Coercive extraction of personal information unheard of in a democracy: PIL challenging mandatory use of Arogya Setu app in Kerala HC

The petitioner contends that the imposition of the COVID-19 tracking app would entail a dilution of personal autonomy, of informed consent, risks possible misuse and raises concerns of a surveillance system being set up

Meera Emmanuel
May 7, 2020, 6:39 PM IST
A PIL plea has been moved in the Kerala High Court challenging the move to make the installation and use of the Central Government’s Aarogya Setu COVID-19 tracker mobile application mandatory, citing privacy and data security concerns.

The petition has been moved by one, John Daniels, General Secretary of the District Congress Committee, Thrissur through Advocates Sriram Parakkat, KR Sripathi and Anupama Subramanian.

It highlights that the use of the Aargoya Setu app was made mandatory by way of two Government notifications, i.e.

On April 29, an office memorandum was issued by the Union Ministry of Personnel, Public Grievances and Pensions Department of Personnel & Training, whereby the use of Arogya Setu was made mandatory for all Central Government Employees.

Clause 15 of the National Directives given to the State Governments earlier this month, while extending the COVID-19 lockdown to its third phase, stated that the “Use of Arogya Setu app shall be made mandatory for all employees, both private and public. It shall be the responsibility of the Head of the respective Organisations to ensure 100% of this app among all employees.”

The petitioner further points out that the non-compliance of these directions may invite penal consequences under the Disaster Management Act.

He goes on to submit that even while the Government promoted the use of the app during the pandemic, there were still people who “made their informed opinion and decided not to download the application, thereby resisting to put into stake their personal information.”

In this backdrop, it is contended that such mandatory imposition of the Aarogya Setu app would effectively dilute the principles of personal autonomy, as recognised in Supreme Court cases such as KS Puttaswamy v. Union of India and Anuj Garg v. Hotel Assn. of India. The petitioner elaborates further that,

“… mandating the use of the application, Arogya Setu takes away the right of a person to decide and control the use of information pertaining to him. He is forced to give away data to a system which he may or may not approve of, thereby attacking his right of informational autonomy. Autonomy guaranteed by the Constitution of India also grants an individual freedom not to take part in activities he does not approve of.”
Another principle at stake, the petitioner contends, is one of informed consent, which assumes significance given that the information stored by the app is personal and sensitive in nature.

The petitioner states that if a citizen disapproves the collection of his personal information in this manner, “it could be said that the information was forcibly and coercively taken from him without his consent and by inflicting fear of penal consequences.”

The petitioner argues that even if a person agrees to install the app, it would not amount to full consent unless the Government discloses who all would have access to the information and for what purposes in may be used.

“… consent must be specific, rather than infinite or open ended. Unless information relates to a specific action, the party from whom it is being obtained cannot know what it is that one is consenting to. In this particular case, the user of the application is unaware as to why his personal data is collected and for what purpose it will be used for and by whom it will be used for”, the petition reads.

The petitioner goes on to add,

“Such coercive and forcible extraction of personal information from an individual is unheard of in a democratic and republic setup and it is attribute of a dictatorial system.”
Petitioner
Concern has also been raised over the possibility of misuse or breach of the personal information collected. It is noted that the user’s device establishes contact with other devices using Bluetooth or GPS. The personal and sensitive information collected is transferred and stored in a cloud server.

The petition states that the exchange of information between devices adds to the vulnerabilities of the app and the possible points of attack for malicious actors.

On a related note, it is pointed out that there is not clarity as to which Government Department would be accessing the data, which leads to concerns of possible State overreach.

The petitioner raises concern over the absence of healthcare officials on the committees concerning the Aarogya Setu app. He adds that this prompts suspicions about the actual usage and application of the same.

“It raises concerns of a surveillance system being set up. The Committee is reportedly mulling recommendations to expand the Government’s powers in using technological tools – like the Aarogya Setu application. In fact it has reportedly already made a specific recommendation to extend and expand the scope of the application post the lockdown.”
Petitioner
Whereas it is claimed that certain personal data is deleted from the app after a 30-day period, the petitioner points out that there is no verification system to check whether this is actually done. Both researches and individual users have “no means of transparently auditing what the app is doing in the backend”, the petition states.

Adding to these concerns, the petitioner points out that the Government has inserted a blanket liability limitation clause into its service agreements and privacy policies.

“This means citizens cannot hold the Government accountable or seek judicial remedy should they wish to ensure the Government’s processes are compliant with the right to privacy”, the petition states.

It is also noted that the Government cannot be held legally responsible should the Aarogya Setu app and accompanying services lead to errors in accurately identifying people who have tested positive for COVID-19.

“Considering this disclaimer to hedge against the possibility of errors, it begs the question, who should users hold accountable should an inaccurate decision be made by the app which implicates a user’s rights?”
Petitioner
The petitioner also contends that the automatic exclusion of non-smartphone users from the this compulsion is unfair, unjust and would defeat the purpose of compelling the use of the Aarogya Setu application.

The vicarious liability imposed on employers when to comes to the installation of their app by their employees has also been challenged as arbitrary, given that the employer may not have any mens rea.

“An employer who has only a work relationship with an employee cannot compel the employee to install a mobile application and use it diligently and to provide his personal information to the domain”, the petitioner adds.

While also relying on the significance attached to ensuring the confidentiality of sensitive information and obtaining informed consent in order passed by the Kerala High Court recently in the Sprinklr case, the petitioner goes on to make the following prayers:

That the Court strike down as unconstitutional Clause 15 of the National Directives for COVID-19 management which imposes the use of the Aarogya Setu app;

That the Court direct that the usage of Arogya Setu is subject to the personal discretion of each citizen;

That the Government authorities be directed to refrain from taking any penal action or other stringent measures to impose the mandatory usage of the Arogya Setu app.

II.