On the 30th of January 2020, the World Health Organization (WHO) declared the COVID-19 outbreak a public health emergency of international concern. In response, many countries have launched contact-tracing apps to help contain the spread of the virus. The intrusive nature of these technologies and the vast amounts of sensitive data they generate have raised serious concerns about privacy. The Indian government’s app is called Aarogya Setu [Bridge to Health], and it has not escaped the privacy controversy.
Following its release on the 2nd of April 2020, Aarogya Setu took a mere 13 days to become the world’s all-time fastest to reach 50 million users. It has now been downloaded more than 100 million times. The app requires personal details such as the user’s name, gender, profession, smoker status, and travel history, as well as biometric information. This information is then stored in a centralized government database. Even more controversially, the app uses GPS to track infected individuals’ locations and then shares this data with both other users and the government. It also connects infected individuals’ GPS data to the personal information held in the government database. The potential for invasion of privacy and an unacceptable level of government surveillance is clear.
Dr. Michael Ryan, executive director of the WHO’s health emergencies programme, has warned that the right to privacy after the collection of personal data while tackling this pandemic cannot be overlooked. The right to privacy is enshrined in Article 21 of the Indian Constitution, but many fear that India’s response is proving Dr. Ryan’s concerns justified. Indeed, there is no express legal framework to manage and protect the public’s personal information, and what little legislation that does exist is subject to inconsistent application and enforcement.
Perhaps as a result of this, Aarogya Setu lacks transparency in both its scope and functioning, and there has been no proper elaboration of its privacy agreement or Terms and Conditions (T&C). Moreover, while the government initially only encouraged people to install the app, it is now mandatory for public sector workers, people living in containment zones, and those wishing to travel by plane. Some private companies have also obliged their employees to download it. This in effect forces people to accept T&C which may violate their right to privacy.
There are several major issues with the app’s T&C. First, they allow for the collection of the maximum data possible and its storage in a database accessible for the government to use as it pleases. The extensive data collection also increases the likelihood of harm in the case of a breach, especially since much of the information is sensitive and includes health records. Additionally, while there is a data retention policy which states that user data will be automatically deleted every 30 days, there is no mechanism to audit and verify that the policy is followed. Finally, the government accepts no liability for data breaches or inaccurate information provided by the app, even if they lead to harm. These issues create a loophole where in fact the “bridge” is perhaps less to health and more for an unaccountable government to invade or risk the privacy of its citizens.
In the past, Indian courts have ruled that the security of health records is a major privacy concern. By law, there are only limited circumstances in which the confidentiality of these records may be undermined. If the information is used outside these purposes, it amounts to an infringement of the right to privacy. The practice of mass-surveillance under the guise of public health is not one of those circumstances. It must, therefore, be avoided. It is necessary for Aarogya Setu immediately to be refined and for the T&C to be elaborated in more detail to provide transparency and government accountability. This is fundamental to avoid compromising the privacy of the app’s users and to maintain public support for the government’s efforts to contain the virus.
Unprecedented public health measures are clearly necessary to confront the COVID-19 emergency. But there need not be such an extreme trade-off between health and privacy. In its current form, Aarogya Setu risks creating another crisis through the breach of privacy of millions of people. The government must take immediate steps to guarantee this right and ensure the personal data of its citizens are protected.
Note: This article gives the views of the authors, and not the position of the Social Policy Blog, nor of the London School of Economics.