The Supreme Court of India has held that the right to privacy is a fundamental right protected under article 21 (right to life and personal liberty) of India’s Constitution. India currently does not have a comprehensive Privacy Bill, though one is being developed, but specific provisions to protect electronic data can be found in the Information Technology Act, 2000, and its subsidiary privacy rules. No central law lays out data retention provisions for government agencies and departments, but various agencies have adopted their own data retention policies.
Both the Union and state governments have launched numerous COVID-19-related apps over the last two months to curtail the spread of the disease in the country. The most prevalently used app is the Union government’s official COVID-19 tracking app, Aarogya Setu (“bridge to health”), which was launched in April for Android and iOS users. The app was developed by the National Informatics Centre of the Ministry of Electronics and Information Technology as a contact tracing app. It uses both Bluetooth and GPS location data technology and allows users to assess the risk of their catching the coronavirus infection based on their interactions with others.
According to the Ministry of Health and Family Welfare website, as of May 22, 2019, India had 66,330 active cases of COVID-19, 48,533 cured/discharged COVID-19 patients, and 3,583 deaths from the disease.
There are an estimated 450 million smartphone users and 550 million feature phone users in India. According to a 2019 KPMG report, the smartphone user base is forecast to be 829 million by 2022, growing at a compound annual growth rate of 15.5%. According to Statista, “[i]t was predicted that by 2022, 36 percent of mobile phone users in the country would use a smartphone, up from 26 percent in 2018.”
Most surveys on users’ willingness to share personal data appear to be focused on the private sector. One recent survey by Accenture found that “[n]early six in ten consumers would be willing to share significant personal information, such as location data and lifestyle information, with their bank and insurer in exchange for lower pricing on products and services.” However, “consumers believe that privacy is paramount, with three quarters (75 percent) saying they are very cautious about the privacy of their personal data. In fact, data security breaches were the second-biggest concern for consumers, behind only increasing costs, when asked what would make them leave their bank or insurer.” One 2018 survey by the Analytics India Magazine found that “50.6% of the respondents said they trust banks most with their personal data - more than the government, e-commerce companies, social media websites or online media companies,” and “[o]verall, 33% respondents said they trust government departments with their data. 27% are neutral and 40% of respondents admitted that they do not trust them with their data.”
II. Legal Framework
A. Privacy and Data Protection
On August 24, 2017, the Supreme Court of India, in Justice K.S. Puttaswamy (Retd.) v. Union of India, held that privacy is a fundamental right protected by article 21 (right to life and personal liberty) of India’s Constitution.
Currently, the Information Technology Act, 2000, “contains specific provisions intended to protect electronic data (including non-electronic records or information that have been, are currently or are intended to be processed electronically).” India’s Ministry of Electronics and Information Technology (IT) adopted the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (Privacy Rules), which took effect in 2011 and “require corporate entities collecting, processing and storing personal information, including sensitive personal information, to comply with certain procedures.” The rules contain “specific provisions regarding the collection of sensitive personal data or information. They apply to all body corporates in India other than those providing services related to the processing of sensitive personal data or information to any person under a contract.”
The above Supreme Court ruling has led to the drafting of the wide-ranging Personal Data Protection Bill 2019, which was introduced by the Minister of Electronics and Information Technology and is currently being reviewed by the Joint Parliamentary Committee (JPC). It would apply to the processing of personal data by the state and private sector, but the processing of “anonymous data” is outside the scope of the Bill, except that the central government could direct organizations to disclose “anonymized” personal data or “non-personal data” under section 91 “to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government.” The proposed Bill has “a broad definition of sensitive personal data and also identifies financial data, data about caste, tribe, religious and political belief or affiliation as sensitive personal data,” and has “stringent requirements with respect to the processing of sensitive personal data and information including requiring explicit consent, imposing additional conditions for cross-border transfers and requiring a copy to be stored in India.”
B. Data Retention and Location Tracking
1. Data Retention
There is no central law for government agencies and departments in India that lays out data retention provisions, but various agencies have adopted their own data retention policies.
For the private sector, Rule 5(4) of the Privacy Rules states that a “[b]ody corporate or any person on its behalf holding sensitive personal data or information shall not retain that information for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force.” Record and document preservation provisions are also set out in various laws; most require preservation for 5-8 years or permanently.
2. Location Tracking
The 2000 Information Technology Act allows the central government to authorize any agency of the government to monitor and collect data generated, transmitted, received, or stored in any computer source for the purpose of enhancing cyber security and for “identification, analysis and prevention of intrusion or spread of computer contaminant in the country.” Procedures and safeguards for monitoring and collecting traffic data under this provision are regulated by the Information Technology Act and the Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009. These Rules stipulate
who may issue directions for interception and monitoring; how such directions are to be executed; the duration they remain in operation; to whom data may be disclosed; the confidentiality obligations of intermediaries; periodic oversight of interception directions by a Review Committee under the Telegraph Act; the retention of records of interception by intermediaries; and the mandatory destruction of information in appropriate cases.
III. Electronic Measures to Fight COVID-19 Spread
Both the Union and state governments have launched “a host of coronavirus-related apps over the last few weeks to curb the spread of the pandemic in the country.”
A. Aarogya Setu Contact Tracing App
1. How It Works
[w]hen two registered users come within Bluetooth range of each other, their Apps will automatically exchange unique Digital IDs (DiDs) and record the time and GPS location at which the contact took place. The information that is collected from the User’s App will be securely stored on the mobile device of the other registered user and will not be accessible by such other user. In the event such other registered user tests positive for COVID-19, this information will be securely uploaded from his/her mobile device and stored on the Server. Then this information is used to further carry out the contact tracing and find out all possible persons who may have come in close contact with the person who has tested positive for COVID-19.
The app tries to “determine if the user has been within six-feet of an infected person, by cross-referencing” the pan-India database (referred to as the “Server” in the above quote) of all COVID-19 patients. The app also allows the Department of Health to “inform users of the app regarding risks, best practices and relevant advisories pertaining to the containment of COVID-19.”
2. Data Collected
When the Aarogya Setu app is registered by a user, the following details are collected: “(i) name; (ii) phone number; (iii) age; (iv) sex; (v) profession; and (vi) countries visited in the last 30 days.” This information is stored on the “back-end Server and it is hashed with a unique digital id (DiD)” that is pushed to the user’s app. The DiD is used to identify the user in all subsequent app-related transactions and will be associated with any data or information uploaded from the app to the database. The user’s location details are also captured and uploaded to the database.
The app collects location data continuously at 15-minute intervals, which is stored on the mobile device and includes a record of all the places the user has been at those intervals. This information is uploaded to the database along with the user’s DiD,
(i) if the person tests positive for COVID-19; and/or
(ii) if the person’s self-declared symptoms indicate that they are likely to be infected with COVID-19; and/or
(iii) if the results of a self-assessment test are either yellow or orange. This information will not be uploaded to the Server if you are not unwell or if the result of your self-assessment test is green.
Yellow or orange signifies “a high level of risk for contracting COVID-19.”
3. Persons Required to Download the App
When the app was launched in early April its use was considered voluntary but became mandatory for persons in certain containment zones and for public and private sector employees in May.
On May 1 the Union Home Secretary issued new guidelines under section 10(2)(I) of the Disaster Management Act, 2005, that designated districts into Red, Orange, and Green Zones based on risk. Green Zones are those that had no cases as of the date of the guidelines or within the previous 21 days; Red Zones were designated based on the “total number of active cases, doubling rate of confirmed cases, extent of testing and surveillance feedback.” Orange zones are those that do not fit the criteria for the Green or Red designations.
Within the Red and Orange Zones authorities may set up Containment Zones or areas for more intense surveillance, such as contact tracing, home or institutional quarantining, and house-to-house surveillance by special teams. According to the guidelines, “[t]he local authority shall ensure 100% coverage of [the] Aarogya Setu app among the residents of Containment Zones.” The guidelines also required all employees in the public and private sector to use the Aarogya Setu app, with the head of each organization being responsible for ensuring use by all employees. However, after criticisms from privacy advocates, it appears the government is easing its position on mandatory use of the app in offices: On May 17, the Ministry of Home Affairs issued new guidelines that stated, “[w]ith a view to ensur[ing] safety in offices and work places, employers on [a] best effort basis should ensure that the application is installed by all employees having compatible mobile phones.” The new guidelines also stipulate that “[d]istrict authorities may advise individuals to install the Aarogya Setu application on compatible mobile phones and regularly update their health status on the app. This will facilitate timely provision of medical attention to those individuals who are at risk.” Another set of guidelines was issued on May 30, 2020, for the phased reopening of the country outside containment zones, which included the same provisions on the use of the app.
Noida, a suburb of the capital, Delhi, had made it “compulsory for all residents to have the app, saying they can be jailed for six months for not complying.” However, the order was reversed on May 20 “after some residents submitted a representation to the Additional Deputy Commissioner (Law and Order) challenging the directive’s legal basis.” The Ahmedabad Municipal Corporation (AMC) has “also made it mandatory for personnel engaged in delivery of grocery and food item to download the app on their mobile phones. The revised guidelines issued by the Union Health ministry for home isolation of very mild/pre-symptomatic cases also call for downloading the app on the mobile and made it clear it should remain active at all times (through Bluetooth and Wi-Fi).”
Since the new federal guidelines removing the mandatory requirement were issued, some states such as Uttar Pradesh have still made the use of the app mandatory and are imposing a fine for not doing so.
In addition, some private companies such as Zomato and Xiaomi have made it mandatory for employees to download the app.
According to guidelines for international arrivals, “[a]ll passengers shall be advised to download Arogya Setu app on their mobile devices.” Those who for “exceptional and compelling reasons such as cases of human distress, pregnancy, death in [the] family, serious illness and parent(s) accompanied by children below 10 years, as assessed by the receiving states,” cannot carry out an institutional quarantine are permitted to home quarantine for 14 days but are required to use the Aarogya Setu app. Union guidelines for domestic travel, including air and train, also advise passengers to download the Aarogya Setu app on their mobile devices. On May 25, domestic flights resumed operations and the use of the app was made mandatory. According to a news report, “[a]ll passengers, except children below 14 years, must be registered on the Aarogya Setu app and it will be verified at the entry gate of the terminal building.” Another news report noted that “passengers ‘not showing Green’ on Aarogya Setu app will not be allowed to enter into the airports.” The Aarogya Setu app was also made mandatory for train passengers in the country.
4. Government Use
According to the government, the personal information collected upon registration will
only be used by the Government of India in anonymized, aggregated datasets for the purpose of generating reports, heat maps and other statistical visualisations for the purpose of the management of COVID-19 in the country or to provide you general notifications pertaining to COVID-19 as may be required. Your DiD will only be co-related with your personal information in order to communicate to you the probability that you have been infected with COVID-19 and/or to provide persons carrying out medical and administrative interventions necessary in relation to COVID-19, the information they might need about you in order to be able to do their job.
All traced personal information shared between users, risk assessment tests and location information will be retained on the mobile device for a period of 30 days from the date of collection. All personal information uploaded to the Server will, to the extent that such information relates to people who have not tested positive for COVID-19, be purged from the Server 45 days after being uploaded.
Persons who have tested positive for COVID-19 will be purged from the Server 60 days after such persons have been declared cured of COVID-19.
There is an exception for “anonymized/ aggregated datasets” generated by the “personal data of registered users of the App or any reports, heat maps or other visualization created using such datasets, the medical reports, diagnoses or other medical information generated by medical professionals in the course of treatment will be retained.” (For more on this topic see subsection (f), below.)
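The contact exchange, upload conditions and retention periods described in “How It Works,” “Data Collected,” and the paragraphs above can be modelled in a few lines. The following Python sketch is an added example, not code from the Aarogya Setu app or from this report; the class and function names, the sample DiDs, dates and coordinates are constructed for illustration, and it assumes a positive user's upload stays on the Server until a cured date is recorded.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Retention periods as stated in the text above.
DEVICE_RETENTION = timedelta(days=30)      # on the handset, from date of collection
SERVER_NOT_POSITIVE = timedelta(days=45)   # on the Server, from date of upload
SERVER_AFTER_CURED = timedelta(days=60)    # on the Server, from date declared cured


@dataclass(frozen=True)
class Contact:
    peer_did: str        # DiD received from the other handset
    seen_at: datetime
    lat: float
    lon: float


@dataclass
class Device:
    did: str
    contacts: List[Contact] = field(default_factory=list)

    def meet(self, other: "Device", when: datetime, lat: float, lon: float) -> None:
        """Both handsets store the other's DiD with time and GPS position."""
        self.contacts.append(Contact(other.did, when, lat, lon))
        other.contacts.append(Contact(self.did, when, lat, lon))

    def expire(self, now: datetime) -> None:
        """Drop on-device records older than the 30-day window."""
        self.contacts = [c for c in self.contacts if now - c.seen_at < DEVICE_RETENTION]


@dataclass
class Upload:
    did: str
    contacts: Tuple[Contact, ...]
    uploaded_at: datetime
    positive: bool
    cured_at: Optional[datetime] = None


class Server:
    def __init__(self) -> None:
        self.uploads: Dict[str, Upload] = {}

    def receive(self, device: Device, now: datetime, positive: bool) -> None:
        """Upload on a positive test, or (positive=False) on self-declared
        symptoms or a yellow/orange self-assessment."""
        device.expire(now)
        self.uploads[device.did] = Upload(device.did, tuple(device.contacts), now, positive)

    def mark_cured(self, did: str, when: datetime) -> None:
        self.uploads[did].cured_at = when

    def exposed_dids(self) -> Set[str]:
        """DiDs found in the contact logs of users who tested positive."""
        return {c.peer_did for u in self.uploads.values() if u.positive for c in u.contacts}

    def purge(self, now: datetime) -> List[str]:
        """Delete uploads whose retention period has run out; return their DiDs."""
        gone = []
        for did, u in list(self.uploads.items()):
            if u.positive:
                due = u.cured_at is not None and now - u.cured_at >= SERVER_AFTER_CURED
            else:
                due = now - u.uploaded_at >= SERVER_NOT_POSITIVE
            if due:
                del self.uploads[did]
                gone.append(did)
        return sorted(gone)


def demo() -> dict:
    """Constructed scenario; DiDs, dates and coordinates are made up."""
    day0 = datetime(2020, 5, 1)
    a, b, c, d = (Device(f"did-{n}") for n in "ABCD")
    a.meet(c, day0 - timedelta(days=40), 28.61, 77.21)   # older than 30 days at upload
    a.meet(b, day0, 28.61, 77.21)
    server = Server()
    upload_day = day0 + timedelta(days=10)
    server.receive(a, upload_day, positive=True)         # A tests positive
    server.receive(d, upload_day, positive=False)        # D: yellow self-assessment
    server.mark_cured("did-A", upload_day + timedelta(days=14))
    return {
        "exposed": server.exposed_dids(),
        "purged_day_44": server.purge(upload_day + timedelta(days=44)),
        "purged_day_45": server.purge(upload_day + timedelta(days=45)),
        "purged_cured_plus_59": server.purge(upload_day + timedelta(days=14 + 59)),
        "purged_cured_plus_60": server.purge(upload_day + timedelta(days=14 + 60)),
    }


if __name__ == "__main__":
    print(demo())
```

In the scenario, the 40-day-old contact never reaches the Server because the handset's 30-day window has already dropped it, while the two Server-side clocks start from different events (upload date versus cured date).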
5. Privacy Concerns
As per the head of this project, Arnab Kumar, the app was built to the standards of the draft data privacy bill, which is currently in the country’s parliament, and “access to the data it collects is strictly controlled.” Such data “is encrypted using state-of-the-art technology and stays secure on the phone till it is needed for facilitating medical intervention.”
However, when the app was first introduced and even now, political leaders, experts and human rights organizations have expressed several criticisms and highlighted a number of privacy concerns. Rahul Gandhi, a prominent MP and former leader of the opposition Indian National Congress, is reportedly among those who are critical of the app, arguing that it has “no institutional oversight” and raises “serious data security and privacy concerns.”
In a blog post on Medium on May 6, French ethical hacker Robert Baptiste, who goes by the name Elliot Alderson, observed a number of security concerns and flaws with the app, including that it was “possible to modify the location of the app, which can enable one to identify how many people are unwell or infected even without being physically present in their vicinity.” However, he stated that in a subsequent version of the app, “this issue was ‘fixed silently’ by the developers.” In mid-May, a software engineer in the city of Bangalore, growing concerned that installing the app was slowly becoming mandatory in India, hacked the app so it was “collecting no data but still flashing a green badge declaring that the user was at low risk of infection.”
Experts have noted that India is currently the only democratic nation in the world that has made the coronavirus tracking app mandatory for a significant portion of its population. Some observers have also criticized the app on the ground that it “stores both location data and requires constant access to the phone’s Bluetooth,” which makes it “invasive from a security and privacy viewpoint.” Until recently, Aarogya Setu was not open source, so the app was also criticized because it could not be “audited for security flaws by independent coders and researchers.” Experts felt that “[m]ore transparency could lead to ‘potentially improved security as it would be open to scrutiny from third-party experts,’” according to news reports. Experts also noted that the app used “a static ID and is more easily amenable to de-anonymisation i.e. identifying the owner, in case someone else gets hold of the DID, because there is only a single layer of encryption.” On May 7, the MIT Technology Review highlighted a number of similar concerns including the absence of a national data protection law. This has raised the concern that the use of the app and its data collection has an “ambiguous legal basis.”
Though MIT researchers had given the app 2 out of 5 stars in their review, they later downgraded the rating to one star, according to The Quint. “[T]he app lost more points on the parameters of ‘data minimisation’ which means the app is collecting more data than needed for the app to work,” the article said, citing a Times of India report. One recent report highlights certain examples of this “non-adherence to the principle of data minimization”:
- The personal information collected includes detail of the individual’s profession[,] which has no direct relation with the effective use of the App
- Proximity data should be used (as opposed to location tracking)
Concern has also been expressed over the lack of definition of collected “anonymised data” and conflicting reports over how long such data can be retained. There is also concern that health surveillance, which is “a necessity in a pandemic,” “can soon evolve into mass surveillance.”
On May 26 the Ministry of Electronics and IT announced that the software has been made open source. “The source code for the Android version of the application is available for review and collaboration,” the Ministry said, and an “iOS version of the application will be released as open source within the next two weeks and the server code will be released subsequently. Almost 98% of Aarogya Setu Users are on Android platform.”
6. Aarogya Setu Data Access and Knowledge Sharing Protocol
On May 11, 2020, in response to the many privacy concerns, the Ministry of Electronics and IT published through a notification the Aarogya Setu Data Access and Knowledge Sharing Protocol. The Protocol was issued by the chairperson of the “empowered group on technology and data management,” “which is one of the 11 empowered groups created by the National Executive Committee of the National Disaster Management Authority” to “provide legal safeguards for the operation of the Aarogya Setu mobile application.” Some of the key highlights of the protocol include the following:
1. Data points collected from the individuals: ‘Response data’ collected from people using the Aarogya Setu app will have the following data points-
1.1 Demographic data, which includes the name, mobile number, age, gender, profession and travel history of the person;
1.2 Contact data i.e. data about another person that a given person has come in close proximity with, including the duration of the contact, the proximate distance between the individuals and the geographical location at which the contact occurred;
1.3 Self-assessment data i.e. the responses provided by the person to the self-assessment test on the Aarogya Setu app, and
1.4 Location data i.e. data about the geographical position of an individual in latitude and
2. Implementing agency: MeitY will be responsible for overall implementation of the protocol. The National Informatics Centre (“NIC”) under the MeitY will collect, process and manage ‘response data’.
4. Third party sharing of response data:
4.1 Sharing of personal response data: It can be shared with- (a) the Ministry of Health and Family Welfare; (b) Health departments of the state/union territory/local government, NDMA and state disaster management authorities (“SDMAs”), and any other department/ministry/public health institution of the central/state/local government, but only if the data is necessary to frame/implement an appropriate health response.
4.2 Sharing of de-identified response data: It can be shared with the ministry/department/public health institution of the central/state/union territory/local government, NDMA and SDMAs, where the data needs to be shared for framing/implementation of a critical health response. De-identified data means data which has been stripped of personally identifiable data.
4.3 Maintaining records of third parties: NIC will, to a reasonable extent, maintain a list of agencies with whom response data is shared, and record details such as the purpose of sharing, categories of data shared etc.
4.4 Application of collection limitation, purpose limitation and period limitation principles: These principles will also apply to third-party sharing of response data. The data must be permanently deleted in all circumstances after 180 days from the date on which it is accessed. Any ministry/department/public health institution with whom the data is shared must implement reasonable security practices and procedures under the Information Technology Act, 2000.
4.5 Further sharing of response data: Any ministry/department/public health institution shall further share response data only when it is strictly necessary to frame/implement appropriate health responses. It must ensure compliance of the Protocol by other such entities with whom data is further shared. Such entities can be subject to an audit and review of their usage of response data by the central government.
5. Sharing of response data for research purposes:
5.1 Availability of response data to Indian universities and research institutions: Such universities and research institutions must be registered in India. The response data provided to them must be subject to ‘hard anonymisation’ (as opposed to de-identification). The anonymisation protocols for ‘hard anonymisation’ will be developed by an expert committee appointed by the Principal Scientific Advisor of the Indian government.
5.2 Data access subject to approval of expert committee: An institution will need to submit a request to the PSA-appointed expert committee to seek access to response data. The expert committee can approve such request only if it is satisfied that the access is sought for the purposes of statistical, epidemiological, scientific or any other form of academic research. It can also specify additional terms for accessing the data.
5.3 Reverse anonymisation/re-identification banned: If the institution, irrespective of its intention, conducts reverse anonymisation or re-identification of the response data, its access rights will be terminated. It will also be subject to penalties under the applicable laws.
5.4 Further sharing of response data: Institutions can share the anonymised response data with any other institution, provided that- (a) the sharing is for the purpose approved by the expert committee; (b) there is a contract between both parties, mentioning particulars such as nature of data shared, purpose of sharing data, the duration of such sharing and other details specified by the expert committee. The institution must provide a copy of the contract to the expert committee.
6. Penalties: Any violation of the protocol will be punishable under the Disaster Management Act, 2005 and any other applicable legal provisions.
7. Termination of protocol: The Protocol will be in force for 6 months i.e. till 11 November 2020. However, its enforcement period may be extended upon a review by the EG.
The Protocol has still come under criticism by privacy groups for not being legally binding; lacking a complaint mechanism for violations of the protocol; not providing a process by which to request deletion of data; not going far enough with the privacy safeguards, particularly in regard to the anonymization of data and data sharing with third parties; and including a sunset clause for the protocol but not for the app itself.
7. Judicial Response
On May 12, the Kerala High Court “refused to pass an interim order to stay the mandatory downloading of ‘Arogya Setu’ app on employees’ phones and sought a statement from the central government on data safeguards of the app being developed by the National Informatics Centre,” the Hindustan Times reported.
B. State-Level Apps
According to one news report several states and municipalities in India have developed their own COVID-19 contact tracing, home quarantine, and information advisory apps over the past two months, with most of these having been developed by private companies “that have unprecedented access to sensitive patient data with little liability in case of a breach.” The Indian Express highlighted a number of privacy concerns for these apps:
“Most of these apps have been developed by private companies and they have access to all the data while the liability provisions in case of breach are very vaguely worded, sometimes even asking the user to completely waive the liability and accountability of the service provider in case of data breach or loss,” Salman Waris, founder & partner at TechLegis Advocates & Solicitors said.
. . .
The permissions sought by most of these contact tracing apps and home quarantine portals is another security issue which must be paid attention to, cyber-security experts said. “Excessive permissions are required by applications that undertake tracing and surveillance through capturing information from different internal broadcasts from components of the device. In some cases, apps which are only informative and intended to issue advisories have sought permissions for location, photos, storage and camera,” a SFLC spokesperson said.
For example, Telangana’s app ‘T-Covid-19’ developed by Quantela Inc, a US-based company, aims only to “provide citizens with preventive care information and other government advisories”. “However, for an information and advisory serving app, it asks for several permissions which include monitoring components including ‘extra location provider commands’ which pertains to state of location,” legal cyber-security advisory group Software Freedom Law Centre said.
A similar COVID-19 dashboard, developed by the Madhya Pradesh Agency for Promotion of Information Technology was taken down after Robert Baptiste, a French ethical hacker who used the pseudonym Elliot Alderson on Twitter, pointed out flaws and showed that it violated the basic personal privacy laws. The quarantine and information vending apps of Punjab and Kerala, similarly seek more information than is necessary for these programs to function, experts said.
Punjab’s information vending app ‘Cova Punjab’ seeks to have full network access and even view network connections. The app even seeks to pair with Bluetooth devices in its vicinity without express approval of the device holder, which can be extremely problematic and invasive, a cyber-law expert said. “The problem is that all the state apps are using Centre’s Aarogya Setu framework and foundation as the starting point. That will not be a correct approach,” Supreme Court lawyer and cyber-law expert Pavan Duggal told The Indian Express.
In Uttar Pradesh, the “Chikitsa Setu” app was launched to “ensure safety of COVID-19 frontline workers,” with the objective “to provide official training content, spread awareness, and ensure safety of healthcare workers, sanitation workers and police personnel who are actively involved to protect citizens, breaking the chain of COVID-19 infection.”
Prepared by Tariq Ahmad
Foreign Law Specialist
Last Updated: 07/24/2020