The Global covid-19 outbreak has resulted in an unabated and unprecedented health crisis all over the world. The right to health in eventuality became a contested right worldwide in the backdrop of the present pandemic situation. The Right to Health has been read into Right to Life guaranteed under Article 21 of the Indian Constitution in various cases. It has been held in Paschim Bangal Khet Mazdoor Samity & Others v. State of West Bengal & Others  that the primary duty of government in a welfare state is to secure the welfare of the people and it is the obligation of the government to provide adequate medical facilities for its people. Further, while ensuring the right to health of people, the state is required to provide an efficient medical infrastructure along with affordable treatment to people.
This right to health in contrast to other rights places an obligation upon the state to ensure uniform protection of this right to all its citizens. In pursuance of this and for enforcing this duty, state in the present context, launched the Arogya Setu App which in actuality serves as an intrusive contact tracing mechanism to keep a track of patients and curb any sort of health emergency that can possibly arise in the country. Though the launching of this App appears to be an effective over the counter method to deal with the sudden pandemic situation, it has raised various issues with respect to the personal information including medical history; biometric information, etc. as allegedly having a tendency of infringing the various rights including Right to Privacy of an individual.
What is Arogya Setu?
Arogya Setu is an application (in brevity, ‘the App’) developed by the National Informatics Centre (that falls under the Ministry of Electronics and Information Technology) and is designed to detect Covid-19 spread. It was launched on the 2nd day of May 2020 and keeps track of nearby Covid infected persons by forming a user database to create a network of information that can alert citizens and the government of potential victims of the coronavirus at any given moment. According to the Ministry of Electronics and Information Technology, the estimated downloads of this app have crossed 100 million so far. The app tracks down its user location and further uses proximity data to check if a person is in the proximity of the infected person or not. Though the intention of the government appears to be good, the App suffers from certain serious drawbacks. The App is said to be violative of a range of rights including right to privacy and also has raised security concerns as it collects the user’s data such as your age, travel history, etc along with your location and stores it on the server in an unaccounted for manner.
Issues surrounding Arogya Setu
The data collection by this App has triggered a series of questions including: whether the data collected thereof is secured with government agencies? Whether the right to health of the public at large prevail over an individual’s right to privacy? Whether the right to privacy could be waived by the state to secure the right to health? These queries need immediate attention of the government when the App itself is argued to be the subject of varied sorts of security issues.
The NITI Aayog claims that the app deletes the data in 45 days from its server, if the user is not at risk, and in case if a user is at the risk of the virus, the data gets deleted in 60 days. But this does not include anonymized aggregated data, which is a privacy concern because there exists the possibility of de-anonymizing such data. Further, it is also not clear, whether the aforesaid deletion of data includes the deletion from the server or just of the device.
Also, the app links its user’s data to the phone number, which is not truly anonymized either. In addition to that, the App does not have any option to delete the account or data. Unlike Singapore’s Trace Together app, India’s Arogya Setu is not open-sourced which means that it has not been audited by an independent researcher. Niti Aayog also mentioned that there is an intention to make the app open-sourced but did not provide any specifics on that. As of now, the data is being stored on the amazon web server and is using google’s solution. Therefore it is hard to say that the access to such data is only with the government of India. Using such infrastructure is not a security risk but ideally, the data should be stored on the server which is hosted by the government of India. All these concerns show the risk factor involved in the working of App and with regard to the misuse of data collected thereof. Due to lack of technological developments, the government has not given commitment to ensure the data to be protected and hence the crucial personal information of people has been subjected to a very serious risk.
Conflict between Individual Privacy and Public Health
Apart from the risk factors involved in working of the App and security concerns with respect to chances of data being misused, another important aspect that needs to be considered is the individual’s right to provide his personal information via this App to the government as well as the chances of data being used for any other purpose than the purpose for which the individual has consented. Since, the right to privacy involves the right to choose, whom to provide a particular personal information and dissemination of such information thereof. This very right of choice making is being infringed by this App when the App was made compulsory to be installed by all the central government employees and the staff working in the government departments. In such a situation, the doctrine of reasonable restriction could be argued so as to justify the intrusion in right to privacy of an individual in order to attain the larger public interest. But, reasonableness of these restrictions depends upon the effective working of the App by taking all the security of an individual’s personal information into consideration. Here, the conflict has arisen between the right to wealth at one hand in the pandemic situation and right to privacy of an individual at other. This conflict calls for either legislative or judicial intervention.
Further, the aforesaid conflict becomes difficult to resolve for the want of explicit recognition of data protection laws in the country. By a nine-judge bench it has been held in the landmark case of Justice K.S. Puttaswamy (Retd) v. Union of India  that the right to privacy is a fundamental right guaranteed under Article 14, 19, and 21 of the Constitution of India, the concept of privacy remains a newer concept and has not gained a legislative framework till date. In the absence of a data protection legislation, the data collected during pandemic through this App is a matter of grave concern. The United State’s legislative framework provides explicit Rules  to provide national standards to protect medical records and other personal health information of an individual. These rules provide for the appropriate safeguards to protect the privacy of an individual. The rules thereof also set conditions and limits on the uses and disclosures that may be made of such information without authorization by the patient. India is also required to lay down legal policies and safeguards to ensure an individual’s autonomy in a similar line with the United States of America.
Even in the absence of an explicit legislative framework for data protection, right to privacy cannot be denied to an individual as fundamental rights are crucial for the democratic structure of our country. So, there is a need of identifying a midway to ensure the right to health of the public at large and right to privacy of an individual in cases like the ongoing pandemic situation. Nevertheless, the right to health needs to be protected and guarded but, the measures taken for this purpose are also subject to constitutional mandates and have to qualify the constitutional validity. It is no doubt for the larger public interest, certain individual rights may be restrained to attain the larger public interest goals but, such restrictions have to be critically analyzed in practical scenarios and not in theory when the manifest violation of fundamental rights appear in a given situation.
Thus, disclosure of a person’s health information is crucial to the right to privacy as it may lead to a certain kind of discrimination as well as stigmatization. On the other hand, providing blanket protection to all the information concerning health may negatively impact the conduct of public health research and practice. In such a situation the balancing of interest is required to be done by considering the right to privacy of an individual at one hand and tracking and surveillance of the spread of disease to enforce the right to health on the other. What needs to be considered here is the proportionality of relaxations with regard to provisions of privacy to ensure the major aim of public health.
- 1996 SCC (4) 37, JT 1996 (6) 43.
- (2017) 10 SCC 1.
- Health Insurance Portability and Accountability Act: Privacy Rules.
- Daniel Watenberg and W. Douglas Thompson, Privacy Versus Public Health: the impact of current confidentiality Rules, (March 2010), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC2820076/ (Last visited December 31, 2020).
BY RICHA GUNAWAT | SYMBIOSIS LAW SCHOOL, PUNE