The latest order from Ministry of Home Affairs (MHA), which makes it compulsory for all private and public sector employees to use the Aarogya Setu app, has raised red flags on not just privacy protection but also on the legality of the order. The order puts onus on employers to ensure 100 per cent compliance among employees. Any violation of the directive is penalised under Disaster Management Act, provisions of IPC and other legal provisions (including Epidemic Diseases Act in the current context).
Internet Freedom Foundation (IFF), a digital liberties organisation, recently sent a representation to the Prime Minister's Office co-signed by 45 organisations and over 100 individuals expressing concerns over violation of privacy of workers and transparency, among other issues. The letter was also sent to Ministry of Home Affairs, Ministry of Electronics and IT.
Backed by the government, the Aarogya Setu app has been rolled out by the National Informatics Centre. It has over 50 million downloads so far, according to Google Play Store .
Legality of the order
Legal experts believe that the move to make the app mandatory has no legislative backing. "The Union Government's attempt to make Aarogya Setu mandatory has not been done in any way that is legally known," says Alok Prasanna Kumar, Senior Resident Fellow at Vidhi Centre for Legal Policy. While the instructions to employers are vague and unclear, the same cannot be a base to impose criminal or civil liability on employers or employees for non-compliance. Further, given that Aarogya Setu is available only on smartphones and 60 per cent Indians do not have one, it is unclear on whom the obligation is being imposed, he adds.
While privacy concerns around data collection and data management are important, the provision to make it mandatory can only be imposed by an authority of law. "These aspects can be addressed once it's clear what is the legal base behind making the app mandatory for citizens," says Kumar.
Internet For Freedom points out the same concern, especially in the context of health data, while citing Supreme Court's verdict on right to privacy in 2017. "The judgement in Puttaswamy (Privacy) emphasised on the need for a data protection legislation to ensure that personal data was not used to discriminate against individuals on the basis of their health status. The Court further went on to note that the government may collect and process health data of individuals during epidemics to design appropriate policy interventions but such data must be anonymised."
With neither a data protection law in place nor a legislative backing to make the app mandatory, the corollary to it is again the concerns around transparency and security and data management.
Lack of transparency and security concerns
Minister for Information and Technology Ravishankar Prasad took to twitter, saying that the app was globally appreciated. "Aarogya Setu is a powerful companion, which protects people. It has a robust data security architecture."
While the government says the intention of the Bluetooth-based app is to protect and prevent the spread of COVID-19, Bengaluru-based advocate and a signatory to IFF representation, Vinay K Sreenivasa points out that the self-assessment feature defeats the purpose and is 'counter-productive'. "The app relies on users to update symptoms if a carrier is asymptomatic. It gives a false sense of security . From a public health point of view, it is disastrous," he says. He further adds that people might bring their guard down in public places with the false sense of security that app might provide, which is dangerous.
Data researches point out that 'consent mechanism', a crucial part of data protection, has been thrown out of the window. IFF representation makes an important mention around the lack of algorithmic liability. "The Terms of Service for Aarogya Setu exempt the government from any liability arising out of mis-identification of an individual's COVID-19 status. Therefore, individuals are left at the mercy of opaque algorithms which perform risk assessment and do not have any remedy in case of false positives. If gig and platform workers were falsely identified as high risk individuals by Aarogya Setu's algorithm, they would be required to self-isolate and lose their income and freedom of movement," reads the representation.
Srinivas Kodali, an independent researcher working on data and governance, points out that since the source code of the app is not publically available, it is difficult to verify the purpose for which the app is used. "Countries like Singapore have done it, where the app, its source code and the protocols that they are using have been made publicly available. Why can it not happen in India?" he questions.