-by Vini Singh

The COVID-19 pandemic has swept the world. The fast-spreading infectious disease has compelled almost every government to impose severe measures. Many of these measures have had a substantial impact on fundamental freedoms. India is no exception. The government has had to impose a strict nationwide lockdown to slow down the spread of the virus.

Many more restrictions are likely to become a part of our lives until the time the disease is contained. And, many of these will probably be in the digital sphere given the heavy reliance on technology for contact tracing of infected individuals and for storage of health-related data. Technology giants like Google and Apple have already started developing apps for contact tracing via Bluetooth emissions. Some governments are already using indigenously developed applications for this purpose. For example, Singapore uses an app called TraceTogether to trace movements through Bluetooth. China is also using a similar technology where people are required to scan a QR code before they can use public facilities like riding a subway. The QR code is calculated based on the past movement history of the person in question. Likewise, South Korea anonymises the movement and health data and informs people if they might have come into contact with an infected person so that they can get tested. They use both GPS and Bluetooth for tracing. Norway’s Smittestopp also uses both Bluetooth and GPS for contact tracing. India’s Aarogya Setu which has become one of the highest downloaded apps in the world also relies on Bluetooth and GPS. The use of the app has also been made mandatory by all public and private employees by an executive decree issued under the National Disaster Management Act.

While some of these apps rely on a centralised database model in which contact tracing is done by a centralised computer server, most countries are opting for a decentralised model to protect privacy. The decentralised model allows the phones to download database, match contacts and send alerts. Aarogya Setu, however, follows a centralised model. The app keeps the record of all other Aarogya Setu users detected nearby and collects location information at 15-minute intervals. This data is stored on the phone, however, it gets uploaded on the server once a person is declared positive or declares symptoms of COVID-19 in a self-assessment form. As per its privacy policy, the app collects other sensitive personal information apart from health data such as name, gender and profession which is linked to a unique digital id (DID). There is no maximum limit on the retention of this information as it can be retained so long as a law mandating the retention remains in force. The location and health data is retained in the app for thirty days and if uploaded in the server, then would be retained for 45 days for people who have not been tested positive and 60 days for those who have been tested negative. However, this does not apply to visualisations generated or health reports generated by medical professionals during the course of treatment.

Given that people carry their phones with them all the time as if it were a limb, tracing and mapping location is already extremely intrusive. Recently, in Carpenter v. U.S. the United States Supreme Court held that tracing a person’s location using cell location data without due purpose and in absence of a warrant was an unreasonable restriction on the right to privacy. Earlier, in U.S. v Jones too the U.S. Supreme Court had found location tracking via GPS without a warrant to be a violation of privacy rights. The Indian Supreme Court has also found constant surveillance to be an unreasonable restriction on privacy in Govind v. M.P. and PUCL v. UOI. Usage of the app would, therefore, amount to staying inside a panopticon.

While the government has made the usage of this app mandatory so far only for public and private sector employees, the judiciary is not far behind in abuse of power during the pandemic. Recently, the Jharkhand HC had mandated the download and use of the app as a condition for granting bail to a former BJP MP. Even the NOIDA police are collecting fines for the offence of not downloading the app. None of these restrictions on privacy is reasonable as per the test formulated by the Supreme Court in its Privacy judgment.

The test requires the restriction to be imposed under the law for a legitimate state interest. Although protecting life and health is a legitimate interest, there is no legislative backing and any guidelines regarding the app apart from the vague privacy policy. And, even though contact tracing through the app may have a rational relation to the objective of protecting the health and life of people, it is not necessarily the least restrictive measure that could have been adopted. It hardly makes any sense to store location data for 45 or 60 days as the case may be for detecting disease with the incubation period of 14 days. Furthermore, there is no reason to store health data generated by medical professionals regarding the patient for an indefinite period as it is sensitive personal information. The same reasoning applies to the indefinite storage of personal information like name, age, sex etc. in an identifiable manner since it’s linked to the digital id.

Furthermore, security concerns have been raised with respect to the storage of data by ethical hackers which makes this indefinite retention of data extremely problematic. Considering that it may be impossible to avoid the usage of technology to deal with such situations, it is time to strengthen the privacy and digital rights framework, particularly information self-determination and the right to be forgotten.

The views are personal.

Image Courtesy: Cashify


Vini Singh is Assistant Professor & Doctoral Research Scholar, National Law University Jodhpur. She is a graduate (B.A.LL.B, 2012) from Hidayatullah National Law University, Raipur and holds a Masters of Law degree (2013) from University College London.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s