The government cannot make it mandatory for citizens to download the Aarogya Setu app, according to top legal experts.

Retired Supreme Court Judge BN Srikrishna, who had investigated the Mumbai riots of 1992-93 and helped draft data privacy and protection laws, told BusinessLine via email that since there is no law backing Aarogya Setu, making it mandatory would be illegal.

Anyone’s personal data cannot be taken away without his/her consent unless it is mandated under a statute that satisfies the triple test laid down in the Supreme Court judgment in the Puttaswamy Aadhaar case, said Srikrishna.

The Centre has been seen pushing the app for mandatory use by people to board trains and flights. Also, some companies are making it mandatory for their employees to download and use the app.

Aarogya Setu can be used as a contact tracing mechanism to identify Covid-19 patients in a specified radius.

Centre’s stance

The Centre has cited effective implementation of its health response to Covid-19 as the rationale for coming out with Aarogya Setu. It should be looked upon like several other recent orders invoked under the National Disaster Management Act (NDMA), it says. The Act allows the issuance of guidelines and directions aimed at addressing disasters.

“That cannot form a generic basis to issue any direction that impinges in fundamental rights like in the current case, where nobody is liable for loss of data or false results by the app,” said Mishi Choudhary, Technology Lawyer and Managing Partner at Mishi Choudhary and Associates.

The privacy triple test

According to the triple test, privacy can be invaded to a ‘permissible limit’ if: a) it’s a welfare measure backed by law, b) there is a ‘legitimate state interest’, and c) the measure passes the ‘test of proportionality’.

Right now, Aarogya Setu does not meet some of these demands. For example, what happens if the data is leaked? Srikrishna is of the view that there is no mechanism to monitor leakage and no clarity on who is answerable if there is one.

The government maintains that the app is helping contain the pandemic. Ajay Sawhney, Chairman of the Empowered Group on Technology and Data Management, , has announced guidelines for the collection, processing, storage and sharing of ‘anonymised’ data. He has further said privacy protection in the form of encrypted signatures was a primary consideration while developing the app.

However, there are questions around the legal standing of the empowered group itself. “It is not a statutory body and cannot legally make orders. It can only advise the government,” said Srikrishna.

Meanwhile, the Kerala High Court has passed an order that the information gathered on patients through the app should be used exclusively for handling the pandemic, and nothing else. .

Unprecedented times

“So far, courts have also taken a prima facie view that in these unprecedented times it may not be appropriate to interfere with the orders of the government,” said Anu Monga, Partner, IndusLaw.

Even if the government does wish to make it mandatory, the required legislation needs to be passed. “Such legislation will need to provide for a rational correlation to mandate installation of the app and data collection with the objective that it intends to achieve,” said Nirupam Lodha, Partner, L&L Partners.

The process should also involve engineers, lawyers and designers to conduct the test, said experts.

“They require access to the source code both on the client side and the server side, and also the schema of all the relevant databases,” said Sunil Abraham, Endowed Professor - Digital Policy and Design Practices, University of ArtEZ.

So far, about 9.8 crore people have downloaded Aarogya Setu and the same service will soon be made available in feature phones. It is built around the data related to less than 13,000 users who tested positive. Alerts have been sent to about 1.40 lakh users.

comment COMMENT NOW