Legal experts point out liability concerns with the Aarogya Setu App

MUMBAI | DELHI: A clause limiting the government’s liability for user data in its Aarogya Setu contact tracing app has made some legal experts question whether, in case of unauthorised access to the information, legal recourse would be the only option available, especially since the app has been made mandatory for a significant section of citizens.

According to the app’s terms and conditions, the user “agrees and acknowledges that the Government of India will not be liable for…any unauthorized access to your information or modification thereof.”

Although the liability clause is standard practice to indemnify companies or institutions, experts have expressed concern since the government has required all employees of private companies to compulsorily download the app once they start working from offices when the ongoing nationwide lockdown is lifted.


“This also goes against the provisions of the IT Act and the proposed Personal Data Protection Bill as the app service provider would fall under the definition of an intermediary and (is) obligated to ensure the security of the data collected and (is) liable for loss of it under the intermediary guidelines,” said Salman Waris, Partner at Tech Legis Advocates and Solicitors.

Delhi-based legal non-profit Software Freedom Law Center also pointed out loopholes with regard to its liability clause. “This means that there is no liability for the government even if the personal information of users is leaked,” it said.

In case of data breach, the judiciary is the only port of call, other privacy experts said.

“There should be a legislative framework for contact tracing,” a Delhi-based privacy expert said.

An official of the Ministry of Electronics and IT, however, pointed out that such clauses are standard across the industry and that the liability is “never unlimited” in any government or private contract.

“Everyone is careful about the data and if anyone misuses the system, action will be taken against the person, but that does not mean that we take the entire liability on ourselves,” the person said.

So far, 90 million people have downloaded the app, while data of only those who have tested positive for Covid-19 infections are uploaded to the server in an encrypted format, he added.

“Even if we take the highest number, which is 46,433 positive cases so far, it is just 0.05% of people whose data is going on the server. Our objective is to only protect people and if the technology allows it, it is fair,” he pointed out.

The developers of Aarogya Setu app also argue that they have adopted the best privacy practices from across the world.

“Thinking through the nuances and translating intention to policy takes time, so we went with this because the imperative was to get the app out and save lives, with the understanding that we will keep refining both the product and the policy,” said Lalitesh Katragadda, founder of Indihood, who led a volunteer group of 15 engineers that built the app and is maintaining it.

Katragadda, who set up Google’s India operations nearly two decades ago, said the app is designed to meet the highest standards of privacy.

“We have as much of the data of the user on the device as possible and very little on the Cloud. Our privacy policy has a clear purpose limitation — it will be used only in response to the Covid-19 crisis,” he said. “If you look at any internet company in the world, whether it’s Facebook or Google, they don’t have clear purpose limitation on how the data is used and how long it is stored.”

South Korea and Singapore have enacted privacy laws that have specific conditions for contact tracing apps developed to track the spread of the pandemic.

For instance, according to the Personal Information Protection Act (PIPA) in South Korea, individuals also have the Right to be Forgotten, among other data ownership rights.

On the other hand, the UK has taken the approach of processing data centrally rather than on individual devices.


Lois C. Ferrara
