Tuesday, May 12, 2020

Who has legal liability if Aarogya Setu Data is compromised?



The Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020 was notified by Ministry of Electronics and Information Technology on 11 May 2020. This has again led to new debate regarding whether after this notification Aarogya Setu app Data is safe? Adv Dr Mahendra Limaye, a cyber legal consultant, analyzed the notification and his reading of the notification is as below.
Functioning of Aarogya Setu app as per notification relates to technology and data management and certain necessary steps required to be taken to ensure its effective operation to detect and mitigate the spread of Covid 19 pandemic and enhance government preparedness at all levels. So the aim and object of the Aarogya Setu App was never a question and it is much applauded move by the government.
In order to ensure secure collection of data, protection of personal data of individuals and efficient use and sharing of personal or non-personal data for mitigation and redress this notification was specially issued. So we must understand that this notification was fall out of many objections raised towards security of the personal data collected through this app and about accountability of the data collected through this app and specially when some hacker claimed about vulnerability of this huge database. This response also shows government’s responsive approach to security concerns raised about the app and this is welcome move.
The notifications says that in order to formulate appropriate health responses for addressing the COVID-19 pandemic, data pertaining to persons who are infected, at high risk of being infected or who have come in contact with infected individuals is urgently required. This data includes demographic data, contact data, self assessment data and location data, collectively called ‘response. The demographic data includes the name, mobile number, age, gender, profession and travel history of an individual. Contact data covers data about any other individual that a given individual has come in close proximity with, including the duration of the contact, the proximate distance between the individuals and the geographical location at which the contact occurred. Self assessment data means the responses provided by that individual to the self assessment test administered within the Aarogya Setu mobile application. Finally Location data means data about the geographical position of an individual in latitude and longitude. So the broad categories of data collected through this app by government is once again made public by this notification.

The notification also states that the Ministry of Electronics and Information Technology, Government of India (“MeitY”) is designated as the agency responsible for the implementation of this Protocol and its developer, the National Informatics Center shall, under this Protocol be responsible for collection, processing and managing response data collected by the Aarogya Setu mobile application.

So it is highlighted that MeitY will be only supervising authority. So the government has brought NIC in picture for protection of entire data in the capacity of developer and made its role minimal in capacity of implementer.



Highlights of Principles for collection and processing of response data:
a. Any response data and the purpose for which it is collected by NIC shall be clearly specified in the Privacy Policy of the Aarogya Setu mobile application.
b. NIC shall collect only such response data as is necessary and proportionate to formulate or implement appropriate health responses. Further, such data shall be used strictly for the purpose of formulating or implementing appropriate health responses and constantly improving such responses.
c. NIC shall process any data collected by it in a fair, transparent and non-discriminatory manner.
d. Contact and location data shall by default, remain on the device on which the Aarogya
Setu mobile application has been installed after such data has been collected. It may be uploaded to the server only for the purpose of formulating or implementing appropriate health responses.
e. Contact, location and self assessment data of an individual that has been collected by NIC shall not be retained beyond the period necessary to satisfy the purpose for which it is obtained which, unless a specific recommendation to this effect is made in the review under Para 10 of this Protocol, shall not ordinarily extend beyond 180 days from the date on which it is collected, after which such data shall be permanently deleted. Demographic data of an individual that has been collected by NIC shall be retained for as long as this Protocol remains in force or if the individual requests that it be deleted, for a maximum of 30 days from such request, whichever is earlier.
f. The response data shall be securely stored by NIC and shall only be shared in accordance with this Protocol.

Principles for sharing of response data have also been stated which highlights that 1) Response data containing personal data may be shared with various government agencies/bodies where such sharing is strictly necessary to directly formulate or implement an appropriate health response.2) Response data in de-identified form may be shared with various bodies with whom such sharing is necessary to assist in the formulation or implementation of a critical health response.3) NIC shall, to the extent reasonable, document the sharing of any data and maintain a list of the agencies with whom such data has been shared.

Obligations of entities with which response data is shared are like use of such data strictly for the purpose for which it is shared, the data accessed and used by such entities should not be retained beyond the period necessary to satisfy the purpose for which it is shared, in any circumstance; such data shall not ordinarily be retained beyond
180 days from the date on which it was accessed, after which such data shall be permanently deleted etc.

The main concern is who is liable for any privacy violations committed through security breach of Aarogya Setu App? This notification does not provide any clarity to said concern. It was clarified that any violation of these directions may lead to penalties as per section 51 to 60 of the Disaster Management Act, 2005 and other legal provisions as may be applicable. Legal position for the protection of sensitive personal information under section 43A of Information Technology Act 2000 is that state cannot be made responsible in case of breach of data or lapse in protection of sensitive personal data. Through this Notification State has clarified that it is acting only in supervisory capacity and National Informatics Center, which is developer of the Aarogya Setu app will own entire responsibility as far as security and sharing of Response Data is concerned.
As regards section 51 to 60 of the Disaster Management Act they have one important protection as related to breach of data and the protection is “ unless he proves that the offense was committed without his knowledge or that he exercised all due diligence to prevent the commission of such offense”.

In case of any data breach through Aarogya Setu app defense will be always available that all due diligence was observed to prevent the commission of offense like Data Theft etc. So in my view this notification clearly fails to provide any specific measures which government has suggested for protection of Data of millions of Aarogya Setu app users. Also the other question remains is whether the provisions of the Disaster management Act can be enforced after Disaster is over? If data breach is reported after present pandemic is over then whether these provisions can be enforced, remains a question in my mind.     


Advocate Dr. Mahendra Limaye

About the author- Advocate Dr Mahendra Limaye is Cyber Legal Consultant and Cyber Law practitioner in India. He specifically practices in Information Technology Act based litigation's before Civil as well as Criminal Courts in India. He has obtained his doctorate on topic Fundamental Rights and Cyberspace. He can be contacted on mahendralimaye@yahoo.com or + 919422109619.

No comments:

Post a Comment