Does Govt’s New Data Protocol Address Concerns Over Aarogya Setu?

The Quint speaks to experts on both sides of the divide about whether we still need to worry about the app.

Aarogya Setu app, which has been flagged for major privacy concerns of profiling and surveillance, is being made mandatory for an increasing number of people.

On Monday, 11 May, the ‘Aarogya Setu Data Access and Knowledge Sharing Protocol 2020’ was released by the government, to ensure secure collection of data by the controversial app, and regulate how such data can be shared to achieve its purpose of assisting the fight against COVID-19.

Empowered Group 9, set up by the National Disaster Management Authority to look after technology and data solutions to the coronavirus crisis, has created this protocol.

It is meant to set out how the National Informatics Centre (NIC) will collect and share the data that the Aarogya Setu app can generate:

  1. demographic data (name, mobile number, age, profession, gender, travel history);
  2. contact data (who the user has been in close proximity to);
  3. self-assessment data (regarding their health and symptoms); and
  4. location data (the user’s geographic position).

With so much personal data at stake, this obviously creates some serious concerns from a privacy perspective. The Protocol is meant to address these concerns.

What Does the Protocol Do?

  • Under the Protocol, response data (whether containing personal data or de-identified data) can be shared with the health ministry of the central government, health departments of state governments, central and state disaster management authorities or public health institutions like the ICMR. The data is to be shared only where necessary to come up with a health response.
  • Data collected using the app is not ordinarily to be shared with third parties, whether other government agencies or private parties, but this can be done if it is “strictly necessary to directly formulate or implement appropriate health responses.” These third parties will not be allowed to re-use the data for any other purpose or share the data with anyone else.
  • Finally, the Protocol allows data which has undergone ‘hard anonymisation’ – i.e. where an individual cannot be identified using any means to trace their identity from the data – to be shared with universities or other research institutions registered in India, subject to approval from a special committee.

But does the Protocol succeed in addressing the concerns raised by experts regarding the app? Is it actually enough to satisfy the fears that the data collected by this app could be shared indiscriminately and used for surveillance? And does it create any mechanism for people to raise grievances?

Does the Protocol Have Any Legal Basis?

“The protocol published by this empowered group tries to make the right noises, but is unfortunately very far short of the privacy safeguards required to justify the imposition of a mandatory app during this pandemic on Indians,” says Raman Chima, policy director at Access Now, the global digital rights think tank.

The key failing here, according to him, is the fact that there is still no legal basis for the usage of this app, despite which it continues to be made mandatory for more and more people and purposes.

“The protocol is not a binding legal regulation; it is in effect a voluntary declaration by one group set up by the Union Government,” Chima explains. “It does not draw authority from any law passed by Parliament; it does not even claim to be issued under the legal authority of the Disaster Management Act.”

Rahul Matthan, partner at law firm Trilegal and one of India’s leading technology law practitioners, however, believes that while the lack of a foundational law does mean it cannot be made mandatory for people to download and use the app, this does not invalidate the safeguards that the Protocol imposes on data-sharing.

“The empowered group which developed this Protocol has the legal backing to set up a data sharing protocol which has to be followed when it comes to the data of those who have chosen to download the app,” he says.

Does This Protocol Mean Users’ Data is Safe From Misuse?

But leaving this question of the lack of a foundational law aside (which remains relevant to the debate over whether the app can be made mandatory, of course), does the Protocol provide sufficient protection to the data of those who use it?

Matthan, who advised the government on how to design the Aarogya Setu app while safeguarding people’s privacy concerns, believes that the strong privacy policy, which users sign up to when they use the app, ensures their data is protected.

“The privacy policy specifically says what can and can’t be done. Most importantly is the purpose limitation, and when you look at 2(e), it says you cannot use a person’s data except for the core purposes set out in the privacy policy. It is an extremely explicit purpose limitation, you will find no vague wording: ‘including’, ‘such as’, ‘like’ and so on.”
Rahul Matthan, partner at Trilegal

Because of these safeguards built into the privacy policy of the app itself, Matthan believes that the Protocol, when taken together, provides sufficient protection.

Other experts, however, are not so convinced, with most of them pointing to the lack of a mechanism for enforcement, in case the Protocol is violated, and your information misused.

Examples of this include a government department sharing your information with a private company without this being necessary, or sharing information with a research organisation which wasn’t properly anonymised, or a private company which properly received information then forwarding it on to others (say, giving your health and contact data to an insurance company or advertiser).

The first problem here comes from the terms and conditions of the app itself. Senior advocate Sajan Poovayya, one of the key lawyers in the right to privacy case before the Supreme Court, notes that these include “a limitation of liability clause which states that the Indian government will not be liable for any claims in relation to unauthorised access to the user’s information or modification thereof.”

When coupled with India’s general lack of a data protection law, and the absence of any specific law for the usage of Aarogya Setu, this means a person would very likely be barred from filing any complaint.

Supreme Court advocate Vrinda Bhandari, who works with the Internet Freedom Foundation on legal interventions filed by them regarding digital rights in India, points out that even if this could be gotten around, there is still no complaint mechanism specified under the Protocol, even though it says violations of it “may” be an offence under Sections 51-60 of the Disaster Management Act.

“In the absence of such a mechanism, it may prove impossible to actually make a complaint regarding a breach of the Protocol by a government department or by a third party with whom personal data is shared, especially because courts can only take up such complaints if they are made by the government, not the individual affected, according to Section 60 of the Act.”
Vrinda Bhandari, Supreme Court advocate

Chima says that because of the Section 60 problem, an individual citizen who wants to make a complaint that the Protocol has been violated can’t approach the police or an ordinary court: “you would be limited to only challenging actions before the high courts or Supreme Court.”

Does the Protocol Do Enough?

Leaving aside the enforcement question, the experts are also not convinced that the privacy safeguards are enough, especially when data is shared for research purposes.

“The protocol also promotes flawed technical approaches, in emphasising ‘hard anonymisation’,” argues Chima. “Technical and legal literature over the last decade have shown the flaws and limits of anonymisation, and advancements in data sciences and machine computing makes it far easier to be able to identify, reconstitute personal information from 'anonymised' data.”

Even these standards for anonymisation are not yet defined, and are to be established by a special committee going forward.

Bhandari is also concerned that the Protocol’s provisions on sharing data with third parties and research organisations have not been fully thought through. “The privacy policy of the Aarogya Setu app itself does not explicitly permit sharing of personal data with third parties and research organisations,” she says.

“The new Protocol, on the other hand, allows sharing of personal data with any third party under para 7(b) for formulating a health response, and anonymised data with research organisations, the wording for which is not as restricted as the privacy policy. In both respects, it therefore goes beyond the app’s privacy policy, which should not have been possible.”
Vrinda Bhandari, Supreme Court advocate

Matthan believes that this shouldn’t necessarily be an issue, as the Protocol has to be read together with the privacy policy – as the data can only be collected for those explicitly limited purposes, this means the Protocol has to be understood to include those same limitations.

The Sunset Clause Controversy

Another aspect of the Protocol which has been subject to strong criticism is the ‘sunset clause’ in Para 10. Under this, the Empowered Group will review the Protocol after six months, and unless it needs to be extended because the COVID-19 pandemic continues, the Protocol will cease to operate at that time.

However, as digital rights activist and Medianama founder Nikhil Pahwa points out, there is no sunset clause for the use of the app itself. “That there is a sunset date for the protocol, not the app, that creates further distrust, as for any data collected after the protocol ends, the protocol will not apply,” he explains.

Chima also raises his concerns over this, noting that this problem will affect data which is collected during the next six months as well – so, what about such data collected five months from now, what restrictions will apply to it?

Matthan takes a more optimistic view on this issue, arguing that the government “can’t have it both ways” – now that this Protocol has been introduced, it becomes the only way in which data collection and sharing in connection with the Aarogya Setu app can happen. Once the Protocol expires, data collected using the app cannot then be shared or used by anyone, even the government.

The Vidhi Centre for Legal Policy, which helped draft the Protocol, also argues that this sunset clause means the legal basis for data collection under the Protocol “will not outlast the pandemic to become a tool for surveillance of individuals”.

However, it is difficult to see how the language of the clause or the Protocol as a whole supports this interpretation, as no such statement is made about how this Protocol will be the sole way in which data collected from the app will be shared.

In the end, the continuing absence of a general data protection law, the lack of a law dealing with the app, and the way it is being made mandatory continue to be problems, even when trying to assess whether the Protocol will be of help – a view also taken by Justice (retd) BN Srikrishna, who headed the government committee which drafted a Personal Data Protection Bill for India.

As he said in a webinar on Monday, the Protocol seems more like a “patchwork” that will “cause more concern to citizens than benefit.”
