Devansh Kaushik

The Aarogya Setu in its current form vitiates Right to Privacy under Article 21. A “Data Trust” would be an appropriate policy intervention to satisfy the test under Puttaswamy, as an enduring yet flexible procedural safeguard, thus reconciling privacy and public health during a crisis.

This is 11th piece in our COVID19 Series

Introduction

Consider the following views – “No system of mass surveillance has existed in any society that we know of to this point that has not been abused.” (Edward Snowden). “If the people cannot trust their government to do the job for which it exists – to protect them and to promote their common welfare – all else is lost.” (Barack Obama). The quotes are of two people quite at odds with their views on privacy. Yet, I seek to locate this article on the Aarogya Setu App, in the context of both these views.

Throughout the world, there currently exists a ‘state of exception’ in governance. In face of an unprecedented health crisis, the citizenry has willingly gone into a literal lockdown, consenting to sweeping restrictions on its freedoms and privacy, which mere months ago would have been unacceptable. The Indian government is now urging people to voluntarily download a surveillance application which continuously monitors an individual’s movements and records the people he/she comes in contact with. The choice being presented is between privacy and health. Yet, activists and watchdogs voice concerns, pointing towards the short step between this crisis response and institutionalized surveillance of individuals.

In this article, I argue that that a false dichotomy between Privacy and Health has been created around Aarogya Setu (hereinafter “The App”). Protection of Privacy and Public Health surveillance, are both legitimate claims which should be reconciled through appropriate policy interventions. While the existing statutory framework in India is lacking in effectively governing the App, the government is bound by constitutional limitations as per the interpretation of Right to Privacy under Article 21 by the Supreme Court. I propose “Data Trusts” as an appropriate data-governance model for this purpose.

The Context: Not Unprecedented

Throughout history, it has been in times of crisis that countries have seen government overreach which ended up creating a crisis on its own. False dichotomies created to justify executive overreach are not unprecedented. The United States saw it post-9/11, with the Patriot Act, while India saw it with surveillance systems such as NETRA and CMS coming up post-26/11.  Then a similar dichotomy between ‘Privacy versus Security’ had been created.

For most of the populace, the App is as of now non-mandatory, though it is being made progressively compulsory for govt. employees  as of now.  But if one considers the precedent of Aadhaar and the manner in which it was implemented, and some of app’s upcoming features such as E-Passes, it is only a matter of time that exiting the state of lockdown becomes contingent on it. There are indications of the app being extended to feature phones, becoming compulsory for availing services, travelling, adhering to quarantine, accessing rations, medicines etc. Such a “mission creep” has already been observed in China with grave consequences on civil liberties.

The Present Legal Framework

With the Personal Data Protection Bill, 2019 still pending before Parliament, India currently lacks a comprehensive data protection regime. The only other relevant legislation is the Information Technology Act, 2000, along with the IT (Reasonable Security Practices, Procedures and Sensitive Personal Information) Rules, 2011. However, their applicable provisions have limited scope, are more tailored towards compensating individual breaches of privacy by body corporates. They do not lay down any framework for a state intervention.

The statutory framework is thus non-existent. But there do exist constitutional limitations. In Puttaswamy, a 9-judge bench of the Supreme Court recognised the Right to Privacy as a part of the Right to Life and Personal Liberty, under Article 21 of the Constitution. This right can thus be encroached only by procedure established by law, which has to be just fair and reasonable, as held in Maneka Gandhi v. UOI.

In the same judgement, Justice Chandrachud (writing for 3 other judges) laid down a 3-fold test for a legitimate encroachment on Privacy- (1) Legality – There must be a law in existence to justify the encroachment; (2)  Legitimate Aim – the intervention must be for fulfilling a legitimate state interest; (3) Proportionality – the encroachment should not be disproportionate to the purpose. Justice Kaul in his concurring opinion went further to add a fourth element -Procedural Safeguards, to prevent abuse of the state intervention.

The court also expressly addressed the position during a public health crisis. It observed that if the State preserves the anonymity of the individual, it could legitimately assert a valid state interest in the preservation of public health to design appropriate policy interventions (emphasis supplied). More importantly, it also cited several cases discussing how an invasion into people’s privacy vis-a-vis health records can lead to tremendous discriminatory outcomes.

Testing the App

The App collects information through self-assessment tests filled by the users, Bluetooth contact and locational data. The information is anonymised through a Device Id (DiD) hash and is uploaded to the government server when the user tests positive or is deemed likely to be infected (by the self-assessment test).

While the personal information is not to be retained after a fixed time period, the same does not apply to anonymised and aggregate data. It can be shared with any persons engaged in carrying out medical and administrative interventions, as per the app’s privacy policy. Its terms-of-use however completely waive government liability in case of a breach and prohibits anyone from reverse-engineering the app to view its source code. These restrictions raise accountability concerns.

The App exists in a legal limbo. It is not backed by any law, ordinance or regulation, though it is run by the National Informatics Centre under the Ministry of Electronics and Information Technology. The ‘Legality’ standard under Puttaswamy is thus failed. While there does exist a legitimate aim i.e. – preservation of public health, the proportionality of the measures being envisaged under the app can be challenged. The fourth standard of procedural safeguards is also violated as there is broad discretion conferred on the government for using the data, without any accountability mechanism.

The App and its policies in their current form, thus clearly violate Right to Privacy under Article 21. This requires a policy reform. It is pertinent to note that conventional checks on executive overreach are impaired in present circumstances, with Parliament adjourned mid-session, and a judiciary still transitioning to virtual hearings and hearing limited matters.

The False Dichotomy between Health and Privacy

The App draws inspiration from similar contact tracing apps successfully deployed in Singapore and South Korea. The utility potential of such data analytics cannot be denied. It can potentially track infections, identify hotspots, guide containment and testing efforts, and assess success of interventions. Even taking into account the comparatively limited smartphone permeability in India, such broad-sourced data should provide some guidance to policy makers.

It is equally true that the nature and quantum of data collected can potentially be abused to target individuals. There is sufficient research to show even vast anonymous datasets can be re-purposed and re-identified. Communities and specific classes of people can be targeted using aggregated data.  There are already indications of testing of AI and data science analytics, with the involvement of the private sector in India, which exacerbates concerns. Not to mention that the knowledge of a person being infected can invite social stigma and discriminatory outcomes, as has already been observed.

The question that arises here is that is there an unavoidable trade-off? Is creating this dichotomy, in order to get compliance from the citizenry, actually the best policy for the government?

For the government response to the outbreak to succeed, it is essential that its policies should inspire public confidence. For successful contact-tracing, at least 56% of the populace need to use the contract tracing app. Public cooperation is further needed for self-isolation and the self-assessment tests. The data-subjects need to trust the system in order to drive voluntary adoption. If they fear victimisation and privacy violations, they will not participate. Surveys have also found a positive correlation between public trust in government and a country’s ultimate effectiveness in combating the pandemic, across the world. If the recent attacks on health workers are taken as any indication, the government’s efforts are already viewed with a degree of suspicion by sections of the populace, who feel targeted.

Data Trusts as a Suitable Data-Governance Model

There is plenty of literature calling for various reforms surrounding the app, such as inserting a sunset clause, open-sourcing the code, data minimisation etc. However, I argue that this piece-meal reactionary approach, is insufficient for an evolving regime such as the Arogya Setu. It does not address the fundamental issues of lack of trust and allowing permissible government discretion, during a crisis.

The current data governance model is individual consent-based, which is the convention, yet inappropriate in the present context. This is because the imbalance of power between a person and the state, is greater than it would be with any other private entity. Individuals hardly have a choice to negotiate on the manner of data-collection and usage. This approach also puts the burden on the individual to actively enforce his rights by approaching courts. A layperson would also be unable to fully comprehend the implications of big data technologies on aggregated data, which vitiates informed consent. Individuals may anyways not be the best decision-makers to balance self-interest with abstract public good.

Therefore, there is a need of a fiduciary, to act as an intermediary. I thus propose “Data Trusts” as an appropriate data governance model for the app. It is a recent approach originally applied in the context of private entities. A “data trust” acts like any other trustee, and sets the terms of data collection, usage, and access, in a way that balances privacy and responsible use of technology. It is an anticipatory approach which is flexible enough to adapt to changes and advance public interest. The terms of the trust may be tailored to a particular data-set or intended purpose.

It can be implemented as follows in the present case (under a valid legislation/ordinance to fulfill the legality standard under Puttaswamy)-

• A small body would be created with members would be drawn from all branches of state – legislature, executive and judiciary. Fourth Branch Institutions such as the NHRC and even civil society groups can also be roped in. The composition would be such that the government would be in the minority. For instance – a 5-member body composed of 2 senior-most judges of the Supreme Court, the Leader of the opposition and 2 government members.
• The data collected would be controlled by this body. It would exercise oversight over its use and would have the authority to order its erasure.
• All government proposals for data processing/extraction from the server would have to be put before the committee for scrutiny. For any measure to be implemented, a majority approval would be required, which would necessarily require concurrence from the opposition and judiciary members.
• The government would thus have to show legitimate need to use the data for any purpose or for transferring it to any agency. The judicial involvement would ensure neutrality and adherence to legality, while presence of public representatives would allow the people to indirectly influence the use of their data. The deliberations of the committee can also be made public for transparency.

Conclusion

Privacy is as much of a vital aspect of the right to life, and ergo, of public interest as health. However, it would be a false trade-off to sacrifice either, even when faced with a pandemic. The present statutory regime and the conventional individual consent-based model of data-governance both fall short of reconciling these two public interests.

The Aarogya Setu in its current form violates the Right to Privacy under Article 21. A “Data Trust” would be an appropriate policy intervention to satisfy the test under Puttaswamy, by acting as an enduring yet flexible procedural safeguard, while still allowing for quick decision-making as required during a crisis, thus reconciling privacy and public health.

Such a model of data governance is necessary to protect long term public interest and ward off authoritarian surveillance. The response to any public crisis should be democratic and built on trust. The app and this outbreak are no exceptions.

The Author is a BA.LLB (Hons.) Student at NLSIU, Bengaluru.