The Application Infringes Privacy

Privacy is of paramount importance in the days of technological advancements as any person can gain access to the personal information of a person online and know about them.[i] In the case of Kharak Singh v. State of Uttar Pradesh[ii], the supreme court held that the term life in right to life, is more than mere animal existence. It extends to all aspects/ limbs/ faculties which make life enjoyable. By forcing people into getting tracked all the time, it is taking away their privacy as well as it puts a hurdle in their enjoyment of life.

In Maneka Gandhi v. Union of India [iii], gave a new turn to the interpretation of Art 21 and held that right to life apart from being a physical right includes right to live with human dignity as well. Mandating the use of the app,for public sector employees takes away that right from a person and hence, mocks the spirit of a democratic country.

In Bandhua Mukti Morcha v. Union of India [iv], Bhagwati J. observed, the right to live with dignity derives its root from the directive principles of state policy (Article 39, clause (e) and (f)) and therefore, it must include conditions of freedom and dignity and also states that no state has the power to take this away from its citizens.

The use of the app must not be achieved by force, but only by implementing a trustworthy system that would respect people's privacy and must be voluntary in nature.The duty has been given to the head of the organisation to ensure all employees download this app [v]. Voluntariness enhances the trust in government.

To invade the privacy of an individual, there needs to be a legitimate state aim. However, we should keep in mind Maneka Gandhi's [vi]judgment which made it clear that the procedure established by law to take away a fundamental right must not be arbitrary. The order mandating the use of the application, Aarogya Setu for public employees, takes away the right of a person to decide and control the use of the information about him.

He is forced to give away data to a system that he may or may not approve of, thereby attacking his right of information autonomy. Autonomy guaranteed by the Constitution of India also grants individual freedom not to take part in activities he does not approve of.

Data Is Not Secured

The most concerning thing is the fact that the app tracks the location and bluetooth which has been deemed avoidable because it can create false positives or incorrect data, for example- If a man is on the first floor and the other one is on the second, the Bluetooth would show they're together, even though they're on different levels of the building.

The Aarogya Setu App allows the uploading of the user's data to a server [vii]which is owned by the government, and it is supposed to provide data to people who would be carrying out administrative and medical functions. Although the data has been encrypted, unless there's a very strong encryption framework for both data as well as network security, it'd be subject to vulnerability. The exchange of information between devices adds to the vulnerabilities of the app and the possible points of attack for malicious actors.

The response data that contains personal information may be shared with various institutions/ departments/ authorities of the government[viii], therefore, there is no clarity as to which Government Department would be accessing the data, which will lead to concerns of possible State overreach.

Compulsory Instructions To Use The Application For Public Sector Employees Go Against The Ratio Propounded In Justice K.S Puttaswamy And Anr. Vs Union Of India.

The most important case with respect to data protection is Justice KS Puttaswamy (Retd.) & Anr. v. Union of India & Ors which overruled M.P. Sharma [ix]and Kharak Singh [x]judgments and held that right to privacy is a fundamental right. Under the aforesaid judgment, for the invasion of the right to privacy, there is a need to fulfill the threefold criteria.

Threefold Criteria Standard For Determining Whether A Violation To Fundamental Right Of Privacy Is Justified Or Not, Has Four Checks:

1. Legality:

   The law must originate from the legislature and should not be imposed without a law that backs it up. .The government's action of making it mandatory came from The Disaster Management Act, [xi] which has an umbrella clause where it permits the government to issue guidelines and directions in situations like this but the clause is a very generic one, it doesn't specify the conditions, circumstances, manner, limitations under which the government can infringe the fundamental rights of citizens.
   
   The puttaswamy judgment states that the right to privacy can be taken away by a state only when it has a legitimate purpose and therefore, the President should pass an ordinance with respect to this[xii].The NDMA cannot be such a law because it is highly generic in nature and is likely to be misused. A law that authorises the violation of rights and it must be explicit, detailed, specific, and must mention the extent, basis and safeguards with respect to such infringement.
   
   

2. Legitimate State Aim/ Necessity:

   In the present case, the legitimate aim and the need could be- firstly, to identify the Covid-19 suspect and secondly, to do contact tracing of the suspected person, which in the present time can be said to deal with the epidemic. To achieve the aim, there must be a large smartphone base consisting of at least 60-70% of the population,But according to the India Internet 2019 report by IAMAI and Nielsen[xiii] smartphones lie significantly below this benchmark range.
   
   Thus, there is no concord between the aim which the State considers as legitimate and the policy which is implemented, thereby failing the second test. Effective contact tracing is only possible if: there exist large-scale testing capacity and less spread. The results would be possible if each and every citizen of India downloads the app and uses it.
   
   

3. Test Of Proportionality:

   The T and C [xiv] clearly states that the government can neither be held liable for inaccurate identification of infected persons, and nor in the event of any unauthorized access to the [user's] information or modification thereof. This raises the suspicion as to why the government can't guarantee the correctness and security of information released by it.
   
   More surprisingly clause 2(a), which provides that the information obtained from the individual will be used by the government only in anonymized, aggregated dataset' for statistical visualization to manage COVID-19. However, that personal information can be shared to other necessary and relevant persons to carry out other necessary medical and administrative interventions'. After the deletion of the app, an individual's data would be automatically deleted after 30 days, but what would happen to the data that has already been stored in the server is unclear.
   
   
   • Essentially, this app clearly comes without convenient procedural safeguards. Moreover, the current provisions also fail to preserve harmony between the two angles of dignity- privacy and autonomy on one hand, and the ability to live a dignified life, on the other. Thus, the whole policy framework of this app is nothing but a mere illusion, which completely fails the proportionality test.

Other Concerns Related To The Application With Respect To The Privacy Judgment

1. .Concern: Data Minimisation:
   The goal must be to gain maximum benefit with minimum information collection. Justice The app must collect data that is absolutely necessary for carrying out the functions of the app. No analysis explains why location is collected every 15 minutes or during Self Assessment for contact tracing.Justice Chandrachud in the privacy judgment also stated that Personal data collected by data controllers should be adequate and relevant for the purposes for which it is possessed and the same was stated in the Report of the Group of Experts on Privacy' [xv]as well. The app also asks for a person's profession, which seems avoidable. Necessity must be observed while collecting data for contact tracing.
   
   
2. Concern: Anonymisation:
   The policy states that the data will be anonymised but it doesn't mention the standards of anonymisation. Proper anonymisation techniques are required to prevent the re-identification of the user's data Heath data comes under the area of sensitive information and as Puttaswamy judgment mandates the health data should be used only after it's anonymised.
   
   
3. Concern: Storage of data:
   The storage of the data creates ambiguity concerning the time frame for which it will be stored and 45 and 60 days period is too long and unnecessary for the retention of data. Timelines should be as per medical relevance and realistic.As per the Report of the group of privacy experts' [xvi]Justice Chandrachud observed that the personal information that is retained should be destroyed as per the identified procedures. It is imperative that the data is purged in time to prevent the risk of security.

Conclusion
As it's evident from the above points the Aarogya Setu app doesn't conform to the threefold criteria that need to be fulfilled to justify the invasion of the right to privacy, moreover, this app violates the privacy of individuals. We need to make sure that rights and technology should go hand in hand. It should always be remembered that it is rights which help us to live with dignity and fulfill our potential. Such coercive and forcible derivation of personal information from an individual is unheard of in a democratic and republic nation and it is a characteristic of a dictatorial system. Therefore, the app should not be mandatory for any group of people.

End-Notes:

1. Corey Ciocchetti, Just Click and Submit: The Collection, Dissemination and Tagging of Personally Identifying Information, 10 VAND. J. ENT. & TECH. L. 553, 556 (2007-08)
2. AIR 1963 SC 1295.
3. 1978 AIR 597
4. 1984 AIR 802
5. Ministry of Home Affairs, New Guidelines on the measures to be taken dated 1.05.2020, GOVERNMENT OF INDIA (Jun. 24, 2020, 6:40 PM), https://www.mha.gov.in/sites/default/files/MHA%20Order%20Dt.%201.5.2020%20to%20extend%20Lockdown%20period%20for%202%20weeks%20w.e.f.%204.5.2020%20with%20new%20guidelines.pdf.
6. 1978 AIR 597.
7. Aarogya Setu Privacy Policy 1(c).
8. The Aarogya Setu Data Access and Knowledge Sharing Protocol 2020 6(a).
9. 1954 AIR 300
10. 1963 AIR 1295
11. The Disaster Management Act 2005 10
12. INDIAN CONST. art 123
13. Dr. Amitayu Sengupta, India Internet 2019, 15 IAMAI 6 (2019)
14. National Informatics Centre, Aarogya Setu Terms & Conditions, GOVERNMENT OF INDIA (Aug 16, 2020, 03:40 PM), https://aarogyasetu.gov.in/terms-conditions/
15. Planning Commission of India, Report of the Group of Experts on Privacy, (Oct.16, 2012), https://www.dsci.in/content/report-group-experts-privacyconstituted-planning-commission-india