Aarogya Setu: Is Govt. Data Protector or Violator?

Possible misuse of sensitive personal data was the main ground for blocking Chinese web-applications, wherein the government invoked the power under Section 69A of Information Technology Act, 2000 (hereinafter referred to as the IT Act), terming it as a threat to the sovereignty and integrity of the country.

Sensitive personal data can be used as a weapon due to its inherent characteristic of allowing you to launch an attack through sheer narrative power. This has been established in various cases where its use in causing riots, influencing the election outcomes, disinformation campaign during the war, shaping the ideologies by terrorist and anti-national groups, etc. has been extensively witnessed. China, in particular, has used this unique advantage, offered by the increasingly creative ways data can be used, not only to gain international dominion but also, more specifically, in the present Indo-China rift, to influence Indian population through its malicious propaganda. The question then arises – What prohibits the Government from taking action against the Government departments, when the government itself has recognized that such breaches do indeed pose a threat to the sovereignty and integrity of the country? In recent times, there have been many data breaches reported in media whereby sensitive personal data was alleged to be breached and/or misappropriated including those of servers belonging to the NIC, SBI, ISRO, Nuclear Plant, etc. which could have been exploited for causing the threats to the Sovereignty, Security and Integrity of the State. There cannot, after all, be any other plausible reason not to register cases against and seek the accountability of the government officers for their failure to protect the sensitive data.

The Aarogya Setu episode can be safely termed as one of the biggest data breaches in recent times due to several factors. Probably, the most important of those factors is that it contains the most sensitive health data, belonging to the largest segment of the population. Surprisingly, the departments which are associated with the protection of the sensitive data of the country, creation of laws & rules and also for enforcement of data protection are now failing to even explain what the SDLC cycle of the Aarogya Setu App was, who were the minds behind developing, encoding, etc. of the application. Such failure, in itself, represents the risking of sensitive personal data of citizen to some of the gravest acts which are illegal in nature and makes the stakeholders liable for civil damages as well as criminal punishment. The failure to provide information about encoding and developing of the App speaks for itself, and lends credibility to the possibility that the privacy policy of the application is hypothetical and false, and that its security features are misleading. Such a miserable state of affairs with respect to the managing of Aarogya Setu App clearly indicates that the allegations of the security flaws – made by the French ethical hacker Robert Baptiste – cannot immediately be dismissed to be false. Further it also raises huge question-marks over the statement given by Shri Ravi Shankar Prasad wherein he had stated that “the Aarogya Setu is a powerful companion which protects people, and that it has robust data security architecture. Those who indulged in surveillance all their lives won’t know how tech can be leveraged for good!” The Aarogya Setu episode can probably be termed as a grave breach of fundamental right to privacy. Such breach, in turn, threatens, on a massive scale, and in esoteric manner, the constitutionally guaranteed right to life & liberty. The Government Departments are taking the advantage of the protection available to them under Section 43A of the IT Act, under which the definition of ‘body corporate’ does not include government departments. However, after the declaration by the Supreme Court in the KS Puttaswamy judgement, of ‘Right to Privacy’ being a fundamental right, the government department should have acted more responsibly in protecting the fundamental right and ensuring that any failure occurring is treated with utmost stringency. However, Section 72A of the IT Act does provide a criminal remedy as well, in case of a data breach wherein Government Departments can also be prosecuted.

The current episode of Aarogya Setu App’s potential privacy breach attracts the criminal offence under this provision – Section 72A – and the government must act to protect the fundamental right of the people, in the larger interest of the society. An in-depth probe is also required to determine whether the misappropriated data has landed into the hand of adversaries who may use it not only for offences against the citizens of India but also against the nation as a whole, using such misappropriated data as a weapon for spreading their ideology, propaganda and for their misinformation campaign in general. It is an undisputed fact that the government and its departments are the biggest collector of sensitive personal data. Hence, it has also been quite evident that any regulation or law or policy to protect the sensitive personal data would be toothless in its attempt to protect the fundamental right of privacy, until it makes the government departments responsible as well, liable in enforcing a citizen’s right to privacy. The registration of criminal cases, tracing the offenders and the destination of the data, etc., could unearth the real threat and would enable the government to act proactively to uphold the right enshrined in Part III of the Constitution.