The global coronavirus pandemic has ensured the destruction of the status quo in almost every domain of human activity. While countless lives and livelihoods have been destroyed and the crisis is picking up pace, governments and technology companies are busy chipping away at privacy rights. The over-reliance on data and the blind belief in one-stop technological solutions have prepared the stage for a proliferation of surveillance technologies making a springboard entry during the crisis.

It needs to be stated unambiguously that the protection of basic human dignities and upholding the right to privacy can go hand in hand with prevention and monitoring of the crisis. The prior existence of legal frameworks and guidelines ensuring due process and transparency, grievance redressal, and algorithmic accountability are the most important elements of any strategy that aims to preserve privacy rights of users. The adoption of this approach has been made necessary by the sensitive nature of health data and the myriad issues that arise in case of the data being misused.

The debate over the Aarogya Setu application has traversed through civil society vigil and undergone legal scrutiny by lawyers, privacy experts and academicians. Affidavits by experts, RTI requests and public interest litigations have played a significant role in expediting the processes safeguarding privacy vis-à-vis health records. Incidentally, developments in several courts may have led to the striking down of the directive pushing for the mandatory use of the app. The situation bears similarity with the Aadhaar case: the directive mandating the use of Aadhaar was changed from ‘mandatory’ to ‘voluntary’. However, in practice, the shift to a ‘voluntary’ form was, in effect, ‘mandatory’, and this has for long been challenged within different sector-specific laws in the courts. There is concern that the case of the Aarogya Setu app treads on the familiar path of the use of the app for allegedly unintended purposes. The app is now a permanent fixture in accessing public services such as air and train travel as well as for applications for e-passes to enable movement between cities.

More recently, there have also been such incidents as the demand for forceful registration on the app by residents’ welfare associations attempting to regulate the entry of individuals into residential spaces. A PIL was filed in Delhi by a citizen who was prevented from entering a privately-owned store for essential commodities in a mall because he had not downloaded the app. Reiterating the change in conditions of usage, the ministry of home affairs in an order on May 17, 2020 explicitly mentioned that the app should be used on the basis of “best efforts” by employers and that it “may be advised” to individuals by district authorities. In practice, drivers and delivery workers in app-based companies such as Uber, Zomato and others have been ordered to download the app. What must be noted is that their health data would also be accessible to companies. The secretary of the Indian Federation of App-Based Transport has said that a company can withdraw the provision of security and aid in case an employee tests positive for the virus. Such directives by private firms and the bartering of goods and services with civil liberties call for an enhanced role of the State in protecting citizens against lateral surveillance.

In India’s case, the biggest red flag is the absence of a data protection law. This means that the government is free to do as it pleases. The motive seems to be to create a nationwide dataset by accumulating demographic, health, location and contact data without any well-defined public health objectives. Such a step flies in the face of the recommendations of the Srikrishna Committee, the K.S. Puttaswamy judgment, the draft personal data protection bill and even the extant, but inadequate, sections of the Information Technology Act, 2000. There is no attempt by the government to obtain the explicit consent of users or data minimization to ensure only relevant data are collected. The absence of a sunset clause could mean the continued use of the database to identify and discriminate against people based on their health data even after the present crisis is over. Furthermore, there is a lack of clarity on access, sharing, storage and processing of such data.

The Aarogya Setu app puts a heavy burden on citizens while exonerating governments from being accountable to breaches of various kinds. Even as citizens are foregoing personal privacy in the larger public interest, ‘privacy’ needs to be given a central place within the data cycle.