Pre-conditions to upload the location data collected every 15 minutes on government servers: According to Clause 1(d), the App is authorised to collect the user’s location data every 15 minutes and store it locally on the user’s mobile device. However, it lays down 3 pre-conditions under which this information will be uploaded to the server along with the DID:
i. if the user has tested positive for COVID-19; and/or
ii. if the user’s self-declared symptoms indicate that the user is likely to be infected with COVID-19; and/or
iii. if the result of the user’s self-assessment test is either yellow or orange.
It limits the purpose of the information collected to:
i. generating reports, heat maps, and other statistical visualizations for the purpose of management of COVID-19;
ii. providing general updates pertaining to COVID-19.
Co-relation of the user’s DID with their personal information:
Clause 2(a) further clarifies that a user’s DID will only be co-related with their personal information in order to:
i. communicate the probability of contracting COVID-19; and/or
ii. provide information to persons carrying out medical and administrative interventions in relation to COVID-19. This has been limited to the information needed by medical personnel to do their job.
5. Use of information collected from other users: Clause 2(b) provides that information collected from any other user’s mobile device shall be uploaded and stored on the server and be used to calculate the user’s probability of contracting COVID-19.
According to Clause 1(b), as soon as two users come within each other’s Bluetooth range, their DIDs will be automatically exchanged, and the time and GPS location at which the contact took place will be recorded.
This data will be stored on the respective devices of both users in an encrypted manner; in case one of them tests positive for COVID-19, this data of contact between the two users shall be uploaded to the government server.
Clause 3(a) states that “all personal information collected from you under Clause 1(a) at the time of registration will be retained for as long as your account remains in existence and for such period thereafter as required under any law for the time being in force”.
This leaves a lot of ambiguity considering India does not have a Personal Data Protection legislation in place or a legislation on privacy.
Information collected from risk assessment tests and location data:
Clause 3(b) lays down certain conditions for data retention:
i. All personal information collected under Clause 1(b), (c), and (d) will be retained on the mobile device for a period of 30 days from the date of collection after which, if it has not already been uploaded to the Server, will be purged from the App.
ii. All information collected under Clause 1(b), (c) and (d) and uploaded to the Server will, to the extent that such information relates to people who have not tested positive for COVID-19, will be purged from the Server 45 days after being uploaded.
iii. All information collected under Clause 1(b), (c), and (d) of persons who have tested positive for COVID-19 will be purged from the Server 60 days after such persons have been declared cured of COVID-19.
Aggregated anonymised data to be retained: The provisions of Clause 3(a) are not applicable to anonymized, aggregated datasets generated by the personal data of registered users of the App or to any reports, heat maps or other visualizations created using such datasets.
Clause 3(a) is also not applicable to medical reports, diagnoses or other medical information generated by medical professionals in the course of treatment.
7. Rights of the user to add, remove or modify any information provided during registration: Clause 4(a) gives a user the option to “add, remove or modify any registration information that you have supplied”.
Clause 4(b) reads as: “You cannot manage the communications that you receive from us or how you receive them. If you no longer wish to receive communications from us, you may cancel your registration. If you cancel your registration, all the information you had provided to us will be deleted after the expiry of 30 days from the date of such cancellation.”
Considering that the App does not provide an option to delete one’s account, it is ambiguous what will be considered deletion of an account, and whether un-installation shall be considered deletion.
Moreover, what will happen to the data of a user who has tested positive for COVID-19 but later uninstalled the App? Will such a person’s personal information be deleted after 30 days, and will such deletion of data not be in conflict with Clause 3(b), which mandates storage of the personal data of a COVID-19 positive person till 60 days after such person has been cured?
2. In case there is a requirement to accurately map places visited by the user, the DID associated with the information collected under clause 1(d) will be co-related with the user’s personal information collected under clause 1(a).
i. Aarogya Setu: Govt’s coronavirus tracker app gets 5 crore users in 13 days, 16 April, 2020. LiveMint. <https://www.livemint.com/news/india/aarogya-setu-govt-s-coronavirus-tracker-app-gets-5-crore-users-in-13-days-11587021032271.html>.
ii. Personal Data Protection and Privacy Principles, Adopted by the UN High-Level Committee on Management (HLCM) at its 36th Meeting on 11th October, 2018. United Nations. <https://www.unsceb.org/CEBPublicFiles/UN-Principles-on-Personal-Data-Protection-Privacy-2018.pdf>.
iii. Justice K.S. Puttaswamy (Retd.) v. Union of India, WP (Civil) No. 494 of 2012.