New Delhi: Data collected via the Aarogya Setu application cannot be shared with other parties beyond what is specified in the privacy policy presented to users, the Karnataka high court has ruled.
According to a report in the Indian Express, the high court has also restrained the Centre and the National Informatics Centre from sharing data of users obtained via the app without their consent in response to a petition filed by privacy activist Anivar Aravind.
“Prima facie, we hold that there is no informed consent of users of Aarogya Setu app taken for sharing of response data as provided in the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020, as there is no reference to the said protocol in the terms of use and privacy policy available on the app,” a division bench of Chief Justice Abhay Sreenivas Oka and Justice Viswajith Shetty said.
“Till further orders, we hereby restrain the Government of India and National Informatics Centre, the eighth and seventh respondents, respectively, from sharing the response data by applying the provisions of the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020, issued vide order dated May 11, 2020 unless the informed consent of the users of Aarogya Setu app is taken,” the court said.
The court, however, declined to stay the use of the app or use of data of the users already collected through it. During the pendency of the petition, the petitioner had sought a direction from the court to restrain the Centre from proceeding with the app and with the data collected, in any manner, whether the collection of data from the members of the public is stated to be voluntary or involuntary.
Also read: Centre Apologises for ‘Irresponsible Submissions’ Regarding Aarogya Setu Before CIC
The court also said that the Centre and the National Informatics Centre can file an affidavit to satisfy the court regarding the legal sanctity of orders issued by the chairperson of the Empowered Group on Technology and Data Management. It also held that the informed consent of the app’s users should be taken for sharing data, as laid out in the protocol.
The court noted that sharing users data with third parties for research, state governments, public health institutions, etc. – as laid down in protocols for the usage of the app by the chairperson of an Empowered Group on Technology and Data Management – was not included in the privacy policy that was presented to users when they had initially downloaded the app.
The division bench further said that the Centre had not clarified whether the powers of the chairperson are binding under the Disaster Management Act, 2005. “There is nothing on record to show that the powers of the authorities under the said Act of 2005 have been delegated to the said Empowered Group,” it said and added that as per the protocol issued by the group, the reason for collecting data by the app shall be clearly stated in the privacy policy but the policy made no reference to the purpose.
“The sharing of health data of a citizen without his/her consent will necessarily infringe his/her right of privacy under Article 21 of the Constitution of India. Therefore, prima facie, the said protocol regarding sharing of ‘response data’ cannot be permitted to be implemented,” the court observed.
Last year in October, the Karnataka high court had held the government could not deny any service or benefit to citizens for not installing the Aarogya Setu app on their phones in the absence of any legislation.