over Centre's Aarogya Setu app; legislation with 'sunset clause' can curb potential misuse

As countries around the world are fighting COVID-19, old systems are being repurposed using new technology with one such system being that of contact tracing. It entails identifying those who are infected with disease, advising them to be under self-quarantine and tracking down all those whom they have been in contact with to prevent the disease from further spreading.

Ordinarily, this is done through the interview method, however, given the shortage of personnel, the rapid and unexplained pace of the virus's growth as well as the likelihood of inaccurate information given by any subject, technological solutions are being looked at across the globe.

The Indian government has addressed this by creating the Aarogya Setu app.

How does it work?

The app generates a unique ID for each user and it keeps track of all other IDs coming in contact with it and the GPS location and time of said contact.

The idea being that if the Bluetooth of two phones is connecting, if one individual is found to be infected then the other individual is at a potential risk of infection.

What are the concerns?

Given the sensitive nature of data involved and the mandatory prescription for using the app, concerns about privacy violations have been raised. The Supreme Court in the 2017 Puttaswamy judgment reiterated that the Right to Privacy is a fundamental right and laid down the proportionality test to assess any State restriction imposed on said right.

The proportionality test comprises these aspects: First, it must have a legislative basis and a legitimate aim must be pursued. Second, it should be a rational method to achieve the intended aim. Third, there must be no less restrictive means which can also achieve the intended aim (necessity). And fourth, the benefits must outweigh the harm caused to the right holder.

While independent arguments can be raised negating the fulfilment of each of these prongs, it is clear from the outset is that in the absence of any legislation governing this app, the criterion is not met as all these conditions have to be satisfied for the test to be fulfilled.

In addition, basic principles of data protection such as data minimisation, purpose limitation, transparency and accountability are not fulfilled. The inclusion of other services such as the PM-Cares Fund laughs in the face of the purpose limitation and scares many privacy activists of this evolving into another Aadhaar where the root purpose is needlessly clubbed with derived purposes.

The extensive personal information that the app secures is against the norm of data minimisation. In addition, the privacy policy of the app does not mention the relevant department with which the information may be shared.

Lastly, in the absence of any governing legislation, the terms of service and privacy policy play fast and loose with the data retention issue.

On to the technology, there is a possibility of false alarms as proximity does not indicate probability. Bluetooth would exchange the Unique IDs even if two people walk past each other within a certain range, while maintaining all necessary precautions, as well as people who may be sitting across different rooms and different floors. If one is found to be infected, all the concomitant user IDs would be incorrectly identified as potentially being infected.

How can this be addressed?

In the absence of a data protection legislation, there is a necessity to ensure that the government at the very least passes a legislation and if not an ordinance, which works in consonance with the principles laid down in the Puttuswamy judgment as well as those stated by Sri Krishna Committee Report on Data Protection.

Any legislative instrument should have a definite sunset clause, giving a prospective time period for how long the data acquired will be placed on the government cloud servers and of its subsequent deletion.

In doing so it would ensure that the element of parliamentary accountability is brought into effect. In the interim period, a judicial oversight committee should be formed as has been done by the government in South Africa.

Furthermore, if the raucous response (however delirious) by the masses to the prime minister's addresses is reflective of anything, is that unlike other countries there is an immense degree of faith in the Central leadership in India.

For the app to work it must be adopted 50 to 70 percent of the relevant population, thus transparency is key for having continued faith in the governments initiatives.

As contact tracing techniques will be critical in ensuring that the virus's resurgence is curtailed when the lockdown is eased, thus what the application also provides is an opportunity to have a new conversation on the usage of data.

One approach could be with the government having an open dialogue focusing on the usage of this app for public health, patients and lastly citizens. All essential aspects but each of a different nature.

Public health would focus on why this app needs to be used; its relevance in ensuring that finite resources that are being used most effectively in dealing with this pandemic.

From the patient's perspective, contact tracing could help patients in ascertaining how to address issues such as seeking care and ensuring access to health care providers. This would help them in addressing their worries in terms of how to deal with the virus.

Finally, the citizen perspective is relevant in having community-level strategies as has already done by the identification of different zones (Green, Orange and Red).

On a micro level this could help in collective curve flattening with the GPS information being collected used to develop community strategies. However, the caveat being that the personally identifiable information that the app presently collects is not clubbed with it. Instead the app should only state that a COVID-19 patient was there.

With respect to the Bluetooth technology, app developers could incorporate a user interface which would state that one is within a range of device XYZ, whether this is an infection range (Y/N). In the event of any false alarms, they can simply be clicked away. Better yet, the app design could invite people to add a nickname and a photo so that contacts could see who they are.

Conclusion

A judicial inquiry in this issue seems unlikely at this stage and if the Supreme Court's verdict in the Anuradha Bhasin (Kashmir lockdown) case is anything to go by, it's clear that they are strongly advocating for the separation of powers doctrine in national security matters, by ensuring that the executive carries out a constitutional review of its actions.

The app is here to stay and likely to be critical in policy decisions.

While the Indian government has had a dodgy history when balancing between privacy and national security, this is an opportunity to show their belief in the rule of law even in the midst of a pandemic by engaging in some innovative thinking.

Firstpost