CORAM: Hon’ble Chief Justice Abhay S. Oka and Hon’ble Justice S. Vishwajith Shetty
In its interim order restraining the Government of India and the National Informatics Centre (NIC) from sharing the response data of users of the Aarogya Setu app, the Karnataka High Court noted that the sharing of citizens health data without their informed consent would breach the right to privacy provided for in Article 21 of the Constitution.
Chief Justice Abhay Oka and Justice S Vishwajith Shetty observed “The information contains data about the health of the user which all the more requires the protection of right to privacy.”
The court said, “The sharing of health data of a citizen without his/her consent will necessarily infringe his/her right of privacy under Article 21 of the Constitution of India”.
Specifically, the petition filed by cyber security activist Anivar A Aravind sought an order to restrict respondents from continuing in any way with the Aarogya Setu app and the data collected during the pending petition, if the collection of data from members of the public is stated voluntary or involuntary.
Senior Advocate Colin Gonsalves appearing for the petitioner had relied on the judgment of the Supreme Court in the case of Justice K.S. Puttaswamy (retired) v. Union of India. Hepointed out the provision regarding sharing of response data containing personal data by NIC with various Government departments and Public Health Institutions of the Government.
In addition, he argued that no sunset clause exists for the collected data. The sunset clause specifies that, unless expressly extended in view of the continuation of the COVID-19 pandemic in India by the Empowered Group, the protocol will remain in effect for a period of six months from the date on which it was given.
Additional Solicitor General M B Nargund stated “The claim of the petitioner that all personal data of the users of Aarogya Setu app is shared has no foundation at all, inasmuch as, all the safeguards have been provided. He submitted that Aarogya Setu app is one of the important tools for locating those who are infected with COVID-19.”
The Court examined the additional affidavit submitted by the Central Government in which reference was made to the order issued by the Chairperson of the Empowered Group on Technology and Data Management on 11 May 2020, which implemented the Aarogya SetuData Access and Knowledge Sharing Protocol 2020.
The affidavit claimed that, for the purpose of coping with the pandemic, the NIC would only collect the response data as required. Specific provisions for protecting the privacy of app users are also made in the App.
The bench observed,
“The role of the Empowered Group is of identification of problems/difficulties, finding out solutions, formulating contingency plan etc. There is nothing placed on record to show that the Chairperson, Empowered Group on Technology and Data Management is empowered to pass any order which will have a binding effect.”
It also added,
“Prima facie, it is not shown that this Empowered Group has any statutory power either under the said (Disaster Management) Act of 2005 or any other Act to pass such an order. There is nothing on record to show that the powers of the authorities under the said Act of 2005 have been delegated to the said Empowered Group.”
The bench noted that Clause 5(a) of the protocol specifically stipulates that the Aarogya SetuApp Privacy Policy clearly sets out any response data and the reason for which it is collected by the NIC. Perusal of the App Privacy Policy. It demonstrates that there is no relation to the collection of response data by the NIC and the purpose of the collection. Clause 6 of the Protocol requires NIC data to be shared with the individuals referred to therein. The said entities are the State Government, the Public Health Agencies, etc. But the Privacy Policy states that only the Government of India can share the details.
Clause 8 requires the NIC to share response data with third parties for analysis purposes. It is important to note that, in the privacy policy or terms of service available on the app itself, there is no reference to the above clauses 5, 6 and 8.
The Court observed,
“Thus, the collection of the data as per clause 5 and sharing of response data as per Clauses 6 and 8 is being done without the consent of the user, much less, an informed consent. Though Clause 8 provides for the anonymisation, there is nothing on record to show that the claim of anonymisation is tested by any agency.”
The bench concluded by saying:
“The users are not even informed about the said protocol and the provisions therein about sharing of the response data before he uploads his personal information. Secondly, it is not the case made out by the Government of India that the informed consent of the user is obtained to sharing of the response data, as provided in the said protocol. Prima facie, we find that the sharing and use of the response data as per the said protocol will infringe theright of privacy of the users, thereby amounting to violation of the rights guaranteed under Article 21 of the Constitution.”
The court therefore issued an interim order to restrain the Central Government and the National Informatics Centre (NIC) from sharing with other government departments and agencies the answer data provided by a person in the ‘Aarogya Setu’ app, without obtaining the users’ informed consent. The Court has granted the Centre the right to vacate the order by filing an affidavit demonstrating that it has received informed consent from users to share the response data.