It is now mandator for people in containment zones as well as government and essential service workers to download the Aarogya Setu app for obtaining information related to the pandemic. But there is a growing concern among citizens with regards to the immense amount of data and information that the app demands and extracts, and the legal ramifications of the same.
Privacy law in India, read in the light of the recent KS Puttuswamy judgement, regard Privacy as being central to the dignity of an individual and an integral part of the Fundamental Right of Life and Liberty. There are three conditions that a law needs to fulfill for it to pass the privacy safeguards test. First, it must be a legitimate governing law. Second, it must have a defined aim and thirdly it must take measures proportionate so as to the aim to be achieved.
Anonymity in collection of data for purposes of research and policy making is an established practice and does not violate privacy safeguards. Therefore, a medical scientists working for the government may collect data from hospitals to further research so long as the data is anonymous and indiscriminate. Therefore, the Aarogya Setu app can collect data as far as the data remains anonymous in nature. Although the guidelines of the app ensures anonymity, concerns still exist because the app asks for your geolocation to be linked with your age, sex, phone number and profession.
Another caveat in this discussion is that most applications which require personal data or information obtain said information on a consent basis. Every app asks for permission from the user to access their data in whatever capacity required. But the Aarogya Setu app is fundamentally different, as its mandatory nature does not ask for consent, and thus the absence of a consensual sharing of information might deem the law violative prima facie.
In a recent twitter thread by French ethical hacker Elliot Alderson, it was revealed that it was remarkably easy to gain access to the information collected by the application including geolocation and personal details.
Moreover, the application guidelines contain the line “agrees and acknowledges that the Government of India will not be liable for…any unauthorized access to your information or modification thereof.” Therefore, the government holds no accountability or liability if the information lands into the hands of a third party app or a bad actor who may misuse it.
It is clear that the invasive nature of the Aarogya Setu app raises grave concerns of privacy, and it must be seen with suspicion and skepticism. During a pandemic of this magnitude, it is relatively easy for the government to exploit the worried and paranoid population, and this application can become an effective tool for the government to get access to information which may compromise the privacy of millions of citizens.
It is incumbent on the courts to regard this matter as being of utmost importance and must limit the excesses of the app which violate existing Privacy jurisprudence in India.