Interim Order by the Karnataka High Court in Anivar A Aravind vs. Ministry of Home Affairs (WP No. 7483 of 2020)

SFLC.IN’s advisory board member Mr. Anivar A Arvind had filed a petition in the Karnataka High Court challenging the voluntary-mandatory imposition of Aarogya Setu and invasion of privacy rights in the absence of specific legislation governing data collection and processing by it. He was represented by Senior Advocate Colin Gonsalves, counsels from SFLC.in, Advocate Clifton D’ Rozario, Advocate Avani Choksi, and Advocate Ali Zia Kabir in the matter. You can read the detailed updates of the proceedings and previous orders here.

After 19 hearings of the matter, the bench comprising Chief Justice Abhay Oka and Justice Vishwajit S. Shetty had reserved the order. The bench pronounced its interim order on 25^th January, 2021. The bench made the following observations regarding the case:

a. Records only prima-facie findings for interim relief:

The bench, while pronouncing the interim order, noted that they have not decided the main issues raised in the petition. Instead, they have recorded their prima facie findings for the purposes of relief sought in the interim prayers.

b. On informed consent with respect to privacy policy:

The bench while relying on Puttaswamy (2017) noted that the data controller is required to “give simple to understand notice to its information practices to all individuals in clear and concise language, before personal information is collected. The second principle is of taking individual consent only after providing notice of its information practices and to give an individual, choices of ‘opt-in/opt-out’ regarding providing personal information.”ⁱ

With respect to the privacy policy, the bench noted that there is a notice to the users about the collection, use and retention of their personal information. The bench also noted that this is in compliance with the Puttaswamy (2017) judgment. The bench observed that the privacy policy does provide sufficient options to a user to opt out of the process of installation of the App before uploading its personal data.

In SFLC.IN’s opinion, however, this does not amount to adequate notice or informed consent. The data retention period, as specified in the privacy policy is not in consonance with the data retention period as specified in the Protocol.

In addition to this, the Protocol has been said to be the governing framework for Aarogya Setu. Considering that the Protocol can be extended in every 6 months by the Empowered Committee, there is no sunset clause pertaining to data collected by Aarogya Setu. In addition to this, there is no way to ascertain if a user’s data is retained only for 6 months period or beyond that. Considering that the Protocol does not have statutory backing, the 6 months data retention period can be arbitrarily amended by the Empowered Committee.

Clause 7 of the Personal Data Protection Bill, 2019 states that informed consent includes information on entities with whom such data would be shared, cross-border transfer etc. This has clearly not been undertaken in case of Aarogya Setu. Although the law is still in the draft phase, this gives enough guidance on what is informed consent.

d. Restraining respondent no. 7 (National Informatics Centre) and respondent no. 8 (Union of India) from sharing response data without informed consent:

The bench has held that prima facie, there was no informed consent of users sought for sharing of response data as provided in the Protocol. The rationale behind this is that the privacy policy or terms of service of the App does not mention the Protocol, and are not in consonance with the Protocol.

Collection of response data and purpose of collection: The bench observed that while Clause 5(a) of the Protocol does specify that any response data and the purpose for which it has been collected by the National Informatics Centre shall be specified in the Aarogya Setu’s privacy policy, that has not been the case. The privacy policy is silent about response data and the purpose for which it has been collected.

Clause 6 and 8 of the Protocol – Conflict with the Privacy Policy: The bench noted that while Clause 6 of the Protocol does permit sharing of data by the National Informatics Centre with the entities mentioned therein including the state government, public health institutions etc. The Clause of the Protocol states that the National Informatics Centre can share the response data with third parties for research purposes.

However, this is in clear conflict with the privacy policy. The privacy policy states that a user’s data will only be shared with the government of India. In addition to this, Clause 6 and Clause 8 of the Protocol do not find mention in the privacy policy of the App.

Therefore, the bench noted that the collection of response data per Clause 5 of the Protocol, and sharing of response data per clause 6 and 8, is without user consent, and hence, is not informed consent.

Claim of Anonymisation not tested by any agency: While the bench noted that the Clause 8 of the Protocol does state that the response data is shared in anonymised form, nothing has been produced on record to prove that this is the case. Therefore, the bench observed that “sharing of health data of a citizen without his/her consent will necessarily infringe his/her right of privacy under Article 21 of the Constitution of India.”

Having noted this, the Court, in its interim order held that while a user’s informed consent was sought with respect to data collection, purpose and retention with respect to the privacy policy, there was no informed consent of users taken for sharing of response data as specified in the Protocol . The Court held that there is no reference of the protocol in the privacy policy.

e. Statutory powers of the empowered group:

The bench also noted that prima facie it has not been substantiated by the respondents that the empowered group has any statutory authority under the National Disaster Management Act, 2005 or any other legislation to notify the Protocol. It also observed there is no evidence on record substantiating the powers of the authorities mentioned in the NDMA, 2005 which can be deleted to the empowered group.ⁱⁱ

f. Denial of benefit or any services to a citizen by state or state instrumentalities:

The bench noted that the Central Government has clarified and assured that no individual would be denied any benefits or services provided by state or state instrumentalities on the ground that such individual has not downloaded Aarogya Setu.

It is to note that the Karnataka High Court had passed an order in this regard on 19^th October, 2020 stating that in the absence of a legislation, central and state government or their agencies or instrumentalities cannot deny any benefit or service to a citizen for not installing Aarogya Setu. The bench also reiterated this in its interim order dated 25^th January, 2021.ⁱⁱⁱ

You can read the interim order here.