Former Supreme Court Judge, Justice B N Srikrishna, who led the committee that released the first draft of the Personal Data Protection Bill, described the government’s aim to make Aarogya Setu app mandatory for everyone as “utterly illegal”.
“Under what law do you mandate it on anyone? So far it is not backed by any law,” said the now-retired judge.
The Ministry of Home Affairs made Aarogya Setu App mandatory for employees of private and public sector offices, in its guideline issued on May 1st, 2020. It required local governments to make sure that there was not a single person who did not have the app on their smartphones in the containment zones as determined by the government. These guidelines were released by the National Executive Committee mandated under the National Disaster Management Act (NDMA), 2005.
The police of Noida then issued a statement that if a person did not have the Aarogya Setu app on their smartphone, it would be punishable with imprisonment (6 months) or a fine (Rs. 1000)
“The Noida police order is totally unlawful. I am assuming this is still a democratic country and such orders can be challenged in court,” said Justice Srikrishna.
Justice Srikrishna mentioned that the guidelines issued by the police cannot be judged as having satisfactory legal backing to mandate the use of the app. “These pieces of legislation — both the National Disaster Management Act and Epidemic Diseases Act — are for a specific reason. The national executive committee in my view is not a statutory body,” he said.
The Supreme Court in the landmark 2017 judgment that recognized the right to privacy as a fundamental right, established a three-pronged evaluation to test if actions taken by the government are constitutional and if they could invade a citizen’s right to privacy. The first condition is defined as “the action taken must be under a law duly passed by Parliament and the government will have to show it had a “legitimate state interest” to violate the right to privacy apart from having considered all less intrusive measures before violating the right.”
On 11th May 2020, the Aarogya Setu Data Access and Knowledge Sharing protocol was released, establishing some principles for the collection and processing of data. The protocol is an “order” by the Empowered Group on Technology and Data Management set up by the National Executive of the Disaster Management Act.
Justice Srikrishna opined that the aforementioned order will not be enough to protect the data. “It is akin to an inter-departmental circular. It is good that they are keeping with the principles of the Personal Data Protection Bill but who will be responsible if there is a breach? It does not say who should be notified,” he said.
In a seminar online organized on 11th May 2020 by Daksha Fellowship, a legal education group, he termed the novel protocol a “patchwork” which will “cause more concern to citizens than benefit.”
“It is highly objectionable that such an order is issued at an executive level. Such an order has to be backed by Parliamentary legislation, which will authorize the government to issue such an order,” said the former judge.
“If it is traced to NDMA, the NDMA has no provision for the constitution of an empowered group. (Under) what provision of law is this order issued? I cannot understand … If there is a breach of data here, who is answerable, what action has to be taken and (who is) accountable for the data breach. This should really have been traced ideally to PDP (Personal Data Protection) or through NDMA by an appropriate amendment,” he said.