Decoding Aarogya Setu: Data Protection and the Right to Privacy

Md Tasnimul Hassan

Edited by: Sarthak Mishra

“Privacy has both positive and negative content: The negative content restrains the State from committing an intrusion upon the life and personal liberty of a citizen. Its positive content imposes an obligation on the State to take all necessary measures to protect the privacy of the individual.”

– Dr Justice D.Y. Chandrachud [1]


Following the efficacy of tactics deployed by several countries to enable “contact tracing” of individuals infected with the contagious coronavirus (COVID-19), India came up with a mobile application called Aarogya Setu (“App”), which literally means “bridge to health” in Sanskrit. The App was launched on April 2 this year and was downloaded by more than five crore users within 13 days, although several similar applications have been developed and deployed by local authorities. Once installed, the App uses the phone’s Bluetooth or Wi-Fi and location data to inform users if they have been near a COVID-19 host, by scanning a server database owned by the government. However, without rapid testing and treatment facilities, such an application becomes a nuisance that carries the threat of data breach or systematic surveillance. Thus, the App’s method for tracking the infected has been under the lens for being invasive and violating data privacy norms.

Data Protocol and Privacy Policy of Aarogya Setu

On May 11, the Ministry of Electronics & Information Technology released the Data Access and Sharing Protocol for the App, laying down guidelines for sharing the collected data of an individual. The collected data is called response data, which can be broadly divided into four categories: demographic data (such as name, mobile number, age, gender, profession and travel history), contact data (about any other individual that a target individual has come in proximity with), self-assessment data (responses to the self-administered test within the App) and location data (geographical position).

According to the Protocol, the response data shall not be retained beyond 180 days from the day it was collected, and may be shared by the App’s developer, the National Informatics Centre, in de-identified form with various ministries, institutions and departments of the Central and State/UT governments, “where such sharing is strictly necessary to directly formulate or implement an appropriate health response”. The phrase “appropriate health response” has not been defined in the Protocol, which goes against the principles of data proportionality and purpose limitation. Nor does the Protocol specify whether the unique identification (DiD) pushed to users’ devices will be static or dynamic; if static, the de-identified information can be relinked to the personal data.

On May 24 this year, the App’s terms of service and privacy policy were updated. Clause 1 now states that “the App will also serve as digital representation of an e-pass where available. The App will also provide links to convenience services offered by various service providers”; the updated terms of service have thus extended the App’s function beyond mere contact tracing. This might have serious privacy implications in case of a data breach, considering its upload to the government server in decrypted form.

Although clause 5(e) of the Protocol allows a user to request deletion of demographic data, there is no provision for deletion of the rest of the response data. Further, it is not specified anywhere whether uninstalling the App will delete demographic data. While the Protocol states that the response data of a user will be  , the Privacy Policy states that the data of a COVID-19 positive patient will be retained till 60 days after being declared cured. Although the Protocol has a sunset clause of 6 months unless decided otherwise by an Empowered Group, the fact remains that the Protocol does not provide a legal footing for the App.

The Fault in Administrative Orders

The Ministry of Home Affairs, vide an order dated May 1, declared that the App shall be made mandatory for all private and public employees, and that the heads of the respective organizations shall be responsible for ensuring 100% coverage of the App among employees. Further, the order stated that an internal surveillance mechanism is to be established within the Containment Zones and that 100% coverage of the App among the residents of such zones shall be ensured. However, the ministry, vide an order dated May 17, took a step back and specified that all employers “should on best effort basis” ensure that the App is downloaded by all employees having “compatible mobile phones”.

While India is the only democracy to make such an app mandatory for people outside containment zones, having the App on one’s phone is now a condition for millions of workers in India to enter office premises, work from home, register attendance, or be paid salaries. Regardless of the official policy, government employees are required to use it, while private employers and landlords have mandated its use for their employees and tenants. The authorities in Noida reportedly fined and even threatened to arrest those who did not install the App. Further, the Ministry of Health & Family Welfare, vide an order, listed “download of Aarogya Setu App and it should remain active at all times (through Bluetooth and Wi-Fi)” as an eligibility condition for home isolation.

The Right to Privacy and Data Protection

The more we use the internet, the more digital footprints we create; these can have a stultifying effect on the expression of dissent, and no democracy can afford that. An individual has the right to control one’s life while submitting personal data for any facility or service. The hallmark of freedom in a democracy is having autonomy and control over our lives. Thus, it has been argued that any app that always tracks your location and notes who you have been in contact with is a clear violation of privacy. There is widespread agreement that digital surveillance may be an efficient way to contain COVID-19; at the same time, the consequences that surveillance entails could lead to the suspension of liberties.

India has a terrible history of data protection, since the only provisions covering data protection are Section 43A and Section 72A of the Information Technology Act, 2000, supplemented by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Section 43A attaches civil liability for any breach to a body corporate dealing with “sensitive personal information or data”, defined in Rule 3 to include health condition, among many others. Section 72A makes intentional disclosure of “personal information” obtained under a contract, for wrongful loss or wrongful gain, punishable with imprisonment and fine. Rule 2(i) defines “personal information” to mean information that relates to any natural person and can identify such person. In addition, the disclosure of personal information given in confidence is considered an unfair trade practice under section 2(r) of the Consumer Protection Act, 2015.

The prominent ruling on privacy by the Supreme Court in Justice (Retd.) K.S. Puttaswamy v. Union of India holds that there should be a four-step process for the government to limit one’s privacy. First, the limitation must come from a law. Second is the necessity principle, i.e., it must be for the achievement of a legitimate state aim. Third is the proportionality principle, i.e., there must be a necessary nexus between the aim and the methods employed by the state. Fourth is safeguards, i.e., each step violating privacy must be safeguarded, alongside grievance redressal systems. The Court also said that if a person does not want to let the government process their data, they should have an “opt-in and opt-out condition”. However, the App has not deployed any opt-out measure, i.e., it lists nothing concrete pertaining to the deletion of the recorded data.


The mere refusal to download the App has resulted in the enforcement of criminal and pecuniary measures, while in countries such as Germany and France the use of such tracking apps is said to have been kept purely voluntary. Further, neither the Disaster Management Act, 2005, nor the Epidemic Diseases Act, 1897, both of which have been relied upon, authorises the government to collect such data to achieve this objective. Former Supreme Court Judge B. N. Srikrishna, who chaired the committee on the Personal Data Protection Bill, termed mandating the use of the App as “utterly illegal”.

The App becomes the central unifying feature that connects the cell phone with geo-location data, and eventually creates a “causal link” between data which was usually unconnected. Though smartphone penetration stands at 38%, unless the law mandates an effective data protection framework, the quest for liberty and dignity would be “as ephemeral as the wind”. The retention of personal data and the ensuing possibility of State surveillance have a chilling effect on fundamental rights. Thus, it is required that the pending Data Protection Bill of 2019, with appropriate clauses, be brought into force before the threat of data breach intensifies further.

The author is a student  at Jamia Millia Islamia, New Delhi. He can be contacted at

Photo Credits: Indranil Aditya/NurPhoto


[1] Justice K. S. Puttaswamy (Retd.) and Anr. vs Union Of India And Ors., WRIT PETITION (CIVIL) NO 494 OF 2012
