As society struggles to stay on top of the COVID-19 pandemic, governments bear a major responsibility to deal with this public health crisis effectively, and in a manner that does not restrict the civil liberties of their citizens. The role of technology in disaster response cannot be denied, but one must proceed with due care and caution, as drawbacks have been pointed out in India's regulations on the use of such technology.
The lockdown imposed due to the threat of COVID-19 has had a large impact on the Indian economy, including both the organized and unorganized sectors of society. Increased government disease surveillance to track the disease's effect is said to increase the risk of institutionalized surveillance of individuals, and the movement of individuals will also be heavily regulated to protect large swathes of the population from potential exposure to the infection.
The government has launched the Aarogya Setu app, which is designed to notify users who have come into contact with people who have tested positive for COVID-19. The app thus helps people to be traced, supported, and notified. However, the mandatory imposition of Aarogya Setu through executive decree suffers from serious legal problems.
Legislation: An effective way to ensure security
The very effectiveness of contact-tracing apps in fighting a pandemic has been questioned. There can be a high risk of false positives and false negatives, which worsens as population size increases or where smartphone penetration is low, and which may defeat the app's purpose and lead to harms such as social stigmatization. The problem, however, is even more acute when it comes to the infringement of rights: Part III of the Constitution requires that even before we get into the debate of whether a rights violation is justified or not, there must exist a law that authorizes it.
The requirement of relevant legislation is not a mere procedural quibble but a critical constitutional issue. One, of course, is the question of the separation of powers: if the state is going to give its people an invasive data-collection app, suitability (the intervention of the government must be sufficient to resolve the issue, i.e. a fair relationship must be formed between means and ends), or proportionality stricto sensu (a balance must be struck between the degree to which the rights are infringed and the legitimate intent of the State).
Loopholes: A least seen
The Software Freedom Law Centre, a legal non-profit headquartered in Delhi, has pointed out flaws in the app's liability provision: “This ensures that there is no government liability even if the user’s personal information is leaked.”
A legal framework for contact tracing should be created. It could give users recourse against false results produced by the app and localize decision-making, as it may not include spam contacts and those which are used illegally to deceive others.
Since there is no law backing Aarogya Setu, making it mandatory would be illegal. No one's personal data can be taken without his or her consent unless this is mandated under a statute. It is nevertheless important to stress that significant substantive constitutional issues remain with the compulsory use of the Aarogya Setu app.
The Centre has cited effective implementation of its healthcare response to COVID-19 as the rationale for introducing Aarogya Setu. Further, it should be viewed alongside several other recent orders invoking the National Disaster Management Act (NDMA), 2005. While this Act allows the issuance of guidelines and directions aimed at addressing disasters, it was said that it cannot form a generic basis for issuing any direction that impinges on fundamental rights, as in the current case, where nobody is liable for loss of data, false information, or false outcomes produced by the app.
Pavan Duggal, a lawyer at the Supreme Court and cyber-law specialist, said that “the latest guideline highlighted provides people with an escape if they do not want to use the app. First, it is not mandatory, and that they clarified. Second, the word used is ‘should’. It is more of an advisory. Hence, by making it an advisory and not making it compulsory, the government encourages people to take a step forward to continue with the use of the app but also clarifies that there will be no disciplinary action.”
The privacy triple test
According to the triple test, privacy can be invaded to a ‘permissible limit’ if:
- It’s a welfare measure backed by law,
- There is a ‘legitimate state interest’, and
- The measure passes the ‘test of proportionality’.
Right now, Aarogya Setu does not meet some of these demands.
Privacy protection in the form of encrypted signatures was a primary consideration while developing the app. It is not a statutory body and cannot legally make orders; it can only advise the government. The process should also involve engineers, lawyers and designers in conducting the test.
Even if the government does wish to make it mandatory, the required legislation needs to be passed. “Such legislation will need to provide for a rational correlation to mandate the installation of the app and data collection with the objective that it intends to achieve,”
- Legality (requirement of law, with a legitimate purpose),
- Suitability (action by the Government must be sufficient to resolve the issues, i.e. the logical relation between means and ends must be established),
- Necessity (i.e., it must be the least restrictive alternative), and
- There must be a balance between the extent to which rights are infringed and the State’s legitimate purpose.
Does Aarogya Setu Impinge on Privacy?
The core contention in the use of technology in battling such public crises is the infringement of the privacy of citizens.
The mandate to use Aarogya Setu App passes the tests laid down by the Supreme Court and does not amount to an unreasonable invasion of the right to privacy.
If the Aarogya Setu app is misused, people will not trust other government initiatives that require health records, even if those initiatives are careful, conduct consultations, and respect privacy.
This has been lately recognised in the following principles:
The Proportionality Principle
Due to the lack of a comprehensive data protection legal framework in India, the only authoritative standards are the principles propounded in the Puttaswamy judgment.
In this case, the Supreme Court highlighted that data protection is an essential part of informational privacy. It stated that any intervention in such privacy must satisfy three requirements: there must be an existing valid law, a legitimate state interest, and proportionality in the infringement of privacy. An infringement of privacy is proportionate if it is the least restrictive means of achieving the state interest.
At the outset, it must be noted that this collection of personal data by the government is not sanctioned by law and is conducted only on an ad hoc basis; the right to privacy under Article 21 of the Indian Constitution has to remain in the hands of the public. In these unforeseen emergency circumstances, the Government of India has resorted to the provisions of the Disaster Management Act, 2005 to order emergency measures. Nonetheless, no such directive has been issued that extends to the use of the application to collect personal data. This is troubling, since under the PDPB 2019 every data fiduciary must process all personal data, however collected, in compliance with the law. The lack of such an order gives the government more leeway in how it collects citizens’ personal data and removes any data processing from judicial oversight.
Thus, the Aarogya Setu app can amount to a proportionate infringement of individuals' right to privacy if it is backed by law, as a means of securing legitimacy and integrity between the government and citizens, and if it also follows the principles of data protection.
The use of emergency measures must remain within the scope of emergencies; to do otherwise is to risk the creation of an Orwellian state. Though the intentions of the government may be noble and legitimate, the Aarogya Setu app fails to satisfy the requirements of privacy and data protection, as its new terms and conditions provide that the central government is not liable for any fraud that occurs. To keep personal data secure, free from illegal intervention and false outcomes, the app should operate within the necessary informational privacy framework. The government has already issued orders making the use of the application, in its present form, mandatory for employees in India. Even in the tough times of an ongoing pandemic and such public crises, the right to privacy cannot be completely given up. Governments must find a middle ground to protect their citizens’ rights, both to health and to privacy.
By M Pooja | Alliance University