The Karnataka High Court, on Monday, 25 January restrained the Central government and the National Informatics Centre (NIC) from sharing the data of Aarogya Setu tracking application users without obtaining their informed consent.
In a significant order, the two-judge bench prima facie found that no informed consent was taken for sharing user data and also noted that the Central government will not deny any services to a citizen only on the ground that the user has not installed Aarogya Setu.
Anivar Arvind, a public interest technologist and Software Freedom Law Centre India's (SFLC.In) advisory board member, had filed a petition in the Karnataka High Court challenging the voluntary-mandatory imposition of Aarogya Setu and invasion of privacy rights in the absence of specific laws governing data collection and processing by it.
After 18 hearings of the matter, the bench comprising Chief Justice Abhay Oka and Justice Vishwajit S. Shetty had reserved the order. Aravind was represented by Senior Advocate Colin Gonsalves and counsels from SFLC.in.
The bench pronounced its order on 25 January. It prima facie held that there was no informed consent taken of users for sharing response data as provided in the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020.
On 2 April 2020, the NIC, which falls under the MEITY, launched the Aarogya Setu App in order to help with contact tracing of COVID-19 in India. It has since been downloaded by over a 160 million users.
No Denial of Services For Not Having Aarogya Setu: Court
“This is an important order ensuring user rights and consent as baseline for what one should run on their personal computing devices,” Aravind said. “I hope this will make an impact in a larger landscape where we are seeing a trend of more and more apps pushed for availing citizen rights in a post pandemic phase,” he added.
The Bench also noted that the Central government will not deny any benefit or services to a citizen only on the ground that the user has not installed Aarogya Setu.
In addition to this, the Bench noted that the informed consent is limited to collection of information as provided in the privacy policy. As of now, the Bench has refrained NIC and Union of India from sharing data without informed consent.
Prasanth Sugathan, Legal Director, Software Freedom Law Centre, India (SFLC.in) said, "The action of the government in providing for data transfer to third parties and the mission creep of the Aarogya Setu app due to the features added were problematic and the Hon'ble High Court has rightly interdicted the hovernment.”
“The government should take steps to ensure that all the data collected including personal data is destroyed,” Sugathan added.
Speaking with The Quint after the order, Aravind said the country is increasingly seeing the tendency of tracking technology even if it is made for good intentions changing into policing technology in a fast pace.
“We have seen this happening at many places including in Singapore, where the very first contact tracing app was developed (with much more privacy protection than Aarogya Setu.).”
This petition was more a timely intervention for a judicial review around a social graph collecting app pushed as mandatory when pandemic started. I am happy that court addressed some of the data collection and sharing concerns in this interim verdict .Anivar Aravind
Govt Ignored Its Own Vital Safeguards on Aarogya Setu: RTI
The Quint had reported on 30 October that responses to RTI queries revealed that the Government of India has failed to implement measures to safeguard and secure data of millions of Indians collected by the controversial COVID-19 tracing app, Aarogya Setu.
Two days after the Ministry of Electronics and Information Technology (MEITY) and National Informatics Centre (NIC) were pulled up by the Central Information Commission for evasive answers about the app’s creation, an RTI reply revealed that the government had failed to implement key provisions of the ‘Aarogya Setu Data Access and Knowledge Sharing Protocol 2020’.
These revelations, including a lack of audit mechanisms and any procedure for anonymisation of data, raise serious questions about the government’s attitude towards protection of the data and privacy of millions of Indians, and the trust that can be imposed in digital health initiatives like this.
The Protocol governs the collection of data by the app and data sharing of personal/non-personal data collected through it. It lays down penalties and obligations for sharing data with government agencies, third parties, and research institutions.
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)