Anu Shrivastava and Keith Varghese
Advocates*
Introduction:
The Ministry of Home Affairs (“MHA”) has been undertaking numerous measures to tackle the coronavirus epidemic (“COVID 19”). The usage of the Aarogya Setu mobile application (“the App”) to undertake contact tracing of patients and restrict the spread of COVID 19 is one of the measures adopted by the MHA. The usage of the App was not mandatory until the lockdown was extended vide the MHA guidelines dated May 01, 2020. In these guidelines, the MHA made the usage of the App mandatory for private sector employees and citizens residing in containment zones. The head of the respective organization was made responsible for ensuring 100% coverage of the App among the employees. Local authorities were given the responsibility of ensuring 100% coverage of Aarogya Setu, and any non-compliance with the Guidelines would attract proceedings under the Disaster Management Act, 2005[1] (“DMA”) and Section 188 of the Indian Penal Code, 1860.
A new set of guidelines was issued by the MHA on May 17, 2020[2] and subsequently on May 30, 2020[3] (“revised Guidelines”) in supersession of the earlier guidelines. The usage of the App was no longer mandatory but was recommended for employers and workplaces on a “best efforts” basis. While the usage of the App may be only advisory for the private sector, law enforcement agencies may still emphasize that people commuting from homes to offices install the App. Further, for public sector and government institutions, employees may be under strict instructions to use the App. The usage of the App has been made compulsory by the Indian Railways for persons availing transportation services through special trains.[4] The Ministry of Civil Aviation vide order dated 21.05.2020 has encouraged the use of the App for air travel but has also provided that in case the App is unavailable a self-declaration form could be used instead.[5] Given that the Government has been constantly recommending the use of the App, it is important to consider the legal issues surrounding the App from the perspective of the right to privacy as a fundamental right.
Operation of the App and the data that it collects:
According to the privacy policy of the App, the information stored on the Server is hashed with a unique digital id (“DiD”). When two registered users come within Bluetooth range of each other, their Apps automatically exchange DiDs and record the time and GPS location at which the contact took place. While the App collects location data continuously, the information is uploaded on the Server along with a DiD only if the user tests positive, or if the symptoms indicate a likelihood of COVID infection, or if the self-assessment test does not indicate that the User is “safe”.[6] The privacy policy also provides that the location and Bluetooth data uploaded on the Server gets deleted within 45 days if the user is not COVID positive and within 60 days if the user has tested positive and been cured of COVID. However, data such as name, age, phone number, sex, profession and travel history is retained for as long as the user’s account remains active.
On May 11, 2020, the Ministry of Electronics and Information Technology released the Aarogya Setu Data Access and Sharing Technology Protocol, 2020[7] (“Protocol”) which specifies that the National Informatics Centre (“NIC”) would be responsible for collection, processing and managing the data collected through the App. The Protocol also provides for limitations on sharing of data, ensures that data is collected only to the extent necessary and proportionate for framing appropriate health responses and allows a user to request deletion of their data. However, under the Protocol retention of data is allowed for a maximum of 180 days. The Protocol allows demographic data of the individual to be retained for as long as the Protocol remains in force. While the Protocol and the privacy policy provide some measures to secure the personal data shared by an individual, they are not fool-proof and have their limitations. Apart from the fact that experts have raised technical issues on the security and privacy of data maintained on the App, legal scrutiny is also invited for the App and the Protocol for not complying with the threshold of reasonable restrictions in limiting an individual’s privacy.
Right to Privacy under the Indian Constitution:
A bench comprising nine judges of the Supreme Court of India in Justice KS Puttaswamy (Retd) v. Union of India[8] (“Puttaswamy I”) was called upon to decide if there was a right to privacy under the Indian Constitution. The Court held that though not expressly provided for under the Constitution, the right to privacy emerges from Article 21 and is recognized by other fundamental rights contained in Part III of the Constitution. The right to privacy is not an absolute right and is subject to reasonable and permissible restrictions to be understood in the context of Article 21, i.e. an invasion of privacy must be justified on the basis of a law which stipulates a procedure that is fair, just and reasonable. This law would have to meet the three-fold requirement of legality, legitimate state aim and proportionality.
Based on the dicta on right to privacy as contained in Puttaswamy I, the Supreme Court in KS Puttaswamy v. Union of India[9] (“Puttaswamy II”) adjudicated on the constitutional validity of the Aadhaar scheme. The Court adopted the following stages or tests to determine the proportionality of a measure which invades privacy: (i) the measure must serve a legitimate goal (legitimate goal stage); (ii) it must be a suitable means of furthering this goal (suitability or rational connection stage); (iii) there must not be any less restrictive but equally effective alternative (necessity stage); and (iv) the measure must not have a disproportionate impact on the right-holder (balancing stage).
Applying the tests for restricting the right to privacy to the Aarogya Setu app:
Three fundamental objections can be raised against the Government/ respective Ministries recommending or mandating the use of the App: (i) the restrictions imposed by the App on the right to privacy are not backed by any law, and therefore the legality test is not met; (ii) the measures which restrict privacy through the App fail to satisfy the proportionality test; and (iii) the measures do not provide for adequate procedural safeguards and there is nothing to ensure security of the data collected through the App.
No “law” to back the App:
The nine judges in Puttaswamy I had concurrently held that akin to Article 21, no person should be deprived of the right to privacy except in accordance with the procedure established by “law”. Justice Chelameswar in a separate and concurring judgment held that the reference to “law” in this context would mean a valid legislation.
In Kharak Singh v. State of U.P.[10], the Supreme Court was considering the legality of certain regulations under the U. P. Police Regulations which allowed the police to open “history sheets” containing personal records of criminals and place them under surveillance. The regulations were sought to be justified on the ground that they had been framed in the interests of the general public and public order. The Court held that even if the regulations were to be justified, they should have had reference to a valid law, be it a statute, a statutory rule or a statutory regulation. It was further held that the regulations were executive or departmental instructions framed for the guidance of police officers and did not satisfy the requirement of “a law” which the State is entitled to make in order to regulate or curtail fundamental rights. The Kerala High Court[11] recently stayed an executive order of the state of Kerala on deferment of salaries, on the grounds of it being without an anchoring legislation or statute. The Kerala High Court also stated that the deferment of salaries order does not trace its source to any law, including the Epidemic Diseases Act or the DMA. It further held that in the absence of an anchoring legislation, executive orders couldn’t be passed which affected the rights of the citizens.
The revised Guidelines have been issued by the Union Home Secretary of the MHA acting as the Chairperson of the National Executive Committee (“NEC”) under Section 10 of the DMA. The revised Guidelines may have a legislative backing in the DMA but neither the revised Guidelines nor the DMA provides for sufficient procedural safeguards while recommending the usage of the App. Any “law” which infringes fundamental rights should also contain sufficient inbuilt procedural safeguards to rule out arbitrary exercise of power.[12] Certain safeguards are provided under the Protocol but the Protocol has not been formulated by a body directly constituted under the DMA.
It is important to note that unlike the revised Guidelines, the Protocol has been promulgated by the Chairperson of the Empowered Group 9 on Technology and Data Management and not by the NEC. Unlike the NEC which is a body constituted directly under the DMA, these Empowered Groups have been constituted by the NEC with the specific mandate to identify problem areas and provide effective solutions, delineate policy, formulate plans, strategize operations and ensure effective implementation of plans and policies.[13] Neither Section 10 of the DMA nor the mandate of the Empowered Groups, confer powers upon the Empowered Group 9 on Technology and Data Management to make a law or issue executive orders which have the force of law. The Protocol, at best could be considered to be instructions and guidelines for the operation of the App. The fact that India doesn’t have a law which provides for data protection and privacy places further burden on the Protocol and the revised Guidelines to ensure that the requirements for restricting privacy are strictly met.
It could be argued that the Protocol and the revised Guidelines are administrative or executive orders and therefore satisfy the requirement of law under Article 13 of the Constitution. However, a reading of Puttaswamy I suggests that the law which restricts the right to privacy must provide for a robust regime and stipulate a procedure that is just, fair and reasonable. This can be achieved only through a statute passed by the Parliament, or at least an ordinance providing for a detailed procedure.
Proportionality: Necessity and balancing stage
The revised Guidelines may be considered ultra vires for another reason: they do not meet the test of proportionality, which mandates that the least restrictive choice of measures has been adopted while regulating the exercise of fundamental rights. Proportionality involves the ‘balancing test’ which permits scrutiny of excessive and onerous penalties or infringement of rights or interests and a manifest imbalance of relevant considerations, and the ‘necessity test’ which requires infringement of human rights to be through the least restrictive alternatives.[14]
Puttaswamy I gives an example of a case before the Court of Justice of the European Union[15] (“CJEU”) where a measure had been struck down because it did not conform to the requirements of the proportionality test. In this case, a directive had been challenged before the CJEU which required telephone and internet service providers to retain details of internet and call data for 6 to 24 months. The objective of the directive was to ensure that the data is available for prevention, investigation, detection and prosecution of serious crimes. While the CJEU agreed that the directive had a legitimate objective in mind, the directive failed at satisfying the proportionality test.
The App constantly monitors the location of an individual in order to notify the user if they come in close proximity of a COVID-19 positive patient. According to the Protocol, the objective of the App seems to be to collate demographic, location, contact and self-assessment data to enable the governments to formulate appropriate health responses for COVID-19. The question to be determined here is if there was any other equally efficacious and less restrictive means to allow governments access to data for formulating adequate health responses. An alternative would have been for the government to access the information relating to COVID-19 positive patients from hospitals, or adopt the method of door to door survey and conduct contact tracing which could have been equally effective. Concerns have also been raised regarding the accuracy of the App and low rate of mobile phone and internet permeability in India. This further pushes for the need to adopt less intrusive methods which are independent of access to smartphones and free from the inaccuracies of self-assessment tests.
Lack of procedural safeguards and security:
The recognition of the right to privacy as a fundamental right ensures that the individual’s data and privacy are secure from the State. Puttaswamy I recognises that privacy is based on the autonomy of the individual and postulates the reservation of a private space, i.e. a right to be left alone. The data parted with by a user on the App is maintained on a server that is managed and controlled by a Government agency, and this agency is responsible for collection, processing and managing the data collected through the App. There are no procedural safeguards under the revised Guidelines or the Protocol regarding the misuse in collection, processing and management of the data.
In the absence of procedural safeguards and a law on data protection, there is no mechanism to ensure that the NIC would share, collect and process data only in accordance with the Protocol. There are genuine security concerns and a fear of unauthorised access of data maintained on NIC by hackers. According to OECD Principles,[16] the basic requirements of security safeguards include physical measures, organizational measures (such as authority levels for accessing data) and informational measures (such as continuous threat monitoring). These are missing from the Protocol and the privacy policy of the App which only give a bare statement that the data submitted through the App is anonymized and is secure. The EU GDPR provides for specific security measures that are to be taken while processing data, mandates notifying the user of a security breach and provides for security audits and inspection. The Protocol and the privacy policy do not meet any of these requirements and fail to provide adequate safeguards. The legal issues surrounding the App have once again brought to the fore the urgent and imminent need for a robust law on data protection in India which is in line with the principles enumerated by the Supreme Court.
*The authors are litigating lawyers practising before the Supreme Court of India and Delhi High Court
[1] Sections 51 to 60 of the Disaster Management Act, 2005
[2] https://www.mha.gov.in/sites/default/files/MHAOrderextension_1752020_0.pdf
[3] https://www.mha.gov.in/sites/default/files/MHAOrderDt_30052020.pdf
[4] https://pib.gov.in/PressReleseDetailm.aspx?PRID=1625585
[5] https://www.civilaviation.gov.in/sites/default/files/Order_of_MoCA_dated_21st_May_2020.pdf
[6] https://web.swaraksha.gov.in/ncv19/privacy/
[7] https://meity.gov.in/writereaddata/files/Aarogya_Setu_data_access_knowledge_Protocol.pdf
[8] (2017) 10 SCC 1
[9] (2019) 1 SCC 1
[10] AIR 1963 SC 1295
[11] Kerala Vydyuthi Mazdoor Sangham & Ors. v. State of Kerala WP (C) TMP 182, 183, 184, 196 & 198 of 2020
[12] People’s Union for Civil Liberties (PUCL) v. Union of India, (1997) 1 SCC 301
[13] https://dst.gov.in/sites/default/files/MHA%20Order%20Dt.%2029.3.2020%20on%20%20Disaster%20Management%20Act%202005.pdf
[14] Kerala State Beverages (M&M) Corpn. Ltd. v. P.P. Suresh, (2019) 9 SCC 710.
[15] Digital Rights Ireland Ltd. v. Minister (2014), C-293/12.
[16] OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, available at http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm