On Monday, 11 May, the ‘Aarogya Setu Data Access and Knowledge Sharing Protocol 2020’ was released by the government, to ensure secure collection of data by the controversial app, and regulate how such data can be shared to achieve its purpose of assisting the fight against COVID-19.
It is meant to set out how the National Informatics Centre (NIC) will collect and share the data that the Aarogya Setu app can generate:
With so much personal data at stake, this obviously creates some serious concerns from a privacy perspective. The Protocol is meant to address these concerns.
But does the Protocol succeed in addressing the concerns raised by experts regarding the app? Is it actually enough to satisfy the fears that the data collected by this app could be shared indiscriminately and used for surveillance? And does it create any mechanism for people to raise grievances?
“The protocol published by this empowered group tries to make the right noises, but is unfortunately very far short of the privacy safeguards required to justify the imposition of a mandatory app during this pandemic on Indians,” says Raman Chima, policy director at Access Now, the global digital rights think tank.
“The protocol is not a binding legal regulation; it is in effect a voluntary declaration by one group set up by the Union Government,” Chima explains. “It does not draw authority from any law passed by Parliament; it does not even claim to be issued under the legal authority of the Disaster Management Act.”
Rahul Matthan, partner at law firm Trilegal and one of India’s leading technology law practitioners, however, believes that while the lack of a foundational law does mean it cannot be made mandatory for people to download and use the app, this does not invalidate the safeguards that the Protocol imposes on data-sharing.
“The empowered group which developed this Protocol has the legal backing to set up a data sharing protocol which has to be followed when it comes to the data of those who have chosen to download the app,” he says.
But leaving this question of the lack of a foundational law aside (which remains relevant to the debate over whether the app can be made mandatory, of course), does the Protocol provide sufficient protection to the data of those who use it?
Other experts, however, are not so convinced, with most of them pointing to the lack of a mechanism for enforcement, in case the Protocol is violated, and your information misused.
Examples of this include if a government department shares your information with a private company without this being necessary, or shares information with a research organisation which wasn’t properly anonymised, or if a private company which received information correctly forwards this on to others (say, giving your health and contact data to an insurance company or advertiser).
The first problem here comes from the terms and conditions of the app itself. Senior advocate Sajan Poovayya, one of the key lawyers in the right to privacy case before the Supreme Court, notes that these include “a limitation of liability clause which states that the Indian government will not be liable for any claims in relation to unauthorised access to the user’s information or modification thereof.”
When coupled with India’s general lack of a data protection law, and the absence of any specific law for the usage of Aarogya Setu, this means a person would very likely be barred from filing any complaint.
Supreme Court advocate Vrinda Bhandari, who works with the Internet Freedom Foundation on legal interventions filed by them regarding digital rights in India, points out that even if this could be gotten around, there is still no complaint mechanism specified under the Protocol, even though it says violations of it “may” be an offence under Sections 51-60 of the Disaster Management Act.
Chima says that because of the Section 60 problem, if an individual citizen wants to make a complaint that the Protocol has been violated, you can’t approach the police or an ordinary court, “you would be limited to only challenging actions before the high courts or Supreme Court.”
Leaving aside the enforcement question, the experts are also not convinced that the privacy safeguards are enough, especially when sharing it for research purposes.
“The protocol also promotes flawed technical approaches, in emphasising ‘hard anonymisation’,” argues Chima. “Technical and legal literature over the last decade have shown the flaws and limits of anonymisation, and advancements in data sciences and machine computing makes it far easier to be able to identity, reconstitute personal information from 'anonymised' data.”
Even these standards for anonymisation are not yet defined, and are to be established by a special committee going forward.
Another aspect of the Protocol, which has been subject to strong criticism is the fact that it includes a ‘sunset clause’ for the protocol in Para 10. Under this, the Empowered Group will review the Protocol after six months, and unless it needs to be extended because the COVID-19 pandemic continues, the Protocol will cease to operate at that time.
However, as digital rights activist and Medianama founder Nikhil Pahwa points out, there is no sunset clause for the use of the app itself. “That there is a sunset date for the protocol, not the app, that creates further distrust, as for any data collected after the protocol ends, the protocol will not apply,” he explains.
Matthan takes a more optimistic view on this issue, arguing that the government “can’t have it both ways” – now that this Protocol has been introduced, it becomes the only way in which data collection and sharing in connection with the Aarogya Setu app can happen. Once the Protocol expires, data collected using the app cannot then be shared or used by anyone, even the government.
The Vidhi Centre for Legal Policy, which helped draft the Protocol, also argues that this sunset clause means the legal basis for data collection under the Protocol “will not outlast the pandemic to become a tool for surveillance of individuals”.
However, it is difficult to see how the language of the clause or the Protocol as a whole supports this interpretation, as no such statement is made about how this Protocol will be the sole way in which data collected from the app will be shared.
In the end, the continuing absence of a general data protection law, the lack of a law dealing with the app, the way it is being made mandatory continue to be problems, even when trying to assess whether the Protocol will be of help – a view also taken by Justice (retd) BN Srikrishna, who headed the government committee which drafted a Personal Data Protection Bill for India.
As he said in a webinar on Monday, the Protocol seems more like a “patchwork” that will “cause more concern to citizens than benefit.”