codema.in

Urgent Endorsement request

AA Anivar Aravind Public Seen by 88


Apar Gupta

12:08 PM (1 hour ago)

to me, Devdutta, Policy

Dear Anivar,


I am sending below a request for endorsement by individuals or organisations to representation (developed in collaboration with labour unions) being sent to the Government on May Day. This concerns how their livelihood and participation in the workforce is being made contingent on the use of the Aarogya Setu App.


It would be great if the Indic Project and any of your partners (as individuals or organisations) can endorse this. Kindly also circulate it with individual members of your groups and email lists.


To endorse individuals or organisations can send, "I endorse the Representation against Mandatory Use of Aarogya Setu to protect privacy, autonomy and dignity of workers during COVID-19 outbreak" with Name/Affiliation to to policy@internetfreedom.in.


Further details


As you may be aware, some companies (specially some large technology companies) have made it mandatory for gig workers to download the Aarogya Setu mobile app and we fear that others may soon follow suit. The Aarogya Setu mobile app which collects sensitive personal data relating to a person’s health and movements does not adhere to data protection standards and there is no remedy available if it misidentifies a person as at risk of having COVID-19. The lack of transparency about the app’s underlying code and algorithms means that false positives could force workers to self-isolate and lose their income and freedom of movement as a consequence.


We have explained these privacy and exclusion concerns in greater detail in the representation we intend to send to the PMO's Office and Ministries of Labour, Electronics & IT, Home Affairs and Transport. The representation also seeks measures to provide financial relief and healthcare coverage to gig and platform workers during the COVID-19 outbreak. 


The representation is available here: [English Version] [Hindi Version]


We would be grateful if you could circulate this email in your networks. The letter is open for endorsement till 8:00 AM on Friday, 1 MAY 2020. Please let us know as soon as possible so we can effectively plan advocacy and outreach around it timing this for May Day.


Best,


Apar Gupta,

Executive Director, Internet Freedom Foundation

Full text of the letter:


By Email 



To:

Shri Narendra Modi

Prime Minister

Government of India 


1 May 2020                                                                                                     


Subject: Representation to protect privacy, autonomy and dignity of workers during COVID-19 outbreak


Respected sir,


  1. We, the undersigned organizations, collectives and individuals write this representation to your offices to express serious concern about violation of privacy of workers through mandated use of the Aarogya Setu mobile app. We acknowledge the severity of the COVID-19 crisis which has gripped the country and maintain that it is especially during such public health emergencies that we must ensure the privacy and dignity of essential frontline workers is protected.

  2. During the ongoing COVID-19 crisis, the government has embraced the use of technology for health surveillance and it launched a mobile app called Aarogya Setu for self-assessment and contact tracing on 02 April 2020. While the government initially claimed that the use of Aarogya Setu would be purely voluntary, downloading the app was soon made mandatory for all Central Armed Police Forces personnel and employees of Prasar Bharati. However, as per news reports, army personnel have been instructed not to use the Aarogya Setu app at office premises, operational areas and sensitive locations due to data security concerns.

  3. In addition to government employees, gig and platform workers employed by private companies like Zomato and Urban Company (formerly known as Urban Clap) are also now being forced to use the Aarogya Setu app and share sensitive personal information like health and location data with the government without adequate privacy protections. At present, the Aarogya Setu app is operating in a legal vacuum and its Privacy Policy and Terms of Service do not comply with data protection principles of purpose limitation, data minimization, storage limitation, accuracy, integrity and confidentiality, and transparency and fairness in processing.

  4. So far some companies, notably Zomato and Urban Company, have mandated use of Aarogya Setu for their delivery workers. As lockdown restrictions are gradually eased and other food delivery services, e-commerce platforms and ride hailing apps resume operations, they may take the decision to mandate use of Aarogya Setu for their workers. In the near future, mandatory use of Aarogya Setu may also extend beyond the gig economy and undermine the rights and interests of workers in the traditional economy such as factory workers.

  5. While many delivery personnel and drivers share location data with their companies as part of routine business operations, the privacy risks posed by the Aarogya Setu app are much higher for two reasons. First, the Aarogya Setu app will collect sensitive health data in addition to location data. Second, while location data was previously only shared with the employer, it will now also be available to government agencies through the Aarogya Setu app. Therefore, the intrusion on the privacy of gig and platform workers is significantly greater than ordinary workplace surveillance. In any case, companies already have access to data about the location of workers and their interactions with customers, and contact tracing is possible even without the Aarogya Setu app.

  6. It is pertinent to note that the Central Government has not mandated private companies to use Aarogya Setu and it remains a voluntary measure, however, in effect it is being made mandatory by such entities.  A news report titled ‘Draft e-com SOP: COO responsible for meeting norms, staff to download Aarogya Setu app’ published by the Economic Times on 19 April 2020 suggests that the Government had privately circulated a Draft Standard Operating Procedure for E-commerce with stakeholder companies which mandates use of Aarogya Setu by all workers. The Draft Standard Operating Procedure also holds the Chief Operating Officer of the company responsible for any failure to abide by these guidelines. Therefore, mandating use of Aarogya Setu appears to be a liability reducing measure by private companies and it amounts to the government indirectly mandating use of the app after publicly assuring citizens that it would not do so. 


  1. The Aarogya Setu app has been heavily criticized for failing to adhere to internationally recognized data protection principles endorsed by the Hon’ble Supreme Court in the landmark judgement in K.S. Puttaswamy v. Union of India (2017 10 SCC 1). In Puttaswamy (Privacy), the Court recognized that privacy was a fundamental right guaranteed under the Constitution of India. The Court further noted in the age of Big Data, collection and processing of personal data of individuals can reveal a lot about their lifestyle, choices and preferences. The Court acknowledged that in certain circumstances, the use of such technologies may be justified if the government was pursuing a legitimate goal. However, even in such circumstances, these technologies must be deployed in a necessary and proportionate manner.

  2. In order to satisfy the proportionality standard adopted in Puttaswamy (Privacy), the use of any privacy infringing technology must satisfy five criteria. First, it must have a legislative basis. Second, it must pursue a legitimate aim. Third, it should be a rational method to achieve the intended aim. Fourth, there must not be any less restrictive alternatives which can also achieve the intended aim. Finally, the benefits must outweigh the harm caused to the right holder. In the present case, Aarogya Setu fails the very first prong of the proportionality standard because it does not have a legislative framework to govern its functioning and to ensure adequate procedural safeguards. In the absence of a legislative guarantee containing a sunset clause, sensitive personal data about health and movement of gig workers collected by the Aarogya Setu app could be misused for profiling and mass surveillance even after the COVID-19 outbreak is over.

  3. In the specific context of health data, the judgement in Puttaswamy (Privacy) emphasized on the need for a data protection legislation to ensure that personal data was not used to discriminate against individuals on the basis of their health status. The Court further went on to note that the government may collect and process health data of individuals during epidemics to design appropriate policy interventions but such data must be anonymized.

  4. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 issued under Section 43A of the Information Technology Act, 2000 similarly classify health data as “sensitive personal data” and specify that health data can be collected and processed by body corporates only with the consent of the individual [Rule 5(1)]. The Rules also impose various obligations on body corporates relating purpose limitation [Rule 5(2) and 5(5)], notice [Rule 5(3)], storage limitation [Rule 5(4)], right to access and correction [Rule 5(6)] and right to opt-out [Rule 5(7)].

  5. The proposed Digital Information Security in Healthcare Act also lays down stringent safeguards to preserve the confidentiality of digital health data and associated personally identifiable information. The draft legislation recognizes that individuals must consent to collection and sharing of their health data and it outlines specific purposes for which health data can be utilized by different entities. Pertinently, the proposed Act permits use of digital health data for epidemic control only after it has been anonymized or de-identified and it prohibits employers from accessing the health data of workers under any circumstances. Therefore, even though India does not have a comprehensive data protection legislation at present, the importance of protecting health data of individuals has been recognized by the judiciary and the government.

  6. In addition to lacking legislative basis, the Aarogya Setu app deviates from international best practices for contact tracing apps and fails to comply with data protection standards for the following reasons:


  1. Lack of Consent : The use of Aarogya Setu cannot be considered voluntary anymore as it has been made mandatory for delivery workers. Therefore, there is no scope for delivery workers to refuse consent or opt-out.

  2. Lack of Data Minimization : Registration for the Aarogya Setu app requires sharing large amount of personal data: name, phone number, age, sex,  profession, countries visited in the last 30 days and smoking habits. This is inconsistent with the principle of data minimization.

  3. Lack of Transparency : While it is claimed that personal data collected by Aarogya Setu is aggregated and anonymized, there is no publicly available information about what processes and techniques are followed for aggregation and anonymization. This is relevant because there is high risk of re-identification unless personal data is properly anonymized. Therefore, the app must be subjected to thorough security testing by governmental and independent agencies.


  1. Lack of Algorithmic Accountability : The Terms of Service for Aarogya Setu exempt the government from any liability arising out of misidentification of an individual’s COVID-19 status. Therefore, individuals are left at the mercy of opaque algorithms which perform risk assessment and do not have any remedy in case of false positives. If gig and platform workers were falsely identified as high risk individuals by Aarogya Setu’s algorithm, they would be required to self- isolate and lose their income and freedom of movement.

  2. Unauthorized Data Sharing and Risk of Function Creep : There is no prohibition on sharing of personal data collected by the Aarogya Setu app with third parties. The government is allowed to share this personal information with “other necessary and relevant persons” for “necessary medical and administrative interventions.” The Privacy Policy for Aarogya Setu fails to specify which government departments will have access to personal data collected by the app. Therefore, sensitive personal data collected for contact tracing may also be used by law enforcement agencies for punitive purposes.

  3. Risk of external transfer and integration with other databases : Personal data collected by the Aarogya Setu may be transferred to an external cloud based server and there is no guarantee that it will only be stored locally on the individual’s device. Reports suggest that the data collected by Aarogya Setu is being integrated with other databases maintained by the Indian Council for Medical Research and Integrated Disease Surveillance Programme. This is worrisome because it is difficult to delete such integrated datasets and secondary inferences at a later stage.

  4. Classified as independent contractors, gig and platform workers do not enjoy the same level of income and job security as legally recognized employees. They are particularly vulnerable during the COVID-19 crisis when finding alternative employment is practically impossible and they lack bargaining power vis a vis companies or the government. Therefore, they should not be forced to download the Aarogya Setu app which lacks transparency and accountability in its present form.

  5. The International Labour Organization’s guidance on applicable labour standards during the COVID-19 pandemic dated 23 March 2020 also clearly states that governments must put in place measures to protect the privacy of the workers. It also instructs governments to ensure that health surveillance is not used for discriminatory purposes or in any other manner prejudicial to their interests. 

  6. In addition to these privacy concerns, there is also a need for governmental intervention to provide income security to gig and platform workers who have been unable to work during the lockdown or have witnessed a significant drop in their earnings due to low demand. Gig and platform workers are paid per delivery and they are not guaranteed a stable income. As a consequence, despite toiling for long hours during these difficult times, many gig and platform workers are still struggling to make ends meet because there are not enough deliveries for everyone.  Further,  personal protective equipment and medical insurance should be provided to gig and platform workers who are at risk of contracting COVID-19 due to exposure to many customers everyday.

  7. In collaboration with gig workers’ unions, Tandem Research and Centre of Internet & Society have developed a comprehensive charter of recommendations for COVID-19 relief measures to protect the socio-economic well being and health of gig workers, and we urge your Ministry to address these issues of financial relief and occupational health safety as well.

  8. Considering the damaging impact of the Aarogya Setu app and COVID-19 lockdown on the privacy, autonomy and dignity of workers, we urge your office to undertake the below mentioned measures in collaboration with the private sector.


  1. Take cognizance of privacy concerns associated with Aarogya Setu and issue an advisory clarifying that use of the app should not be made mandatory for workers in the gig economy and also the traditional economy. 


  1. In addition to (a), to ensure greater safety, rely on certain methods of risk mitigation such as working with companies to provide daily temperature checks and personal protective equipment to all gig and platform workers who continue working during the COVID-19 pandemic.


  1. Further, devise the right incentive structures both for companies and workers to ensure that gig and platform workers are able to sustain themselves during the lockdown and those displaying symptoms of COVID-19 are not forced to work to ensure their livelihood. This includes provisions for medical insurance and financial relief to all gig and platform workers who have been unable to work during the lockdown or have witnessed a significant decrease in earnings due to low demand.


Kind Regards,


(Names of signatory organizations)


CC:
Ministry of Labour & Employment

Ministry of Electronics & Information Technology

Ministry of Transport
Ministry of Home Affairs

PP

Pirate Praveen Fri 22 May 2020 8:08PM

We have only one more day before this will be send out to these organizations.