The Aarogya Setu mobile application has generated controversy given its propensity to violate the privacy of its users. The author traces the problems with the use of the application and calls for data protection before any such app can be made mandatory.
KERALA has unarguably been the most proactive state government in controlling the spread of the novel coronavirus. The first Indian state to report a positive case, it has successfully been flattening the infection curve. While Kerala’s COVID-19 fight has been exemplary, it came at an apparent cost – the privacy of its citizens. Is it worth it?
Kerala HC hears petition fearing data leak
A plea has been filed before the Kerala High Court, alleging that hospitals treating Covid-19 patients leaked these patients' personal details to private players.
The petitioner, Himdad P. Aboobacker, stated that he was contacted by a private entity based in Bengaluru shortly after having given his contact number to a Kasargode hospital. In his petition, he alleged through this fact that hospitals treating Covid-19 patients were divulging information of these patients to private firms, violating their right to privacy.
Though the petitioner himself had not been affected by the virus, his counsel Advocate Mathew Kuzhalanadan said that he had aided a diagnosed Covid-19 patient through the admission process for treatment in a Kasargode hospital. Here, he was required to give his contact number to the hospital. He also stated that his friend who was admitted for treatment was called from the same number as well.
The Government Pleader on Tuesday told the court that, given the serious allegations raised, he would obtain a report from the District Collector and file a statement. The bench, consisting of Justice Shaji P. Chaly and Justice Ashok Menon, adjourned the matter to May 11, when the state government is expected to file its reply to the contentions made in the petition.
Congress leader challenges mandatory use of Aarogya Setu
More recently, a Congress leader moved the Kerala High Court with a writ petition challenging the constitutionality of the Centre’s directive to make mandatory the use of the Aarogya Setu App. The petition highlighted two central government notifications which made the use of the mobile application compulsory, first for Central Government Employees, and later for all employees, both private and public. As per the directives, failure to use the application would attract penal consequences under the Indian Penal Code and the Disaster Management Act.
The much-criticised Aarogya Setu App, developed by the National Informatics Centre, was released on April 2nd this year. Using the smartphone’s Bluetooth and GPS applications, it keeps a record of other app users the user came in contact with and alerts the user when any of those contacts tests positive for COVID-19. It also keeps a GPS log of the places the device has been, at 15-minute intervals. In light of these facts, the petitioner stated that the order mandating the installation of the app would severely dilute the principles of privacy and personal autonomy. In his own words:
“… mandating the use of the application, Aarogya Setu, takes away the right of a person to decide and control the use of the information pertaining to him. He is forced to give away data to a system which he may or may not approve of, thereby attacking his right of informational autonomy. Autonomy guaranteed by the Constitution of India also grants an individual freedom not to take part in activities he does not approve of.”
The petitioner further contended that users of the application were not informed of the persons and entities who would have access to their sensitive personal information. This violates the requirement of informed consent, which was stated by the Kerala HC itself as a precondition to collecting data.
The court has fixed the next hearing for May 12th, when the central government will file its response to the petitioner’s challenge.
This is not the first time Kerala has been on the receiving end, in courts and otherwise, since the pandemic began. The Congress-led Opposition had attacked CM Pinarayi Vijayan, alleging that his government had breached the privacy of its quarantined citizens by contracting with US-based Sprinklr Inc., whose software is used to track and control the spread of the virus. After a brief, heated political row, the Kerala High Court passed an order on 24th April, allowing the continued use of the software in a manner that would not jeopardise the right to privacy. The court specifically directed the state government to anonymise the collected data, to inform citizens that their data would likely be accessed by third parties, and to obtain their specific consent to that effect.
One petition alleges that government hospitals collecting data of COVID-19 patients were distributing them to private firms elsewhere, without their knowledge or consent. The other challenges mandatory use of an application that collects personal information of millions of citizens, with little transparency on the inner workings of the application itself. This brings the pressing issue of data privacy back into the limelight. The central and state governments are collecting, tracking, and aggregating data about individuals affected by the pandemic in order to contain the rapid spread of the virus. However benevolent the State may be in doing so, the right to privacy cannot be compromised.
Revisiting India’s data privacy law
To fully understand the contentions made by the petitioner, a look into India’s present framework governing privacy is necessary. Through this, one can also check whether the state government’s actions fit into this framework.
Our privacy jurisprudence has equal contributions from the judiciary and the Parliament. The Supreme Court in its landmark Puttaswamy judgement made itself undeniably clear on this matter, stating that the right to privacy was a fundamental right, inherent in the right to personal liberty under Article 19 of the Indian Constitution.
The Lok Sabha, through the Personal Data Protection (the “PDP”) Bill introduced in December 2019, sought to establish a regulatory framework for the collection and use of personal data. Section 3(21) of the Bill defines “health data” as data relating to the physical or mental health of the data principal, i.e. the owner of the data. It includes records regarding the state of health of the data principal and data collected in the course of registration for or provision of health services. Section 3(36) characterizes this data as “sensitive personal data”. Other provisions of the Bill specify the situations under which such data can be collected with and without consent, and the rules to be followed in doing so. However, the PDP Bill is yet to be enacted, and its rules and regulations cannot be enforced presently.
The relevant law currently in force is the Information Technology Act 2000 (the “IT Act”) read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the “SPDI Rules”). This law specifically provides for the protection of personal data in India. Like the PDP Bill, Rule 3(iii) of the SPDI Rules classifies personal information relating to the physical, psychological, and mental health of a person as sensitive personal data.
Rule 5 of the SPDI Rules spells out some guidelines to be followed by persons collecting personal data:
Legal Necessity – Sensitive personal data can only be collected for a lawful purpose connected with the functioning of the body corporate (defined in Section 43A IT Act) or its representative, and only where such collection is necessary for that purpose.
Citizens should be Informed – The data principal should be aware of the collection of the information, the intended purpose of the information, the intended recipients of the information and the name and address of the agencies collecting and retaining the information.
Obtain Consent – The body corporate or its representative must obtain consent from the provider of the sensitive information.
Protection against Misuse – The body corporate holding this sensitive data should use it for the intended purpose only, and should not retain the data for longer than is required for the intended lawful purpose.
Do desperate times call for desperate measures?
The debate at this juncture is between individual privacy and the larger public good; one an inalienable fundamental right, the other a matter of survival. The law carves out a clear exception in the otherwise inalienable right to privacy – a public health emergency. It does not prohibit the State from collecting the personal information of patients when such information would prove beneficial for the greater public good, which, today, is the fight against the deadly coronavirus.
But this right of the State is not unfettered and must be controlled to prevent misuse. Rule 5(1) of the SPDI Rules explicitly requires consent as a precondition for collecting data. The Kerala HC itself, in its ruling on Sprinklr, held that citizens should be informed and their consent taken before collecting and distributing their personal information.
Asking this of the government is not difficult either. Patients and persons accompanying them are required to furnish their contact details as standard protocol before being admitted and treated. Adding a checkbox asking patients to indicate whether they consent to have their information collected, aggregated, and disseminated would amount to compliance with Rule 5 of the SPDI Rules. It would be as simple as reprinting the admission forms, protecting patients’ privacy while acting in the public interest.
As for the fears surrounding Aarogya Setu, the app should be accompanied by a user manual clearly explaining how the software works, the data collected, and the entities having access to it.
Further, mandating the use of the application is not necessary. The app merely traces contacts and does not detect positive cases. The threats of mandatory use of the app outweigh its benefits. The application is not a sure-fire cure, and states should instead focus on increased testing and implementing social distancing through other measures.
The road ahead
The right to free movement is a fundamental constitutional right, which has been restricted in order to contain the coronavirus. Similarly, the government should be allowed to act in the best interests of its people, even if it means a temporary suspension of the right to privacy.
However, a pandemic need not mean a complete overhaul of fundamental rights. The State must do its best to retain as much of its people’s rights as is possible. Collecting and circulating patients’ personal information for achieving a legitimate goal is necessary; doing so without their consent and imposing penal sanctions is an unjustifiable infringement of their privacy. In its fight against COVID-19, the State needs to take that extra step to ensure that it does not place the fundamental right to privacy under lockdown.
(Author is a second-year law student at National Law University, Delhi)
Note: This is an opinion piece, and the views expressed are the author’s own.