Law Library Stacks

Back to Index of of Legal Reports
Back to Comparative Summary

Full Report (PDF, 2.78MB)
Map: COVID-19 Contact Tracing Apps (PDF, 550KB)

Jurisdictions Surveyed:
The Americas: Argentina | Brazil | Mexico
East Asia, South Asia and Pacific: Australia | China | India | Japan | South Korea | Taiwan
Europe and Central Asia: European Union | England | France | Iceland | Italy | Norway | Portugal | Russia | Spain | Turkey
Middle East and Africa: Iran | Israel | South Africa | United Arab Emirates

India

The Supreme Court of India has held that the right to privacy is a fundamental right protected under article 21 (right to life and personal liberty) of India’s Constitution. India currently does not have a comprehensive Privacy Bill, though one is being developed, but specific provisions to protect electronic data can be found in the Information Act, 2000, and its subsidiary privacy rules. No central law lays out data retention provisions for government agencies and departments but various agencies have adopted their own data retention policies.

Both the Union and state governments have launched numerous COVID-19-related apps over the last two months to curtail the spread of the disease in the country. The most prevalently used app is the Union government’s official COVID-19 tracking app, Aarogya Setu (“bridge to health”), which was launched in April for Android and iOS users. The app was developed by the National Informatics Centre of the Ministry of Electronics and Information Technology as a contact tracing app. It uses both Bluetooth and GPS location data technology and allows users to assess the risk of their catching the coronavirus infection based on their interactions with others.

I. Introduction

According to the Ministry of Health and Family Welfare website, as of May 22, 2019, India had 66,330 active cases of COVID-19, 48,533 cured/discharged COVID-19 patients, and 3,583 deaths from the disease.[1]

There are an estimated 450 million smartphone users and 550 million feature phone users in India.[2] According to a 2019 KPMG report, the smartphone user base is forecast to be 829 million by 2022, growing at a compound annual growth rate of 15.5%.[3] According to Statista, “[i]t was predicted that by 2022, 36 percent of mobile phone users in the country would use a smartphone, up from 26 percent in 2018.”[4]

Most surveys on users’ willingness to share personal data appear to be focused on the private sector. One recent survey by Accenture found that “[n]early six in ten consumers would be willing to share significant personal information, such as location data and lifestyle information, with their bank and insurer in exchange for lower pricing on products and services.”[5] However, “consumers believe that privacy is paramount, with three quarters (75 percent) saying they are very cautious about the privacy of their personal data. In fact, data security breaches were the second-biggest concern for consumers, behind only increasing costs, when asked what would make them leave their bank or insurer.”[6] One 2018 survey by the Analytics India Magazine found that “50.6% of the respondents said they trust banks most with their personal data¾more than the government, e-commerce companies, social media websites or online media companies,” and “[o]verall, 33% respondents said they trust government departments with their data. 27% are neutral and 40% of respondents admitted that they do not trust them with their data.”[7]

II. Legal Framework

A. Privacy and Data Protection

On August 24, 2017, the Supreme Court of India, in Justice K.S. Puttaswamy (Retd.) v. Union of India,[8] held that privacy is a fundamental right protected by article 21 (right to life and personal liberty) of India’s Constitution.[9]

Currently, the Information Technology Act, 2000,[10] “contains specific provisions intended to protect electronic data (including non-electronic records or information that have been, are currently or are intended to be processed electronically).”[11] India’s Ministry of Electronics and Information Technology (IT) adopted the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (Privacy Rules),[12] which took effect in 2011 and “require corporate entities collecting, processing and storing personal information, including sensitive personal information, to comply with certain procedures.”[13] The rules contain “specific provisions regarding the collection of sensitive personal data or information. They apply to all body corporates in India other than those providing services related to the processing of sensitive personal data or information to any person under a contract.”[14]

The above Supreme Court ruling has led to the drafting of the wide-ranging Personal Data Protection Bill 2019,[15] which was introduced by the Minister of Electronics and Information Technology and is currently being reviewed by the Joint Parliamentary Committee (JPC).[16] It would apply to the processing of personal data by the state and private sector,[17] but the processing of “anonymous data” is outside the scope of the Bill,[18] except that the central government could direct organizations to disclose “anonymized” personal data or “non-personal data” under section 91 “to enable better targeting of delivery of services or formulation of evidence-based policies by the Central Government.”[19] The proposed Bill has “a broad definition of sensitive personal data and also identifies financial data, data about caste, tribe, religious and political belief or affiliation as sensitive personal data,” and has “stringent requirements with respect to the processing of sensitive personal data and information including requiring explicit consent, imposing additional conditions for cross-border transfers and requiring a copy to be stored in India.”[20]

B. Data Retention and Location Tracking

1. Data Retention

There is no central law for government agencies and departments in India that lays out data retention provisions, but various agencies have adopted their own data retention policies.

For the private sector, Rule 5(4) of the Privacy Rules states that a “[b]ody corporate or any person on its behalf holding sensitive personal data or information shall not retain that information for longer than is required for the purposes for which the information may lawfully be used or is otherwise required under any other law for the time being in force.”[21] Record and document preservation provisions are also set out in various laws and mostly vary from 5-8 years or permanent preservation.[22]

2. Location Tracking

The 2000 Information Technology Act allows the central government to authorize any agency of the government to monitor and collect data generated, transmitted, received, or stored in any computer source for the purpose of enhancing cyber security and for “identification, analysis and prevention of intrusion or spread of computer contaminant in the country.”[23] Procedures and safeguards for monitoring and collecting traffic data under this provision are regulated by the Information Technology Act and the Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009.[24] These Rules stipulate

who may issue directions for interception and monitoring; how such directions are to be executed; the duration they remain in operation; to whom data may be disclosed; the confidentiality obligations of intermediaries; periodic oversight of interception directions by a Review Committee under the Telegraph Act; the retention of records of interception by intermediaries; and the mandatory destruction of information in appropriate cases.[25]

III. Electronic Measures to Fight COVID-19 Spread

Both the Union and state governments have launched “a host of coronavirus-related apps over the last few weeks to curb the spread of the pandemic in the country.”[26]

A. Aarogya Setu Contact Tracing App

1. How It Works

The official COVID-19 tracking app of the Union government, Aarogya Setu (“Bridge to Health”), was launched in April for Android and iOS users. The app was developed by the National Informatics Centre, which comes under the Ministry of Electronics and IT.[27] The app has reportedly been installed 114 million times with 50 million installs in 13 days and 100 million in 41 days.[28] There does not appear to be any particular legal framework that governs the app apart from a privacy policy and terms of service[29] that have been updated a number of times.[30]  Some aspects of its use¾for example, mandatory use in certain circumstances¾have been included in orders issued under the Disaster Management Act, 2005,[31] which allows the union government to issue emergency measures in “unforeseen emergent situations.”[32]According to the Ministry of Electronics and IT, the app is a contact tracing app that uses both Bluetooth and GPS location data technology, using “algorithms and artificial intelligence.” It allows users to assess their own risk of catching the coronavirus and will “calculate this based on their interaction with others.”[33] According to one government FALQ,

[w]hen two registered users come within Bluetooth range of each other, their Apps will automatically exchange unique Digital IDs (DiDs) and record the time and GPS location at which the contact took place. The information that is collected from the User’s App will be securely stored on the mobile device of the other registered user and will not be accessible by such other user. In the event such other registered user tests positive for COVID-19, this information will be securely uploaded from his/her mobile device and stored on the Server. Then this information is used to further carry out the contact tracing and find out all possible persons who may have come in close contact with the person who has tested positive for COVID-19.[34]

The app tries to “determine if the user has been within six-feet of an infected person, by cross-referencing” the pan-India database (referred to as the “Server” in the above quote) of all COVID-19 patients.[35] The app also allows the Department of Health to “inform users of the app regarding risks, best practices and relevant advisories pertaining to the containment of COVID-19.”[36]

2. Data Collected

When the Aarogya Setu app is registered by a user, the following details are collected: “(i) name; (ii) phone number; (iii) age; (iv) sex; (v) profession; and (vi) countries visited in the last 30 days.”[37] This information is stored on the “back-end Server and it is hashed with a unique digital id (DiD)” that is pushed to the user’s app. The DiD is used to identify the user in all subsequent app-related transactions and will be associated with any data or information uploaded from the app to the database. The user’s location details are also captured and uploaded to the database.[38]

The app collects location data continuously at 15-minute intervals, which is stored on the mobile device and includes a record of all the places the user has been” at those intervals. This information is uploaded to the database along with the user’s DiD,

(i)        if the person tests positive for COVID-19; and/or

(ii)      if the persons self-declared symptoms indicate that they are likely to be infected with COVID-19; and/or

(iii)    if the results of a self-assessment test are either yellow or orange. This information will not be uploaded to the Server if you are not unwell or if the result of your self-assessment test is green.[39]

Yellow or orange signifies “a high level of risk for contracting COVID-19.”[40]

3. Persons Required to Download the App

When the app was launched in early April its use was considered voluntary but became mandatory for persons in certain containment zones and for public and private sector employees in May.

On May 1 the Union Home Secretary issued new guidelines[41] under section 10(2)(I) of the Disaster Management Act, 2005,[42] that designated districts into Red, Orange, and Green Zones based on risk. Green Zones are those that had no cases as of the date of the guidelines or within the previous 21 days; Red Zones were designated based on the “total number of active cases, doubling rate of confirmed cases, extent of testing and surveillance feedback.”[43] Orange zones are those that do not fit the criteria for the Green or Red designations.

Within the Red and Orange Zones authorities may set up Containment Zones or areas for more intense surveillance, such as contact tracing, home or institutional quarantining, and house-to-house surveillance by special teams. According to the guidelines, “[t]he local authority shall ensure 100% coverage of [the] Aarogya Setu app among the residents of Containment Zones.” The guidelines also required all employees in the public and private sector to use the Aarogya Setu app, with the head of each organizations being responsible for ensuring use by all employees. However, after criticisms from privacy advocates, it appears the government is easing its position on mandatory use of the app in offices: On May 17, the Ministry of Home Affairs issued new guidelines that stated, “[w]ith a view to ensur[ing] safety in offices and work places, employers on [a] best effort basis should ensure that the application is installed by all employees having compatible mobile phones.”[44] The new guidelines also stipulate that “[d]istrict authorities may advise individuals to install the Aarogya Setu application on compatible mobile phones and regularly update their health status on the app. This will facilitate timely provision of medical attention to those individuals who are at risk.”[45] Another set of guidelines were issued on May 30, 2020, for the phased reopening of the country outside containment zones, which included the same provisions on the use of the app.[46]Noida, a suburb of the capital, Delhi, had made it “compulsory for all residents to have the app, saying they can be jailed for six months for not complying.”[47] However, the order was reversed on May 20 “after some residents submitted a representation to the Additional Deputy Commissioner (Law and Order) challenging the directive’s legal basis.”[48] The Ahmedabad Municipal Corporation (AMC) has “also made it mandatory for personnel engaged in delivery of grocery and food item to download the app on their mobile phones. The revised guidelines issued by the Union Health ministry for home isolation of very mild/pre-symptomatic cases also call for downloading the app on the mobile and made it clear it should remain active at all times (through Bluetooth and Wi-Fi).”[49] Since the new federal guidelines removing the mandatory requirement were issued some states such as Uttar Pradesh have still made the use of the app mandatory and are imposing a fine for not doing so.[50]

In addition, some private companies such as Zomato and Xiaomi have made it mandatory for employees to download the app.

According to guidelines for international arrivals, “[a]ll passengers shall be advised to download Arogya Setu app on their mobile devices.” Those who for “exceptional and compelling reasons such as cases of human distress, pregnancy, death in [the] family, serious illness and parent(s) accompanied by children below 10 years, as assessed by the receiving states,” cannot carry out an institutional quarantine are permitted to home quarantine for 14 days but are required to use the Aarogya Setu app.[51] Union guidelines for domestic travel, including air and train, also advise passengers to download the Arogya Setu app on their mobile devices.[52] On May 25 domestic flights had resumed operations and the use of the app was made mandatory. According to  a news report “[a]ll passengers, except children below 14 years, must be registered on the Aarogya Setu app and it will be verified at the entry gate of the terminal building.”[53] Another news report noted that “passengers ‘not showing Green’ on Aarogya Setu app will not be allowed to enter into the airports.”[54] The Aarogya Setu app was also made mandatory for train passengers in the country.[55]

4. Government Use

According to the government, the personal information collected upon registration will

only be used by the Government of India in anonymized, aggregated datasets for the purpose of generating reports, heat maps and other statistical visualisations for the purpose of the management of COVID-19 in the country or to provide you general notifications pertaining to COVID-19 as may be required. Your DiD will only be co-related with your personal information in order to communicate to you the probability that you have been infected with COVID-19 and/or to provide persons carrying out medical and administrative interventions necessary in relation to COVID-19, the information they might need about you in order to be able to do their job.[56]

In the event a person has tested positive for COVID-19, the information collected is used to map the places the person has visited over the past 14 days “in order to identify the locations that need to be sanitised and where people need to be more deeply tested and identify emerging areas where infection outbreaks are likely to occur.”[57] In late May the privacy policy and terms of service were updated so that “location data for the last 30, not 14, days will now be pinged to the server if a user comes in close proximity of an infected person.”[58] Other data retention requirements are as follows:

All traced personal information shared between users, risk assessment tests and location information will be retained on the mobile device for a period of 30 days from the date of collection. All personal information uploaded to the Server will, to the extent that such information relates to people who have not tested positive for COVID-19, will be purged from the Server 45 days after being uploaded.

Persons who have tested positive for COVID-19 will be purged from the Server 60 days after such persons have been declared cured of COVID-19.[59]

There is an exception for “anonymized/ aggregated datasets” generated by the “personal data of registered users of the App or any reports, heat maps or other visualization created using such datasets, the medical reports, diagnoses or other medical information generated by medical professionals in the course of treatment will be retained.”[60] (For more on this topic see subsection (f),  below.)

5. Privacy Concerns

As per the head of this project, Arnab Kumar, the app was built to the standards of the draft data privacy bill, which is currently in the country’s parliament, and “access to the data it collects is strictly controlled.”[61] Such data “is encrypted using state-of-the-art technology and stays secure on the phone till it is needed for facilitating medical intervention.”[62]

However, when the app was first introduced and even now, political leaders, experts and human rights organizations have expressed several criticisms and highlighted a number of privacy concerns.  Rahul Gandhi, a prominent MP and former leader of the opposition Indian National Congress is reportedly among those who are critical of the app, arguing that it has “no institutional oversight” and raises “serious data security and privacy concerns.”[63]

In a blog post on Medium on May 6, French ethical hacker Robert Baptiste, who goes by the name Elliot Alderson, observed a number of security concerns and flaws with the app, including that it was “possible to modify the location of the app, which can enable one to identify how many people are unwell or infected even without being physically present in their vicinity.”[64] However, he stated that in a subsequent version of the app, “this issue was ‘fixed silently’ by the developers.”[65] In mid-May, a software engineer in the city of Bangalore, growing concerned that installing the app was slowly becoming mandatory in India, hacked the app so it was “collecting no data but still flashing a green badge declaring that the user was at low risk of infection.”[66]

Experts have noted that India is currently the only democratic nation in the world that had made the coronavirus tracking app mandatory for a significant portion of its population.[67] Some observers have also criticized the app on the ground that it “stores both location data and requires constant access to the phone’s Bluetooth,” which makes it “invasive from a security and privacy viewpoint.”[68] Until recently, Aarogya Setu was not open source, so the app was also criticized because it could not be “audited for security flaws by independent coders and researchers.” Experts felt that “[m]ore transparency could lead to ’potentially improved security as it would be open to scrutiny from third-party experts,’ ” according to news reports. Experts also noted that the app used “a static ID and is more easily amenable to de-anonymisation i.e. identifying the owner, in case someone else gets hold of the DID, because there is only a single layer of encryption.”[69] On May 7, the MIT Technology Review highlighted a number of similar concerns including the absence of a national data protection law. [70] This has raised the concern that the use of the app and its data collection has an “ambiguous legal basis.”[71]   

Though MIT researchers had given the app 2 out 5 stars in their review, they later downgraded the rating to one star, according to The Quint. “[T]he app lost more points on the parameters of ‘data minimisation’ which means the app is collecting more data than needed for the app to work,” the article said, citing a Times of India report.[72] One recent report highlights certain examples of this “non- adherence to the principle of data minimization”:

  • The personal information collected includes detail of the individual’s profession[,]  which has no direct relation with the effective use of the App
  • Proximity data should be used (as opposed to location tracking)[73]

Concern has also been expressed over the lack of definition of collected “anonymised data” and conflicting reports over how long such data can be retained.[74] There is also concern that health surveillance, which is “a necessity in a pandemic,” “can soon evolve into mass surveillance.”[75]

On May 26 the Ministry of Electronics and IT announced that the software has been made open source. “The source code for the Android version of the application is available for review and collaboration,” the Ministry said, and an “iOS version of the application will be released as open source within the next two weeks and the server code will be released subsequently. Almost 98% of Aarogya Setu Users are on Android platform.”[76]

6. Aarogya Setu Data Access and Knowledge Sharing Protocol

On May 11, 2020, in response to the many privacy concerns, the Ministry of Electronics and IT published through a notification the Aarogya Setu Data Access and Knowledge Sharing Protocol.[77] The Protocol was issued by the chairperson of the “empowered group on technology and data management,” “which is one of the 11 empowered groups created by the National Executive Committee of the National Disaster Management Authority”[78] to “provide legal safeguards for the operation of the Aarogya Setu mobile application.”[79] Some of the key highlights of the protocol include the following:

1. Data points collected from the individuals: ‘Response data’ collected from people using the Aarogya Setu app will have the following data points-

1.1 Demographic data, which includes the name, mobile number, age, gender, profession and travel history of the person;

1.2 Contact data i.e. data about another person that a given person has come in close proximity with, including the duration of the contact, the proximate distance between the individuals and the geographical location at which the contact occurred;

1.3 Self-assessment data i.e. the responses provided by the person to the self-assessment test on the Aarogya Setu app, and

1.4 Location data i.e. data about the geographical position of an individual in latitude and
longitude.

2. Implementing agency: MeitY will be responsible for overall implementation of the protocol. The National Informatics Centre (“NIC”) under the MeitY will collect, process and manage ‘response data’.

3. Application of collection limitation, purpose limitation and period limitation principles: The Protocol requires that- (a) the response data to be collected and its purpose must be specified in the privacy policy of the Aarogya Setu app; (b) the data must be used in a ‘necessary and proportionate’ manner only for the purpose of framing appropriate health responses and to improve such responses; (c) the contact data, location data and self-assessment data will not be retained beyond a period of 180 days, unless extended by the EG; (d) demographic data will be stored till the Protocol is in force i.e. 180 days, unless extended by the EG; in case a person requests her data to be deleted, then it must be deleted within 30 days of her request.

4. Third party sharing of response data:

4.1 Sharing of personal response data: It can be shared with- (a) the Ministry of Health and Family Welfare; (b) Health departments of the state/union territory/local government, NDMA and state disaster management authorities (“SDMAs”), and any other department/ministry/public health institution of the central/state/local government, but only if the data is necessary to frame/implement an appropriate health response.

4.2 Sharing of de-identified response data: It can be shared with the ministry/department/public health institution of the central/state/union territory/local government, NDMA and SDMAs, where the data needs to be shared for framing/implementation of a critical health response. De-identified data means data which has been stripped of personally identifiable data.

4.3 Maintaining records of third parties: NIC will, to a reasonable extent, maintain a list of agencies with whom response data is shared, and record details such as the purpose of sharing, categories of data shared etc.

4.4 Application of collection limitation, purpose limitation and period limitation principles: These principles will also apply to third-party sharing of response data. The data must be permanently deleted in all circumstances after 180 days from the date on which it is accessed. Any ministry/department/public health institution with whom the data is shared must implement reasonable security practices and procedures under the Information Technology Act, 2000.

4.5 Further sharing of response data: Any ministry/department/public health institution shall further share response data only when it is strictly necessary to frame/implement appropriate health responses. It must ensure compliance of the Protocol by other such entities with whom data is further shared. Such entities can be subject to an audit and review of their usage of response data by the central government.

5. Sharing of response data for research purposes:

5.1 Availability of response data to Indian universities and research institutions: Such universities and research institutions must be registered in India. The response data provided to them must be subject to ‘hard anonymisation’ (as opposed to de-identification). The anonymisation protocols for ‘hard anonymisation’ will be developed by an expert committee appointed by the Principal Scientific Advisor of the Indian government.

5.2 Data access subject to approval of expert committee: An institution will need to submit a request to the PSA-appointed expert committee to seek access to response data. The expert committee can approve such request only if it is satisfied that the access is sought for the purposes of statistical, epidemiological, scientific or any other form of academic research. It can also specify additional terms for accessing the data.

5.3 Reverse anonymisation/re-identification banned: If the institution, irrespective of its intention, conducts reverse anonymisation or re-identification of the response data, its access rights will be terminated. It will also be subject to penalties under the applicable laws.

5.4 Further sharing of response data: Institutions can share the anonymised response data with any other institution, provided that- (a) the sharing is for the purpose approved by the expert committee; (b) there is a contract between both parties, mentioning particulars such as nature of data shared, purpose of sharing data, the duration of such sharing and other details specified by the expert committee. The institution must provide a copy of the contract to the expert committee.

6. Penalties: Any violation of the protocol will be punishable under the Disaster Management Act, 2005 and any other applicable legal provisions.

7. Termination of protocol: The Protocol will be in force for 6 months i.e. till 11 November 2020. However, its enforcement period may be extended upon a review by the EG.[80]

The Protocol has still come under criticism by privacy groups for not being legally binding; lacking a complaint mechanism for violations of the protocol; not providing a process by which to request deletion of data; not going far enough with the privacy safeguards, particularly in regard to the anonymization of data and data sharing with third parties; and including a sunset clause for the protocol but not for the app itself.[81]

The privacy policy and terms of service have been updated to address some of these concerns including updates as of late May by which the government may now be held liable for “unauthorised access to your information or modification thereof” and removal of the ban on reverse engineering of the app.[82]

7. Judicial Response

On May 12, the Kerala High Court “refused to pass an interim order to stay the mandatory downloading of ‘Arogya Setu’ app on employees’ phones and sought a statement from the central government on data safeguards of the app being developed by the National Informatics Centre,” the Hindustan Times reported.[83]

B. State-Level Apps

According to one news report several states and municipalities in India have developed their own COVID-19 contact tracing, home quarantine, and information advisory apps over the past two months, with most of these having been developed by private companies “that have unprecedented access to sensitive patient data with little liability in case of a breach.”[84] The Indian Express highlighted a number of privacy concerns for these apps:

“Most of these apps have been developed by private companies and they have access to all the data while the liability provisions in case of breach are very vaguely worded, sometimes even asking the user to completely wave the liability and accountability of the service provider in case of data breach or loss,” Salman Waris, founder & partner at TechLegis Advocates & Solicitors said.

. . .

The permissions sought by the most of these contact tracing apps and home quarantine portals is another security issue which must be paid attention to, cyber-security experts said. “Excessive permissions are required by applications that undertake tracing and surveillance through capturing information from different internal broadcasts from components of the device. In some cases, apps which are only informative and intended to issue advisories have sought permissions for location, photos, storage and camera,” a SFLC spokesperson said.

For example, Telangana’s app ‘T-Covid-19’ developed by Quantela Inc, a US-based company, aims only to “provide citizens with preventive care information and other government advisories”. “However, for an information and advisory serving app, it asks for several permissions which include monitoring components including ‘extra location provider commands’ which pertains to state of location,” legal cyber-security advisory group Software Freedom Law Centre said.

A similar COVID-19 dashboard, developed by the Madhya Pradesh Agency for Promotion of Information Technology was taken down after Robert Baptiste, a French ethical hacker who used the pseudonym Elliot Alderson on Twitter, pointed out flaws and showed that it violated the basic personal privacy laws. The quarantine and information vending apps of Punjab and Kerala, similarly seek more information than is necessary for these programs to function, experts said.

Punjab’s information vending app ‘Cova Punjab’ seeks to have full network access and even view network connections. The app even seeks to pair with Bluetooth devices in its vicinity without express approval of the device holder, which can be extremely problematic and invasive, a cyber-law expert said. “The problem is that all the state apps are using Centre’s Aarogya Setu framework and foundation as the starting point. That will not be a correct approach,” Supreme Court lawyer and cyber-law expert Pavan Duggal told The Indian Express.[85]

In Uttar Pradesh, the “Chikitsa Setu” app was launched to “ensure safety of COVID-19 frontline workers,” with the objective “to provide official training content, spread awareness, and ensure safety of healthcare workers, sanitation workers and police personnel who are actively involved to protect citizens, breaking the chain of COVID-19 infection.”[86]

Back to Top

Prepared by Tariq Ahmad
Foreign Law Specialist
June 2020


[1] COVID-19 India, Ministry of Health and Family Welfare, https://perma.cc/QVT3-7ZBQ.

[2] Himanshi Lohchab, Overall India Handset Market Growth to Fall in 2020, The Economic Times (Dec. 24, 2019), https://perma.cc/9ERD-UJRD.

[3] KPMG, Fintech in India – Powering Mobile Payments 6-8 (Aug. 2019), https://perma.cc/VKC2-KPG3..

[4] Share of Mobile Phone Users that Use a Smartphone in India from 2014 to 2022, Statista (Oct. 24, 2019), https://perma.cc/942Z-XUUS.

[5] Six in Ten Consumers Willing to Share Significant Personal Data with Banks and Insurers in Exchange for Lower Pricing, Accenture Study Finds, Accenture (Mar. 14, 2019), https://perma.cc/AJ6D-W9FQ.

[6] Id.

[7] Smita Sinha, Annual Consumer Survey on Data Privacy in India 2018, Analytics India Magazine (May 25, 2018), https://perma.cc/E2K5-44HD.

[8] K.S. Puttaswamy v. Union of India, (2017) 10 S.C.C. 1, https://perma.cc/FF7F-YD7Z.

[9] Data Protection Laws of the World: India, DLA Piper, https://perma.cc/2YRD-P5GB.

[10] Information Technology Act, 2000, https://perma.cc/H4DG-9FZ7.

[11] DLA Piper, supra note 9.

[12] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (Privacy Rules), 2011, https://perma.cc/4WVQ-QC43.

[13] DLA Piper, supra note 9.

[14] Talwar Thakore & Associates, Data Protected, Linklaters, (Mar. 2020) https://perma.cc/6KXV-P7TT.

[15] Personal Data Protection Bill, No. 373 of 2019, https://perma.cc/S9PF-CSSN.

[16] The Personal Data Protection Bill, 2019, PRS Legislative Research, https://perma.cc/Y6H5-J3T7.

[17] Personal Data Protection Bill, No. 373 of 2019, § 2(A).

[18] Id. § 2(B).

[19] Id. § 91(2).

[20] Talwar Thakore & Associates, supra note 14.

[21] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (Privacy Rules), 2011, Rule 5(4).

[22] Period of Preservation of Accounts/Records under Different Laws, Bombay Chartered Accountants Society, https://perma.cc/RCV6-STMD.

[23] Information Technology Act, 2000, § 69B.

[24] Information Technology (Procedure and Safeguard for Monitoring and Collecting Traffic Data or Information) Rules, 2009,  The Gazette of India Extraordinary, pt. II, § 3(i) (Oct. 27, 2009), https://perma.cc/373K-HESJ.

[25] Privacy International, State of Privacy India (Jan. 29, 2019), https://perma.cc/BFR3-3FXM.

[26] Abhik Sengupta, Government Launches Aarogya Setu COVID-19 Tracker App on Android, iOS, Gadges 360 (Apr. 2, 2020), https://perma.cc/7SEZ-X9RV.

[27] Aarogya Setu App: COVID-19 Tracker Launched to Alert You and Keep You Safe, National Informatics Centre, Ministry of Electronics & IT, https://perma.cc/44NU-YERK.

[28] Tushar Burman, Aarogya Setu, India’s Contact-tracing App, Goes Open-source, FirstPost (May 27, 2020), https://perma.cc/U3DP-Q7FE.

[29] Amit Anand Tiwari, Covid-19: Aarogya Setu Needs Legislative Backing, Hindustan Times (May 21, 2020), https://perma.cc/EM4K-NDHX.

[30] Aditi Agrawal, Aarogya Setu Updates Privacy Policy, Terms of Service: Reverse Engineering Not Banned, but Function Creep Now Legitimized, Medianama (May 24, 2020), https://perma.cc/89JY-6GKE.

[31] Disaster Management Act, 2005, https://perma.cc/S3B6-SWM9.

[32] Vidisha Singh, India’s Aarogya Setu Contact Tracing App – Compromising Privacy in a Pandemic?, Jurist (May 18, 2020), https://perma.cc/2A4X-VKRR.

[33] Press Release, Ministry of Electronics & IT,Government of India Launches ArogyaSetu App to Track Covid 19 Infection (Apr. 2, 2020), https://perma.cc/GW6E-56NK.

[34] Government of Assam, Frequently Asked Questions on Aarogya Setu App, Q3, https://perma.cc/AN8L-2HBA.

[35] Shubhang Gopal, Aarogya Setu: 9 Things You Must Know before Downloading the Contact Tracing App, The Indian Express (May 10, 2020), https://perma.cc/7X79-WA5T.

[36] Arogya Setu – Govt. of India Initiative to Fight against Corona Virus – Bluetooth Based COVID-19 Tracker Mobile Application, District Court, https://perma.cc/DK4J-LQRU.

[37] Government of Assam, supra note 34, Q2.

[38] Id.

[39] Id. Q4.

[40] Manavi Kapur, The Indian Government Fixes Privacy Flaws in Its Coronavirus App, Quartz India (Apr. 16, 2020), https://perma.cc/6EN2-SYKB.

[41] Government of India, Ministry of Home Affairs, Order No. 40-3/2020-DM-I(A) (May 1, 2020), https://perma.cc/6SW7-779L.

[42] Disaster Management Act, 2005, § 10(2)(I). 

[43] New Guidelines See Home Ministry Ease Up on Compulsory Use of Aarogya Setu in Offices, The Wire (May 17, 2020), https://perma.cc/JC3U-5JRR.

[44] Press Release, Extension of Lockdown up to May 31, 2020, Ministry of Home Affairs (May 17, 2020), https://perma.cc/CA6Y-W56S (emphasis added).

[45] Id.

[46] Government of India, Ministry of Home Affairs, MHA Order No. 40-3/2020-DM-I(A), (May 30, 2020), https://perma.cc/2TX9-W7UL.

[47] Andrew Clarance, Aarogya Setu: Why India’s Covid-19 Contact Tracing App Is Controversial,BBC News (Delhi) (May 15, 2020), https://perma.cc/K5TY-4TYZ.

[48] Neerad Pandharipande, ‘Indian Govt Should Convince Public on Aarogya Setup’s Efficacy rather than Forcing It on Them’: Cybersecurity Expert Elliot Alderson Tells Firstpost, Firstpost (May 23, 2020), https://perma.cc/A6S2-MRZ9.

[49] Covid-19 Contact Tracing App Aarogya Setu Has Alerted 1.4 Lakh Users: Official, LiveMint (May 12, 2020), https://perma.cc/AQ2S-QT6M

[50] Government Climbs Down on Aarogya Setu by Removing Mandatory Provision, LiveMint(May 30, 2020), https://perma.cc/F7UH-GVVZ.

[51] Government of India Ministry of Health and Family Welfare Guidelines for International Arrivals (May 24, 2020), https://perma.cc/HWV6-GL8L.

[52] Government of India Ministry of Health and Family WelfareGuidelines for Domestic Travel (Air/Train/Inter-state Bus Travel) (May 24, 2020), https://perma.cc/CVD9-BGNL.

[53] Text Bulletin Details: Morning News, All India Radio (May 25, 2020), https://perma.cc/LZ23-PFVE.

[54] Prabhakar Thakur, Aarogya Setu App Mandatory for Airline Passengers, No Entry Without ‘Green’ Status, NDTV’s Gadgets360 (May 21, 2020), https://perma.cc/HV5M-D84K.

[55] Id.

[56] Government of Assam, supra note 34, Q5.

[57] Id. Q6.

[58] Aditi Agrawal, supra note 30.

[59] Tripti Dhar, Aarogya Setu – Carrying Your Privacy in Your Hands?, PrivSec Report (May 29, 2020), https:// perma.cc/T6NJ-XE7T.

[60] Id.

[61] Aarogya Setu: Lack of Data Privacy Laws, Transparent Policies Make App Worrisome, Say MIT Researchers, First Post (May 11, 2020), https://perma.cc/E3S5-TUQE.

[62] Id.  

[63] Id.  

[64] Pandharipande, supra note 48.

[65] Id.

[66] Pranav Dixit, India’s Contact Tracing App Is All But Mandatory. So This Programmer Hacked It So that He Always Appears Safe, Buzzfeed News (May 12, 2020), https://perma.cc/9J5X-PZ4W.

[67] Patrick Howell O’Neill, India Is Forcing People to Use Its Covid App, Unlike Any Other Democracy, MIT Technology Review (May 7, 2020), https://perma.cc/Q5ZS-VZSL.

[68] Clarance, supra note 47.

[69] Anuj Srivas, Aarogya Setu: Six Questions for the Centre on the COVID-19 Contact Tracing App, The Wire (May 4, 2020), https://perma.cc/JDD2-QYEA.

[70] O’Neill, supra note 67.

[71] Tripti Dhar, supra note 59.

[72] MIT Researchers Downgrade Aarogya Setu App to One Star in Review, The Quint (May 22, 2020), https://perma.cc/EF6B-HFCA.

[73] Tripti Dhar, supra note 59.

[74] Id.

[75] Anand Venkatanarayanan, Op-ed, Covid-19: How the Aarogya Setu App Handles Your Data, BloombergQuint (Apr. 17, 2020), https://perma.cc/Q5DN-URWE.

[76] Press Release, Ministry of Electronics & IT,Aarogya Setu Is Now Open Source (May 26, 2020), https://perma.cc/CCD6-GDWZ.

[77] Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020, https://perma.cc/WPH6-S6CY.

[78] Ikigai Law, A Summary of the Aarogya Setu Data Access and Knowledge Sharing Protocol (May 11, 2020), https://perma.cc/MLH8-XPLD#acceptLicense.

[79] Vidhi Centre for Legal Policy, Aarogya Setu’s Data Access and Knowledge Sharing Protocol, 2020 (May 11, 2020), https://perma.cc/V4J7-9G5X.

[80] Ikigai Law, supra note 78.

[81] Vakasha Sachdev, Does Govt’s New Data Protocol Address Concerns over Aarogya Setu?, The Quint (May 13, 2020), https://perma.cc/KM2E-R8BR.

[82] Aditi Agrawal, supra note 30.

[83] Kerala High Court Refuses Stay on Mandatory Use of Arogya Setu App, Hindustan Times (May 12, 2020), https://perma.cc/XBE9-2AS8.

[84] Aashish Aryan, Coronavirus Tracking Apps: States on Launching Spree; Privacy Concerns over Unfettered Access Raised, The Indian Express(May 20, 2020), https://perma.cc/6VNA-U236.

[85] Id.

[86] UP CM Yogi Adityanath Launches ‘Chikitsa Setu’ App to Ensure Safety of Frontline Workers, eHealth Network (May 20, 2020), https://perma.cc/UDJ5-9QVW.

Last Updated: 07/24/2020