Four weapons have emerged in our fight against coronavirus. The World Health Organization (WHO) calls them testing, isolation, tracing and treatment. These weapons work at different stages and have limitations of their own. The only way to flatten the curve and save precious lives is to get ahead of the virus and prevent it from infecting the next person. At a stage where a person has already been diagnosed and has been an active spreader, testing can help segregate people requiring a differential degree of care and other quarantine measures. Isolation and social distancing translating into lockdowns have proved to be effective. In the absence of a vaccine, which appears to be months away on a very optimistic note, or an effective treatment, millions of innocent individuals will lose their lives. Amongst all these measures the only pro-active measure is rapid contact tracing followed by pre-emptive testing and treatment if required. In wake of limited utility of manual contact tracing, social distancing and violation of lockdowns, governments all across the world have been constrained to use technology for prospective contact tracing and establishing co-presence. Approaches range from use of aggregated telecom data to GPS location information and Bluetoothbased beacons.
The Indian government’s Aarogya Setu app works by collecting user location data locally from GPS/Bluetooth and collates it with an IT-enabled operations framework. The app asks for necessary functional permissions including access to data storage, device location and control over Bluetooth protocol. Compared with similar apps used in Singapore, Hong Kong and South Korea, Aarogya Setu follows the stringent Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules (“SPDI Rules”), 2011. If compared with other state government applications, Aarogya Setu adheres to much stricter standards of privacy, purpose and justification. A detailed report by the Internet Freedom Foundation (IFF) which compares Singapore’s TraceTogether, MIT’s Private Kit (Safe Path’s Project) and Aarogya Setu while raising concerns about each of these applications, explains that the Indian government app stores the location data locally and does not upload it until and unless a medical event occurs. The use of 256- bit AES, a strong encryption technology, ensures that sensitive personal information of the user remains intact.
Data is encrypted in transit as well as at rest. Personal information provided at the time of registration is encrypted and anonymised before being uploaded to the government cloud where it is stored in a secure encrypted server. Europe which has a very stringent GDPR (privacy and data protection) regime has permitted anonymised telecom data and other metadata to be used for prediction of possible infection spread. In fact, backchanneling/extralegal arrangements between government authorities and TSPs appears to be common in Europe. Belgian telecom operators are granting public authorities database access, while in Germany Deutsche Telekom is affording its Federal Disease Prevention Agency ‘regulated access’ to its location data. In comparison to the above surveillance technology-based approaches, Aarogya Setu appears to be minimally invasive, voluntary and designed with principles of privacy in mind. It also anonymises personal information of the user into a Unique Identity which is used for processing of medically significant events only. The legal framework of the Supreme Court’s judgement in KS Puttaswamy (Retd) and Anr v Union of India (2017), while developing jurisprudence on the fundamental right to privacy, also explicitly observed that when it comes to a public health epidemic, authorities may use health records, provided they ensure the anonymity of the patients. Restriction of right to privacy may be justifiable in the circumstances subject to the principle of proportionality and must be considered in relation to its function in society and be balanced against other fundamental rights.
The only check and balance for the right to privacy is that it does not harm the other individual or affect his/ her rights. Interplay of right to privacy with other rights and necessity of restriction would depend on the factual matrix of each situation. As we face an unprecedented pandemic where more than 200 thousand people have died and three million people have been confirmed Covidpositive, the right to health becomes a paramount obligation of the state. Compared to some of the other social rights, the right to health which includes the “prevention, treatment and control of epidemic, endemic, occupational and other diseases” has been articulated and recognised as an integral part of the Right to Life and its duty of the state to protect its citizens from any such infringement/violation. Even though the new draft data privacy bill in India is moving through the legislative process, the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 stipulates sensitive personal data or information and reasonable security practices and procedures for collecting and processing of such sensitive information. And in case of any breach shall be punishable under Section 43A of the Information Technology Act, 2000. Various measures have been pressed in service to save lives in an unprecedented pandemic. Testing, isolation, tracing and treatment have been tried out through ground personnel and volunteers. Use of advanced and mobile communication technologies can provide huge advantages and strategic gains for identification of hotspots and prevention of contagion. Aarogya Setu in addition to all the ground measures aids in a full spectrum response. While concerns have been expressed regarding contact tracing technology and apps used in various countries, a closer analysis of privacy policy, data handling and terms of service of the Aarogya Setu app appear to be in consonance with principles of privacy laid down in the Puttaswamy judgement as well as the SPDI rules under clause (ob) of sub-section (2) of Section 87 read with Section 43A of the Information Technology Act. Brijesh Singh is Inspector General of Police, Maharashtra, and Khushbu Jain is practising Advocate in the Supreme Court.