On 14 April 2020, during his speech on the extension of the lockdown in India, Prime Minister Narendra Modi urged citizens to download the Aarogya Setu app to supplement the state’s efforts in battling the COVID-19 pandemic. Its download was once pitched as a voluntary step taken by citizens, but a directive now makes this mandatory and failure to do so attracts criminal penalty. The ‘success’ of contact tracing apps in countries such as Singapore and China has been cited as a reason for the introduction of this app in India.
The pertinent questions which have been asked on the efficacy of contact tracing apps, and of the balancing of the right to privacy and the right to health are equally valid here. Most epidemiologists and health experts have emphasised on the importance of contact tracing in containing the speed of spread. However, for effective contact tracing we need to engender trust and respect human rights. Frameworks for contact tracing must be evidence-based and, more importantly, align with constitutional thresholds to the right to informational privacy. In this context, it is important to highlight the Indian Supreme Court’s holding in its landmark judgment K.S. Puttuswamy v. Union of India (the ‘privacy judgment’) where the apex court underscored the state’s obligation to ‘preserve the anonymity of the individual’ in order to ‘legitimately assert a valid state interest in the preservation of public health’.
The privacy judgment lays down five criteria which any technology must satisfy. First, it must have legitimate basis. Second, it must pursue a legitimate aim. Third, it should have rational nexus to the aim. Fourth, there must not be any less restrictive ways to achieve this aim. Fifth, it must outweigh the harm caused to the right owner. In the instant case, Aarogya Setu fails the very first prong of the proportionality standard because it does not have a legislative framework to govern its functioning and to ensure procedural safeguards. In the absence of a legislative guarantee containing a sunset clause, sensitive personal data collected by this app about the health and movement of a substantial number of the population could be misused for profiling and mass surveillance even after the COVID-19 outbreak is over.
In addition to lacking legislative basis, the app deviates from international best practices for contact tracing apps and fails to comply with data protection standards on these counts:
- Lack of consent. The use of the app cannot be considered voluntary after the Home Ministry’s directive. Therefore, there is no scope for people in certain zones to refuse consent or opt-out.
- Lack of Transparency. Unless there is publically available information about what processes and techniques are followed for aggregation and anonymization of the personal data collected by the app, it is impossible to ignore the justified worry of re-identification of the personal data collected.
- Lack of Algorithmic Accountability. The Terms of Service of the app exempts the government from any liability arising out of the misidentification of an individual’s covid-19 status. This is highly problematic as an individual can potentially lose their income and freedom of movement with little recourse in the event of a false positive.
While the success of the app is yet to be seen, it is pertinent for states to remember that any special legal or executive order to derogate people’s fundamental freedoms including the right to privacy is subject to the constitutional framework detailed above. The executive’s insistence on citizen’s downloading the app comes on the heels of a problematic, proposed personal data protection bill, and worrying instances of the use of facial recognition technology and drones. It is vital that states remember that digital rights cannot be revoked, even during a global pandemic.