A Legal Framework for Digital Surveillance in the COVID-19 Pandemic
By Shashank Mohan and Divij Joshi
(Views expressed in this document are the authors’ own, and do not reflect the views of any organisation they are affiliated with. Comments are welcome at divij[dot]joshi[at]gmail[dot]com or shashank[dot]mohann[at]gmail[dot]com)
Governments around the world have struggled to contain and manage the COVID-19 pandemic, even as they significantly reorient technology and governance resources to respond to the outbreak of the disease. Alongside methods such as imposition of large-scale lockdowns, governments have rapidly repurposed digital technologies for surveillance to contain and respond to the COVID-19 pandemic. These technologies have primarily been utilised for three interconnected purposes — Digital Contact Tracing, Exposure Notifications, and as Digital Health Codes or Immunity Passports.
Aarogya Setu is one such digital surveillance technology, deployed by the Government of India for the purpose of digital contact tracing, which has been installed by upwards of 100 million people. It collects detailed information about individual location, movement and associations, correlated with their health information. Aarogya Setu has been a mainstay of the Government of India (as well as many state and local governments’) response to containing and responding to the COVID-19 pandemic, since April, 2020, raising distinct concerns of inefficacy, exclusion, non-transparency, and risks to fundamental rights and civil liberties.
Many of these concerns arise from the lack of democratic control or oversight over the development and deployment of Aarogya Setu. The Government has failed to communicate or test the reliability, efficacy or utility of Aarogya Setu. The procurement of the technology, and the use and sharing of personal information has been notably opaque. The centrality of digital technologies as a public health response disregards concerns about lack of smartphone and internet access faced by a majority of the population. This is compounded by conditions and sanctions imposed on persons who do not have access to the technology, by governments as well as by private persons, such as being barred from using forms of public transport.
Our analysis indicates deficiencies in the present framework for governance of Aarogya Setu. In our policy brief on Aarogya Setu and digital health surveillance technologies in India, we have focussed on issues of legal and constitutional concern in the manner of deployment of digital surveillance technologies in India during the COVID-19 pandemic, focussing particularly on Aarogya Setu. We have highlighted four specific areas of concern:
- Legality and Proportionality
- Data Protection
- Equity and Discrimination
- Transparency and Accountability
Our analysis indicates that the use of Aarogya Setu lacks a clear legal basis, does not meet standards of proportionality and necessity, and is plagued with issues of non-transparency and unaccountability. The lack of a clear regulatory and governance framework impedes the public health measures it is intended to assist in, and the lack of safeguards and protections for users of the technology has led to arbitrariness, discrimination, and exclusion, besides concerns about individual privacy and decisional autonomy.
The legal and regulatory framework for Aarogya Setu does not adequately address these concerns. In May, 2020, the Ministry of Electronics and Information Technology, under the ostensible authority of the Disaster Management Act, 2005, released the Aarogya Setu Data Access and Knowledge Sharing Protocol, with the aim of ensuring secure data collection by Aarogya Setu, protection of the individual’s personal data, and the efficient use and sharing of personal or non-personal data for mitigation and redress of the COVID-19 pandemic. Although one of the key aims of the Aarogya Setu Protocol is to ensure secure data collection and protection of user privacy, we believe that it falls short on certain core data protection safeguards.
Firstly, as the Aarogya Setu Protocol is in the form of an executive circular/ notification, it cannot be considered a law, as passed by Parliament. Second, the Protocol does not sufficiently lay down the exact purposes for which user data shall be used, thereby running the risk of ‘function creep’ of the information collected. Lastly, the Protocol does not demonstrate a rational nexus between usage of Aarogya Setu and containment of COVID-19 or illustrate how Aarogya Setu is the least privacy-intrusive option for building mitigation strategies against the spread of the virus, thereby failing on the test of proportionality. We argue that even if usage of Aarogya Setu is purely voluntary, it must be backed by a comprehensive legislation backed by Parliament, considering the relationship between the citizen and the State and the legitimate concerns of citizens and the State towards maintenance of public health.
To address these concerns, we have provided detailed recommendations to bridge the legal and governance concerns identified. To aid the central and state government in implementing an appropriate rights-based regulatory framework for these technologies, we have also drafted the Coronavirus Digital Technologies Bill, which incorporates our recommendations into the structure of a draft legislation. The Draft Bill implements rights based frameworks to address data protection, discrimination and exclusion arising from the use of digital surveillance technologies in the pandemic, and provides for an independent oversight and regulatory mechanism for accountability and transparency of when, how, and to what extent digital surveillance should be utilised in the context of the COVID-19 pandemic.
Accountability and transparency are integral to the appropriate and democratic use of technologies in responding to the COVID-19 pandemic. These technologies must exist within both technical and legal frameworks and institutions which can ensure their effectiveness and can encourage their trustworthy use among the population. The Government of India must recognise and rectify the harms arising from the irresponsible and undemocratic use of digital surveillance systems like Aarogya Setu, if it hopes to successfully leverage digital technologies to respond to the pandemic.
Our policy brief and draft legislation on Aarogya Setu and digital health surveillance technologies in India can be accessed, here — https://osf.io/c29e8.
