Aarogya Setu App: Right to privacy angle

Reading time: 8-10 minutes.

On May 1st, 2020, the Central Government mandated through a directive that all the employees of government and private companies download an app that had been made by the Indian Government called Aarogya Setu. This app was created by the government in order to be able to track patients of COVID- 19 and their contacts, upon an infection being reported. Further, people having their residence within all the containment zones created within the country would also be required to download the app.

The purpose of asking people to download this app on smartphones is simple. This App showcases the safety status in the area, and people would be permitted to go to work in the condition that the app displayed a ‘safe’ or a ‘low risk’ status. However, it is the other function of this App that calls into question the Right to Privacy of a person. The app also collects private information of a person without consent. The app uses Bluetooth and GPS tracking data of a person’s phone to track their movement and locate all people who have been within six feet of an infected patient’s vicinity, by scanning through a database containing the information of all infected patients.

A Petition was filed against the above-mentioned government Order on May 7th, 2020 alleging that the Order mandating the installation of the app on to the smartphones of all government and private company employees was violative of such people’s Right to Privacy. The Petitioners contended that the Aarogya Setu App compulsorily collects all the personal details of a person such as their name, age, phone number, sex, occupation, prior month’s travel history and the details of whether a person is smoker or not. Moreover, the app can continuously track the location of the person.

The 1st May Order also stated that the State Governments to file cases against violators of the lockdown rules, inclusive of not downloading the App, under Section 188 of the Indian Penal Code.

Prior to understanding the legal understanding of the right to privacy, one must understand the basic meaning of the word ‘Privacy’. Black’s Law Dictionary defines Privacy to be the “Right to be let alone or the right vested in a person to be free from unwanted publicity”. In the Indian legal paradigm, the right to privacy has been read under Article 21 of the Constitution of India, even though there is no explicit right that has been provided through the bare text of the Constitution.

Article 21 of the Constitution of India provides for a person’s Right to Life and Personal Liberty, and the Supreme Court of India in the year 2018 vide its judgement in the case of K S Puttuswamy v Union of India read the Right to Privacy to be a part of the person’s fundamental Right of Life and Personal Liberty. The Supreme Court of India included the Right to Privacy within the Constitutional Framework of the Country, since this right is part of the general principles of The Universal Declaration of Human Rights, 1948 under Article 12 of the Declaration and is an obligation to all the Parties of the International Covenant on Civil and Political Rights under Article 17. This is an important judgement because it recognises the right of a person to be left alone, at the choice of the person without there being any mandatory influence to share his information or associate with anyone. Moreover, with the increase in the online presence of people around the world, it becomes extremely important for people to be allowed to choose what information they are willing to share and what they are not willing to share.

Salient features of the right to privacy

Through the judgement in the case of K.S. Puttuswamy, the right to Privacy has become an inalienable right. Even though the same was not originally a part of the Constitution, the Right to Privacy is now protected under the Constitution of India and is Preserved by the Judiciary, which acts as the guardian of the Constitution. It has also been held by the judgement in the aforementioned case that the Right to Privacy is integral to other fundamental rights as well, such as the right to freedom of forming associations, right to equality etc., because the right to privacy has one common property to all the fundamental rights protected under the Constitution of India, i.e. the preservation of the dignity of a person.

The right to privacy is intrinsic to the protection of the dignity of a person because of the choice that needs to be afforded to them about maintaining their private information, private. The Right to privacy protects the privacy of the human body against any form of violation and/ or restraints of body movements. The Second right afforded herein is the right to privacy over a space such as personal relationships and family. The next form of Privacy that has been afforded to under the judgement is the right to privacy over communication, i.e. the right to have complete control of the communication and the right to protect and prevent access to their communications.

Another means of privacy that is offered under this fundamental right is that of decision making, and the right to make decisions that are intimate to a person, to the exclusion of all others. Moreover, people are also awarded the right to control activities that even occur in public. Associational Privacy is also something that is afforded to the people. People must have complete privacy over their choice of people to interact with. Lastly, privacy is also accorded to in terms of protection of intellectual property.

These forms of Privacy are accorded to by the judgement, with its reference to a diagram which is mentioned in an article which the judges have relied upon. Any alleged infringement of the fundamental right must pass the tests laid down under Article 14 and Article 21 of the Constitution of India i.e. the need for a law, express arbitrariness and proportionality of application.

Salient features of the Aarogya Setu app

Speaking of the several noteworthy clauses of the “Aarogya Setu App”, clause 1 (d) of the Policy of the app addresses the locational features of the individual for places which he has visited onto the Server. In the following provisions of clause 3(d), the information is proposed with two categorical alternatives, firstly, the information does not get uploaded onto the portal and is purged within thirty days. Secondly, in the event of negative coronavirus symptoms, the data will be purged from the server within forty-five days and on account of positive results, within sixty days. However, if any person’s information has been uploaded onto the App portal, there is no guaranteed deletion of the same and it will hold information indefinitely.

There exists a similar system in China which posits a much clearer algorithm of working out the colour coded signals of “yellow” and “orange”. The determination of the “yellow” colour indicating positive symptoms is marked arbitrarily making mandatory transfer of personal localised information on the Server. Clause 1 (a) and (d) which deal with very basic information about the individual are theoretically safeguarded by clause 2 of the policy which says in sub-clause 2(e), the basic information of the person will be used only in the ways mentioned in the clause and not in any other way as may be. Until that purpose is realised, it will remain on the Server for an indefinite period. The greatest flaw of this app when in comparison to the MIT and Singapore technology is that the data present on the App is not even encrypted into DiDs.

The Aarogya Setu app vis a vis right to privacy

The Aarogya Setu app is one that has a questionable premise. It is an app that can be used to track the movement of the people, more so, without asking for their consent. The Aarogya Setu App, and its current mandate of use do not offer a person the right to opt-in to the security and privacy violations that the app tends to commit to. With recent judicial luminaries such as Former Supreme Court Judge B N Srikrishna, the chair of the committee that drafted the Privacy Protection Bill 2011, stating that the government’s move was “utterly illegal” (as reported in Indian Express 12th May, 2020, 1:31:56 pm, by Apurva Vishwanath), the true ends of this right need to be justified. The protection of data is guided by the Aarogya Setu Data Access and Knowledge Sharing Protocol, which is considered to be an order that has been issued by the Empowered Group on Technology and Data Management. This body has been set up under the Disaster Management Act.

Critical analysis

This case of the Aarogya Setu app is one that has to be carefully noted and the extent of its capabilities fully understood. The app has been introduced to us at a time wherein the world is passing through a phase that is causing economies to collapse and entire legal systems to break down, due to the pandemic. Even though this battle seems like it can be won only through effectively tracing contacts and adopting social distancing measures, the facilitators of these mechanisms such as this app need to be studied carefully. Once a person has downloaded this app on to their phone, and given their personal details, their movements, the people they associate with and the activities they indulge, practically becomes government knowledge. It is important to consider whether such an aggressive means of the violation of the right to privacy is in fact, good for the country, or the population. Usage of the Aarogya Setu App directly points to the violation of the right to privacy of a person and this is an argument that cannot be refuted, especially considering how aggressive the measure is.

Whether the same is unconstitutional or not has a lot of factors affecting it. One of the most important tests to be applied herein is that of proportionality. It needs to be seen whether the restriction that has been imposed on the right to privacy is reasonable to the end it seeks to achieve, i.e. the prevention of the spread and containment of the COVID-19 virus. Without the development of a vaccine and practically no other way to tackle the virus, it seems that the only means of containing the spread of the virus is through aggressive contact tracing and social distancing, which are the main goals of this app. In this scenario, the reasonability of this app also highly hinges on whether the protection of data collected is comprehensive and strong. However, with a protocol being issued by a body set up under the Disaster Management Act, the standards of protection of data are not trustworthy. The same was vocalised recently by Hon’ble Justice Srikrishna as well. So the question one must ask herein is, if the security of their data gives them enough reason to believe in the proportionality of the measure.


The current times cannot be predicted. It is confusing, hard and taxing on every person due to the uncertainty that the situation has created for us. In times like this, it is the government’s job to ensure that the people of the nation are cared for. While fundamental rights violations such as these are bound to create fear about the legitimacy of governmental action, the intention behind the same must be noted. The intention behind the app is the containment of the spread of the virus. However, plausibly good intention without effective means of implementation simply means the endangering of the lives of every citizen in the country with a possible massive data leak. Checks and Balances are the language of a democracy, with words intentions being the building words of the language, and the effective implementation being the cohesiveness that binds the intentions together

Authors: Ajeeth Srinivas. K from School of Law, CHRIST (Deemed to be University) and Sonal Sinha from Symbiosis Law School, Hyderabad.

Editor: Muskaan Garg from Jindal Global Law School, O.P. Jindal Global University, Sonipat, Haryana.