The new guidelines for data handling in the Aarogya Setu system are a welcome first step. Supporting legislation must follow.
From claiming that the Aarogya Setu app is unhackable, to suggesting that it must be the safest app ever because millions are downloading it — they are compelled to, actually — to issuing fresh guidelines to safeguard the privacy of users, the government has come a long way, tacitly acknowledging the trust deficit and the need to address it.
Trust is an essential ingredient for the success of Aarogya Setu in helping to contain the pandemic, because it must acquire a critical mass of users to be of any use. On Monday, an order by the empowered group on technology and data management, set up by the national executive of the Disaster Management Act, established the protocol for handling data by the various bodies involved in the management of the COVID-19 outbreak. Outside that circle, the data may be shared only with the research community in anonymised form. Breaches will attract penalties according to relevant sections of the Disaster Management Act, besides other applicable laws.
The government has fixed security flaws in data handling detected by a French white hat hacker, limited the purpose of data collection to dealing with the pandemic, and restricted the types of data which may be collected and the period for which it may be held. And crucially, by promising punitive measures, the order sets to rest public anxieties about privacy. Problems about technology are not adequately addressed by technology — by claiming that software is hacker-proof, for instance. They are best addressed by the law, by the certainty of liability and the penalties thereby attracted.
But perhaps this order should be read as a first step towards a law, as a letter of intent rather than a compact. Justice BN Srikrishna, who headed the committee which had produced the first draft of the Personal Data Protection Bill, has pointed out that the order is not lawful — supportive legislation is required by Aarogya Setu, rather than merely an order by the executive. On May 1, the ministry of home affairs had made the app mandatory for employees in the public and private sector, and in government. Local authorities were urged to secure complete coverage in containment zones. The Noida police then extended it to everyone, threatening imprisonment and fines for non-compliance. These may be emergency interventions, but the app now requires legislative backing. In the absence of an underlying law, it would remain vulnerable to legal challenge.