Scientia Est Potentia
Greater the power, more dangerous is the abuse. - Edmund Burke
To help control the ongoing pandemic caused by the highly contagious COVID-19
virus, India too has developed a contact tracing app (by Ministry of Electronics
and Information and National Information Centre). The app works by constantly
exchanging Bluetooth signals and tracking the user's device location to detect
other app users who are in close proximity, and raises an alert if a COVID-19
carrier is nearby.
The Government has been actively involved in mandating the usage of the app to
control the crisis. Contact tracing apps have shown some success in flattening
the curve in countries like Taiwan and Singapore. However, these countries are
backed by stringent data protection laws that safeguard individuals' privacy
rights, which underpins the potential of such apps. The absence of stringent
data protection laws in India, together with the app's vague terms of usage
policy concerning the privacy of the users, is a burning issue which needs to be
addressed forthwith for the app to be effective.
2. Concerns relating to privacy due to the deviation from the so-called
privacy-friendly model:
- Staying lean: all the data collected delivers actual value, i.e. there is a
nexus between the data collected and the objective sought to be achieved
- Build security: protection of the data collected
- Engage the users: consumers are informed and empowered.
2.1 Staying lean
The foremost impetus for the development of this particular app is to aid
situational awareness via contact tracing and Bluetooth low energy (BLE)
beacons. The BLE beacons help in social tracing of the users, where the
respective devices exchange:
- Media access control (MAC) address
- Distance between the devices
- Device ID
- GPS latitude and longitude
- Signal strength
- Time at which the device was seen
- Bluetooth model name and number.
In contrast, the TraceTogether app collects:
- Random device ID
- Signal strength
- Time at which the contact device was seen
Thus the TraceTogether app takes a much more minimalist approach to data
collection while maximizing the result, proving more efficient than its Indian
counterpart.
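The contrast between the two payloads can be made concrete. The following is an added example, not code from Aarogya Setu or TraceTogether: a local encounter log that keeps only the three minimal fields, drops everything else a scan delivers, and purges old rows. The HMAC-derived rotating identifier, the 15-minute rotation window, the 30-day retention default and all function and field names are assumptions made for illustration.

```python
"""Added illustration: a data-minimising encounter log (all names hypothetical)."""
from __future__ import annotations

import hashlib
import hmac
import struct

ROTATION_SECONDS = 15 * 60          # assumed rotation window for the random ID
RETENTION_SECONDS = 30 * 24 * 3600  # assumed 30-day retention period
ALLOWED_FIELDS = ("random_id", "rssi", "seen_at")  # the minimal model's three fields


def ephemeral_id(device_secret: bytes, now: int) -> str:
    """Return the random-looking ID a device broadcasts in the window containing `now`.

    Without device_secret, IDs from different windows cannot be linked together.
    """
    window = now // ROTATION_SECONDS
    digest = hmac.new(device_secret, struct.pack(">Q", window), hashlib.sha256).digest()
    return digest[:16].hex()


def minimise(observation: dict) -> tuple[dict, list[str]]:
    """Split a raw scan result into (fields to store, names of fields discarded)."""
    missing = [f for f in ALLOWED_FIELDS if f not in observation]
    if missing:
        raise ValueError(f"observation lacks required fields: {missing}")
    kept = {f: observation[f] for f in ALLOWED_FIELDS}
    dropped = sorted(set(observation) - set(ALLOWED_FIELDS))
    return kept, dropped


class EncounterLog:
    """On-device store that never persists anything outside ALLOWED_FIELDS."""

    def __init__(self, retention_seconds: int = RETENTION_SECONDS):
        self.retention_seconds = retention_seconds
        self._rows: list[dict] = []

    def record(self, observation: dict) -> list[str]:
        """Store the minimised observation; return what was thrown away."""
        kept, dropped = minimise(observation)
        self._rows.append(kept)
        return dropped

    def purge(self, now: int) -> int:
        """Delete rows older than the retention period; return how many were removed."""
        cutoff = now - self.retention_seconds
        before = len(self._rows)
        self._rows = [r for r in self._rows if r["seen_at"] >= cutoff]
        return before - len(self._rows)

    def rows(self) -> list[dict]:
        return [dict(r) for r in self._rows]


def demo() -> dict:
    """Run the log over two constructed observations and report the outcome."""
    peer_secret = bytes(range(32))  # constructed; a real device would use os.urandom(32)
    t0 = 1_588_291_200              # constructed timestamp: 2020-05-01 00:00:00 UTC
    log = EncounterLog()
    # Constructed scan result carrying the fuller field list described above.
    verbose = {
        "random_id": ephemeral_id(peer_secret, t0), "rssi": -61, "seen_at": t0,
        "mac": "02:00:00:00:00:01", "device_id": "constructed-device-id",
        "lat": 0.0, "lon": 0.0, "bt_model": "constructed-model",
    }
    dropped = log.record(verbose)
    log.record({"random_id": ephemeral_id(peer_secret, t0 + ROTATION_SECONDS),
                "rssi": -70, "seen_at": t0 + ROTATION_SECONDS})
    purged = log.purge(now=t0 + RETENTION_SECONDS + 1)
    return {"dropped": dropped, "purged": purged, "rows": log.rows()}


if __name__ == "__main__":
    print(demo())
```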
Here comes the question of why the GPS data was even collected:
The collection of GPS-related information is clearly against the established
global standards of privacy-focused apps. GPS location is also of little use in
indoor locations such as a metro. Besides, in a mass setting scenario, Bluetooth
usually precedes in terms of privacy concerns.
Some might argue that the GPS-enabled features are an enhanced feature of the
application, allowing hotspots to be mapped. However, little value can be
attached to information about the location where an infection was passed on a
few weeks ago. The more needful information is that which locates and
quarantines the individual, for which the person's phone number, collected by
both apps, is more than sufficient.
Additionally, some personal information that is relevant during the testing or
quarantine phase of the individual is collected by the Aarogya Setu app. It is
not relevant to contact tracing and therefore isn't required by the
TraceTogether app.
The possibility of false positives cannot be ruled out where devices are shared
or switched. Since the app works algorithmically on the information continuously
fed to it, false positives can plausibly be anticipated. This is concerning,
since a false positive affects the civil liberties of others who might come in
contact with such misleading cases.
2.2. Building security:
The Aarogya Setu app is widely endorsed by the Prime Minister. It should
therefore be considered critical infrastructure with wide adoption. Anything
with wide adoption potential must have a proportional amount of protection to
safeguard it from abuse.
However, security concerns come into play since no specified legal framework
defines the functioning of the app beyond the terms of service and the privacy
policies.
Issues regarding the security of users' data can be categorized under the
following subheadings:
- Information collection:
The terms concerning collection of the data are ambiguous. Though the Government
mentions that the data collected would reside locally on the device, in certain
cases the data could be transferred to a cloud server. The information and
description of such exceptional cases are abstruse and scant. The host of such
cloud servers is also not specified. The functioning of the app is based on data
sharing between the devices. Most apps that carry privacy risks share the data
involved in an encrypted and anonymous manner. The app in question is abstruse
about its terms of data sharing.
Another issue with information collection is that the terms of service assure
that the stamped records of user contacts are updated and deleted every 30 days,
yet nothing is mentioned about the collection and storage of the anonymized,
aggregated and encrypted data set. Thus, for all we know, the encrypted data
could be used for purposes other than contact tracing.
- Institution divergence:
In the absence of a categorical assignment of data handling and storage
guidelines and of authority over the data procured from the app, the issue of
institution divergence arises. Government sources have mentioned that the
health-related aspect of the app is handled by the Ministry of Health and Family
Welfare, while the data-related aspects of the app are to be handled by the
Ministry of Electronics and IT Information (MEITY), yet there is no assurance
that these data handlers are exclusive. However, the terms and conditions of the
app mention that the data is primarily to be used for medical purposes but might
be repurposed for other legal purposes as well. This indicates that the data can
be steered by departments other than the Ministry of Healthcare and Family and
MEITY. The vague specification of who holds the reins of control, manipulation
and operation of the data only adds to the concerns of data overreach. The
ambiguity around such institution divergence thus relieves the Government of
India from any liability in case of misuse or of a mala fide data breach by any
other unauthorized agency.
- Purpose limitation:
The scope of the purposes for which the data is to be used is extremely obscure
in the terms and conditions of the app. The absence of a legal framework
defining the periphery of such data use only adds to the privacy concerns.
The vague language of the terms and conditions implies that, in addition to
medical purposes, the data can be used for other legal purposes too, thus
expanding the scope for such data use.
Whereas for its Singapore counterpart, it is clearly mentioned that the app's
data is not to be used for purposes other than disease control and is not to be
used for law enforcement or any other legal manifestations. Aarogya Setu lacks
such guidelines, which amplifies the scope for repurposing the available data of
the users for other legal purposes.
The amalgamated risk associated with such data collation, institution divergence
and purpose limitation is that once the data is on the central database, it
might become entangled with other databases, giving broader access to such
personal data and risking the privacy of the individuals.
- Issues regarding transparency:
Apart from the ambiguity about the purpose and manifestations of data collation
and about the players handling and using such data, there is a lack of
transparency with regard to information about the app too. The only information
available about the app is what the front end mentions about the types of
services it is equipped to provide. No information regarding the source, and no
Frequently Asked Questions (FAQs) with regard to the functioning of the app, is
provided.
The source code of TraceTogether, from which Aarogya Setu was inspired, is
available on GitHub along with a section answering frequently asked questions.
This enables transparency regarding the app, which is lacking in the Indian
counterpart. The availability of source code enables ethical hackers to identify
malicious cyber attacks and prevent them. Unavailability of such source code
makes an app prone to cyber threats, jeopardizing the information of the users
and, as a result, compromising their privacy rights.
2.3 Engaging User:
The sole purpose of user engagement is to increase trust, which plays a
conclusive role in maximizing the use of the app's potential. In the apps
created by other East Asian countries, the users are better informed of the
app's policy of use.
Furthermore, the users are better informed of the app's technical specifications
via the open source code. The app's usage in correlation with the health aspect
has also been laid down in the public forum after engaging in multiple rounds of
discussion with various healthcare frontliners.
Contrarily, in the app endorsed by the Indian Government, no such steps to
engage the users and keep them better informed have been taken. The app also
lacks open source code, making the data disclosed more vulnerable to hackers.
Apart from that, the app's vague policy terms regarding privacy concerns and
data storage are of not much help.
3. Existing legal framework related to privacy:
3.1 Concept of Privacy:
The right to privacy has evolved under the Indian constitution as a part of
Article 21. Thus, the right to privacy is embodied as a vital appendage of the
right to life enshrined by Article 21, which is a fundamental right under the
Indian constitution.
Since the right has evolved under Article 21 (right to life and liberty), it can
also be subjected to the reasonable restrictions applicable to Article 21. The
right, being a part of Article 21, is also a part of Part III of the Indian
constitution, under fundamental rights which are judicially enforceable. Thus,
cases infringing the right to privacy can be subjected to judicial scrutiny
under the constitutional framework.
3.2 Evolution of right to privacy via case laws:
In the case of Kharak Singh v State of U.P (1962), the dissenting opinion of the
minority verdict established privacy as a fundamental right. The position of the
right to privacy was established both under the garb of personal liberty under
Article 21 of the Indian constitution and under freedom of movement under
Article 19 of the Indian constitution.
In the case of Govind v State of M.P, it was stated that the right to privacy
emanated from the right to life and personal liberty under Article 21, as well
as the right to freedom of movement under Article 19. This right subsists along
the frontiers of personal intimacies of home, marriage, family, motherhood, and
procreation. Like other fundamental rights, the right to privacy is also limited
by reasonable restrictions, which include "compelling state interest".
R. Rajagopal v. Union of India:
A right to privacy is guaranteed under Article 21, embedding the right to
personal liberty under the Indian Constitution. It was recognized that the right
to privacy subsists to safeguard privacy within the family, marriage,
procreation, motherhood and child bearing. Thus, no one has the right to publish
anything jeopardizing this right unless the right to privacy has been
compromised in mainly three possible ways:
- When voluntary consent is given by the individual to be a part of the
associated controversy violating the privacy of the individual
- When the published work related to the alleged privacy infringement
concerns materials already in private domain, except classified
confidential matters
- When the individual is a public servant and the matter of controversy relates
to his/her discharge of official duties.
The case of District Registrar and Collector, Hyderabad and another v Canara
Bank and another (2004) held that the right of privacy enshrined under the garb
of fundamental rights deals with privacy issues of the following nature:
- Legislative provisions
- Administrative/executive orders
- Judicial orders
It also held that the right to privacy is only applicable to persons and not
places.
The case of People's Union for Civil Liberties v Union of India (1996) laid down
guidelines for interception provisions to safeguard privacy and introduce proper
checks and balances for the same. The guidelines were:
- Only Home Secretaries and the central and state governments can issue
interception orders
- Before approval of such an interception order, the necessity of the order
and the scope of alternative means to acquire the information need to be
investigated and considered
- The interception order generated should be specific. It means that the
interception order should specifically contain the names and addresses of
the persons who are to be intercepted and the order should in no way be
generic
- A limitation cap on the validity of such an order has been specified as
2 months
Thus, the case laid down that privacy, being a fundamental right under the garb
of the right to life, has to be protected. However, it is subject to reasonable
restrictions in compliance with the interest of the state, which validates
interception orders in some cases covered by the reasoning of reasonable
restriction.
Petronet LNG LTD v Indian Petro Group and another established that the right to
privacy as a fundamental right is available only to natural persons and citizens
and not to corporations, companies or non-state individuals or actors. Thus
natural persons are protected by this right, and legal persons cannot avail the
benefit of protection under it.
Selvi and others v. State of Karnataka and others (2010):
Indian criminal law and evidence law contain mandates with respect to
interference with bodily and physical privacy. In this case a distinction was
drawn between physical and mental privacy. It elaborates on the intersection of
two provisions: the right to privacy under Article 21 and Article 20(3),
embodying the rule against self-incrimination.
Both provisions are to be read in harmony with one another; thus the rule on
self-incrimination does not mean that the individual's private choice of whether
to make a statement against himself can be encroached upon contrary to his free
will. Thereby the individual can't be subjected to techniques such as the Brain
activation profile test, narco-analysis and polygraph examination test against
his consent, since this violates the sutures of mental privacy enshrined under
the right to privacy under Article 21 of the constitution.
In the case of Unique Identification Authority of India & Anr. v. Central Bureau
of Investigation (2014), it was held that, where biometric information is
secured from a person for a specific purpose by the specified authority, i.e.
the Unique Identification Authority of India in this case, that authority should
not be allowed to transfer any data to any other agency without the written
consent of that person.
The jus cogens establishing the right to privacy as an irreversible and
irrefutable part of the right to life and liberty enshrined under Article 21,
and a part of the right to freedom of movement under Part III consisting of the
Fundamental Rights of the Indian constitution, was set out in the Aadhar
Judgement case of Justice K.S. Puttaswamy & Anr. v. Union of India (2015).
Article 12 of the Universal Declaration of Human Rights and Article 17 of the
International Covenant on Civil and Political Rights set out the principles of
privacy in their respective articles. India has been a party to both the
international conventions.
3.3 Existing Data protection Laws safeguarding privacy concerns in India:
Surveillance concerns:
Two of the most important laws concerning a few privacy-related aspects are the
Information Technology Act, 2000 and the Indian Telegraph Act, 1855.
Section 5 of the Telegraph Act enables the Central Government and the state
governments to issue interception orders under mainly two circumstances, namely
a) in case of public emergency b) in the national interest of sovereignty,
security or in the interest of foreign affairs of the state.
Section 69 of the IT Act expands the grounds on which an interception order can
be given with respect to digital communications. The grounds cover the instances
under the Indian Telegraph Act along with additional ones, such as the
investigation of offences.
The IT Act doesn't restrict interception orders to cases of public emergency and
safety. It has wider grounds for issuance of interception orders than the
Telegraph Act.
Section 69B of the IT Act permits authorized authorities to monitor and collect
data in relation to cyber security. The term cyber security is defined in 2(nb)
of the IT Act.
Sections 69 and 69B of the IT Act also have provisions requiring
agencies/individuals to aid the concerned authority in carrying out the
interception order; failing to do so will lead them to face subsequent charges.
Rule 419A of the Indian Telegraph Rules (1975) mentions the authorities
competent to issue such interception orders on valid grounds.
The Unlawful Activities Prevention Act (1967), amended in 2019 to combat
terrorism, enables information collected via the interception of such
communications under the IT or Telegraph Act to be produced as evidence.
Section 26 of the India Post Office Act allows for the interception of postal
articles by direction issued by authorized Central and State Government officers
in the interest of public safety, tranquility or any kind of public emergency.
Section 91 of the Code of Criminal Procedure states that any Indian court or an
officer of law enforcement can access stored data for the purpose of
investigation, trial, inquiry or any other kind of proceeding under the Code of
Criminal Procedure.
Section 92 of the CrPC allows District Magistrates and Courts to have things or
articles produced by the telephone or postal authorities as required for an
investigation, trial or proceeding under the code. The above two sections are
ambiguous in that they do not define the boundaries of the authorities
classified as postal or telegraph authorities. ISPs might therefore fall within
the ambit of such authorities, increasing the privacy concerns of individuals
subscribed to such service providers.
The Indian Wireless Telegraphy Act, 1933 states under section 3 that possession
of wireless telegraph apparatus without a license is an offense. Hence the
monitoring, intercepting and surveilling of communications via the operation of
such unauthorized wireless apparatus is a violation under the act.
3.4 Existing Data protection laws:
Under the current Indian legal framework, the Information technology protection
Act has a few provisions protecting the personal and sensitive data collected
via electronic resources.
Section 43(a) to (h) of the IT Act, concerned with the protection of electronic
data, attracts civil prosecution in cases of cyber contraventions. Sections
63-74 of the same act attach criminal action to certain cyber offences specified
under the act.
Section 43 of the act ensures protection of personal and sensitive information
collected, processed or stored by corporate entities.
The major requirements carved out under this act to protect such data are:
- The corporate must provide a privacy policy to the providers of
information, who must consent in the form of a letter, fax or email under
rule 5(1). The purpose of the information collection, along with information
about the agency receiving the information, is made known to the individuals
consenting.
- Sensitive personal information must only be collected for lawful and
necessary purposes.
- Individuals providing such information can opt out of services prior to
the collection of such information, and sensitive information, once
provided, can be updated and corrected under rule 5(6) of the constitution.
- The conditions under which a body corporate receiving the information can
disclose it are mandated under rule 6(1). Rule 8 prescribes that the body
corporate must lay down security rules, policy standards and practices to
safeguard such information assets.
Non-compliance with the few safeguards mentioned to protect privacy under this
act attracts civil and a few criminal liabilities as mentioned under the
respective sections of this Act.
Another Act that protects data to some extent is the Copyright Act of India,
1957, which offers intellectual property right protection to creative work.
Literary works subsist under such creative works. By statute, computer databases
exhibiting the creativity of the players involved in the compilation,
verification and presentation of such databases are considered literary works
under the Act. There is, though, a difference between database protection and
data protection. Data protection pertains to protecting the privacy of
individuals, while database protection seeks the protection of the creative
investment as a whole.
4. Need for Data protection Bill:
India doesn't have a comprehensive legal framework for protecting the data of
individuals. No comprehensive authority or data processing measure for
safeguarding privacy has been defined under the Indian legal framework.
Moreover, the scope and extent to which personal data and privacy can be
protected under the existing legal framework is ambiguous and narrow.
There is an urgent need to expand the scope of personal data protection to
protect individuals, and to redefine the ambit under which such data may be
compromised, thus strengthening the grounds of reasonable restriction under
which the privacy of such information can be compromised.
Furthermore, the following principles and points need to be covered under one
conclusive, all-encompassing act for efficient safeguarding of data privacy:
- Accountability: the legal regime should be accountable for all personal
information in its possession.
- Purpose Specification: strict identification of the purposes for which the
specified data is being collected, at or before the time of collection.
- Consent and notification: Proper notice of the purpose for which the
data is to be used should be provided to the individual, enabling him
to make a consented choice about sharing his data for the specified purposes,
except under certain specified circumstances.
- Collection Limitation/Minimalistic approach of data collection: The data
collected should be limited specifically to the identified purpose for
which the information is being collected. The collected data should be
absolutely necessary for the purpose and not otherwise.
- Disclosure and Limitation clause: The information so collected should
be divulged only on the basis of the identified purpose and not
otherwise, except with the individual's consent.
- Deletion: The information should be deleted when it is no longer
required for the mentioned purpose. Storage of information that creates an
information pool is to be prevented.
4.1 The Data Protection Bill:
Clearly there is a burning need for the enactment of a data protection bill
upholding privacy rights and protecting the information of individuals and
agencies in this digitally advancing environment, boosting the data economy.
The Data Protection Regime's goal is to widen the scope of the data protection
legal framework in a comprehensive manner. Enforcement of such an Act is to
ensure the protection of data in the processing activities carried out by both
Government and private entities.
The current draft of Personal Data Protection Bill, 2019 (PDPB) intends to
replace the Draft of Privacy Bill proposed in 2017. Although the legislative
intent and the aspects of privacy and data protection sought to be covered by
these bills are significantly different, a few provisions of the PDPB overlap
with those of the Privacy Bill.
However, the probability of the Privacy Bill seeing the light of day as an Act
seems bleak and diluted, while the PDPB is a more recently passed proposition of
2019, which is supposed to be further processed in the Parliamentary sessions of
2020. The following therefore explores the provisions of the PDPB that might aid
efficient functioning given the rising dependence on apps and technology in the
light of the current pandemic and post-pandemic scenario due to COVID-19.
4.2 Influence of other countries' legal provision ensuring privacy and
safeguarding of data:
Owing to our colonial history, ours too is a country which follows a legal
system based on the common law structure. Hence it is an inveterate habit of the
policy framers to draw inspiration from the existing privacy law frameworks of
common law countries such as the US and the UK. The US doesn't seem to have a
comprehensive specified set of rights or principles, or an Act, in respect of
the use, collection and disclosure of data. Instead, privacy protection in the
US attains a colour of liberty protection under a few sector-specific
regulations.
Moreover, the approach to data protection varies between the public and private
sectors. The role of the Government in maintaining the privacy of individuals
seems to be more stringent than that of its private counterparts in the US. The
activities and powers of the Government are specified by broad, extensive
legislation such as the Privacy Act and the Electronic Communication Privacy
Act. For the private sector, a few pieces of legislation are available, such as
the Federal Trade Commission Act. However, they are highly sector specific, thus
limiting the safeguards that protect privacy.
Post Brexit, the UK doesn't directly follow the principles of the GDPR (General
Data Protection Regulation). The Government, in tandem with the requirements of
the EU's GDPR, issued via the DPA (Data Protection Act) a new regime known as
the UKGDPR.
It has been seen that the US approach to data management and privacy is not
efficient under its legal framework in the absence of any comprehensive law. The
EU's approach has been seen to be so stringent in ensuring data management and
protection that it defeats the purpose for which such information was sought to
be disclosed in the first place.
The current PDPB strives to find a middle ground between these two extremes, to
address the concerns of inefficiency as well as extreme stringency.
The PDPB is mainly influenced by the EU's GDPR.
The bill seeks to encompass the following features:
- Technology agnosticism
- Holistic Application
- Informed consent
- Data minimization
- Controller accountability
- Structured Enforcement
- Deterrent penalties.
4.3 Elements of the bill:
The above features are enshrined in the following provisions of the bill:
The PDPB ensures categorical division of data into personal and sensitive.
Section 49 of the bill proposes a Data Protection Authority, while section 60
sets out the powers and functions of that authority with respect to the
categorization of data and prevention of its misuse, ensuring compliance with
the provisions of the PDPB, and encouraging data protection awareness.
Controller accountability and a holistic approach are ensured under section 3 of
the bill, which embodies the concept of data fiduciary officers.
4.4 Shortcomings of the Bills:
The Bill mainly adopts a preventive format to protect the right to privacy
instead of protecting informational privacy. Informational privacy is being
viewed as a subset of the right to privacy. The bill restates the evolved
jurisprudence on privacy, in which privacy has moved from being a right
protecting other ends to being an end in itself. Thus, the bill mainly focuses
on regulating practices related to the use of data rather than the content of
the data itself.
Moreover, the practice of regulating privacy issues by informing users via
disclosure clauses is becoming ineffective on account of technological advances,
since individuals take less responsibility while sharing their data. Also,
compliance with the preventive framework adds an extra cost for small
businesses. In India most businesses are small businesses, so it might impact
the economy negatively.
Finally, the bill, while diluting property rights in data, menacingly increases
the state's surveillance power without adequate checks and balances. Such an
effect tends to have undesirable consequences for the economy, thus defeating
the whole purpose of informational privacy boosting the data economy.
Conclusion:
Indian internet users are currently estimated to be around 450 million, with a
growth rate of 7-8 percent in the numbers, showing that the digital revolution
has permeated India as well. Moreover, in the wake of the ongoing situation on
account of COVID-19, transactions and corporations are becoming prevalent on
online platforms. Furthermore, healthcare has taken a new turn towards increased
dependency on app-based features. The Government of India has been quite
actively endorsing the mandated usage of this app.
Even though it cannot be denied that the app has outstanding potential to combat
the current crisis via contact tracing, in the absence of a comprehensive legal
framework the efficiency of the app is depleted. Thus, India needs to enforce a
consolidated, comprehensive Data Protection Act that addresses the growing
digital economy, amalgamating various sectors, to safeguard the fundamental
privacy rights of the people.