RIGHT TO PRIVACY IN REFERENCE TO AAROGYA SETU APPLICATION

ABSTRACT:

The Covid-19 pandemic has shrunk the world down. In India inspite of its high density population the Government of India took lots of initiative and steps to control the spread of the Virus. One such step was the Aarogya Setu Application which be used by the Government of India in anonymized, aggregated datasets for the purpose of generating reports, heat maps and other statistical visualisations for the purpose of the management of COVID-19 in the country and provide medical assistance to the citizens of the Nation. However the Application received a negative criticism due to the allegations of breach of privacy due to improper security measures in the technology resulting in infringement of privacy. The legal impact on privacy has been addressed in this article.

KEYWORDS: Aarogya Setu Application, Covid-19, Privacy.

AAROGYA SETU APPLICATIONFOR COVID-19

Aarogya Setu is an electronic application, by the Indian Government. It aims to protect citizens during the COVID-19 pandemic. The Application collects certain data which includes demographic, contact, self assessment & location data[1]. The Application also collects personal information like Name, Sex, Age, Profession and countries visited in last 30 days. The self assessment done through the Application will determine the potential risk of medical necessity due to COVID-19 to the user. The Application detects devices nearby which have installed the Application when they enter the Bluetooth proximity of the user’s phone. During this detection both applications will securely exchange a digital signature of the particular interaction, which includes time, proximity, location and duration. If any who came in contact with the particular person using the Application during the last 14 days, tests positive for COVID-19, the Application will calculate the risk of infection. The infection risk is analyzed by Indian Government, to aid suitable required medical interventions. The Application also uses GPS to trace the paths travelled by the infected persons[2].

SECURITY CONTROVERSIES

The Application contains several security measures such as Device Identification Number, Data Limitations, Anonymization, Limited Purpose of Usage, Advanced Encryption Standard. The source code of Aarogya Setu also was made open source[3]. Inspite of all such security, certain hacking experts[4], researchers[5], politicians[6] have seriously criticized the security vulnerability in the Application. The Government has denied such allegations but prepared the AAROGYASETU BUG BOUNTY PROGRAMME by stating “Despite the best measures taken, the presence of vulnerabilities may exist. When such vulnerabilities are found, Government would like to learn of them as soon as possible, allowing it to take swift action to fix them and thereby enhance the security. In addition to security, suggestions for code change for enhanced efficiency are also encouraged.”[7] The person finding such vulnerability was rewarded. But persistently the Aarogya Setu Application team asserted that no data or security breach has been identified.

RIGHT TO PRIVACY:

The inalienable fundamental right to privacy exists in Article 21 as well as other fundamental freedoms mentioned in Part III of the Indian Constitution.[8] Most popularly this right of privacy emanates from Article 21.[9] Article 21 states that no person shall be deprived of his life or personal liberty except according to procedure established by law[10]. Right to privacy is an integral part of the right to life.[11] The central theme is that privacy entitles to protection as a core of constitutional doctrine.[12] The right to be let alone is recognized under this Article.[13]

PUBLIC SAFETY:

The Supreme Court has observed that the right to privacy is subject to reasonable regulations made by the Government for protecting legitimate State interests or public interest.[14] The Aarogya Setu Application can be backed by the Epedemic Disease Act, 1897 where Central Government can empower any person to take any measures or prescribe any temporary regulations to prevent the spread and outbreak of the disease.[15] It is true that right to privacy cannot be forsaken in the interest of welfare entitlements provided by the State[16] but serving the interests of national security and public will not amount to violation of privacy.[17] The article 21 also contemplates once right to a healthy environment.[18]
So a comparison or balancing exercise of competing public interests and privacy rights has to be undertaken.[19] This right is not absolute and can be lawfully restricted for the protection of other’s health. When there is a clash between Right to privacy and Right which would advance the public morality or public interest, the later only would survive.[20]

MEDICAL PRIVACY:

Privacy also implies anonymity, where an individual seeks freedom from identification despite being in a public space.[21] Mobiles are not just another technological convenience, with all information it contains and reveals, holds the privacies of many lives.[22]  Individuals value the privacy of confidential medical information because of the large number of people who could have access the information and the potential harmful effects that may result from disclosure. The lack of respect for private medical information and its subsequent disclosure may result in fear jeopardizing an individual’s right to make certain fundamental choices that he has a right to make.[23].

The Aarogya Setu Application privacy policy express that the informations collected will only be used for Epidemic control purpose and this information is incapable of being used by other person[24]. National Informatics Centre is responsible for collecting, processing and managing response data of the application. NIC shall collect only such response data as is necessary and proportionate to formulate or implement appropriate health responses. But the protocol also states that in the context of health response, such personal data may be shared with the Ministry of Health and Family Welfare, Government of India, Departments of Health of the State/Union Territory Governments/ local governments, NDMA, SDMAs, such other Ministries and Departments of the Government of India and State Governments and other public health institutions of the Government of India, State Governments and local governments.[25] Sharing of such medical data of individuals them to the above mentioned may result in misappropriation. There are huge possibilities of these data being used for purpose other than health response. The info Information about a person’s health is a vital element of private life.[26]

DIGNITY AND PRIVACY:

Information like Gender, occupation and location data of an individual which is being monitored are so vital in ensuring a person’s dignity.  A person may visit any place of his choice but monitoring such visits if not served its purpose will definitely affect the dignity of a person. Human dignity is an integral part of the Constitution. To live is to live with dignity. The right to privacy is an element of human dignity. [27] This right to live with human dignity must include protection of the health; the Central Government has no right to take any action which will deprive a person of the enjoyment of these basic essentials[28] It is the duty of the State to protect the human dignity and facilitate it by taking positive steps.[29]When dignity is lost, life goes into oblivion[30]

MANDATORY

The Application was initially intended to be Mandatory[31]. Former Supreme Court Judge B N Srikrishna, stated that mandating the use of Aarogya Setu Application“utterly illegal”.[32] But guidelines issued by the Government of India vide order No.40-3/2020-DM-I(A) dated 30th May, 2020 relating to the use of Aarogya Setu denoted that installation of the application is not mandatory for the employees of public and private organisations. The best efforts should be taken for installation of the application. The user has an option to delete the Application and a person need not even download the application if he feels the Application will violate his privacy. Even in Karmanya Singh Sareen And Anr vs Union Of India And Ors[33], when the privacy aspect of WhatsApp was questioned the court stated,

“We are, therefore, of the view that it is always open to the existing users of WhatsApp who do not want their information to be shared with Facebook, to opt for deletion of their account”[34]

CONCLUSION

Inspite of its several criticisms the point to be noted is that, mere possibility that security measures will fail, provides no proper ground for a broad-based attack on Government information collection practices.[35] A writ petition was filed in Kerala High court to declare the usage of Aarogya setu Application unconstitutional and violative of fundamental right to privacy enshrined under Article 19(1)(a) & Article 21 of the Constitution of India. But the High court dismissed the Petition because the Application was not mandatory.[36]The data breach occurs even in highly secured applications, the Government collects all this personal information inspite of its collections from Aarogya Setu Application and the usage is also not mandatory. Several citizens of our country as well as the Government has benefitted from the usage of this Application. So it entirely depends on the wish of an individual to use this App. But a widespread usage only can provide significant outcomes.


[1] Ministry of Electronics and Information Technology, The Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020, 1 ( 11th may 2020) https://www.meity.gov.in/writereaddata/files/Aarogya_Setu_data_access_knowledge_Protocol.pdf

[2] Aarogya Setu Privacy Policy, AAROGYA SETU,https://aarogyasetu.gov.in/privacy-policy/ ( Last Visited: 23rd September,2020)

[3] PIB Delhi, Aarogya Setu is now open source, PRESS INFORMATION BUREAU, (26 MAY 2020 8:18PM), https://pib.gov.in/PressReleasePage.aspx?PRID=1626979.

[4] Yuthika Bhargava, Hacker ‘sees’ security flaws in Aarogya Setu, THE HINDU, (MAY 06, 2020), https://www.thehindu.com/news/national/ethical-hacker-robert-baptiste-elliot-alderson-sees-security-flaws-in-aarogya-setu/article31515292.ece

[5] Moneylife digital team, Aarogya Setu Technology, User Privacy under Criticism; MIT Cuts the App’s Rating to Lowest Level,MONEY LIFE,( 22nd May 2020), https://www.moneylife.in/article/aarogya-setu-technology-user-privacy-under-criticism-mit-cuts-the-apps-rating-to-lowest-level/60420.html

[6]ET Government, Aarogya Setu Applicationmay meet Sprinklr fate, Rahul Gandhi raises security, privacy concerns,ET GOVERNMENT, ( May 02, 2020), https://government.economictimes.indiatimes.com/news/secure-india/aarogya-setu-app-may-meet-sprinklr-fate-rahul-gandhi-raises-security-privacy-concerns/75509337

[7] Ministry of Electronics and information technology, AarogyaSetu Bug Bounty Programme (for Android App), MYGOV ( 27th May 2020), https://static.mygov.in/rest/s3fs-public/mygov_159057669351307401.pdf

[8] Justice K.S.Puttaswamy(Retd) vs Union Of India And Ors 2017 SCC OnLine SC 996,

[9] State of Maharashtra v. Bharat Shanti Lal Shah (2008) 13 SCC 5

[10] India Const. art. 21

[11] In Ram Jethmalani & Ors. v. Union of India (2011) 8 SCC 1

[12] Supra note 3 at 2

[13] Directorate Of Revenue & Anr vs Mohammed Nisar Holia (2008) 2 SCC 370

[14] ibid,

[15] The Epidemic Diseases Act, 1897, ACT NO. 3 OF 1897, §21

[16] Supra note 3 at 2

[17] Uzun v Germany ( 2010) Applicationno 35623/05, IHRL 1838 (ECHR)

[18] Virender Gaur v State of Haryana (1995), 2 SCC 577

[19] Supreme Court of India Vs. Subhash Chandra Agarwal 2019 SCC OnLine SC 1459

[20] X’ v. Hospital ‘Z’, 1998 S.C.C. 296

[21] Bert-Jaap Koops et al., “A Typology of Privacy”, University of Pennsylvania Journal of International Law (2017), Vol. 38, Issue 2, at page 496

[22] Riley v California 573 U.S. 373 (USA)

[23] NM and Others v Smith and Others 2007 (5) SA 250 (CC) ( SA)

[24] Aarogya Setu Privacy Policy, AAROGYA SETU,https://aarogyasetu.gov.in/privacy-policy/ ( Last Visited: 23rd September,2020)

[25] Ministry of Electronics and Information Technology, The Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020, 1 ( 11th may 2020) https://www.meity.gov.in/writereaddata/files/Aarogya_Setu_data_access_knowledge_Protocol.pdf

[26] S and Marper v United Kingdom[2008] ECHR 1581

[27]Supra note 3 at 2,

[28] Bandhua Mukti Morcha v Union of India (1997) 10 SCC 549

[29] M Nagaraj v Union of India (2006) 8 SCC 212

[30] Dr Mehmood Nayyar Azam v State of Chhattisgarh (2012) 8 SCC 1

[31] BS We Team & Agency, Covid-19 ApplicationAarogya Setu mandatory for all employees, says Govt, BUSINESS STANDARD, ( May 02,2020), https://www.business-standard.com/article/current-affairs/covid-19-app-aarogya-setu-mandatory-for-all-employees-orders-mha-120050200435_1.html

[32] Apurva Vishwanath, Mandating use of Aarogya Setu Applicationillegal, says Justice B N Srikrishna, THE INDIAN EXPRESS, https://indianexpress.com/article/india/aarogya-setu-app-mandate-illegal-justice-b-n-srikrishna-6405535/ (Updated: May 13, 2020 11:37:10 am)

[33] 233 (2016) DLT 436

[34] ibid

[35] NASA v Nelson 562 U.S. 134 (2011) (USA)

[36] Shameer.P.S vs Union Of India WP(C).No.9923 OF 2020 (KER)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s