Justice BN Srikrishna Questions Data Collection Protocol Of Aarogya Setu App
The recently released protocol to determine how data is collected, shared and processed by the Aarogya Setu app has come under criticism from Justice BN Srikrishna, who also questioned the manner in which the order has been passed.
Justice Srikrishna, one of the key architects of the draft Personal Data Protection Bill, was speaking at a webinar organised by the Daksha Fellowship where he questioned the authority by an empowered group to issue such an order.
“It’s highly objectionable that such an order is issued at an executive level. Such an order has to be backed by parliamentary legislation which will authorise government to issue such an order,” Justice Srikrishna said. “The Disaster Management Act has no provision for constitution of an empowered group. What provision of law is this order issued? I cannot understand.”
The Aarogya Setu app was launched by the central government on April 2 to aid contact tracing of people infected by the novel coronavirus. India witnessed its first case of Covid-19 on Jan. 30, and the total number of people infected by the pandemic now stands at more than 70,000, of which at least 44,029 are active cases, according to the Union health ministry.
Prime Minister Narendra Modi had set up 11 empowered groups headed by secretaries in the central government to manage various steps being taken to control the pandemic’s spread. The protocol for data regulation of the Aarogya Setu app was issued on Monday by the empowered group on technology and data management.
The protocol designates the Ministry of Electronics and Information Technology as the supervisory authority to implement the protocol and the National Informatics Centre is made responsible for collection, processing and managing data collected by the application.
It lays down principles for:
- Collection and processing of response data.
- Sharing of response data.
- Obligations of entities with whom response data is shared.
- Violations: Any violation of these directions may lead to penalties as per the provisions the Disaster Management Act, 2005 and other legal provisions as may be applicable.
- Principles for sharing of response data for research purposes.
- Sunset Clause: Unless specifically extended by the empowered group on account of the continuation of the Covid-19 pandemic, this protocol shall be in force for six months from the date on which it is issued.
Justice Srikrishna said he’s not questioning the utility of the app but said since the Right to Privacy has been declared a fundamental right by the Supreme Court, it’s important to question the process by which this app is empowered to collect private data.
“Right to Privacy is declared a fundamental right by the Supreme Court of India and you cannot touch it. A bureaucrat can only issue order curtailing this right if he is empowered by a law passed by the parliament and one which is held to be constitutionally valid,” Justice Srikrishna told BloombergQuint over the phone.
The protocol also fails to address concerns about liability in the case of a data breach, he said. “Where is this in the protocol? I didn’t find any mechanism for accountability in the event of a data breach. In the entire protocol I did not find anything,” he said.
Justice Srikrishna also said the use of the app should not be made mandatory in the absence of a valid law. “You insist I buy a smartphone, you insist I must download this app and then collect the data then I will ask you under what law are you doing this?’’
The Aarogya Setu app faced criticism after certain government departments issued orders to make its download mandatory. A public interest litigation in the Kerala High Court challenged the directions making the app mandatory for a certain class of citizens.
On May 12, Indian Railways put out a tweet saying it will be mandatory for people to download the Aarogya Setu app before commencing their journey. The railways will partially resume passenger trains from Tuesday.