while Aarogya Setu may serve as a contact-tracing application, it is not necessary for its goal to be limited to that. As argued earlier, the government’s intended goal is much broader- to contain the pandemic. Therefore, using GPS does not violate proportionality.
- Extent of Information Collected
Apart from location, Bluetooth ID, and result of the self-assessment test, the app collects a user’s name, age, phone number, sex, profession, and countries visited in the last 30 days.[xxxi] These six pieces of information are then hashed with a unique digital ID, and uploaded on the server.[xxxii] The predominant concern has been regarding the collection of data on sex and profession. However, these concerns are unfounded since this collection serves a role in dataset analysis and policymaking. Given our limited and dynamic understanding of COVID-19, the data on sex helps understand the gendered implications of this virus, if any. The data on profession could aid in a phased-out relaxation of the lockdown.
- Manner of Storing Unique Digital ID Bluetooth Usage
In Aarogya Setu, the Unique Digital ID (“DID”), which contains the user’s personal information, is uploaded onto servers without any obfuscation.[xxxiii] This is a downgrade from earlier requirement of hashing such ID in static form, which itself was quite susceptible to third-party privacy breaches.[xxxiv] This is unlike TraceTogether, where the DIDs of the users are random, and changed every 15 minutes.[xxxv] This obfuscation protocol is much more effective and less restrictive in data collection and security. Therefore, the app’s manner of storing DIDs violates proportionality.
In essence, while the usage of GPS and extent of information collected are not disproportionate, the manner of storing DIDs certainly is.
- Balancing Stage
Most alarmingly, the app has a disproportionate impact on the user. This is because of the unfair data retention, no notice of security breaches, and effectively no liability on the government. I will elaborate on each in turn.
- Unfair Data Retention
- No Notice of Security Breach
While the government has utilized the highest security standards in storage and uploading of data,[xl] the user has no right or means to know if a breach of his/her data has occurred. Obtaining knowledge of a breach is the first step for a user to mitigate the ensuing disproportionate impact. Therefore, not providing or denying access to this knowledge compounds the disproportionate impact.
- Limited Government Liability
- Concerns with the anonymization of and access to collected data
In de-identified form, the collected can be shared with ministries/departments at any level or disaster management authorities or public health institutions so long as it for formulation/implementation of critical health response.[xliv] NIC is required to document the agencies/persons, time, and categories of data shared.[xlv] However, this is only ‘to the extent reasonable’,[xlvi] thus providing a scope for evasion of this obligation. These concerns are well-founded given instances like the Jammu & Kashmir administration sharing such data with law enforcement agencies.[xlvii]
While the Protocol establishes an obligation to anonymize the data, it has so far merely formed a committee to establish these anonymization protocols,[xlviii] without anything actually being done. The continued usage of appropriate anonymization protocols is important since the App has the potential to create a social graph of users by tracking their contact.[xlix] When combined with the government’s existing database, this significantly expands their surveillance powers.
- Procedural Safeguards
Notably, this prong is not binding in law. Nevertheless, it is persuasive as it provides a normative lens to view state interference in personal privacy. Furthermore, Justice Kaul had proposed this prong to only echo the central requirement under Article 21 of checking abuse of state interference through a “procedure established by law”.[l] However, in a technological paradigm, mere assurances in law against state abuse are inadequate.
Conclusion and Way Forward
The app and its features infringe the fundamental right to privacy, as they fail to satisfy the necessary and balancing condition of proportionality. Although there is legality to the app, the government must consider enacting a specific law to address the large scale impact and legal ramifications. The government’s legitimate goal, though presently valid, is unclear due to undefined features on the app and several future plans. Most importantly, the infringing action violates proportionality as it is not the least restrictive means, and has a disproportionate impact on the user. Thus, the app’s features must be amended to meet global standards. Lastly, the government must make appropriate amendments to the source code for greater transparency.
*Ankit Kapoor is a third-year BA-LLB (Hons.) student at the National Law School of India University, Bangalore.
[i] ‘Coronavirus Cases’ (WorldOMeter, 24 July 2021) <https://www.worldometers.info/coronavirus/country/india/> accessed 24 July 2021.
[ii] Aditi Agarwal, ‘India government releases COVID-19 contact tracing app’ (Medianama, 2 April 2020) <https://www.medianama.com/2020/04/223-aarogya-setu-coronavirus-contact-tracing-app-launched/> accessed 24 July 2021.
[iii] Praphul Singh, ‘India’s Aarogya Setu becomes world’s most downloaded contact-tracing app’ (WION, 16 July 2020) <https://www.wionews.com/india-news/indias-aarogya-setu-becomes-worlds-most-downloaded-contact-tracing-app-313748> accessed 24 July 2021.
[iv] (2017) 10 SCC 1.
[v] KS Puttaswamy (n 4)  (DY Chandrachud J).
[vi] Gautam Bhatia, ‘An Executive Emergency: India’s Response to Covid-19’ (Verfassungsblog, 13 April 2020) <https://verfassungsblog.de/an-executive-emergency-indias-response-to-covid-19/> accessed 24 July 2021.
[vii] FP Staff, ‘Coronavirus Outbreak: The Disaster Management Act explained’ (Firstpost, 26 March 2020) <https://www.firstpost.com/health/coronavirus-outbreak-disaster-management-act-provides-legal-backing-for-punitive-measures-allows-govt-to-access-emergency-funds-all-you-need-to-know-8190161.html> accessed 24 July 2021.
[ix] Vidhi Desk, ‘Aarogya Setu’s Data Access and Knowledge Sharing Protocol, 2020’ (Vidhi Center for Legal Policy, 11 May 2020) <https://vidhilegalpolicy.in/blog/aarogya-setus-data-access-and-knowledge-sharing-protocol-2020/> accessed 24 July 2021.
[xi] Danny Cyril D Cruze, ‘Aarogya Setu now mandatory for employees in India’ (Livemint, 2 May 2020) <https://www.livemint.com/news/india/aarogya-setu-now-mandatory-for-employees-in-india-here-s-how-to-register-11588408846545.html> accessed 24 July 2021.
[xii] ET Bureau, ‘Mandatory to best effort basis: Aarogya Setu app rule eased for companies (The Economic Times, 18 May 2020) <https://economictimes.indiatimes.com/tech/internet/mandatory-to-best-effort-basis-aarogya-setu-app-rule-eased-for-cos/articleshow/75794985.cms?from=mdr> accessed 24 July 2021.
[xiii] Tanisha Ranjit, ‘Aarogya Setu: Mandatory or not? We traced it for eleven months through our Tracker’ (Interner Democracy Project, 22 April 2021) <https://internetdemocracy.in/2021/04/aarogya-setu-mandatory-or-not-we-traced-it-for-ten-months-through-our-tracker> accessed 24 July 2021.
[xiv] Internet Freedom Foundation, Privacy prescriptions for technology interventions on Covid-19 in India (IFF Working Paper No 3, 2020) para 2.4-2.6.
[xv] Aditi Agarwal, ‘Aarogya Setu will include telemedicine, greater personalisation’ (Medianama, 22 April 2020) <https://www.medianama.com/2020/04/223-aarogya-setu-upcoming-features/> accessed 24 July 2021.
[xvi] Kashish Aneja & Nikhil Pratap, ‘Implement Aarogya Setu, but only through law’ (The Hindu, 21 April 2020) <https://www.thehindu.com/opinion/op-ed/implement-aarogya-setu-but-only-through-law/article31391708.ece> accessed 24 July 2021.
[xvii] ‘E-pass feature on Aarogya Setu app is now live, here’s what it brings’ (The Times of India, 20 April 2020) <https://timesofindia.indiatimes.com/gadgets-news/e-pass-feature-on-aarogya-setu-app-is-now-live-heres-what-it-brings/articleshow/75250100.cms> accessed 24 July 2021.
[xviii] ANI, ‘No Glitches, COVID-19 Vaccine Registration Only On Co-WIN Portal, Arogya Setu App: Empowered Group Chairman’ (NDTV, 2 March 2021) <https://swachhindia.ndtv.com/no-glitches-covid-19-vaccine-registration-only-on-co-win-portal-arogya-setu-app-empowered-group-chairman-57003/> accessed 24 July 2021.
[xx] (2018) 1 SCC 809  (AK Sikri J).
[xxiii] Rashme Sengal, ‘Mere paas app hai: Four months later, how good is Aarogya Setu?’ (National Herald, 29 August 2020) <https://www.nationalheraldindia.com/india/mere-paas-app-hai-four-months-later-how-good-is-arogya-setu-app> accessed 24 July 2021.
[xxiv] ‘Hindsight is 20/20: Assessing outcomes from Aarogya Setu’ (Internet Freedom Foundation, 8 March 2021) <https://internetfreedom.in/the-past-and-future-of-aarogya-setu/> accessed 24 July 2021.
[xxv] Saurav Basu, ‘Effective Contact Tracing for COVID-19 Using Mobile Phones: An Ethical Analysis of the Mandatory Use of the Aarogya Setu Application in India’ (2020) 30(2) Cambridge Quarterly of Healthcare Ethics <https://www.cambridge.org/core/journals/cambridge-quarterly-of-healthcare-ethics/article/effective-contact-tracing-for-covid19-using-mobile-phones-an-ethical-analysis-of-the-mandatory-use-of-the-aarogya-setu-application-in-india/8A902BBEF6722241E28458BB70FC1195> accessed 24 July 2021.
[xxvii] Amber Sinha, ‘Aarogya Setu App Could Work, But At What Cost?’ (The Quint, 15 April 2020) <https://www.thequint.com/voices/opinion/modi-corona-lockdown-extension-aarogya-setu-app-contact-tracing-covid-patients-data-privacy> accessed 24 July 2021.
[xxviii] Jason Bay, Joel Kek, et al, ‘BlueTrace: A privacy-preserving protocol for community-driven contact tracing across borders’ (Government Technology Agency, 9 April 2020) <https://bluetrace.io/static/bluetrace_whitepaper-938063656596c104632def383eb33b3c.pdf> accessed 24 July 2021.
[xxxiv] Anand Venkatanarayanan, ‘How The Aarogya Setu App Handles Your Data’ (Bloomberg Quint, 17 April 2020) <https://www.bloombergquint.com/coronavirus-outbreak/covid-19-how-the-aarogya-setu-app-handles-your-data> accessed 24 July 2021.
[xxxviii] Richa Rashmi, ‘Aarogya Setu: Bridging Health & Well-being as India Battles Coronavirus’ (News18, 20 April 2020) <https://www.news18.com/news/opinion/aarogya-setu-bridging-health-well-being-as-india-battles-coronavirus-2585051.html> accessed 24 July 2021.
[xxxix] Alex Hurn, ‘Anonymised’ data can never be totally anonymous, says study’ (The Guardian, 23 July 2019) <https://www.theguardian.com/technology/2019/jul/23/anonymised-data-never-be-anonymous-enough-study-finds> accessed 24 July 2021.
[xli] Terms of Service, Aarogya Setu Application, cl. 6.
[xlii] Internet Freedom Foundation (n 14) para 3.2.
[xliii] Harsh Walia & Supratim Chakraborty, ‘India: Data Protection Laws and Regulations 2021’ (ICLG, 6 July 2021) <https://iclg.com/practice-areas/data-protection-laws-and-regulations/india> accessed 24 July 2021.
[xliv] Aarogya Setu Data Access and Knowledge Sharing Protocol 2020, cl. 6(b).
[xlv] Aarogya Setu Data Access and Knowledge Sharing Protocol 2020, cl. 6(c).
[xlvi] Aarogya Setu Data Access and Knowledge Sharing Protocol 2020, cl. 6(c).
[xlvii] Bisma Bhat, ‘Breach of Privacy? JK Admin shared user data collected through Aarogya Setu App with Police’ (FreePressKashmir, 20 March 2021) <https://freepresskashmir.news/2021/03/30/breach-of-privacy-jk-admin-shared-user-data-collected-though-aarogya-setu-app-with-police/> accessed 24 July 2021.
[xlviii] Aarogya Setu Data Access and Knowledge Sharing Protocol 2020, cl. 7-8.
[xlix] Kritti Bhalla, ‘Aarogya Setu For Citizen Surveillance? A Delhi HC Order Gives Rise To Privacy Fears’ (Inc42, 16 April 2021) <https://inc42.com/buzz/as-feared-aarogya-setu-turned-into-citizen-surveillance-app-in-delhi-hc-order/> accessed 24 July 2021.
[l] Vrinda Bhandari, Amba Kak, Smriti Parsheera,, & Faiza Rahman, ‘An Analysis of Puttaswamy: The Supreme Court’s Privacy’ (2017) 11(1) IndraStra Global.
[li] HT Correspondent (n 19).
[lii] ‘Four months on, Aarogya Setu is still not open-source. WHY and WHEN is what the nation really wants to know!’ (Internet Freedom Foundation, 19 August 2020) <https://internetfreedom.in/aarogya-setu-should-be-open-source-now/> accessed 24 July 2021.
[liii] Gaurav Vivek Bhatnagar, ‘Centre Apologises for ‘Irresponsible Submissions’ Regarding Aarogya Setu Before CIC’ (The Wire, 8 December 2020) <https://thewire.in/government/centre-irrespinsible-submissions-aarogya-setu-rti-response> accessed 24 July 2021.
[liv] ‘A look at Aarogya Setu through the Right to Information lens’ (Internet Freedom Foundation, 27 May 2020) <https://internetfreedom.in/aarogya-setu-through-the-right-to-information-lens/> accessed 24 July 2021.
[lv] ‘Govt officials to justify denial of information about Aarogya Setu in secret hearing before CIC’ (Internet Freedom Foundation, 23 November 2020) <https://internetfreedom.in/cic-legal-notice-aarogya-setu-show-cause-hearing/> accessed 24 July 2021.
[lvi] ‘Delhi HC issues notice to govt in petition challenging denial of RTI regarding Aarogya Setu’ (Internet Freedom Foundation, 19 January 2021) <https://internetfreedom.in/delhi-hc-hearing-aarogya-setu/> accessed 24 July 2021.
[lvii] Internet Freedom Foundation (n 14) para 3.2.