Speaking at a webinar organized by Daksh, an advocacy group, on Monday, Former Supreme Court Judge, Justice BN Srikrishna said that mandating the use of Aarogya Setu app "causes more concern to citizens than benefit."
Justice Srikrishna is a pioneer in the data laws regime, having headed the committee of experts on data protection. Whilst the data protection laws were still under consideration by the said committee, the right to privacy of an individual was recognized by the Apex Court in K. S. Puttaswamy v. Union of India, (2017) 10 SCC 1.
Adding to this celebrated ruling, the committee submitted a report and proposed a Draft Data Protection Bill in 2018 to bring about surveillance law reform in India, a bill that is yet to be placed before the Parliament.
Highlighting the three-fold test evolved by the Supreme Court in the Puttaswamy judgment, Justice Srikrishna said,
"It is highly objectionable that such an order is issued at an executive level…Such an order has to be backed by Parliamentary legislation, which will authorise the government to issue such an order."
As per the said case, the Government must ensure the following before it can lawfully invade the privacy of any individual:
However, in the present scenario the Government has mandated the use of the Aarogya Setu app for the purposes of contact-tracing, for all public and private sector employees by way of an executive order dated May 1, 2020, issued by the Ministry of Home Affairs, under the Disaster Management Act, 2005.
Disapproving of the same Justice Srikrishna said,
"…It [Govt order dated May 1, 2020] is akin to an inter-departmental circular. It is good that they are keeping with the principles of the Personal Data Protection Bill but who will be responsible if there is a breach? It does not say who should be notified."
No authority under Disaster Management Act
Though he recognized that contact tracing is "absolutely necessary", he also emphasized that the Central guidelines were "utterly illegal" as the Government does not have the power under the Disaster Management Act, 2005 to invade the privacy of an individual.
"If it is traced to NDMA, there is no provision there for constitution of an empowered group. So under what provision of law is this order issued? I cannot understand…," he said.
Lack of Accountability
He also pointed out that in the absence of a proper legislation in place, there was no accountability in the system in case of data breach.
"If there is a breach of data here, who is answerable? What action has to be taken? Who will held accountable for the data breach? This should really have been traced ideally to PDP (Personal Data Protection) Act or through NDMA by an appropriate amendment," he said.
Commenting on the absence of a "sunset clause" to the cease the operation of the app after the pandemic is over, Justice Srikrishna said,
"What starts off with great beneficial ideas, ultimately at the end of some period when the emergency ceases to exist, we will be into a regime which is disastrous for any citizen of a democracy."
"if Parliament is not in a position to act, then obviously an ordinance can be issued which may replaced after 180 days by parliament as soon as it starts functioning…had an ordinance been issued, it would have been easier to include safeguards."
The webinar titled "Data Governance & Democratic Ethos" was also attended by privacy laws expert and lawyer Rahul Matthan, who emphasized that all the principles for data protection, articulated by Justice Srikrishna had been incorporated, "to the best extent possible".
Data Remains on the user's phone
Explaining how the data collected from the app is handled, Matthan explained that the app "de-identifies" its users and the data by default remains on the phones unless the user is tested COVID positive.
"As soon as you register, your identity is stripped off, i.e. your phone number and you name is taken out and is replaced with a random number and in all your transactions with the app going forward, it's that random number that actually is used…
By default, data remains on the phone. So it's designed such that contact information whenever you meet someone is shared between the two phones…and there is only you who has that information; it's encrypted; you can't see who you have come in contact with. It's only if you turn COVID positive that the data is pulled from the phone and sent to the server."
Rigorous data deletion mechanism
"Data is deleted from your phone on a 30-days rolling cycle…If the data is pulled to the cloud and you don't turn COVID positive, you data is deleted in 45 weeks and if you do turn COVID positive, your data is deleted 60 days after you are declared to be healthy," Matthan added.
The Government order has also recently come under the scanner of the Kerala High Court which sought the response of the Central Government in a petition filed against the mandating the use of the app.