Aarogya Setu: An Analysis of the Data Access and Knowledge Sharing Protocol, 2020

Updated: Aug 15, 2020

Author: Simran Saluja

Bharti Vidyapeeth New Law College, Pune


Aarogya Setu is a mobile application launched as India's technological tool to fight the novel Coronavirus disease (COVID-19). The app relies on contact tracing, which means that it helps to identify people who are likely to be carriers of the disease. While earlier methods of contact tracing required physical interviews with people, mobile technology has made the task much easier and safer.

The use of such applications, however, has raised various privacy concerns. Ever since the app was launched, there have been several concerns about the extensive collection of data and its use, mainly in the absence of any clear legal basis or legislative framework to address these growing issues.

The Ministry of Electronics and Information Technology (MeitY) on May 11, 2020, notified the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020. With this Protocol, the government attempts to answer general queries surrounding the collection and use of data. However, the legal basis for the collection and end-use of the data remains ignored.

The invasion of privacy by such collection of data can be justified only if it satisfies the three-fold requirement enunciated by the Apex Court in Justice KS Puttaswamy (Retd.) v. Union of India. The Protocol, which is in essence an executive order, does not even fulfil the primary requirement of legality, which postulates that there must be a law in existence to justify an encroachment on privacy. An executive notification cannot be used to encroach on fundamental rights. Only legislation or an Ordinance (when Parliament is not in session) that provides a legal framework for the app can fulfil the legality requirement.

Definitions under the Protocol

One area in which the Protocol does well is in clearly defining the key terms throughout, unlike the privacy policy of the app. “Appropriate health responses” are defined to include prevention and management of the COVID-19 pandemic, syndromic mapping, contact tracing, communication to an affected individual or an individual whose family is at risk, and the performance of statistical analysis, clinical research, formulation of treatment plans or other clinical and public health responses related to the redressal and control of the COVID-19 pandemic. The definition of “individual” includes those who are infected, at risk of being infected, or who have come into contact with infected people. While this definition is a welcome clarification, it is nonetheless not clear why it was adopted, considering that the data of "all" users of the app is collected. “Response data” is the umbrella term used for all data collected via the app. Within its broad coverage, this includes demographic data, contact data, self-assessment data and location data. This division of data into different classes helps to identify the data being collected, but throughout the Protocol the use of data is expressed in terms of the umbrella term "response data" and not its particular classes. Though the meaning of each of the constituent classes of response data is self-evident, the terms have nonetheless been defined under the Protocol, which is encouraging from a privacy perspective.

Assignment of responsibility

Which ministry or government department was in charge of managing the operation of the app and enforcing any claims was unclear before the launch of the Protocol. The Protocol has clearly established MeitY as the authority responsible for its enforcement. However, the Protocol also lays down that MeitY shall act under the overall direction of the Empowered Group 9 on Technology and Data Management (“Empowered Group”), which has been formed through the National Disaster Management Authority.

Collection and processing

The Protocol adopts proportionality and purpose limitation for the collection of data and its use. It provides that the response data will be collected in a proportionate manner and will be used strictly for the purpose of formulating appropriate health responses. The collection of contact and location data on the device by default is a step in the right direction. This data will also be uploaded to the server for appropriate health responses.

Data sharing principles

The sharing of data with ministries, health departments and government bodies has also been categorised by the Protocol.

Sharing of personal data

Response data containing personal data shall not be shared with the concerned government departments unless such sharing is strictly necessary to formulate or implement an appropriate health response. It would be a privacy-positive step to limit the sharing of personal data to the Ministry of Health and Family Welfare and health departments. However, including “other Ministries and Departments of the Govt. of India and State Governments…” does not appear to fare well under the proportionality test, because the benchmarks for such strict necessity, or for when this clause could be invoked, have remained unclear. It would have been a better approach if ministries and departments other than health were given access to personal data only in cases of essential need.

Sharing of de-identified data

Where assistance in formulating a critical health response is needed, response data shall be shared in de-identified form. It is pertinent to note here that the term "critical health response" used for this purpose is vague. The term "de-identified data" is defined under the Protocol and is not the same as anonymised data, which is a term used under the Personal Data Protection Bill, 2019. De-identified data has been defined to mean data that has been stripped of personally identifiable data and has been assigned a randomly generated ID. Further, the National Informatics Centre has been put under a duty to maintain a record of data sharing. This includes a broad range of documentation, such as when the data was shared, with whom it is being shared, the categories of data being shared, and the purpose of the sharing.

Obligations of entities with whom data is being shared

A strict purpose limitation has been placed on any entity with whom data is shared. Further, data shall not be retained beyond a maximum ceiling of 180 days in any manner. The entity receiving response data is moreover barred from sharing the data further with any third party, unless necessary. Any third party with whom such data is shared shall be subject to the same obligations as apply to the entity sharing it.

Violations

The Protocol states that any violation of the directions thereunder will be punishable under Sections 51 to 60 of the Disaster Management Act, 2005 (DMA). It is interesting to note, however, the interplay of this provision with paragraph 6(d) of the terms of use of the app, which releases the administrators from any liability in case of unauthorised access to data or modification thereof. Until this head-on conflict is resolved by amending the terms of use of the app, it remains to be seen how violations of the Protocol will be addressed. In addition, under the DMA, an offence for an invasion of privacy could be made out only under Section 51(b), which lays down the offence of refusal to comply with any direction given by the authority without reasonable cause. Where this offence is committed by any department of the government, it would fall under Section 55 of the Disaster Management Act, under which the head of the concerned department is deemed guilty of the stated offence. Accordingly, no prosecution can be instituted under Section 55 without the previous sanction of the Central or State Government, as the case may be.





