USER CONSENT: AN ABSTRACT OR A REALITY?
“The consent of the governed is more than a safeguard against ignorant tyrants; it is an insurance against benevolent despots as well.”
The entire edifice of this piece rests on this quote by the Father of Modern Journalism, the late Mr. Walter Lippmann. As practicing counsels, it is imperative upon us to discuss how the concept of “consent” evolved to become the driving force in the realm of the digital world. The genesis of the concept of consent finds its roots in the 108-year-old judgment titled Schloendorff v. Society of New York Hospital. While passing the aforementioned judgment, it was observed that:
“Every human being of adult years and sound mind has a right to determine what shall be done with his own body; and a surgeon who performs an operation without his patient’s consent commits an assault for which he is liable in damages.”
108 years later, in this modern era of digitalization where digital economies are fueled by the flow of data, it is safe to say that every individual has a right to determine what shall be done with his/her personal data.
An Earnest Effort, Sans Legal Backing
Much hue and cry has been raised over the directive issued on 01.05.2020 by the MHA, making the use of the Aarogya Setu App mandatory. The directive reads as under-
“The local authority shall ensure 100% coverage of Aarogya Setu app among the residents of containment zones. Use of Aarogya Setu App shall be mandatory for all employees, both private and public. It shall be the responsibility of the Heads of respective organizations to ensure 100% coverage of this app among the employees”.
Such a directive was firstly violative of the fundamental principle of right to privacy as was envisaged by the Hon’ble Supreme Court of India in the landmark judgment titled “Justice K.S. Puttaswamy (Retd.) v. Union of India”. Secondly, the app also infringes upon the basic premise of data sharing agreements by not obtaining user consent and thereby coercing individuals to download the app under the threat of criminal prosecution. For instance, the Noida Police has made the installation of the app mandatory by making the non-installation of the app punishable with imprisonment up to six months or fine up to Rs 1,000.
Moreover, according to the App’s terms and conditions, the user “agrees and acknowledges that the Government of India will not be liable for…any unauthorized access to your information or modification thereof.” This in itself is alarming and is a matter of concern for all those individuals who are being made to download the app without actually acknowledging the terms and conditions of the app. Further, the provisions of the present law [Information Technology Act, 2000 and Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011] are ill-equipped to deal with the situation in the event there is an unauthorized access to the user’s information. As per Section 43A of the IT Act, where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected. A bare reading of this provision reflects that while the term “body corporate” can include in its ambit governmental bodies, the Aarogya Setu App merely mentions the ‘Government of India’ in the aforementioned terms and conditions of the app without specifying the department/body. Thus, the terms and conditions as stated in the app are cryptic and vague since there is no clarity whether the personal data of the users collected by this app, falls under the purview of Section 43A of the IT Act, 2000, or whether the Government of India can be held legally liable for any breach of data.
In addition to the IT Act, there are two draft legislations which must be given regard to: first, the Personal Data Protection Bill, 2019 (“PDPB”) which was recommended by a committee headed by the retired Supreme Court Judge, Justice B.N. Srikrishna in its report on “Data Protection Framework” submitted to the Government in August, 2017. The report, which focuses upon user consent being the centerpiece of data sharing, states that consent will be a lawful basis for processing of personal data. And second, Digital Information Security in Healthcare Act (“DISHA”) to provide a legal recourse in the event of data leak of the users. However, DISHA is in itself an incomplete legislation with several loopholes which the Personal Data Protection Bill, if passed, seeks to fulfill.
Considering the fact that the mandatory use of the app is not legally tenable and is inconsistent with the fundamental principle of data privacy rendering user consent meaningless, the MHA by way of its directive dated 17.05.2020 diluted its stance on the “mandatory” use of the App and stated that – “With a view to ensuring safety in offices and workplaces, employers on best effort basis should ensure that Aarogya Setu is installed by all employees having compatible mobile phones. District authorities may advise individuals to install the Aarogya Setu Application on compatible mobile phones and regularly update their health status on the app,”
However, it is imperative to note that while the term ‘mandatory’ may have been deleted from the guidelines for usage in the workplace, the app, which is not backed by any law and whose users are not protected by any parliamentary legislation, is still an essential criterion/requirement. The App is mandatory for central government employees and for travelers crossing several state borders within India. It has been made mandatory for select groups by the Airports Authority of India, by the Indian Railways, by sporting authorities, and by private companies such as Urban Clap and Zomato. In addition, guidelines released by the Central Industrial Security Forces (CISF) stated that having the Aarogya Setu App on one’s mobile phone was essential in order to board the Delhi Metro, once services resume, thus leaving people with no choice but to succumb to the directives of the MHA and download this app whilst they may not be willing to share their personal data.
Although it seems like the loosely worded directive dated 17.05.2020 issued by the MHA has eased the guidelines on the mandatory usage of the app, the ground reality narrates a different tale. In fact, the government is proposing that this app be used as an e-Pass in the post-lockdown phase, so there could be an increased pressure on everyone to have this app mandatorily installed on their smartphones sans their consent under the garb of “public security”, which is in conflict and utter disregard of the law laid down by the Hon’ble Supreme Court.
(This post has been authored by Damanjit Kaur and Shubham Sharma. Damanjit and Shubham are advocates practicing in the courts of Delhi.)
Schloendorff v. Society of New York Hospital, 105 N.E. 92 (N.Y. 1914)
Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1
A Free and Fair Digital Economy Protecting Privacy, Empowering Indians, Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, available at: https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf (2018)
Tech Desk, Aarogya Setu App compulsory for air, train travel and more: Full list, The Indian Express, available at: https://indianexpress.com/article/technology/tech-news-technology/aarogya-setu-app-mandatory-air-train-travel-more-list-6413841/ (May 18, 2020)