Sharing Citizens Health Data Without Their Informed Consent Infringes Right To Privacy Under Article 21: Karnataka HC In ‘Aarogya Setu’ Case

0
195

It is in the fitness of things that the Karnataka High Court has most recently on January 25, 2021 in its interim order in the latest, landmark, learned and laudable judgment titled Anavir A Aravind vs Ministry of Home Affairs and others has restrained the Government of India and National Informatics Centre (NIC) from sharing the response data of users of Aarogya Setu app, observed that sharing of health data of citizens without their informed consent will violate right to privacy under Article 21 of the Constitution. A Division Bench of Chief Justice Abhay Oka and Justice S Vishwaith Shetty very rightly noted that, “The information contains data about the health of the user which all the more requires the protection of right to privacy.” It was also very rightly observed that, “The sharing of health data of a citizen without his/her consent will necessarily infringe his/her right of privacy under Article 21 of the Constitution of India.” This observation is the real crux of this entire commendable judgment.

While specifying the purpose of the writ petition, it is stated right at the outset that, “This Writ Petition is filed under Article 226 of the Constitution of India praying to direct the respondent Authorities to make the use of Aarogya Setu application by citizens voluntary and etc.” It is also pointed out that this Writ Petition having being heard and reserved for passing order on prayer for interim relief, coming on for pronouncement of order.

To start with, the Division Bench first and foremost sets the ball rolling by first and foremost observing in para 1 that, “On 19th August, 2020 rule nisi has been issued in this petition. Thereafter, submissions were heard from time to time on the prayer for interim relief. The submissions were lastly heard on 17th December, 2020 and order was reserved.”

To put things in perspective, the Bench then observes in para 2 that, “The issue in this writ petition concerns Aarogya Setu application (for short, ‘the Aarogya Setu app’) introduced by the Government of India after the nationwide lockdown was announced by the Hon’ble Prime Minister on 24th March, 2020. The National Informatics Centre (‘NIC’ for short)-seventh respondent launched the Aarogya Setu app on 2nd April, 2020 which is stated to have been downloaded by more than one hundred million users. One of the issues involved is whether the Government of India has a right to use the personal data of Aarogya Setu app users on the app and whether it can transfer/ share the data without obtaining the informed consent of the users. On 1st May, 2020, an order was made by the Union Home Secretary, the Ministry of Home Affairs, in his capacity as the Chairperson of the National Executive Committee of the National Disaster Management Authority (for short, ‘the NDMA’) under the Disaster Management Act, 2005 (for short, ‘the said Act of 2005’). The said order was passed in exercise of powers under Section 10 (2) (l) of the said Act, 2005, by which, new guidelines were issued on lockdown which were annexed to the said order. The guidelines appended to the said order provided for ensuring 100% coverage of the Aarogya Setu app amongst the residents of Containment Zones. On 11th May, 2020, an order was issued by the Chairperson, Empowered Group on Technology and Data Management which was constituted by the National Executive Committee of the NDMA. By the said order of 11th May, 2020, directions were issued in the name and style of “the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020” (for short, ‘the said protocol’).”

Be it noted, the Bench then enunciates in para 4 that, “Prayer III-C refers to clause 3 (vii) of Annexure-N which is a Standard Operating Procedure (for short, ‘SOP’) issued by the Government of India, Ministry of Health and Family Welfare on 4 th June, 2020 relating to the preventive measures to contain spread of COVID-19 in the offices. Clause 3 (vii) of the said SOP seeks to make the installation and use of the Aarogya Setu app by the employees mandatory.”

For the sake of clarity, the Bench then clarifies in para 5 that, “We must note here that by the Order dated 19th October, 2020, this Court directed that till the petition is heard on the prayer for interim relief and in the absence of any legislation, neither the State Government nor the Central Government, its agencies or instrumentalities can deny any benefit of any services to a citizen only on the ground that he has not installed the Aarogya Setu app on his cell phone. As far as the prayer made in clause (2) for interim relief is concerned, we must note here that the Government of India (8th respondent), Airports Authority of India (4th respondent) and Bengaluru Metro Rail Corporation Limited (9th respondent) have taken a clear stand that installation and use of the Aarogya Setu app is not mandatory for those who want to avail facilities provided by them. The order dated 12th June, 2020 clearly records that the passengers who wish to travel by Air or Railway are not mandatorily required to download and install the Aarogya Setu app as a condition precedent for travelling. The Order dated 3rd August, 2020 records the statement made by the Government of India in the memo dated 2nd August, 2020 wherein it is stated that installation of the Aarogya Setu app is voluntary in nature which is intended to help the users to have reduced risk of infection of COVID-19. The Order dated 19th August, 2020 records the submission made by the learned counsel appearing for the Airports Authority of India to the effect that downloading and installation of the Aarogya Setu app for Air travelers is not mandatory and it is optional. Thus, the second prayer for interim relief is virtually worked out. The same is the case as regards the first prayer for interim relief. Thus, what remains for consideration is the third prayer for interim relief.”

Significantly, the Bench then puts forth in para 26 that, “We have perused the contents of Annexure-R19 which is an Order/Notification dated 11th May, 2020 regarding the issue of the said protocol. The said protocol is issued by the Chairperson, Empowered Group on Technology and Data Management appointed under Order dated 29th March, 2020 issued by the Ministry of Home Affairs, a copy of which produced as Annexure-R2. Clause-2 of Annexure-R2 is relevant which reads thus:

“2. The measures taken hitherto have been effective in containing the pandemic so far. However, considering the gravity and magnitude of the challenges, which are emerging with every passing day, there is a pressing need to augment and synchronies efforts cutting across various Ministries/Departments. Keeping in view the need for such comprehensive action and integrated response, in exercise of the powers conferred under the section 10 (2) (h) and (i) of the Disaster Management Act, 2005, the undersigned in the capacity as Chairperson, National Executive Committee, hereby constitute eleven Empowered Groups of Officers (as per Appendix). These Groups are empowered to identify problem areas and provide effective solutions therefor; delineate policy, formulate plans, strategize operations and take all necessary steps for effective and timebound implementation of these plans/policies/ strategies/decisions in their respective areas.””

More significantly, the Bench then elucidates quite remarkably in para 27 that, “On plain reading of clause-2 referred above, the role of the Empowered Group is of identification of problems/difficulties, finding out solutions, formulating contingency plan etc. There is nothing placed on record to show that the Chairperson, Empowered Group on Technology and Data Management is empowered to pass any order which will have a binding effect. Prima facie, it is not shown that this Empowered Group has any statutory power either under the said Act of 2005 or any other Act to pass such an order. There is nothing on record to show that the powers of the authorities under the said Act of 2005 have been delegated to the said Empowered Group. We have perused the said protocol. Clause 5(a) clearly stipulates that any response data and the purpose for which it is collected by NIC shall be clearly specified in the Privacy Policy of Aarogya Setu App. Perusal of Privacy Policy available on the App. shows that there is no reference incorporated therein to collection of response data by NIC and purpose of collection. Clause 6 of the protocol permits sharing of data by NIC with the entities mentioned therein. The said entities are State Government, Public Health Institutions etc., But, the Privacy Policy says that the data will be shared only with the Government of India. Clause 8 permits NIC to share the response data for research purposes with third parties. It is pertinent to note that there is no reference to the said Clauses 5, 6 and 8 in the privacy policy or terms of service available on app itself. Thus, the collection of the data as per clause 5 and sharing of response data as per Clauses 6 and 8 is being done without the consent of the user, much less, an informed consent. Though Clause 8 provides for the anonymisation, there is nothing on record to show that the claim of anonymisation is tested by any agency. The sharing of health data of a citizen without his/her consent will necessarily infringe his/her right of privacy under Article 21 of the Constitution of India. Therefore, prima facie, the said protocol regarding sharing of ‘response data’ cannot be permitted to be implemented for two reasons. Firstly, the user of Aarogya Setu app is not informed about the said protocol at all and the same is not at all a part of the terms of use or privacy policy which are available on Aarogya Setu app itself. The users are not even informed about the said protocol and the provisions therein about sharing of the response data before he uploads his personal information. Secondly, it is not the case made out by the Government of India that the informed consent of the user is obtained to sharing of the response data, as provided in the said protocol. The information contains data about the health of the user which all the more requires the protection of right to privacy. Prima facie, we find that the sharing and use of the response data as per the said protocol will infringe the right of privacy of the users, thereby amounting to violation of the rights guaranteed under Article 21 of the Constitution. We may note here that by order dated 10th November, 2020 which has been produced along with the memo dated 11th November, 2020, it has been directed that the said Protocol will remain in force for a further period of six months i.e., till 10th May, 2021.

Finally and far most significantly, the Bench then holds in para 28 that, “Therefore, we pass the following interim order:

i)    We accept the assurance given by the Government of India that no individual will be denied the benefits of any services that are being provided by the Governments, its agencies and instrumentalities on the ground that he has not downloaded and installed Aarogya Setu app;

ii) Prima facie, we hold that informed consent of the users of Aarogya Setu app is taken to what is provided in the privacy policy which is available on Aarogya Setu app itself and, therefore, there is an informed consent of the users of Aarogya Setu app which is limited only to collection and manner of collection of information, use of information and retention, as provided in the privacy policy which is available on the Aarogya Setu app. However, it is made clear that the use and retention of information and data shall remain confined to what is provided in the privacy policy which is available on the Aarogya Setu app;

iii)  Prima facie, we hold that there is no informed consent of users of Aarogya Setu app taken for sharing of response data as provided in the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020, as there is no reference to the said protocol in the terms of use and Privacy Policy available on the app.

iv) Till further orders, we hereby restrain the Government of India and National Informatics Centre, the eighth and seventh respondents respectively from sharing the response data by applying the provisions of the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020 issued vide order dated 11th May, 2020 (Annexure-R19) unless the informed consent of the users of Aarogya Setu app is taken;

v)  However, it will be open for the Union of India and National Informatics Centre, the eighth and seventh respondents respectively to file an affidavit for satisfying the Court that the Chairperson, Empowered Group on Technology and Data Management or the said Empowered Group is legally empowered to issue the said protocol and that the informed consent of the users of Aarogya Setu app is taken for implementation of clauses regarding sharing of the data as provided in the said protocol. After filing of an affidavit and the documents as aforesaid, it will be open for the said respondents to apply for vacating the limited interim relief granted as above, in terms of clause (iii).”

Of course, it goes without saying that the Karnataka High Court Division Bench has very rightly upheld the prayer made in the petition filed by cyber security activist Anivar A Aravind who had specifically sought an order restraining the respondents during the pendency of the petition from proceeding with the Aarogya Setu app and with the data collected, in any manner, whether the collection of data from members of the public is stated to be voluntary or involuntary. Senior Apex Court advocate Colin Gonsalves while appearing for the petitioner had heavily and very rightly relied on the landmark judgment of the Supreme Court in the case of Justice KS Puttaswamy (retired) vs Union of India. It is certainly a well-written, well-reasoned, well-substantiated, well-articulated and well-comprehended 50-page judgment by a Division Bench of the Karnataka High Court which must be read certainly in its entirety! All the governments must always respect the right of privacy of citizens which is an inalienable fundamental right and should desist from sharing any data without the prior informed consent of concerned citizens as held very commendably in this leading case also! There can certainly be no denying or disputing it!

Sanjeev Sirohi

LEAVE A REPLY

Please enter your comment!
Please enter your name here

* Copy This Password *

* Type Or Paste Password Here *