“Data is the pollution problem of the information age, and protecting privacy is the environmental challenge” (Schneier, 2015, p.169). The existence and need of the right to privacy has been recognised worldwide. This was evident in India as well, as the right to privacy was recognised as intrinsically linked to the right to life. However, with the advent of the digital age, previously established conceptions of privacy have been shattered. In the physical world, there existed physical boundaries such as the confines of one’s home that helped to protect one’s privacy. Moreover, the limits and scope of one’s privacy was well defined. However, in the cyberspace, these boundaries are blurred. This is because of the interconnected nature of this new platform. This problem is further compounded by the collection of data about individuals by governments and companies online.

In this context, the need to balance the scope of this individual right with larger notions of public safety and welfare has been an issue of much debate. Recent regulations such as the General Data Protection Regulation (GDPR) of the European Union seemed to be setting the tone for a global move towards increased individual privacy. However, this tide has been upset by the unexpected and unprecedented impact of the coronavirus. The most recent strain of the coronavirus causes the disease COVID-19 which has spiralled into a global pandemic. It is highly infectious and there exists no vaccine that can prevent the spread of this disease. Several global leaders, including Nicole Romain, the spokesperson of the EU’s Fundamental Rights Agency, have spoken about the importance of certain measures that might abridge individual’s right to privacy during these times (Nicholas, 2020). This report will explore the impact of COVID-19 on data and individual privacy, with specific reference to the country of India.

On April 2, 2020, the National Informatics Centre under the Ministry of Electronics & Information Technology (MeitY) in India launched the AarogyaSetu application to trace and analyse the movement of users to effectively identify potentially infected persons. It does so through the use of Bluetooth and GPS technology. Such contact tracing applications are common across the world, with countries like China, South Korea, Israel and Singapore, to name a few, effectively employing these applications to curb the spread of the virus.

However, as soon as the application was released, there were widespread concerns about its use because of the vague privacy policy and consequent privacy implications of the same. In response to these questions, the MeitY released the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020 on May 11, 2020. A close analysis of this protocol reveals several legal and technical loopholes that can cause serious privacy concerns.

First and foremost, with regard to the collection of data, Paragraph 5(b) of the Protocol states that only such data will be collected that “is necessary and proportionate to formulate or implement appropriate health responses” (Ministry of Electronics and Information Technology, 2020, p.2). The scope of the term “appropriate health responses” is defined under Paragraph 2 and includes a large number of government activities. The definition is extremely broad, employing terms like “prevention and management of the COVID-19 pandemic” and “performance of statistical analysis” (p.1). The vague nature of this purpose facilitates the excessive collection of data as it is easy to justify it under the aforementioned broad and ill-defined purpose (Summary and Analysis of “Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020”, 2020).

Once collected, the Protocol, in Paragraph 5(d) and 5(e), mention the storage and data retention policies. Data collected is stored locally on the mobile phone of the user unless such data is necessary for formulating and implementing appropriate health responses. In that case, the data gets uploaded to the server (Ministry of Electronics and Information Technology, 2020, p.2). Once again, this clause suffers from the broad and ambiguous definition given to the phrase “appropriate health responses”. However, it is pertinent to note and appreciate the fact that of the 96 million users of the app, only 12,000 users (0.1%) had their data uploaded to the server (“Aarogya Setu data only shared with government officials directly involved in Covid-19 interventions, ‘highly encrypted’, says NITI Aayog CEO”, 2020). This shows that the government has been prudent in this regard. However, the scope for misuse of this section cannot be ignored.

The data retention policy, however, does not include such flaws of ambiguity. Paragraph 5(e) of the Protocol limits the number of days that different types of data can be stored and also prescribes the permanent deletion of this data upon expiry of that period (Ministry of Electronics and Information Technology, 2020, p.2).

The Protocol, in Paragraph 5(f) mentions that the data collected “shall be securely stored by the NIC” (p.2). However, the storage protocol of the Indian government has been questioned and criticised by several leading experts in the intelligence sector. These experts include Pukhraj Singh, a cyber threat intelligence expert, who was involved in the detection of the breach at the Kudankulam Nuclear Power Plant as well as two former intelligence officers who have held senior positions in the National Intelligence Grid (Natgrid) and the National Technical Research Organisation (NTRO) (Dasgupta, 2020). This data may be exploited by individual hackers who can steal valuable information about a person’s medical records or by the government of a foreign state who can use the demographic data to their advantage. The inadequate explanation concerning the protection of the collected data is also a matter of grave concern.

The Protocol proceeds to elaborate upon the different agencies that will have access to the data collected. In Paragraph 6(b), the Protocol says that the data shared will be “deidentified data”, that is, all the data collected about a person will be given a unique digital ID and there will be no indication to their identity (Ministry of Electronics and Information Technology, 2020, p.3). However, the NIC makes use of a static digital ID, rather than a dynamic digital ID, for this purpose. This can easily be matched with other identifiers to reveal the identity of a person (Summary and Analysis of “Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020”, 2020).

Therefore, much of the controversy surrounding AarogyaSetu revolves around ambiguously worded clauses in the Protocol and poor data protection practices. Another important factor that must be considered, however, is the future implications of this data collection. As explained in the Joint Statement published by more than 100 NGOs across the world on April, 2, 2020, any extension of surveillance powers must be time-bound and use of any collected data must only be for the purpose of combatting the global pandemic (Amnesty International, 2020).

This is a form of violation of one’s privacy that is easily understood. According to a report published by the Office of the High Commissioner for Human Rights, the different forms of violations of privacy in the digital age include search and seizure of digital property, profiling of marginalised groups, biometric dangers, censorship and business surveillance (Goldstein et al., 2018, p.2-3). The danger posed by applications like AarogyaSetu lies in the potential for profiling of marginalised groups and the biometric dangers associated with the application. However, it is also necessary to consider such forms of violation of privacy as censorship during the global pandemic.

During this period, the government has cracked down on the spread of “fake news” in the country. As of April 29, 2020, there were 640 cases registered against persons under the Epidemic Diseases Act, 1897, various provisions of the Indian Penal Code and the Disaster Management Act, 2005, for allegedly spreading “fake news” about the coronavirus (“Police crackdown on Covid-19 ‘misinformation’, activists concerned”, 2020). It is definitely necessary to keep a check on the spread of such news as it is extremely likely that such news can lead to spread of communal hatred (Zubair, 2020). However, the process followed by the authorities in India is problematic and a gross violation of privacy because of the nature of the term “fake news”. This term is undefined in India, which can lead to the misuse of the same to avenge personal and political vendettas. As Pratik Sinha, the founder of a fact-checking website AltNews points out, messages on social media often receive thousands of forwards. However, only one or two people get arrested and he says that there is almost always a political slant to such arrests (Dore, 2020). This has led to the arrest of several activists who are critical of the government’s response to coronavirus. Apart from this, the government has also been accused of using the cover of coronavirus to execute a string of arrests against protesters and activists as well (“More Than 300 Activists, Scholars Condemn Arrests, Harassment of Anti-CAA Protesters”, 2020).

Extensive monitoring of social media platforms to identify and consequently censor information sets a dangerous precedent. It is not the necessity of combatting the spread of “fake news”, but the subjectivity of the very term that is being questioned. Therefore, most of the concern around this form of violation of privacy revolves around the future implications of present action. The question of whether states will use the example of this time period to expand censorship laws is one which is in hot debate, with several writers of the view that this will indeed be the case (Meyer, 2020).

The biggest implication for data and individual privacy during COVID-19 is that it opens up to governments different methods and avenues to increase surveillance and control over the digital lives of citizens. Once these capabilities become evident, it is easier for these governments to manufacture use case scenarios in the future (Hutchinson, 2020). The most evident example of this is the increased surveillance that Americans have been placed under post the terrorist attacks of 11 September, 2001. That particular crisis served as an entry point for more pervasive and invasive forms of snooping by the government (Singer and Sang-Hun, 2020). A similar example is evident in Israel as well. During the 1948 War of Independence, several restrictions on the press and on individual liberties were placed as a temporary measure. However, 70 years later, long after independence was won, many of these restrictions continue to be in place (Harari, 2020).

Yuval Noah Harari, a historian, voiced this concern too.

“Even when infections from coronavirus are down to zero, some data-hungry governments could argue they needed to keep the biometric surveillance systems in place because they fear a second wave of coronavirus, or because there is a new Ebola strain evolving in central Africa, or because… you get the idea” (2020).

As citizens, it is our duty to remain vigilant and aware of the data that is being collected and the use that it is being put to. The possibility for misuse of personal data as well as the innumerable examples of it must serve as a constant reminder to us to both be cognizant of the data we give others access to, and the policies of that entity with regard to use of this data. Thus, the impact of COVID-19 on data and individual privacy can potentially be chilling and far-reaching, with the potential for misuse of certain ambiguous clauses and the possibility of this event acting as a precedent. It is imperative that we remember the warning of Yuval Noah Harari and ensure that this does not become the norm.

Bharath Pottekkat is a law student at Jindal Global Law School. A passionate student of constitutional rights and the interaction of political figures with these rights, Bharath has previously published an article about the Citizenship Amendment Act, 2019. He follows the national and international political scene with great earnest and hopes to contribute to the discourse surrounding the same.


Aarogya Setu data only shared with government officials directly involved in Covid-19 interventions, ‘highly encrypted’, says NITI Aayog CEO. Times of India. (2020). Retrieved 25 May 2020, from https://timesofindia.indiatimes.com/india/aarogya-setu-data-only-shared-with-government-officials-directly-involved-in-covid-19-interventions-highly-encrypted-says-niti-aayog-ceo/articleshow/75672278.cms.

Amnesty International. (2020). Joint civil society statement: States use of digital surveillance technologies to fight pandemic must respect human rights. Retrieved from https://www.amnesty.org/download/Documents/POL3020812020ENGLISH.pdf

Dasgupta, B. (2020). Protection or threat? Experts say Aarogya Setu poses national security risk. Hindustan Times. Retrieved 25 May 2020, from https://www.hindustantimes.com/india-news/aarogya-setu-protection-or-threat/story-QmpSP3H60ohkLV3l5ywhBI.html.

Dore, B. (2020). Fake News, Real Arrests. Foreign Policy. Retrieved 25 May 2020, from https://foreignpolicy.com/2020/04/17/fake-news-real-arrests/.

Goldstein, K., Tov, O., & Prazeres, D. (2018). The Right to Privacy in the Digital Age (pp. 2-3). Office of the High Commissioner for Human Rights. Retrieved from https://www.ohchr.org/Documents/Issues/DigitalAge/ReportPrivacyinDigitalAge/PiratePartiesInternational.pdf

Harari, Y. (2020). Yuval Noah Harari: the world after coronavirus. Financial Times. Retrieved 25 May 2020, from https://www.ft.com/content/19d90308-6858-11ea-a3c9-1fe6fedcca75.

Hutchinson, A. (2020). Digital Data Tracking and Privacy: The Future Implications of COVID-19. Social Media Today. Retrieved 25 May 2020, from https://www.socialmediatoday.com/news/digital-data-tracking-and-privacy-the-future-implications-of-covid-19/575480/.

Internet Freedom Foundation. (2020). Summary and Analysis of “Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020” [Ebook]. Retrieved 25 May 2020, from https://drive.google.com/file/d/1CsDRlMDvqAH1Dq2xU5nP7GxdnDPIKhWp/view.

Meyer, D. (2020). More surveillance and less privacy will be the new normal after the coronavirus pandemic. Fortune. Retrieved 25 May 2020, from https://fortune.com/2020/04/20/privacy-surveillance-coronavirus-pandemic-covid-19-tracking/.

Ministry of Electronics and Information Technology. (2020). Notification of the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020 in light of the COVID-19 pandemic. New Delhi.

More Than 300 Activists, Scholars Condemn Arrests, Harassment of Anti-CAA Protesters. The Wire. (2020). Retrieved 25 May 2020, from https://thewire.in/rights/caa-protesters-jamia-statement.

Nicolas, E. (2020). Coronavirus: Are we trading privacy for security?. EU Observer. Retrieved 25 May 2020, from https://euobserver.com/coronavirus/148041.

Police crack down on Covid-19 ‘misinformation’, activists concerned. Hindustan Times. (2020). Retrieved 25 May 2020, from https://www.hindustantimes.com/india-news/about-500-cases-lodged-in-india-for-social-media-posts-on-covid-19/story-PBaxt7oNs9IdPNUCVRiUUM.html.

Schneier, B. (2015). Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World (p. 169). W. W. Norton & Company.

Singer, N., & Sang-Hun, C. (2020). As Coronavirus Surveillance Escalates, Personal Privacy Plummets. The New York Times. Retrieved 25 May 2020, from https://www.nytimes.com/2020/03/23/technology/coronavirus-surveillance-tracking-privacy.html.

Zubair, M. (2020). Disabled Muslim man hounded for accidentally dropping currency, accused of spreading coronavirus. Alt News. Retrieved 25 May 2020, from https://www.altnews.in/disabled-muslim-man-hounded-for-accidentally-dropping-currency-accused-of-spreading-coronavirus/.



Comments are closed.