Abstract
One of the major concerns for all countries presently dealing with the COVID-19 pandemic is to strike a balance between the privacy rights of citizens and public health surveillance, which in India is being done through Aarogya Setu and which is needed in the larger interest of society. A public health surveillance system, although well-intentioned, has to respect the privacy of the people. The Hon’ble Supreme Court of India has recognized the right to privacy as a part of the right to life under Article 21 of the Constitution of India in the Puttaswamy judgment.
In the absence of a comprehensive data protection framework in India, this paper analyses Aarogya Setu’s application and its privacy policy on the touchstone of the proportionality principle laid down in the Puttaswamy judgement, and through the lens of the Personal Data Protection Bill, 2019. It highlights how the Privacy Policy and Terms of Service result in a risk of establishing a surveillance framework that may outlast the need of the hour.
“Privacy has both positive and negative content: The negative content restrains the State from committing an intrusion upon the life and personal liberty of a citizen. Its positive content imposes an obligation on the State to take all necessary measures to protect the privacy of the individual.”
– Dr. Justice D.Y. Chandrachud
Keywords: Aarogya Setu, Data, Constitution, Privacy, Corona
Introduction
The British Mathematician, Clive Humby once famously observed that, “Data is the new oil.” Metaphorically, he explained that data is a resource, just like oil. It is useless in its unrefined form but becomes of enormous value once it is refined. Similarly, a lot of information can be extracted from data just as energy can be extracted from oil.
As society tussles to stay on top of the Corona Virus Disease (COVID-19) pandemic, there is a huge responsibility on governments to effectively deal with this public health crisis, in a manner that least hampers the freedom of its citizens. The use of technology under such circumstances cannot be denied, but the regulatory lacunae in India with respect to the use of such technology call for proceeding with caution.
Contact-tracing applications have been considered as a key way to maximise efficient and localised decision making in regards to the outbreak of COVID-19. Such applications have been adopted in several countries including India, which recently launched its ‘Aarogya Setu’ application. Many people are sceptical that these technological interventions, employed as extraordinary measures in the pandemic, may become a tool for the government through which they can intrude in our lives. The main concern for the use of technology in battling such public crises is the infringement of the privacy of citizens. In a trade-off between combatting a public health crisis affecting all, and securing the privacy of a few, the scales tip in favour of the former. However, this is not a zero-sum situation. Even in such emergencies, the authorities must ensure that privacy is not disproportionately infringed.
This paper deals with various angles related to the app, beginning with the legal framework surrounding the app. The app was brought under the National Disaster Management Act, 2005 (NDMA) by constituting a special executive committee for development of the app. The various controversies regarding the law behind the app and the constitutional bargain are discussed further in the paper.
The app raises various privacy concerns, and each concern is dealt with in detail in the paper. The major drawback for India regarding the introduction of a contact tracing app is the lack of a personal data protection bill, and issues regarding the same are also discussed. Justice BN Srikrishna, who chaired the committee for drafting the Data Protection Bill, also termed the compulsory use of the app “utterly illegal” and pointed out that the app was not brought under a proper law and therefore any protocol or guideline regarding the same is illegal.
Such an app has been introduced not only in India but in other countries as well. When discussing a global pandemic, it is necessary to discuss the international perspective regarding contact tracing apps and data privacy laws. Therefore, the international scenario regarding such apps and the viewpoint of international experts and analysts regarding the Aarogya Setu app are also covered.
What is Aarogya Setu?
The name Aarogya Setu means ‘bridge to health’ in Sanskrit. This contact tracing app was developed by the National Informatics Centre (NIC) of the Indian Government and lets one know of his interaction with another individual who could have tested positive for COVID-19 through a Bluetooth and location generated social graph. Previously, it was known by the name of ‘Corona Kavach’, an app which was upgraded to the present form.
Aarogya Setu, the official Indian open-source COVID-19 “Contact tracing, Syndromic mapping and Self-assessment” application,[1] was launched on 2 April 2020 for both Android and iOS users. The app was developed by the NIC, which comes under the Ministry of Electronics and Information Technology (MoEIT).[2] There doesn’t appear to be any particular legal framework that governs the app apart from a privacy policy and terms of service that have been updated a number of times.
The app notifies you if you have come into close proximity, even unknowingly, with a person who tests COVID-19 positive. These alerts also advise on how to self-isolate and on how to access help and support in case of development of symptoms. The MoEIT estimated the downloads of this app to have crossed 10 crores.
The app contains many sections which provide our status (regarding the proneness to the risk), COVID-19 updates, a self-assessment test, and an E-pass (if applied and made available). It also tells us how many Corona positive cases are present in a radius of 500m, 1 km, 2 km, 5 km, and 10 km from the registered user.
The application also saves this data and informs the administration about suspects’ movements.[3] In the Privacy Policy of the Aarogya Setu Application, Clause 1(d)[4] clearly states that the application will collect locational information of a user at every fifteen-minute interval. The application will also store the data about the places which the users visit. It further clarifies as to when this data will be uploaded to the server.
Though the government claims that all the data will be anonymised before storage, there is a debate among experts with regard to the technique used for the process. Data anonymisation is requisite in order to protect the identity of the users. However, the policy is silent in this regard.
The Right to Privacy
The concept of the right to privacy is a much more modern concept than that of privacy itself. In Olmstead v. United States,[5] Justice Louis Brandeis categorically argued that the most valued right by civilised men was the right to privacy. In similar terms, Winfield has denoted the right to privacy as the absence of unauthorised interference with a person’s seclusion of himself or his property from the public. This definition on the ground of unauthorised interference also manifests the legal appreciation of the individual personality.[6]
Given the value laid on the role of privacy in moral and legal argumentation, it is expected that assertions on this right are emblazoned in a prominent position in the legal documents of any nation or international arena. Under the modern legal structure, privacy is a combination of a person’s psychological needs and fundamental rights. However, in India, the right to privacy isn’t expressly mentioned under any specific legal statute. The judiciary, though, has played a significant role in this respect.[7]
India is a signatory to the Universal Declaration on Human Rights (UDHR) and the International Convention on Civil and Political Rights (ICCPR). Both of these documents recognise privacy as a fundamental right.[8] However, India does not have any particular law or statute guaranteeing the right to privacy to its citizens. In order to fill this lacuna, courts in India have tried to implement a right to privacy in favour of its citizens in two ways – first, by declaring the right to privacy a constitutional right, read as part of the right to life and personal liberty, and second, through a common law right to privacy which is present under tort law.
In reality, the right to privacy isn’t a very strictly enforced right in India and there are various exceptions to this right which have been carved out by the Courts. In the sphere of technology and communication relating to information, privacy has been secured through the Information Technology Act, 2000[9] (IT Act). Though this Act has been developed quite a lot, it fails to strictly secure privacy in cyberspace. Currently, the misuse of technology and invasion of the privacy of individuals are of major concern. Thus, there is a requirement to recognise the term ‘privacy’ and its position in the Constitution. Along with that, there is a growing need to understand how far privacy is protected in the field of information technology.
In accordance with international law, under the constitutional framework, privacy is identified as a fundamental right and its protection is mandatory in India. Thus, under exceptional situations, the appropriate authority has the power to give overriding effect to public grievance upon privacy of the individual. By upholding the current situation in Bhabani Prasad Jena v. Convenor Secretary, Orissa State Commission for Women,[10] the Supreme Court held that when there is a clear conflict between the right to privacy of a person to not submit themselves to forcible medical examination, and a duty of the Court to determine the truth on the basis of that medical examination, the Court must use its discretion only after balancing the interests of the parties. There must be due consideration of what is right for arriving at a just decision.
The Constitution of India includes the Right to Privacy under Article 21, which is a requisite of the Right to life and personal liberty. The very first instance of the argument about whether privacy is a fundamental right was in the case of M.P. Sharma v. Satish Chandra[11], where it was decided that the right to privacy will not be considered a fundamental right. The same was held in the case of Kharak Singh[12]. But after about eleven years, another case came up before the Supreme Court, Gobind v. State of Madhya Pradesh[13], in which it was decided that the right to privacy is inferred from Article 21, on the touchstone of personal liberty.
A historic turn was taken in the history of right to privacy, associated with the case of K.S Puttaswamy[14], in which, the judgement was passed by the top court that right to privacy is a fundamental right and will not lose its significance/status amongst the Golden Trinity of Article 14 (Right to Equality), Article 19 (Right to Freedom) and Article 21 (Right to Life and Personal Liberty).
With the constant evolution of the digital world, the government has been vigilant and particular in protecting the privacy of the data of its subjects. Since this right is emerging as one of the most crucial rights of this era, it is imperative for the governments to secure the rights of privacy as a lot of personal data is being obtained by both governmental and non-governmental organisations for various purposes.
History of Data Protection in India
As much as we use the internet, we create our digital footprints, which can hamper the expression of dissent and no democracy can afford that. An individual has the right to control one’s life while submitting personal data for any facility or service. The hallmark of freedom in a democracy is having the autonomy and control over our lives. Thus, it has been debated, that any app which tracks your location and notes who you have been in contact with, is a clear violation of privacy. There is widespread agreement that digital surveillance may be an efficient way to contain COVID-19, and at the same time, the ramifications of surveillance could lead to suspension of liberties.
India has a terrible history of data protection since the only provisions related to data protection are Sections 43A and 72A of the IT Act[15], supplemented by the Information Technology Rules, 2011[16]. Section 43A attaches civil liability for any breach, to a body corporate dealing with ‘sensitive personal information or data’, defined in Rule 3 to include health condition, among many others. Section 72A makes intentional disclosure of ‘personal information’ obtained under a contract, for wrongful loss or wrongful gain, punishable with imprisonment and fine. Rule 2(i) defines ‘personal information’ to mean information that relates to any natural person, which can identify such person. In addition, the disclosure of personal information given in confidence is considered an unfair trade practice under section 2(r) of the Consumer Protection Act, 2015.
The prominent ruling on privacy by the Supreme Court in Puttaswamy’s case[17] says, there should be a four-step process for the government to limit one’s privacy. Firstly, it must be coming from a law. Second is the necessity principle, i.e., for the achievement of a legitimate state aim. Third is the proportionality principle i.e., there must be necessary nexus between the aim and methods employed by the state. The fourth is safeguards i.e., each step violating privacy must be safeguarded, alongside grievance redressal systems. The Court also said if the person does not want to let the government process their data, they should have ‘opt-in and opt-out condition’.
However, the app has not deployed any opt-out measure, i.e., it lists nothing concrete pertaining to the deletion of the recorded data.
Health Data Protection Legislation in India
The continuous proliferation and evolution of new technologies expose the Electronic Health Records (EHR) of consumers, to an inordinate risk. Conceivably, it is the Digital Health Data (DHD), containing the personal health information of patients, which is vulnerable to serious risks of privacy and security.[18] While the use of DHD was promising enough to revolutionise the healthcare system in India, in addition to the personal information supplied voluntarily, online behaviour tracking is on the verge without informed consent of consumers.[19]
The porous interface between right to privacy and the need for medical treatment makes personal health data protection, a prime concern. A patient’s personal health information from his first admission/attendance at the hospital, to his final laboratory tests is entered and stored online at the point of care over the patient’s lifetime. The information is readily available and accessible by all healthcare providers in charge of the patient, however, the extent and nature of data collection is totally unprecedented. Not to forget, the potential risks which can arise when this information is pooled with other sources like drug companies, leading to manipulative marketing, data breaches, discriminatory profiling and re-selling of personal information in lieu of online trading activities.[20]
In 2015, the Ministry of Health and Family Welfare (MoHFW) published a note establishing a National Electronic Health Authority (NEHA) to ensure promotion and development of an e-health ecosystem in India. Acting on the same vision and mission, the Ministry, in March 2018, ratified the draft of the Digital Information Security in Healthcare Act (DISHA) in public domain. The intention behind DISHA was to establish NEHA and other health information exchanges, including the State Electronic Health Authorities (SEHA), standardising the process of DHD collection and ensuring the much needed privacy and security of DHD.
India’s current regulatory approach to this issue has been to draft its own data protection law, i.e. Data Protection Bill. The much awaited bill, which started its journey full of controversies, was expected to be approved by the end of 2019, however as one would say, India’s first attempt to nationally legislate a promising mechanism for data protection seems to be moving two steps forward and six steps backward.[21]
Till date, there is no statute in India which safeguards the healthcare data. India took the first step when the MoHFW proposed DISHA in March 2018. DISHA expects to be an enactment focussed on data protection, secrecy, and security. DISHA aims to appoint administrative specialists, both at the central and state level, to deliver the rights and obligations as given under the said legislation.
At the central level, the setting up of a NEHA was proposed, which would be the topmost authority dealing with setting standards, issuing guidelines, and regulating the collection, organisation, and transfer of the health data. At the state level, the SEHA will be answerable for guaranteeing that the necessities of DISHA are followed by the institutions.[22] DISHA is going with the consent-based approach, giving major rights to the owner of the data, where he can decide what should, and can be done with his personal data.[23]
Another draft that was proposed was the Personal Data Protection Bill, 2019 which would create the first cross-sectoral legal framework for data protection in India. This bill also deals with protecting the personal data of the individual. This bill is concerned with many other forms of data, one of them being, the health data. The health data comes under the head of ‘sensitive personal data’.[24] As the name itself suggests, the data of such special nature must be treated with utmost care and caution. The authorities under this regime have a duty to protect the data and the principal-agent giving the right to access, erase, and correct the personal health information.[25]
Both the bills were introduced for protecting the personal healthcare data, however, these legislations have not been implemented yet. The reason being, the increasing concern regarding security as the principle of privacy; this principle has been developed over a period of past few years. In line of this, the Apex Court propounded that ‘The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21’.[26]
The present legal provisions dealing with such protections clearly provide that whenever a body corporate possesses or handles any sensitive personal data or information and is negligent in maintaining security to protect such data or information, thereby causing wrongful gain or loss to any individual, such body corporate will be liable to pay damages.[27] However, the major drawback is that it deals only with ‘corporate bodies’ and is not sufficient to cover the entire data dominion.
The Proportionality Principle and Personal Data Protection Bill, 2019
Due to the lack of a comprehensive data protection legal framework in India, the only authoritative standards are the principles propounded in the Puttaswamy judgement[28]. Nonetheless, the Personal Data Protection Bill, 2019 (PDPB) is analysed for the application through the proposed legal provisions.
In Puttaswamy, the Supreme Court recognised data protection as a vital part of information privacy. It stated that any infringement of such privacy must fulfil three requirements, namely – the existence of a valid law, a legitimate state interest in pursuing that course of action and that the infringement of privacy must be proportionate to the objective sought. Any means of achieving state interest would be considered proportional if it was the least-restrictive means to achieve that goal and did not have a disproportionate impact on the right holder.
The PDPB comprehensively lays down the rights and duties of the Data Principals, Data Fiduciaries, and Data Processors. It holds the Data Fiduciary accountable for compliance with the Bill, which contains detailed provisions for consent of the Data Principal for data processing, data retention, purpose of collection of data, and transparency in the processing of data. Thus, the Aarogya Setu application can be considered a proportionate infringement of the right to privacy of individuals if it is sanctioned by law as a means of securing a legitimate objective and follows the principles of data protection.
Privacy Concerns Surrounding The Aarogya Setu App
Arnab Kumar, the head of the project, had stated that the app was built in accordance with the standards of the draft data privacy bill, which is currently in the country’s parliament, and access to the data it collects is strictly controlled.[29] Such data ‘is encrypted using state-of-the-art technology and stays secure on the phone till it is needed for facilitating medical intervention.’[30] However, when the app was first introduced and even now, political leaders, experts and human rights organisations have expressed several criticisms and highlighted a number of privacy concerns, some of which are as follows:
1. Mandatory usage of the App
Experts have noted that India is currently the only democratic nation in the world that had made its coronavirus tracking app mandatory for a significant portion of its population for some time.[31]
The Internet Freedom Foundation pointed out: “Critically, India lacks a comprehensive data protection law, surveillance and interception laws, or any meaningful proposals for meaningful reform.[32] In domains like disaster relief most apps which are purported as ‘contact tracing’ technologies, they often devolve into systems of movement control and lockdown enforcement.”
The Prime Minister’s Office had made the use of the app mandatory for all private and public sector employees. Food delivery start-ups like Zomato and Swiggy have also made the app mandatory for all their staff.
The word ‘mandatory’ has since been dropped, but use of the app was mandatory for a long period, during which the app was pushed into the lives of millions through different ways.
2. Using Bluetooth and Global Positioning System (GPS)
Aarogya Setu makes use of the phone’s Bluetooth and GPS which ‘stores both location data and requires constant access to the phone’s Bluetooth,’ to track the user’s movement, making it more invasive than other such apps.[33]
On 11 May 2020, the MoEIT published a notification- the Aarogya Setu Data Access and Knowledge Sharing Protocol.[34] This allowed it to collect demographic, contact data, self-assessment and location data of individuals infected by the virus or those who come in contact with the infected persons.
The app also does not specify exactly which government departments will have access to the database; the protocol only says that data can be shared with the Indian government, and “other necessary and relevant persons as may be required”[35]. All the agencies with whom the data is shared must use it only for the purpose for which it has been specified and delete it after 180 days. There is also a concern that health surveillance, which is a necessity in a pandemic, can soon evolve into ‘mass surveillance’.[36]
Minimum standards of transparency are a must where people’s personal information is in the hands of the government in the form of so-called anonymous datasets.
3. It is not Open Source
Until recently, the Aarogya Setu app was not open source, meaning that the code for the app was not available to the public despite the government’s policy. Baptiste Robert, an ethical hacker and cyber security researcher who famously goes by the name Elliot Alderson, has said that if the government forces citizens to install an app by law, the least it can do is open source its code. Since the app was not open source, its flaws could not be reviewed and corrected by third parties.[37]
Making the source code public enhances transparency, and this also improves security as the code is open to the community for audit.[38] The app primarily collects personal data from user cell phones, and these are an immense repository of personal data of users and sometimes of a user’s contacts and acquaintances. In this scenario, keeping the source code of such an app exclusive is not advisable.
Further, even though the Copyright Act, 1957[39] enables the lawful possessor of the program to reverse engineer the lawfully obtained computer program, clauses of Aarogya Setu application restricted it.
Contrast this with Singapore’s ‘Trace Together’ app and the contact tracing app used by United Kingdom’s National Health Services, which were both open sourced.
On 26 May 2020, the MoEIT announced that the software had been made open source for the Android version and was open for review and collaboration.[40] A few weeks later the iOS version was also released.
4. The lifespan of the app and its data systems
Initially, the response data (demographic, contact, self-assessment data) was deleted on a rolling basis, 60 days for infected individuals and 30 days for healthy individuals, and the personal information was to be removed from the server after 45 days. Later, according to the new protocol of the government, it was notified that the data will be permanently deleted after 180 days. Also, individuals can seek deletion of the demographic data within 30 days on request basis. The government protocol also allowed it to hold on to the data beyond 180 days if a specific recommendation is made by an empowered group on technology.[41]
The main loophole was that there was no mechanism for individuals to check whether or not the personal information is deleted, and there is no means of transparently auditing what the app is doing in the backend. To avoid the repressive measure of the government, individuals are filling in incorrect data and there is no means to verify it; thus the efficacy of the data is questionable.
The government is silent regarding the lifespan of the app. No public sunset clause has been added stating when the app will stop being mandatory. The government can subsequently also make the application a pre-requisite to citizens’ accessibility to basic services. This is similar to the Aadhar scheme, which was voluntary initially but was later made mandatory for citizens to avail the benefits of government schemes. This continued till the Supreme Court intervened.[42]
The scheme of the application appears to be trading the rights of citizens (such as right to autonomy, privacy and freedom of movement) in exchange of basic services, and can be rightly termed as an unconstitutional barter in view of the fact that users would not have foreseen such consequences while downloading the application and further because their consent was obtained without providing them with this information.[43]
5. No Liability
According to the app terms and conditions “the user agrees that the Government of India will not be held liable for any unauthorised access to your information and modification thereof”. It means that the Government will not be held liable even if the personal information of the user is leaked. It also limits the government’s liability if the app provides inaccurate information or shows false positives.[44]
This also goes against the provisions of the IT Act and the proposed PDPB, as the app service provider would fall under the definition of an intermediary and is obligated to ensure the security of the data collected and is liable for loss of it under the intermediary guidelines.
Critical Analysis of the App
In August 2017, the Supreme Court of India held the right to privacy to be a fundamental right. Still, citizens suffer from the threat to data privacy since the government has no clear legislation on privacy to monitor data protection. A committee headed by Justice Srikrishna submitted a report in July 2018, followed by a draft of the Data Protection Bill. The committee recommended several rights for the data principal (whose personal data is collected), from revoking consent granted for processing data and notifying a breach to having their incorrectly processed data rectified by the authorities. Despite there being a draft bill, there is still a void in the legislation regarding privacy because the bill is yet to be approved in the parliament.
The lack of personal data protection regulation gives the government powers of surveillance. The IT Act, for instance, allows widespread communications interceptions by the government in the event of a security or national threat. Given these powers of the state, the worry is that Aarogya Setu could become a citizen-surveillance tool.
A protocol was issued by the government for Aarogya Setu which set forth the principles for collecting and processing of data. The protocol is an order by the Empowered Group on Technology and Data Management set up by the National Executive of the Disaster Management Act.
Justice Srikrishna, in relation to the protocol, pointed out that such an order is issued at the executive level and is not backed by Parliamentary legislation, which holds more backing of law. As per Entry number 97 of the Seventh Schedule of the Constitution of India, a legislation on data collection and use would be covered only by the Union list, and thus, only the Parliament would have the power to legislate on such a subject.[45] In view of the same, the NDMA cannot be used to formulate guidelines on data collection and use. Therefore, such an action suffers from excessive delegated legislation ‘horizontally’.
Also, the NDMA has no provision for the constitution of an empowered group, so the legal basis of the order is in question. The provisions are vague in terms of the liability they create, as to who should be held accountable in case of a data breach. Justice Srikrishna also recommended tracing the app back to the Personal Data Protection Bill through an appropriate amendment. The bill does have an enabling provision which best suits the scenario of COVID-19, under Section 12, which allows collection and use of such data in exceptional circumstances even without consent. Despite there being a legislative void, the government is collecting data under Section 10(2)(1) of NDMA, which allows the government to formulate guidelines on any domain of law with no restrictions in the name of disaster management.[46]
On 1 May 2020, the Ministry of Home Affairs notified through the guidelines that the Aarogya Setu App has been made mandatory for employees of private and public sector offices. It also asked local authorities to ensure 100% coverage of the app in containment zones. The guidelines were issued by the National Executive Committee set up under the National Disaster Management Act (NDMA), 2005. Justice Srikrishna termed the government’s push of mandating the use of the Aarogya Setu app “utterly illegal”.
Justice Srikrishna said that the guidelines cannot be considered as having sufficient legal backing to make the use of Aarogya Setu mandatory. Both pieces of legislation, i.e. the National Disaster Management Act and the Epidemic Diseases Act, are for a specific reason, and the national executive committee cannot be considered a statutory body.
Global Viewpoint
India is not the first country to deploy technology for coronavirus contact tracing; other countries like China, the US, Singapore, Hong Kong and various European countries have such apps. Many fear that in a country like India, with no meaningful anti-surveillance, privacy or data protection laws, it will have a sinister implication.
Famous Indian author Arundhati Roy has stated that, “The coronavirus is a gift to authoritarian states including India”. She also explained it with an analogy stating that pre-corona the country was sleepwalking into a surveillance state and now the country is panic-running into super surveillance state.[47]
MIT University has reviewed the Aarogya Setu app to understand how effective the app is, whether it is safe to use, and how it compares to other contact tracing apps that are being used in different parts of the world. The policy of the app suggests that the app is voluntary, but later the app was made mandatory and thus India became the only democratic nation in the world to have such a mandate. Another concern raised was accessibility: it was not clear who gets access to the data. The policy of the app is not transparent, and the icing on the cake is the lack of a national data protection law. French ethical hacker Alderson presented the mandatory use of such a contact tracing app as a work of repression and not a success story.[48]
Conclusion
Consumer privacy in the context of healthcare is extremely vital. The amount of consumer health data being collected is increasing exponentially, and very little is known about the extent to which this data is being shared with third parties, especially when we are dealing with an invisible enemy in the form of COVID-19.
Some well-renowned commentators like Edward Snowden and Yuval Noah Harari have already warned the world that increasing surveillance to tackle the present healthcare crisis can make the surveillance state the ‘new normal’, thereby threatening the privacy of the people. A responsible and democratic state will collect only as much information as is needed for achieving the specific objectives and, once the objectives are achieved, shall delete such data.
While DISHA and NEHA sound promising enough, their implementation and enforcement remain chiefly untested, not to forget the Personal Data Protection Bill of 2019, which still remains a hesitation. Implementing DISHA and NEHA as a regulatory response would make India a front runner in the regulation of healthcare data in this crucial hour, when governments all around the globe are still scrambling to narrow down a proper definition of ‘personal information’ in their respective legislations, along with the rights over and controlled access to such information.
Since India is stepping up to create an overarching legislation on data privacy and security, the timing of both the drafts seems questionable. If such a lack of coordination and inconsistency exists between the ministries, it could lead to irregularities athwart sectoral regulations of health data and also set India back in the race towards attaining the much awaited ‘culture of privacy’.
[1] Press Release, Ministry of Electronics & Information Technology, 26 May 2020: https://static.mygov.in/rest/s3fs-public/mygov_159050700051307401.pdf.
[2] Aarogya Setu App: COVID-19 Tracker Launched to Alert You and Keep You Safe, NATIONAL INFORMATICS CENTRE, MINISTRY OF ELECTRONICS & IT, https://www.mygov.in/task/aarogya-setu-app-covid-19-tracker-launched-alert-you-and-keep-you-safe-download-now/.
[3] Press Information Bureau, ‘Government of India launches Aarogya Setu App to track Covid-19 infection’ (Press Information Bureau, 2 April 2020) <https://pib.gov.in/PressReleaseIframePage.aspx?PRID=1610326> accessed 25 November 2020.
[4] Ministry of Electronics & Information Technology, Aarogya Setu Privacy Policy, April 2, 2020, https://static.mygov.in/rest/s3fs-public/mygov_159051645651307401.pdf.
[5] Olmstead v. United States, 277 US 438 (1928).
[6] P. Ishwara Bhat, Fundamental Rights- A Study of their Interrelationship 324 (2004).
[7] A.M. Bhattacharjee, Equality, Liberty and Property under the Constitution of India 104, 105 (1997).
[8] Universal Declaration on Human Rights, G.A. Res. 217A, U.N. Doc. A/810 (December 12, 1948) Article 12; International Covenant on Civil and Political Rights, December 16, 1966, UN Doc. A/6316 (1966), Article 17.
[9] The Information and Technology Act, No. 21 of 2000.
[10] Bhabani Prasad Jena v. Orissa State Commission for Women, (2010) 8 SCC 633.
[11] M.P. Sharma v. Satish Chandra, AIR 1954 SCR 1077.
[12] Kharak Singh v. State of Uttar Pradesh, AIR 1964 (1) SCR 332.
[13] Gobind v. State of Madhya Pradesh, (1975) 2 SCC 14.
[14] K.S Puttaswamy & Anr. v. Union of India & Ors., (2017) 10 SCC 1.
[15] The Information and Technology Act, No. 21 of 2000, §43A & §72A.
[16] The Information Technology (Reasonable Security Practices and Procedures and sensitive personal data or information) Rules 2011, F. No. 11(3)/2011-CLFE.
[17] Supra note 14.
[18] Fouzia F. Ozair and others, ‘Ethical Issues in Electronic Health Records: A General Overview’ (2015) (6)(2) PICR <http://www.picronline.org/temp/PerspectClinRes6273-5763666_160036.pdf> accessed 20 November 2020.
[19] Stephen Corones and Juliet Davis ‘Protecting Consumer Privacy and Data Security: Regulatory Challenges and Potential Future Directions’ (2017) 45 Fed L Rev 65.
[20] Kathryn C. Montgomery and others, ‘Health Wearable Devices in the Big Data Era: Ensuring Privacy, Security, And Consumer Protection’ (CDD Report, 2017). https://www.democraticmedia.org/sites/default/files/field/public/2016/aucdd_wearablesreport_final121516.pdf accessed 2 November 2020.
[21] Rudra Srinivas ‘All You Need to Know About India’s First Data Protection Bill’ (CISOMAG, 3 January 2020) <https://www.cisomag.com/all-you-need-to-know-about-indias-first-data-protection-bill/> accessed 20 November 2020.
[22] Milind Antai and others, ‘DISHA the First Step towards Securing Patient Health Data in India’ (Mondaq, 3 August 2018) <https://www.mondaq.com/india/healthcare/723960/disha-the-first-step-towards-securingpatient-health-data-in-india> accessed 20 November 2020.
[23] Digital Information Security in Healthcare Act, 2018, §28.
[24] The Personal Data Protection Bill (2019), cl 3(36)(ii).
[25] The Personal Data Protection Bill (2019), cl 17 and 18.
[26] Supra note 14.
[27] The Information Technology Act, No. 21 of 2000, §43A.
[28] Supra note 14.
[29] Aarogya Setu: Lack of Data Privacy Laws, Transparent Policies Make App Worrisome, Say MIT Researchers, FIRST POST (May 11, 2020, 13:08 PM), https://www.firstpost.com/tech/news-analysis/aarogya-setu-themandatory-contact-tracing-app-of-india-gets-reviewed-by-mit-university-here-is-what-they-think-8354661.html.
[30] Ibid.
[31] Patrick Howell O’Neill, India Is Forcing People to Use Its Covid App, Unlike Any Other Democracy, MIT TECHNOLOGY REVIEW (May 7, 2020), https://www.technologyreview.com/2020/05/07/1001360/india-aarogya-setu-covid-app-madatory/.
[32] Is Aarogya Setu privacy-first? Nope, but it could be– If the government wanted. #SaveOurPrivacy, INTERNET FREEDOM FOUNDATION, https://internetfreedom.in/is-aarogya-setu-privacy-first-nope-but-it-could-be-if-thegovernment-wanted/.
[33] Andrew Clarance, Aarogya Setu: Why India’s Covid-19 Contact Tracing App Is Controversial, BBC NEWS (May 15, 2020), https://www.bbc.com/news/world-asia-india-52659520.
[34] Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020, https://perma.cc/WPH6-S6CY.
[35] The Aarogya Setu Privacy Policy, cl 2(a).
[36] Anand Venkatanarayanan, Op-ed, Covid-19: How the Aarogya Setu App Handles Your Data, BLOOMBERGQUINT (Apr. 17, 2020, 12:46 PM), https://www.bloombergquint.com/coronavirus-outbreak/covid19-how-the-aarogya-setu-app-handles-your-data.
[37] Neerad Pandharipande, ‘Indian Govt Should Convince Public on Aarogya Setu’s Efficacy rather than Forcing It on Them’: Cybersecurity Expert Elliot Alderson Tells Firstpost, FIRSTPOST (May 23, 2020, 15:06 PM), https://www.firstpost.com/india/indian-govt-should-convince-public-on-aarogya-setus-efficacy-ratherthan-forcing-it-on-them-cybersecurity-expert-elliot-alderson-tells-firstpost-8400371.html.
[38] Clarance, supra note 33.
[39] The Copyright Act, No. 14 of 1957, §52(a).
[40] Press Release, Ministry of Electronics & IT, Aarogya Setu Is Now Open Source (May 26, 2020, 20:18 PM), https://pib.gov.in/PressReleasePage.aspx?PRID=1626979.
[41] The Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020, Protocol 5(e).
[42] Supra note 14.
[43] Venkat Ananth, ‘Aarogya Setu’s Not All That Healthy for a Person’s Privacy’ The Economic Times (15 April 2020) <https://economictimes.indiatimes.com/tech/software/aarogya-setus-not-all-that-healthy-for-a-persons-privacy/articleshow/75112687.cms> accessed 20 November 2020.
[44] Aarogya Setu Terms & Conditions, Term 6, https://aarogyasetu.gov.in/terms-conditions/.
[45] Constitution of India, Entry 97, Seventh Schedule (1950).
[46] National Disaster Management Act, Section 10(2)(1), (2005).
[47] Hannah Ellis Peterson, India’s Covid-19 app fuels worries over authoritarianism and surveillance, THE GUARDIAN (May 4, 2020), https://www.theguardian.com/world/2020/may/04/how-safe-is-it-really-privacy-fears-over-india-coronavirus-app.
[48] Patrick Howell O’Neill, India Is Forcing People to Use Its Covid App, Unlike Any Other Democracy, MIT TECHNOLOGY REVIEW (May 7, 2020), https://www.technologyreview.com/2020/05/07/1001360/india-aarogya-setu-covid-app-madatory/.



