Mandatory use of the Aarogya Setu app is illegal: Justice B N Srikrishna

Former Supreme Court Justice B N Srikrishna at Idea Exchange (file photo Express)

Former Supreme Court Justice B N Srikrishna, who chaired the committee that came up with the first draft of the Personal Data Protection Bill, called the government’s push for the use of the Aarogya Setu app “completely illegal.”

“What law does someone order it under? So far it is not backed by any law, “the former judge told The Indian Express.

On May 1, the Home Office, in its guidelines after the national blockade was extended, made the Aarogya Setu app mandatory for employees of public and private sector offices. He also asked local authorities to guarantee 100% coverage of the application in containment areas. The guidelines were issued by the National Executive Committee established under the National Disaster Management Act (NDMA), 2005.

Noida police later said that not having the Aarogya Setu application would be punishable by a prison sentence of up to six months or a fine of up to Rs 1,000.

“The Noida police order is totally illegal. I assume that this is still a democratic country and that those orders can be challenged in court, ”he said.

Judge Srikrishna said the guidelines cannot be considered to have sufficient legal backing to make the use of Aarogya Setu mandatory. “These laws, both the National Disaster Management Law and the Epidemic Diseases Law, are for a specific reason. The national executive committee, in my opinion, is not a statutory body, ”he said.

In July 2017, while the Supreme Court was still examining whether the right to privacy would constitute a fundamental right, the government appointed Judge Srikrishna to head the data protection committee. The committee of experts and officials held public hearings across the country and presented a report in July 2018, in which it also proposed a draft data protection law. The bill has yet to be submitted to Parliament for approval. The report recommended that “the processing of personal data should only be carried out for clear, specific and legal purposes.” The committee recommended several rights for the data manager (whose personal data is collected), from revoking the consent given for data processing, to reporting a violation until authorities rectify their incorrectly processed data.

The Supreme Court in the landmark 2017 ruling that recognized the fundamental right to privacy established a triple test to examine the constitutionality of government actions that could invade citizens’ right to privacy. The first condition is that the action taken must be under a law duly approved by Parliament and the government will have to demonstrate that it had a “legitimate state interest” to violate the right to privacy, in addition to having considered all the least intrusive measures before of violating the law. .

On Monday, the Aarogya Setu Data Access and Knowledge Sharing protocol was issued, which sets out the principles for data collection and processing. The protocol is an “order” of the Empowered Group of Technology and Data Management established by the National Executive of the Disaster Management Law.

Judge Srikrishna said the protocol would not be adequate to protect the data. “It is similar to an interdepartmental circular. It is good that they comply with the principles of the Personal Data Protection Bill, but who will be responsible if there is a violation? It does not say who should be notified, “he said.

In a webinar organized by Daksh on Monday, an advocacy group called the new protocol a “mosaic” that “will cause more concern to citizens than benefit.”

“It is highly objectionable that said order be issued at the executive level. Such an order must be supported by parliamentary legislation, which will authorize the government to issue such an order, “said Judge Srikrishna.

“If you go back to NDMA, the NDMA has no provision to form an empowered group. (Under) what provision of law is this order issued? I can’t understand … If there is a data breach here, who is responding, what action needs to be taken and who is responsible for the data breach. This really should have been ideally traced back to PDP (Personal Data Protection) or via NDMA via an appropriate amendment, ”he said.

– with contributions from Aashish Aryan

📣 The Indian Express is now on Telegram. Click here to join our channel (@indianexpress) and stay updated with the latest headlines

For the latest news from India, download the Indian Express app.

© The Indian Express (P) Ltd