No Aarogya Setu Data Sharing Without Consent: K’taka HC to Centre
Centre cannot deny any services to a citizen on the ground that the user does not have Aarogya Setu, the Court daid
The Karnataka High Court, on Monday, 25 January restrained the Central government and the National Informatics Centre (NIC) from sharing the data of Aarogya Setu tracking application users without obtaining their informed consent.
In a significant order, the two-judge bench prima facie found that no informed consent was taken for sharing user data and also noted that the Central government will not deny any services to a citizen only on the ground that the user has not installed Aarogya Setu.
Anivar Arvind, a public interest technologist and Software Freedom Law Centre India's (SFLC.In) advisory board member, had filed a petition in the Karnataka High Court challenging the voluntary-mandatory imposition of Aarogya Setu and invasion of privacy rights in the absence of specific laws governing data collection and processing by it.
After 18 hearings of the matter, the bench comprising Chief Justice Abhay Oka and Justice Vishwajit S. Shetty had reserved the order. Aravind was represented by Senior Advocate Colin Gonsalves and counsels from SFLC.in.
The bench pronounced its order on 25 January. It prima facie held that there was no informed consent taken of users for sharing response data as provided in the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020.
On 2 April 2020, the NIC, which falls under the MEITY, launched the Aarogya Setu App in order to help with contact tracing of COVID-19 in India. It has since been downloaded by over a 160 million users.
No Denial of Services For Not Having Aarogya Setu: Court
“This is an important order ensuring user rights and consent as baseline for what one should run on their personal computing devices,” Aravind said. “I hope this will make an impact in a larger landscape where we are seeing a trend of more and more apps pushed for availing citizen rights in a post pandemic phase,” he added.
The Bench also noted that the Central government will not deny any benefit or services to a citizen only on the ground that the user has not installed Aarogya Setu.
Prasanth Sugathan, Legal Director, Software Freedom Law Centre, India (SFLC.in) said, "The action of the government in providing for data transfer to third parties and the mission creep of the Aarogya Setu app due to the features added were problematic and the Hon'ble High Court has rightly interdicted the hovernment.”
“The government should take steps to ensure that all the data collected including personal data is destroyed,” Sugathan added.
Speaking with The Quint after the order, Aravind said the country is increasingly seeing the tendency of tracking technology even if it is made for good intentions changing into policing technology in a fast pace.
“We have seen this happening at many places including in Singapore, where the very first contact tracing app was developed (with much more privacy protection than Aarogya Setu.).”
This petition was more a timely intervention for a judicial review around a social graph collecting app pushed as mandatory when pandemic started. I am happy that court addressed some of the data collection and sharing concerns in this interim verdict .Anivar Aravind
Govt Ignored Its Own Vital Safeguards on Aarogya Setu: RTI
The Quint had reported on 30 October that responses to RTI queries revealed that the Government of India has failed to implement measures to safeguard and secure data of millions of Indians collected by the controversial COVID-19 tracing app, Aarogya Setu.
Two days after the Ministry of Electronics and Information Technology (MEITY) and National Informatics Centre (NIC) were pulled up by the Central Information Commission for evasive answers about the app’s creation, an RTI reply revealed that the government had failed to implement key provisions of the ‘Aarogya Setu Data Access and Knowledge Sharing Protocol 2020’.
These revelations, including a lack of audit mechanisms and any procedure for anonymisation of data, raise serious questions about the government’s attitude towards protection of the data and privacy of millions of Indians, and the trust that can be imposed in digital health initiatives like this.
The Protocol governs the collection of data by the app and data sharing of personal/non-personal data collected through it. It lays down penalties and obligations for sharing data with government agencies, third parties, and research institutions.
(The Quint is available on Telegram. For handpicked stories every day, subscribe to us on Telegram)
Subscribe To Our Daily Newsletter And Get News Delivered Straight To Your Inbox.