- Home
- /
- News Updates
- /
- Sharing Citizens' Health Data...
Sharing Citizens' Health Data Without Their Informed Consent Infringes Right To Privacy Under Article 21 : Karnataka HC In 'Aarogya Setu' Case
Mustafa Plumber
26 Jan 2021 7:04 PM IST
The Karnataka High Court, in its interim order restraining the Government of India and National Informatics Centre (NIC) from sharing the response data of users of Aarogya Setu app, observed that sharing of health data of citizens without their informed consent will violate right to privacy under Article 21 of the Constitution. A division bench of Chief Justice Abhay Oka and Justice...
The Karnataka High Court, in its interim order restraining the Government of India and National Informatics Centre (NIC) from sharing the response data of users of Aarogya Setu app, observed that sharing of health data of citizens without their informed consent will violate right to privacy under Article 21 of the Constitution.
A division bench of Chief Justice Abhay Oka and Justice S Vishwajith Shetty noted "The information contains data about the health of the user which all the more requires the protection of right to privacy."
"The sharing of health data of a citizen without his/her consent will necessarily infringe his/her right of privacy under Article 21 of the Constitution of India", said the court.
The petition filed by cyber security activist Anivar A Aravind had specifically sought an order restraining the respondents during the pendency of the petition from proceeding with the Aarogya Setu app and with the data collected, in any manner, whether the collection of data from members of the public is stated to be voluntary or involuntary.
Senior Advocate Colin Gonsalves appearing for the petitioner had heavily relied on the judgment of the Supreme court in the case of Justice K.S. Puttaswamy (retired) –vs Union of India. He had pointed out the provision regarding sharing of response data containing personal data by NIC with various Government departments and Public Health Institutions of the Government.
Further, he submitted that there is no sunset clause for the data collected. The sunset clause provides that unless specifically extended by the Empowered Group on account of the continuation of COVID-19 pandemic in India, the said protocol will be in force for six months from the date on which it was issued.
Additional Solicitor General M B Nargund had said "The claim of the petitioner that all personal data of the users of Aarogya Setu app is shared has no foundation at all, inasmuch as, all the safeguards have been provided. He submitted that Aarogya Setu app is one of the important tools for locating those who are infected with COVID-19."
Findings of the Court
The court examined the additional affidavit filed by the Central government in which mention of the order dated 11th May, 2020 issued by the Chairperson, Empowered Group on Technology and Data Management by which, the Aarogya Setu Data Access and Knowledge Sharing Protocol 2020 has been introduced.
The affidavit mentioned that for the purpose of addressing the pandemic, NIC shall collect only such response data as necessary. In the App, specific provisions are also made for maintaining the privacy of App Users.
The bench said:
"The role of the Empowered Group is of identification of problems/difficulties, finding out solutions, formulating contingency plan etc. There is nothing placed on record to show that the Chairperson, Empowered Group on Technology and Data Management is empowered to pass any order which will have a binding effect."
It added:
"Prima facie, it is not shown that this Empowered Group has any statutory power either under the said (Disaster Management) Act of 2005 or any other Act to pass such an order. There is nothing on record to show that the powers of the authorities under the said Act of 2005 have been delegated to the said Empowered Group."
The bench noted that Clause 5(a) of protocol clearly stipulates that any response data and the purpose for which it is collected by NIC shall be clearly specified in the Privacy Policy of Aarogya Setu App. Perusal of Privacy Policy available on the App. shows that there is no reference incorporated therein to collection of response data by NIC and purpose of collection.
Clause 8 permits NIC to share the response data for research purposes with third parties. It is pertinent to note that there is no reference to the said Clauses 5, 6 and 8 in the privacy policy or terms of service available on the app itself.
The court said :
"Thus, the collection of the data as per clause 5 and sharing of response data as per Clauses 6 and 8 is being done without the consent of the user, much less, an informed consent. Though Clause 8 provides for the anonymisation, there is nothing on record to show that the claim of anonymisation is tested by any agency."
The bench concluded by saying:
"The users are not even informed about the said protocol and the provisions therein about sharing of the response data before he uploads his personal information. Secondly, it is not the case made out by the Government of India that the informed consent of the user is obtained to sharing of the response data, as provided in the said protocol. Prima facie, we find that the sharing and use of the response data as per the said protocol will infringe the right of privacy of the users, thereby amounting to violation of the rights guaranteed under Article 21 of the Constitution."
Read the operative portion of the Karnataka High Court order retraining sharing of the response data of persons collected through Aarogya Setu @SetuAarogya https://t.co/wfWHnd6uzc pic.twitter.com/DaQB12SAvo
— Live Law (@LiveLawIndia) January 25, 2021
Accordingly, the court passed an interim orderr to restrain the Central Government and the National Informatics Centre(NIC) from sharing the response data given by an individual in the 'Aarogya Setu' app with other government departments and agencies, without obtaining informed consent of the users.