Written by Apurva Vishwanath | New Delhi | Updated: May 12, 2020 

 Former Supreme Court Judge Justice B N Srikrishna at Idea Exchange (Express file photo)

Former Supreme Court Judge B N Srikrishna, who chaired the committee that came out with the first draft of the Personal Data Protection Bill, termed the government’s push mandating the use of Aarogya Setu app “utterly illegal”.

“Under what law do you mandate it on anyone? So far it is not backed by any law,” the former judge said

On May 1, the Ministry of Home Affairs, in its guidelines after the nationwide lockdown was extended, made Aarogya Setu App mandatory for employees of private and public sector offices. It also asked local authorities to ensure 100% coverage of the app in containment zones. The guidelines were issued by the National Executive Committee set up under the National Disaster Management Act (NDMA), 2005.

The Noida police then said that not having the Aarogya Setu application would be punishable with imprisonment up to six months or fine up to Rs 1,000.

“The Noida police order is totally unlawful. I am assuming this is still a democratic country and such orders can be challenged in court,” he said.

Justice Srikrishna said that the guidelines cannot be considered as having sufficient legal backing to make the use of Aarogya Setu mandatory. “These pieces of legislation — both the National Disaster Management Act and Epidemic Diseases Act — are for a specific reason. The national executive committee in my view is not a statutory body,” he said.

In July 2017, while the Supreme Court was still examining whether the right to privacy would constitute a fundamental right, the government had appointed Justice Srikrishna to head the committee on data protection. The committee of experts and officials held public hearings across the country and submitted a report in July 2018, in which it also proposed a draft data protection law. The Bill is yet to be brought to Parliament for approval. The report recommended that “processing of personal data must only be done for clear, specific and lawful” purposes. The committee recommended several rights for the data principal (whose personal data is collected) – from revoking consent granted for processing data, notifying a breach to having their incorrectly processed data rectified by the authorities.

The Supreme Court in the landmark 2017 ruling that recognised the fundamental right to privacy laid down a three-fold test to examine constitutionality of government actions that could invade a citizen’s right to privacy. The first condition is that the action taken must be under a law duly passed by Parliament and the government will have to show it had a “legitimate state interest” to violate the right to privacy apart from having considered all less intrusive measures before violating the right.

On Monday, the Aarogya Setu Data Access and Knowledge Sharing protocol was issued, setting up principles for collecting and processing of data. The protocol is an “order” by the Empowered Group on Technology and Data Management set up by the National Executive of the Disaster Management Act.

Justice Srikrishna said that the protocol would not be adequate to protect the data. “It is akin to an inter-departmental circular. It is good that they are keeping with the principles of the Personal Data Protection Bill but who will be responsible if there is a breach? It does not say who should be notified,” he said.

In a webinar organised on Monday by Daksha Fellowship, a legal education group, he called the new protocol a “patchwork” that will “cause more concern to citizens than benefit.”

“It is highly objectionable that such an order is issued at an executive level. Such an order has to be backed by Parliamentary legislation, which will authorise the government to issue such an order,” said Justice Srikrishna.

“If it is traced to NDMA, the NDMA has no provision for constitution of an empowered group. (Under) what provision of law is this order issued? I cannot understand … If there is a breach of data here, who is answerable, what action has to be taken and (who is) accountable for the data breach. This should really have been traced ideally to PDP (Personal Data Protection) or through NDMA by an appropriate amendment,” he said.

— with inputs from Aashish Aryan