Updated: Jul 4
Author: Prakhar Vashisth, Vivekananda Institute of Professional Studies
As the country manages to keep steady over the COVID-19 pandemic, there is an expanded obligation on governments to productively manage this general well-being crisis, in a way that is least prohibitive towards the social liberties of its residents. The use of technology as a part of disaster-response cannot be dismissed, but the regulative lacunae in India concerning the use of such technology means one must continue with caution.
The Indian government is working to combat the unprecedented epidemic caused by COVID-19. On April 3, 2020, the Ministry of Human Resource and Development sent a notification to students, educators, and citizens to download the 'Aarogya Setu App'. It is a contact tracing application created to assess the spread of Covid-19. It estimates the risk based on the user's communication with others, using cutting edge Bluetooth technology, algorithms and artificial intelligence.
The Indian Prime Minister requested that every Indian citizen download the mobile application on April 14, 2020; the government has been pressuring its population to download the Aarogya Setu application on their mobile phones. In just thirteen days, it became the world's fastest downloaded app, with 50 million downloads. However, it is crucial to mention that our country only has 60% of the mobile phone subscribers. According to statistics, India has around 449 million mobile internet users out of a population of 1.35 billion people.
Working of the App
To begin, the user must download and install the "Aarogya setu" programme. For Android users, the app is accessible on Google Play, and for IOS users, it is available on the App Store. After installation, the user must register by giving his or her mobile phone number. Continue with the registration by entering the one-time password in the application. The user's registration is only complete after he or she fills out several questions that ask for personal information. In addition, the user will be required to reveal their history. Finally, the user must complete his or her self-assessment exam by answering health-related questions based on his or her willingness to volunteer.
This programme will notify you if you have come into contact with someone who has tested positive for Covid-19, even if it was accidental. The warnings also provide information on how to self-isolate as well as where to seek help and support if symptoms arise. If the nearest user has been tested positive, the software locates the nearest mobile phone with the app loaded and analyses the danger using AI algorithms.
Issues raised against the App
The existing law's provisions, which include the Information Technology Act of 2000 and the Information Technology (Reasonable security practices and systems and sensitive individual information or data) Rules of 2011, are insufficient to address the current situation. One of the major disadvantages is that it only applies to business organisations and not to the government. The right to privacy is enshrined in Article 21 of the Indian Constitution and is enforceable against the government; nevertheless, we do not have a separate legislation.
Support groups claimed that the legislature is utilizing the application for mass surveillance because of the non-availability of any enactment around privacy. Legal specialists focused on the requirement for a person's Data Protection law to back the government's judgment to make the application obligatory. Retired Supreme Court Judge B.N Srikrishna, who chaired the advisory council that drafted the first draft of the Personal Data Protection Bill, described the administration's drive for its use as illegal. Especially with an expanding user base, the chance of information being imparted to the outsiders was perhaps the greatest reason for concern.
An ethical hacker named Elliot Alderson has recently confirmed that breaking through the application's protection features is not at all difficult. He obtained the information from the app’s server, discovered movements in India, ascertained who was infected with COVID-19, and conveyed these points to the Government of India. Anyone interested can know who is infected in a city of his choice, within the country. Unconcerned, on May 6, 2020, the government responded to Elliot Alderson with a message that asserted “no private data of any user is shown to be at risk”. The app collects a vital amount of private and delicate data, which does not conform to the data minimization principle.
Furthermore, by examining the app's cryptic terms of service, the government may be able to use it to restrict people's freedom of movement. The government has made it mandatory for employees to have this application on their mobile phones. This means that if an employee does not download the app, he or she will be denied access to the workplace. This would have a significant impact on individuals, particularly the most vulnerable members of society, and would deprive them of their entitlement to basic utilities.
"Privacy" is a unique concept that has been endeavored to be clarified however, has still not been characterized thoroughly. With the adjustment in time and cutting edge innovation, the idea of privacy has seen serious transformative stages. Thinking about the Indian situation, said idea has not been explicitly referenced as a key right.
The first case in which it was disputed whether privacy is a fundamental right or not was M.P. Sharma v. Satish Chandra 1954 SCR 1077 in which it was decided that the right to privacy is not a fundamental right. In the case of Kharak Singh v. State of Uttar Pradesh 1964 SCR(1) 332, this was also reiterated. However, after eleven years, the Supreme Court held in Gobind v. State of Madhya Pradesh AIR 1975 SC 1378 that the right to privacy is inherent in Article 21 and backed by individual freedom. The experimental COVID-19 tracker application has been attacked based on several concerns including security, data protection, and legal concerns.
Due to the absence of a comprehensive data protection legal framework in India, the only reliable criteria are the standards propounded in the case of Justice KS Puttaswamy (Retd.) & Anr. v. Union of India & Ors, under this judgment, for intrusion of right to protection there is a need to satisfy the criteria laid down in this judgment:
1. Legality: Despite the lack of an Aarogya Setu Regulation or Law, we may infer its legality from Section 35 of the Disaster Management Act of 2005, which provides the Central Government broad authority to take actions it deems necessary.
2. Authentic state aim: In this situation, the authentic point might be, first and foremost, to identify the Covid-19 suspect and, second, to maintain touch with the assumed individual, who is now dealing with the epidemic. Aarogya Setu App is the state's arrangement that has brought us to this point. To fully comprehend the argument, a large mobile phone base of 60-70 percent of the population is required, but this is not the case.
In essence, this software appears to lack appropriate procedural protections in terms of monitoring and the inaccuracy of the data collected to keep track of sick persons. Furthermore, current regulations fail to maintain a balance between the two components of dignity, namely, privacy and liberty on the one hand, and the desire to live a decent standard of living on the other.
It can be very well concluded that the Government's aim behind the application's introduction may be acceptable, as to monitor the spread of the virus-infected persons but the government’s weak record on secrecy, the absence of clarity, and the inadequacy of data protection laws have led to serious problems.
The App appears to be in violation of data protection and privacy regulations, and the government must correct this as soon as possible. In addition, the administration must define how GPS and Bluetooth operate for contact tracking in a way that does not violate personal rights. The right to privacy cannot be completely eroded in the face of such a public catastrophe. Governments must find a medium ground to protect individuals' health and privacy rights.