Reviewed by MediaNama, both RTIs sought answers on the data sharing protocols instituted by the Union to reportedly govern COVID-19-related personal and non-personal data collected by the Aarogya Setu app.
According to the Economic Times, an NIC official stated that the Protocol was lapsed as it had ‘lost its relevance (..) Aarogya Setu is transitioning to a national health app [from a contact tracing one].’ As MediaNama reported a few years ago, this echoes concerns that the ‘Aarogya Setu app would be repurposed for other purposes after the pandemic is dealt with, including becoming the first building block of the India health stack.’
Introduced on May 11th, 2020, the Protocol allowed for the retention of ‘contact, location, and self-assessment data [collected by the app] for up to 180 days.’ Later on in the year, however, the Ministry of Electronics and Information Technology announced the Protocol’s extension beyond November 2020, until May 10th, 2021. An RTI response from last September revealed that the Protocol had been further extended until May 10th, 2022, ‘in view of the ongoing pandemic’.
Never miss out on important developments in tech policy, whether in India or across the world. Sign up for our morning newsletter, with a “Free Read of the Day”, to experience MediaNama in a whole new way.
Why it matters: The Protocol’s data collection practices have been criticised for falling ‘short of principles of legality, necessity and proportionality,’ which poses serious harms to the privacy of the many users who have signed up for it. As per the June 8th RTI response, Aarogya Setu had 21,60,82,111 registered users as of May 20th, 2022. Even if the Protocol has lapsed, the government’s response to IFF’s RTIs does not clearly describe how data collected so far is being accessed, managed or deleted, leaving privacy concerns largely unanswered.
What Else Did the RTIs Reveal?
‘(b) All personal information collected under Clauses 1(b), 1(c), 1(d) and 1(e) will be retained on the mobile device for a period of 30 days from the date of collection after which, if it has not already been uploaded to the Server, will be purged from the App. All information collected under Clauses 1(b), 1(c), 1(d) and 1(e) and uploaded to the Server will, to the extent that such information relates to people who have not tested positive for COVID-19, will be purged from the Server 45 days after being uploaded. All information collected under Clauses 1(b), 1(c), 1(d) and 1(e) of persons who have tested positive for COVID-19 will be purged from the Server 60 days after such persons have been declared cured of COVID-19.’
‘Deleting the app will delete all the information collected and stored on your phone but will not delete any information stored on the cloud. If you wish to delete the registration information referred to in Clause 1(a) and stored on the backend servers, you may cancel your registration. Once you confirm that you want to cancel registration, all the information you had provided to us under Clause 1(a) will be deleted after the expiry of 30 days from the date of such cancellation.’
The June 8th response further added that the government neither had information on the app’s most recent feasibility report on record, nor a list of research institutions that its data had been shared with. The follow-up response, on the other hand, stated that ‘no data has been shared as per the Aarogya setu data access and knowledge sharing protocol.’
What Were the Concerns Surrounding the Protocol?
Concerns raised by the Internet Freedom Foundation in the past include:
- The Protocol fails to offer a legislative foundation for Aarogya Setu. This is of concern as the State cannot curtail fundamental rights without legislative backing—the Protocol does not offer this backing. So, the Aarogya Setu app, and its data collection policies, function in a legislative vacuum.
- The Protocol justifies Aarogya Setu’s centralised data collection practices of individual data in order to develop ‘appropriate health responses’. The expansively designed policy axiom is ‘incompatible with the principle of proportionality’. According to IFF, little attempt is made to ensure that the most privacy-respecting data collection practices are deployed.
- The sharing of centralised data with various research institutions indicates the ‘appetite [sic] of the Government of India to commercialise or discover commercial applications of the Aarogya Setu app, rather than go the path of other democratic societies which are more focused on decentralised models which may effectively alert people to get tested and treated for the coronavirus itself.’
- The Protocol also introduced a sunset clause—if the Protocol is not in effect after November 11th, 2020, then all user data collected by the app would be deleted. However, IFF contends that the sunset clause is also questionable as the Protocol includes ‘no reference to the actual destruction of servers and systems created as an output of the Aarogya Setu programme.’ This may lead to persistent government surveillance.
What is the Protocol?
The Protocol permitted the sharing of the collected data with state health departments, the Ministry of Health and Family Welfare, the National and State Disaster Management Authorities, and various other public health institutions, whenever it was necessary to ‘formulate or implement an appropriate public health response.’ At the same time, it also laid down stringent guidelines for sharing data with research institutions.
Sections 51 to 60 of the Disaster Management Act, 2005, may be invoked in the case of violations, alongside applicable legal provisions. The NIC was to handle data management and processing by the app. MeitY had a supervisory role in implementing the Protocol, and was to be guided by Empowered Group 9’s recommendations.
RTI responses further revealed that several of MeitY’s inputs for the Protocol at the time were rejected. These included guidelines to govern not just data collected by the Aarogya Setu app, but all COVID-19-related data in India. These guidelines could be potentially used during any ‘disaster response’.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
- All You Need To Know About MEITY’s Data Access And Sharing Protocol For Aarogya Setu
- Validity Of Aarogya Setu’s Data Access And Sharing Protocol Extended By Six Months
- MEITY Wanted A Protocol To Govern All COVID-19 Data, Not Just Aarogya Setu: RTI
- ‘MEITY’s Data Access Protocol Is Not A Legislative Backing For Aarogya Setu’: Petitioner In Kerala HC