Background

In current times of the pandemic of Covid-19, countries across the world have presented contact tracing apps as the solution to smoothly sail out of present crisis. While privacy professionals and lawyers have expressed their dissatisfaction about these contact tracing apps due to lack of a privacy compliant ecosystem in place, it seems that these apps have nonetheless become the flavour of the season. In such a run-up, India is not behind and has to its credit “Aarogya Setu” – a contact tracing app of its own (Aarogya Setu/ the App).

The App was developed to enable people to assess for themselves the risk of their catching the Corona Virus infection by means of an algorithm calculating their interaction with others, using cutting edge Bluetooth technology, algorithms and artificial intelligence. Once installed in a smart phone through an easy and user-friendly process, the app detects other devices with AarogyaSetu installed that come in the proximity of that phone. The app can accordingly calculate the risk of infection based on sophisticated parameters if any of these contacts has tested positive. Users who do not have access to a smartphone can use the App through the interactive voice response system (IVRS) mode.

The purpose of this study is to understand the privacy concerns spelled out by the App, compare the same with practices across different countries and understanding the need for legislative action concerning the privacy issues.

The App: an analysis of the privacy policy

The original privacy policy of the App was released on 02 April 2020. The privacy policy of the App was revised on 12 April 2020 but notified to users on 17 April 2020. The new privacy policy sets out the details of the:

• personal information collected;
• the manner of collection;
• by whom the personal information is collected;
• use/ purposes for which it is used;
• the duration of retention of such personal information;
• the rights of individuals whose personal information is collected;
• the security features of the App;
• restriction on disclosure and transfer of personal information collected; and
• mechanism for grievance redressal.

Personal information collection, manner, by whom?

A notable feature of the App is that once an individual registers himself/ herself on the App, it collects certain personal information (like name, age, sex, profession, location etc.) and stores it on a server operated and managed by the Government of India.

This information stored on the Server will be hashed with a unique digital id (DiD) that is pushed to your App. The DiD will thereafter be used to identify you in all subsequent App related transactions and will be associated with any data or information uploaded from the App to the Server. Each time you complete a self-assessment test the App will collect your location data and upload it along with your DiD to the Server.

The App continuously collects your location data and stores securely on your mobile device, a record of all the places you have been at 15-minute intervals. Therefore, the App will not function properly if the device is switched off/ in airplane mode; if Bluetooth and GPS services on your device are turned off; or if you revoke the App’s access.

Purpose limitation: to be used only in response to the Covid-19 crisis

Following are the limitation to the purpose specified with respect to the App:

• to generate reports, heat maps and other statistical visualisations;
• to provide general notifications;
• to inform the user, or those have come in contact with, of possible infection;
• to share with such other necessary and relevant persons as may be required in order to carry out necessary medical and administrative interventions;
• to evaluate, whether a disease cluster is developing at any geographic location; and
• to map the places visited over the past 14 days in order to identify the locations that need to be sanitised and where people need to be more deeply tested and identify emerging areas where infection outbreaks are likely to occur (only if tested positive).

Data retention

As per the privacy policy, all personal information collected will be retained for as long as the account remains in existence and for such period thereafter as required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force.

All traced personal information shared between users, risk assessment tests and location information will be retained on the mobile device for a period of 30 days from the date of collection. All personal information uploaded to the Server will, to the extent that such information relates to people who have not tested positive for COVID-19, will be purged from the Server 45 days after being uploaded.

Persons who have tested positive for COVID-19 will be purged from the Server 60 days after such persons have been declared cured of COVID-19.

Exceptions to data retention

By way of an exception it has been provided that anonymized/ aggregated datasets generated by the personal data of registered users of the App or any reports, heat maps or other visualization created using such datasets, the medical reports, diagnoses or other medical information generated by medical professionals in the course of treatment will be retained.

However, it is to be noted that this clause conflicts with the Order No. 2(10)/2020-CLeS dated 11 May 2020 which provides that in any circumstance, such data shall not ordinarily be retained beyond 180 days from the date on which it was accessed.

Rights of individuals

As per the privacy policy, an individual who is a registered user of the App has the right to access his/her profile and a right to correct and erase any registration information (including personal information) supplied in the first place by such individual.

Key communications by the Government of India

• Ministry of Home Affairs order dated 01 May 2020
  Under the captioned order, under two instances, the use of the App was made mandatory by the Government:
  • for all employees, both public and private. The head of the respective organisation being made responsible for ensuring “100% coverage of this app among employees”; and
  • in areas demarcated as Containment Zones (areas with significant risk of infection) within Red and Orange Zones. Local authority being made liable to ensure that there is “100% coverage of Aarogya Setu app” among the residents.
• Ministry of Electronics and Information Technology order dated 11 May 2020
  The Ministry of Electronics and Information Technology, Government of India, issued an Order No. 2(10)/2020-CLeS dated 11 May 2020 which notifies the “Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020” (Protocol).
  This Protocol is issued under the Authority of Chairman, Empowered Groups 9 constituted by Central Government under the Disaster Management Act 2005 and shall be in force for 6 months from the date of issue.
  The Protocol seeks to provide clarity on the following:
  • Principles for collection and processing of response data;
  • Principles for sharing of response data;
  • Obligations of entities with whom response data is shared;
  • Principles for sharing of response data for research purposes;
  • Violations; and
  • Sunset Clause
    The Protocol goes beyond what is provided in privacy policy and term of service but falls short to effectively address the data privacy issues of the App. It is also pertinent to note that the Protocol is in the nature of a direction for compliance and does not hold any binding value per se. However, it must be noted that as per Clause 9 of the Protocol, any violation of these directions may lead to penalties as per section 51 to 60 of the Disaster Management Act, 2005 and other legal provisions as may be applicable.

• Ministry of Home Affairs order dated 17 May 2020

Under the captioned order, the use of Aarogya Setu was removed from its earlier status of being mandatory in certain prescribed situations. However, the captioned order now iterates that employers “on best effort basis should ensure” that the App is installed by all employees with “compatible mobile phones”. Unlike the previous order dated 01 May 2020, the captioned order will not hold employers responsible for failing to do so. Separately, the captioned order iterates that district authorities “may advise individuals” to install the App.

• Guidelines issued by the Ministry of Railways dated 20 May 2020

The Ministry of Railways is seeking to commence with a few passenger trains with effect from 01 June 2020 and has asked passengers to install the Aarogya Setu mobile application mandatorily prior to commencing their train journey. The guidelines issued by the railways for the special trains running between major cities of the country were made on the respective website of various railways networks (like Southern Railway, Western Railways) and also published on the website of Press Information Bureau, the Government of India. In that communication, it was carried out that- “All passengers must download and use the Aarogya Setu application”. However, it was a late-night tweet by the railway ministry that made it mandatory. The tweet is reproduced as follows: “Indian Railways is going to start few passenger trains services. It is mandatory for passengers to download Aarogya Setu app in their mobile phones, before commencing their journey.”

• Issuance of e-Pass under the App for ease of travel

Through a new update that featured on the App on 15 April 2020, a tab titled “e-Pass” was listed under the head of coming soon. The e-pass is showcased with a QR along with a unique six-digit alphanumeric ID that will contain all the necessary information about the user and the type of service he/she is related to. This includes- company name, supply chain partner, e-pass valid till date, location and nature of work. The new e-Pass feature is currently live and is aimed towards displaying the e-Pass issued to a user from the state governments on his/ her App so that the user can present the App as a pass at the checkpoints while commuting to work during the lockdown.

• Claims of ethical hackers

On May 6, Robert Baptiste (‘Elliot Alderson’ on Twitter), a French cybersecurity analyst claimed that he could access data of positive cases through the App. The Government of India issued a prompt response on the same day through the App’s Twitter handle and the excerpts of the same are reproduced below:

“No personal information of any user has been proven to be at risk by this ethical hacker. We are continuously testing and upgrading our system. Team Aarogya Setu assures everyone that no data or security breach has been identified”.

The concerns over privacy issues came to the surface once again when on 14 May 2020, a Bengaluru-based software engineer breached the App’s defences in less than four hours. He apparently hacked the App to find a way to not install it on his phone after the government made it mandatory.

Key privacy concerns and recommended best practices to address them

• Ambiguity around legal basis: The appropriate legal basis of processing of personal information must be identified. The same could be consent (as opposed to popular belief- not recommended since consent can be as freely withdrawn as given), necessity or proportionality etc. provided it is clearly documented for the App.
• Non- adherence to the principle of data minimization
  • The personal information collected includes detail of the individual’s profession- which has no direct relation with the effective use of the App
  • Proximity data should be used (as opposed to location tracking)
• The location data is collected in periodic intervals of 15 minutes, for which no explanation or requirement has been provided by the Government
• The “anonymised data” collected is not defined. This becomes all the more critical in the light of the fact that as per the policy can be stored by government for indefinite period

Ambiguity over employing data protection by design and default: 
Re-identification of individuals should be prevented and the information should reside on the user’s terminal equipment (as opposed to a central server). It is essential that it can be demonstrated that whilst the development of the App, data protection by design and default were employed. It is only under the Protocol that it is clarified that the contact and location data shall by default remain on the device on which the App has been installed post collection of such data. However, it is yet to be seen if this is only lip-service and an after- thought; or is in fact the default position of the App.

Voluntary adoption v/s mandatory adoption:
Contract tracing apps can only be legitimised by relying on a voluntary adoption by its users. There should be no disadvantage to those who decide not to or cannot use such apps. Until the MHA order of 17 May 2020, the use of the App was made mandatory in situations discussed in detailed in the preceding paragraphs.

Data Protection Impact Assessment:
A DPIA should have been first be carried out as this new technology consists of systematic and large-scale monitoring of location and/or contacts between individuals. It is not very clear that the Government of India has undertaken such a DPIA.

Controller Identification:
In line with the general principle of accountability, the controller of the App should be clearly identified. Whilst the Protocol mentions that the National Informatics Centre (NIC) shall be responsible for collection, processing and managing personal information (response data) by the App, there is no clarity on whether NIC is the data controller and the only one at that in the sense of general principles of data protection.

Purpose Limitation:
The purposes must be specific enough to exclude further processing for purposes unrelated to the management of the COVID- 19 pandemic (eg commercial or law enforcement purposes). Although the Protocol seeks to crystallise the parties to which the personal information collected can be shared and for the exact purposes; however, the language of the Protocol is full of indecisive phrases like – “to the extent reasonable”.

Retention:
As a general rule, all personal data obtained from the App should be erased or anonymised after the COVID-19 crisis ends. However, as discussed in the preceding paragraphs, there is still ambiguity over the retention policy under the App.

Data sharing – Orwellian state?
As per the Protocol, the personal information (response data) may be shared by the NIC with inter alia, the Ministry of Health and Family Welfare, Departments of Health of the state / union territory governments / local governments, other public health institutes of the Government of India, state governments and local governments etc. Therefore, this wide scope of data sharing creates a scope whereunder there are increased chances of surveillance.

Audit
The source code of the App should be made publicly available to ensure transparency, accountability and scrutiny [As on 27 May 2020, the App has been made open source].

Contact tracing apps globally vs Aarogya Setu.

To combat the pandemic, governments across the globe have developed and launched contact tracing apps. We have highlighted the key features of select Apps below:

• Trace Together is the covid tracing app of Singapore runs on Bluetooth technology. The app follows principle of limited data collection, provides for data destruction and is transparent.
• COVIDSafe of Australia which also runs on Bluetooth technology. The app follows principle of limited data collection, provides for data destruction but lacks transparency.
• NHS COVID-19 App of UK also runs on Bluetooth technology. The app follows principle of limited data collection and is transparency. However, reportedly lacks data destruction.

All of the above apps belong to countries that have a data protection legislation in place. From a preliminary study it transpires that these apps may not satisfy all the criteria as laid down by their data protection legislation and will have to be aligned with the general data protection principles.

In so far the App is concerned, it appears that data protection principles are not factored and incorporated in the design of the App (privacy by design) and hence, there is a need for the NIC to address this issue.

The dire need for a data protection legislation

“Legislation is one of the most important instruments of government in organising society

and protecting citizens. It determines amongst others the rights and responsibilities of individuals and authorities to whom the legislation applies.” – Prof. Herman de Jager

Presently, India does not have a specific legislation for protection personal data of individuals. Instead, the Information Technology Act, 2000 (the Act) contains specific provisions intended to protect electronic data (including non-electronic records or information that have been, are currently or are intended to be processed electronically).

Subsequently, India’s IT Ministry adopted the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Privacy Rules). The Privacy Rules distinguish both ‘personal information’ and ‘sensitive personal information’ and provide that corporate entities collecting, processing and storing personal information, including sensitive personal information are required to comply with certain specified procedures.

On August 24, 2017, a Constitutional Bench of nine judges of the Supreme Court of India in Justice K.S.Puttaswamy (Retd.) v. Union of India [Writ Petition No. 494/ 2012] upheld that privacy is a fundamental right, which is entrenched in Article 21 encompassing the right to life & liberty in the Constitution of India. This led to the formulation of a comprehensive Personal Data Protection Bill 2019 which is currently before the Joint Parliamentary Committee for consultation, deliberation and discussion.

In light of the above, it is patent that there are numerous benefits of having a data protection legislation in place to guide a nation in how to protect the personal data of individuals. These guiding factors maybe transparency, accountability, ensuring rights of the individuals, listing out organizational measures and the compliances to be undertaken, to name a few. In the current context of having contact tracing apps, it becomes all the more important to have a data protection legal framework.

For example, the PDPB 2019 personal data broadly includes inferred or derived data within its ambit, thus expanding the ambit of data subject access rights. However, under the privacy policy of the App, the rights of access, correction and erasure of registered users are restricted to only such personal information that has been supplied by them.

Thus, in absence of a legislation, compliance with the privacy principles is not enough. The absence of a national or applicable law that posits data protection principles, provisions and organizational measures, does not permit denial of the basic tenets and continued provision of basic minimum rights of personal data protection and privacy, which must be ensured to all individuals at all times.

Finally, it must be borne in mind that the adoption of contact tracing apps will put to test the balance between state surveillance and user privacy. The need of a data protection legislation is very telling in the current times and speaks for itself.

By Tripti Dhar