Flattening the curve, washing hands and social distancing have become the norme du jour. In a post-pandemic world, one of the many suggested ways to isolate, mitigate and stop the spread of this virus is to trace who travels where and who they meet- contact tracing. India introduced its contact tracing app in their first phase of lockdown to get ahead of the curve and this post attempts to understand the situation in light of the current regulatory regime.
What is a Contract Tracing Application?
In the world of connected devices and the ubiquitous smartphones, smart technology stepped in and provided a technological upgrade to manual contact tracing. A Contact Tracing Application (CTA) is an app on mobile devices that send alerts when one has been in contact with someone, who in future tests positive, after which necessary steps can be taken. The benefit of this app is that it does not rely on human memory of who they met or came in contact with. In simple terms, it collects the information from the mobile devices based on GPRS and/or Bluetooth data as to what movement has occurred and who was in that vicinity.
Reasons for the App
The reasons for using technology is a sense of ease of tracing and obtaining location to isolate, mitigate and stop the spread of this virus. However, the reasons for not wanting such apps is understandable in the minds of minority communities, or LGBTQ+ community (In 2018 the Supreme Court of India decriminalised homosexuality but did not legalise same sex marriages.) The lack of trust in the government and the historic misuse of data (the leak of Aadhar data) add to not wanting such an app.
Furthermore, most people do not read privacy policies or truly understand the permissions that they give. This post attempts to provide this information in an easy and simple manner to current and future users of these apps. This post studies the CTA in India to provide more clarity.
Aarogya Setu (Translates to ‘bridge for health’) is available since 2 April 2020. This application was developed by the National Informatics Centre, an office under the Ministry of Electronics and Information Technology, Government of India. On 26 May they released a statement reading “The key pillars of Aarogya Setu have been transparency, privacy and security and in line with India’s policy on Open Source Software, the source code of Aarogya Setu has now been made open source.” Interestingly, this was made open after the MIT Review, which has been keeping detailed track of these apps, downgraded the app from 2 stars to 1 due to data collection and storage.
Voluntary or Mandatory
The use of the app has changed in its status from being made mandatory to voluntary. On 29 April, The Government of India, made the downloading of the app mandatory for all central government staff. On 1st May (with effect from 4 May) an order by the Government stated that local authorities “…shall ensure 100% coverage of the Aarogya Setu App amongst its residents of containment zones…” i.e., making it mandatory for residents in certain designated areas, deemed as ‘red’ and ‘orange’ containment zones depending on the extent of the spread. On 17 May (with effect from 18 May) the Government issued another order, which stated that “…employers on a best effort basis should ensure that Aarogya Setu is installed by all employees having compatible mobile phone” which to a large extent made it advisable by using the term ‘best effort basis” rather than ‘shall’. Furthermore, as on 12 June, the app has been made optional and is not mandatory for air travel, by the Central Government of India, showing the dynamic nature and use of the app.
India’s current state of the law in relation to data protection stands in the form of the Personal Data Protection Bill, 2019. This bill was drafted along similar lines of the GDPR. However, there are certain aspects of the bill that are similar and different to the GDPR when compared. This section analyses the bill in light of CTAs.
- The bill and not an act- The Personal Data Protection Bill has been tabled in parliament on 11th December 2019. The Joint Parliamentary Committee (a committee consisting of members from both houses of Parliament) has analysed it from 17 December 2019 in consultation with experts and stakeholders. An earlier draft of this bill, Personal Data Protection Bill, 2018 was missing certain key elements (for example the right to be forgotten or federal exemption of government agencies) which were added to the new draft of the bill. This bill was to follow the lines of the GDPR and is India’s attempt at having privacy laws for its citizens after it was made a fundamental right (Right to Privacy is a fundamental right for Indian citizens under the Constitution of India (mostly under Article 21 and additionally under Part III rights))
- Anonymisation and privacy are fundamental – The app is based on features of confidentiality and security of information; encryption in transit; uploaded to the cloud server. These conditions are also essential parts of the personal data protection bill. The app also anonymises the data and the personal data protection bill. These essential elements of the app make the bill so much more crucial to become and act and be made applicable.
- Personal data v. sensitive data- The bill goes a step ahead of the GDPR and states explicitly what personal data and sensitive data are. This categorisation is important as sensitive data is a subtype of personal data and its presence makes it easier to categorise and protect certain kinds of information. For example, the health data collected through the app falls under sensitive personal data and is thus awarded further protection in comparison to personal data, providing more security with sensitive information and enhancing trust and security to use this app.
- Response to epidemics (section 15(b) and 21(b) of the bill)- Both personal data and sensitive data can be processed during an epidemic. However, under section 21(b) processing of sensitive data during an epidemic- only certain kinds of specified data (Passwords, financial data, health data, official identifiers, genetic data, and biometric data) can be processed. This specification indicates the sensitivity even during an epidemic.
Effectiveness of the app
As of 26 May, the app has crossed 115 million downloads(across all platforms) a seemingly large number. However, the population of India is 1.3 billion, which means that the app has been downloaded by approximately 8 percent of the Indian population. As of 2019, 420 million people had mobile phone internet. If only that population is considered, then this is still only 27% of the population that has mobile phone internet which has downloaded the app. This is the penetration of the app even after the app was initially made mandatory (a status now changed to advisable).
Also as of 26 May, the NITI Aayog CEO, Amitabh Kant, had stated that the app has been able to identify « more than 3,000 hotspots in 3-17 days ahead of time. » Now what these hotspots are, how they have been handled and more information in this regard is not yet available due to continuous developments.
There will always be a percentage of the population apprehensive about using these apps. With this post people are informed about what they are agreeing to, so they make informed decisions. This is a large social experiment and we must follow through to obtain results.
Posted by Pratiksha Ashok (PhD Researcher, UC Louvain)
Pratiksha joined the PROSECO (Platform Regulation and Operations in the Sharing Economy) Project in November 2019 as a PhD Researcher working under the supervision of Prof. Anne-Lise Sibony and Prof. Alain Strowel. She completed her Bachelor’s in Business Administration and Law in 2017 at Christ University, India where she continued to pursue her LLM in Corporate and Commercial Laws. She has written two theses on “A Paradox between Party Autonomy and Public Policy” and “Corporate Criminal Liability”. She is also a member of the Karnataka State Bar Council, India 2017, and the Bar Council of India, 2018. In July 2019, she graduated from The University of Cambridge with a Master of Corporate Law.