Covid-19: Aarogya Setu needs legislative backing

The government’s decision to make the coronavirus (Covid-19) tracking application, Aarogya Setu, mandatory in many spheres of life brings constitutional challenges such as the right to privacy of citizens.

The Supreme Court (SC) has deliberated on the issue of privacy on numerous occasions. In Govind Vs State of MP in 1975, the Court recognised that the right to privacy is a part of a citizen’s personal liberty. The Court also held that this right deserved to be examined with care and must only be denied when an important countervailing interest is shown to be superior. In 1996, in PUCL Vs Union of India, the Court formulated guidelines imposing substantive and procedural restraints, while holding that the right to privacy includes informational privacy and confidentiality. However, in the 1998 Mr X Vs Hospital Z case, the Court’s view was that the right to privacy is not absolute and is subject to restrictions as may be lawfully imposed for prevention of crime or disorder, or protection of health or morals, or protection of rights and freedoms of others.

In 2017, in the KS Puttuswamy Vs Union of India case, a nine-judge SC bench held that a “menu” of tests should be applied, depending upon the rights that may be infringed. It recognised the importance of a data protection law and its absence as a void in the enforcement of privacy laws. It held that there should be a rational nexus between the objects sought and the means adopted to achieve it, to ensure the extent of interference is proportionate to the need for such interference.

The Centre’s directions are executive in nature, deriving their power from the Disaster Management Act, 2005, which doesn’t have any provision to deal with surveillance. However, as the statute is worded in the broadest possible terms and, as it is meant to deal with emergent and unforeseen situations, the authority given can be construed liberally. Still, the Act and the directions thereunder have to be tested on the touchstone laws infringing fundamental rights.

The app has not specified the security practices it follows to protect the collected data. A mere declaration that data, being encrypted, is secure is not sufficient. The app requires the user’s Bluetooth and locations services to be switched on at all times. It is not clear if the collected data – or, specifically, the locational surveillance – will be shared with any other agency. In 2018, the ministry of home affairs had authorised 10 agencies to intercept and monitor information and individuals. As most of them are intelligence agencies, they are not liable to disclose information.

Currently, there is no legal framework that governs the app beyond its privacy policy and terms of use. The terms and conditions clearly state that the user “agrees and acknowledges that the Government of India will not be liable for any unauthorized access to your information or modification thereof”.

The app does not satisfy the menu of tests laid down in the Puttuswamy judgment. It also does not comply with the requirements of the Information Technology Act, 2000 or the Indian Telegraph Act, 1885 as far as protections against surveillance are prescribed under these statutes. The lack of regulatory measures, absence of clear legislative authority, and multiple levels of delegation make the app susceptible to misuse.

It is similar to the situation when the government had made the Aadhar cards mandatory, without necessary legislation. Once the government brought the Aadhar Act, it allowed citizens to approach the Court, which eventually stuck down parts of the Act it construed extra-constitutional.

In the absence of any anchoring legislation, the government’s decision to make the app mandatory lacks legislative competence, besides failing the test of proportionality. The burden is now on the government to prove that the app satisfies the test of proportionality. As the app is mandatory, it could, in essence, allow the government to use it as a surveillance tool – to keep track of social contacts and whereabouts of any user – which would be a clear violation of citizens’ right to privacy.

Amit Anand Tiwari is an Advocate on Record, Supreme Court

The views expressed are personal