While announcing extension of the lockdown, Prime Minister Narendra Modi had urged everyone to download the ‘Aarogya Setu’ (“the app”), an application developed by the Government of India as a measure to combat the severe respiratory syndrome COVID-19.
- phone number;
- profession; and
- countries visited in last 30 (thirty) days.
It further states that instead of storing the information itself, it creates a Digital ID (“DiD”) unique to each person. Hence when two people with the app on their phone come in contact with each other, the information will get stored on the other person’s device for a period of 30 (thirty) days and will be stored on the government’s servers as well. If a person has not tested positive for COVID-19, the information from the government’s server will get deleted in 45 (forty-five) days.
II. Privacy and other concerns
a. Aarogya Setu is not an open source app
An open source programme is where the developer shares the source code for people to evaluate the application. Therefore, it is difficult for people to rely on whether the data is anonymised or that the application actually functions as has been advertised to the users.
If the app was made open source, any code developers could point out a bug or fix it. This would have also ensured transparency.
b. Collection of Data
The data collected at the time of registration has been listed above. The primary principle of any data collection is that it should be limited to what is essential for the purpose of providing services (as is also provided by the upcoming Personal Data Protection Bill, 2019). The government has stated it will create a DiD from the data provided and use location and bluetooth to identify COVID-19 cases. There is a lack of clarity on the kind of data collected by the government, e.g. sex and profession of a person. This is in complete contrast with a similar app created by the Government of Singapore called ‘trace together’ where the data stored is limited to a mobile number which then creates an ID for every phone number collected. Therefore, the Government of India should clarify the purpose of collecting each detail of the user.
The data retention time, for those users who have not been tested positive for COVID-19, on other user’s devices is 30 (thirty) days and 45 (forty-five) days on government’s servers. This data retention time is far exceeding the incubation period for COVID-19 which is 14 (fourteen) days, as declared by the World Health Organisation (“WHO”). Therefore, it shall be noted that the retention of data is beyond the period of incubation.
c. Retention of Data
The clause states that the data which has been collected at the time of registration shall be retained till the account of a user is active “or” as required by any law in force. The issue is with the vaguely structured language of the clause. The laws of India are not yet adequate to safeguard its citizens’ personal data. Therefore, to collect such information, and not deleting it after the said purpose of providing services has been fulfilled, raises a concern over how long shall the data actually be retained by the government. This allows the government to turn the data collected into a permanent architecture instead of deleting it after the purpose has been served. Moreover, this is also in contradiction to
the upcoming Personal Data Protection Bill, 2019 which clearly states that the data shall be removed once the purpose of processing the data has been fulfilled.
d. Storage of data on other devices and on the government server
Further, by virtue of the government having access to the devices itself, it is unclear as to whether the government also has access to other information like contacts or any other details that might be stored on the device.
e. Third party transfers
government should have been more specific about the third-party transfers and transfer such data to ANY third party only after obtaining specific consent before such transfer, in order to uphold the spirit of privacy. Moreover, any medical and administrative intervention may also be carried out by private entities which may be involved in research sciences pertaining to COVID-19 or any medical agency which is helping the government with infrastructure required for COVID-19. Therefore, the government holds the power to broaden the scope of third-party transfers at any point in time.
f. Limitation of liability
Lack of such assurance calls for a severe reconsideration on the introduction of the app to the general public and for it to be recalled until all such questions with regards to the citizens’ privacy have been answered.
On a positive note, the government has designated the grievance officer who is the Deputy Director General of National Informatics Centre.
Shivani Agarwal practices corporate and commercial law and is the founder of W-Investment (winvestment.wordpress.com). She closely follows developments in cryptocurrencies and blockchain laws. Her areas of work include banking laws, restructuring and project and finance.
Samaksh Khanna is the Co-founder of W-Investment (winvestment.wordpress.com), a blogging platform for mainly exploring the usage of blockchain in law and research on cryptocurrencies. He closely follows privacy laws and digital assets laws.Disclaimer: The views or opinions expressed are solely of the author.