On April 2, the Government of India released ‘AarogyaSetu’ App (Sanskrit for ‘Health Bridge’), aimed at combatting the spread of COVID-19 via contact tracing, connecting health services to the people of India and disseminating relevant information to its users.
To register on the app, a user is required to provide his/her name, contact number, age, sex, profession, travel history. This registration information is then hashed with a digital unique ID (DiD). The app uses GPS and Bluetooth feature to collect location data of the user at 15-minute intervals and to identify if the user has been in proximity to an infected person. This information collected is stored in the appand uploaded to the online serveronly for confirmed or suspected positive cases.
Since its release, the government has been promoting the contact-tracing app. On May 1, the Ministry of Home Affairs released an order, mandating all employees (private and public) to download the app. Market speculation also suggests thatAarogyaSetu App will be pre-installed on smartphones once the lockdown restrictions are relaxed and manufacturing commences. In just a little over a month, the App has already witnessed 80 million downloads (interestingly, Whatsapp took over 5 years to cross the 70 million mark in India).
Given the nature of data being collected, the scale on which the app is being operationalised, and the possibility of the data mine that comes out of such an initiative, it is important to take a closer look at the relevant legal framework.
India currently doesn’t have a holistic data protection regime and this is likely to remain status quo pending the Personal Data Protection Bill, 2019 being passed by the Parliament, and the Bill attaining the force of law.
Data Privacy Concerns – A Comparative Analysis
On the other hand, TraceTogether’s policy clearly states that it is the Ministry of Health, which has access to the data collected. Similarly, Covidsafe’s policy restricts the access only to health authorities.
Lastly, TraceTogether and Covidsafe recognise the right of a data subject over their information and specifically require their consent before uploading the information onto the server. In contrast, AarogyaSetu uploads the information to the server without requiring such consent, simply if there is a likelihood of the user having contracted the virus.
The Need for Safeguards
(The author is a Mumbai-based lawyer with experience in fintech and data protection advisory. Views expressed are personal.)