The Ministry of Home Affairs, in a confusing order, announced on May 1, 2020, that the Aarogya Setu mobile application, the COVID-19 contact tracing app, is mandatory for all private and public employees. The head of every organisation would be responsible for ensuring “100% coverage of the app among employees”, it said.
Two weeks before this order, the Prime Minister in his address to the nation on April 14, urged all Indians to download the mobile application to fight Coronavirus.
The order on May 1 was issued under the National Disaster Management Act (NDMA), 2005. According to the order, districts would be divided into Red, Green and Orange Zones by the Ministry of Health and Family Welfare. In areas demarcated as containment zones within red and orange zones, local authorities had to ensure “100% coverage of Aarogya Setu app”.
The question arises if the government can ‘legally’ enforce it. The simple answer is no.
The National Disaster Management Act, which the government has used to issue these guidelines, falls under the concurrent list. This means the Central government can pass guidelines and then request states to follow those guidelines as much as possible. “There are two aspects here. The first is that everyone in the containment zone should have the app and the second is for workplaces. Legally, the government cannot ask anyone in the country to download an app to give sensitive details – name, gender, age, preferences. The government cannot take this data without your consent, which is what is happening right now,” said Shashank Mohan, project manager at Centre for Communication Governance, National Law University-Delhi.
The NDMA cannot be such a law, writes Constitution expert and lawyer Gautam Bhatia, because it says absolutely nothing about the circumstances, manner, and limitations under which the government is authorised to limit or infringe civil rights (in this case, the right to privacy).
What is stuck in the crosshairs is how the government is going to implement 100% coverage of the app among private employees and those who do not own smart phones in containment zones.
While a public employer is considered as the state under the Constitution, nuances of a private employer’s adherence to the guidelines remain complicated. “In case of both public and private employee, under the Personal Data Protection Bill (that is being considered by a Joint Parliamentary Committee), only certain data can be processed by the employer without the consent of the employee and that is mostly for processing salaries. But, when it comes to sensitive data, the employer has to take consent of the employee. Health comes under sensitive data,” added Mohan.
Will the employer have to buy these phones for the employee? No one is sure. A businessman who did not want to be identified asked, “How can I as the CEO of my food company, say, ensure that my employees keep the app downloaded and switched on? Phones are simply not allowed on the floor in food factories. Just as in jewellery, watches, shoes, electronic hardware, machining workshops and many other IT and ITES companies. They are allowed in perhaps accounting, HR, admin and other functions in such companies. So, how do we resolve the 100% coverage issue?”
He said that his lawyer informed him that he cannot force his employees to give the management their phone passwords. “It is possible that someone may take me to court and successfully sue me for breach of privacy if I were to force them to open their phones to show me the Aarogya Setu app. What about when the employee leaves the workplace? What about employees who are on the field even if the phones are not given by the company?”
The businessman wanted to know if the employee did not have a smart phone, was he allowed to fire the employee as the law states 100% coverage, so not having a smartphone is “apparently a breach of law”? He wondered if he had to spy on his employees to check, they may lie about not having a smartphone.
He was worried that if the app was hacked in and the employee suffered some harm or damage to their reputation, would he be taken to court or who would be responsible because the app states that the government could not be held responsible.
According to Supreme Court’s privacy judgement of 2017, the apex court had noted that while privacy is a fundamental right, none of our rights under the Constitution are absolute. Justice DY Chandrachud, who was one of the nine judges in the case, had said that in case of a health epidemic like dengue, the government might be in a situation where they want to collect data to monitor and manage the epidemic. “In such a case, the government has to anonymise the data to use it,” Justice Chandrachud had written.
The larger principle which comes out of the judgement is that there should be a four-step process through which the government can limit our privacy. “Firstly, it has to be coming from a law. Second is the necessity principle. For the achievement of a legitimate state aim, the state will have to limit your privacy. The state has to show the legitimate aim. The third principle is the proportionality principle – there has to be necessary nexus between what the state wants to achieve, and the methods employed by it. The fourth step is procedural safeguards – each step violating privacy must be safeguarded by checks, including grievance redressal systems,” underscored Mohan.
The data collection practices of the Aarogya Setu app fall short of constitutional standards.Bhatia writes in his blog that it has been well-established under Indian constitutional jurisprudence – most recently in the Aadhaar judgment – that once a violation of privacy has been demonstrated, the burden of justification (under the proportionality standard) shifts to the State.
“In other words, it is for the State to show that the suitability and necessity prong of the proportionality standard are satisfied.” Bhatia explains that a necessary corollary of this is that the State cannot mandate the use of a privacy-infringing app before it is first demonstrably established that a relationship justifying its use actually exists.
Even if the state says it is necessary for handling the pandemic and it’s a proportionate measure along with manual contact tracing, neither does the NDMA nor the Epidemic Diseases Act, which the states follow, authorise the government to collect such data to achieve this objective.
Supreme Court has said all data is owned by the person themselves, so if the person doesn’t want to let the government process their data, they should have the opt-in and opt-out condition. But, in case of Aarogya Setu mobile application, the data cannot be deleted. “If they force people, it is unconstitutional and then it opens it up to a challenge in the Supreme Court,” pointed out Mohan.
The government has to show a rational co-relation between controlling coronavirus with the usage of an app. In several countries, including Singapore and South Korea, where contact-tracing apps have been put to use, it has not supplanted on-ground contact tracing efforts. It has only supplemented them.
The epidemic is a thin disguise for outright coercion to download this app. The Delhi-Haryana border at Gurgaon has been blocked and we are told that the police is letting people pass through only if they have the Aarogya Setu app on their phones, said Kalyani Menon-Sen, an independent researcher and feminist activist.
“Like Aadhar, this is just one more tool of digital-surveillance that the governments is deploying in pursuit of its agenda of total control.” Sen asserts. “They claim it will stop the spread of COVID-19 but refuse to explain how….”
All and any questions and critiques of this app are brushed aside with the assurance that it is safe but no information or evidence is ever provided to back that assurance. The bulldozing tactics that worked with Aadhaar are being used again. The public has been well-conditioned to blindly follow orders, pointed out Sen.
Across the world, such technologies are untested and still in the experimental stage. The Aarogya Setu application was developed under the guidance of National Informatics Centre through a public-private partnership.
To be effective, the app must help those who are most vulnerable to the virus, but most of them do not have smartphones. India has more than 1.3 billion people, but less than 400 million are smartphone users. This means that the smartphone penetration in the country stands at 28%, which may include multiple devices for same people. People in the initial development of the application have stated that at least 50% of the population must download the app for it to be an effective solution.
What is also worrisome is the app’s invasion of privacy as its policy aims to confuse than clarify. Initially, it states that the personal information is stored on the device itself, but later it states that this data could be stored externally in a cloud server and be used by the central government whenever it wants.