The Karnataka High Court has ruled that data collected by the Aarogya Setu application cannot be shared with third parties beyond what is specified in the privacy policy presented to users. It restrained the Centre and the National Informatics Centre from sharing app data without the informed consent of users.
“Prima facie, we hold that there is no informed consent of users of Aarogya Setu app taken for sharing of response data as provided in the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020, as there is no reference to the said protocol in the terms of use and privacy policy available on the app,” a division bench comprising Chief Justice Abhay Sreenivas Oka and Justice Viswajith Shetty said in its interim order.
The court was hearing a petition filed by data privacy activist Anivar Aravind, who has alleged violation of privacy of citizens through data collection and sharing done by the Arogya Setu app.
“Till further orders, we hereby restrain the Government of India and National Informatics Centre, the eighth and seventh respondents, respectively, from sharing the response data by applying the provisions of the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020, issued vide order dated May 11, 2020 unless the informed consent of the users of Aarogya Setu app is taken,” the court said.
The court, however, said that the Centre and NIC can file an affidavit to satisfy it on the legal sanctity of orders issued by the Chairperson, Empowered Group on Technology and Data Management, and that the informed consent of Aarogya Setu app users will be taken for sharing of data as laid out in the protocol.
The court observed that aspects of data usage — such as sharing it with third parties for research, state governments, public health institutions, etc. — as laid down in protocols for usage of the app by the Chairperson of an Empowered Group on Technology and Data Management were not part of the privacy policy presented to users when they downloaded the app.
The bench observed that the Centre has not clarified whether the powers of the Chairperson of the Empowered Group on Technology and Data Management are binding under the Disaster Management Act, 2005. “There is nothing on record to show that the powers of the authorities under the said Act of 2005 have been delegated to the said Empowered Group,” it observed.
According to the protocol issued by the Empowered Group, the purpose for which data is collected by the app shall be clearly specified in the privacy policy but the policy makes no reference to the purpose, the court observed.
“The sharing of health data of a citizen without his/her consent will necessarily infringe his/her right of privacy under Article 21 of the Constitution of India. There-fore, prima facie, the said protocol regarding sharing of ‘response data’ cannot be permitted to be implemented,” the HC observed.
Source Link