The Mandatory Imposition of the Aarogya Setu App Has No Legal or Constitutional Basis

Even a hypothetical “Aarogya Setu law”, were the government to introduce it, would have to demonstrate constitutional compliance with respect to data protection principles – a difficult task given the app's features.

The extension of the “nationwide lockdown” by another two weeks has brought with it a slew of further directions under the National Disaster Management Act. Many of these directions exacerbate existing problems. For example, unlike previous directions, this one actually does impose a physical curfew (between 7PM and 7AM), and directs local authorities to pass necessary orders implementing it. This particular direction lies at the intersection of rule by executive decree and the undermining of federalism. In this post, however, I want to briefly consider Guideline 15 of Annexure 1, which mandates the use of the government’s contact tracing app – Aarogya Setu – for all private and public employees, and obligates employers to ensure 100% coverage.

To those who have followed the many twists and turns of the Aadhaar story, this metamorphosis from “voluntary” to “voluntary-mandatory” to “effectively mandatory” will have a familiar ring – the pandemic probably just accelerated the pace of transformation from a few years to a few weeks. The mandatory imposition of Aarogya Setu through executive decree, however, suffers from serious legal problems.

The absence of anchoring legislation

The legal framework for the government’s pandemic management strategy has been the National Disaster Management Act, which has an umbrella clause permitting the issuance of guidelines and directions aimed at addressing disasters.

I have discussed previously the separation of powers and other democratic problems that come with using vague enabling legislation to anchor a wide-reaching executive response. When it comes to the infringing of rights, however, the problem is even more acute: Part III of the Constitution requires that even before we get to the discussion of whether a rights violation is justified or not, there must exist a law that authorises it. Any such law has to be specific and explicit with respect to the rights that it seeks to infringe, the bases of infringement, the procedural safeguards that it establishes, and so on.

The NDMA cannot be such a law, because it says absolutely nothing about the circumstances, manner, and limitations under which the government is authorised to limit or infringe civil rights (in this case, the right to privacy). The enabling clauses do not help, because – as pointed out above – they are generic enough so as to permit just about any decree that (the executive believes) is required to tackle the disaster.

If the NDMA were indeed accepted as the basis, then this would effectively subvert the legality requirement entirely and across the board: there could, hypothetically, be one single umbrella legislation that stipulates that “the government may do anything that it believes is reasonable to achieve the public interest”, and do away with any further need for lawmaking in toto. This, however, is the very definition of rule by executive, instead of the rule by and of law.

It should be noted that the proposition I am advancing here is a very basic one. Last week, for example, the high court of Kerala refused to allow the government to cut salaries without specific legislation authorising it (the court correctly observed that the existing provisions of the Epidemic Diseases Act and the Kerala COVID-19 ordinance were far too generic to authorise such a step). A lot more can be written about the judgment of the Kerala high court but for now, suffice it to say that this is not just a basic proposition under Indian law, but a basic proposition everywhere. The Israeli High Court of Justice – not exactly known for being a hotbed of bleeding-heart liberal jurisprudence – held a few days ago that the Shin Bet could not engage in surveillance without authorising legislation. A few months ago, the High Court of Kenya held that GPS coordinates and DNA samples could not be collected under cover of a general law, but – at the very least – would require “anchoring legislation” to do so.

The requirement of specific legislation is not a mere procedural quibble, but a crucial constitutional point. One, of course, is the separation of powers issue: if the state is going to mandate an intrusive, data-collecting app upon its citizens, then the least that ought to be done is that it be authorised by the citizens’ elected representatives, in parliament.

Equally importantly, however, a hypothetical “Aarogya Setu law” will necessarily have to demonstrate constitutional compliance with respect to data protection principles. A good example of this – again – is the history of Aadhaar: once it became clear to the government that it actually had to pass an Aadhaar Act, the accompanying infrastructure – including limitations upon the use of Aadhaar – also had to be considered. Writing out these provisions in law also enabled an informed challenge in Court, where at least a part of the Act was struck down for being unconstitutional. Blithely mandating Aarogya Setu in one sentence through an executive decree tears the constitutional architecture to shreds.

The proportionality test(s)

Given the government’s penchant for ordinances (the Kerala government has, for example, issued an ordinance to get around the high court’s salaries judgment), the requirement of legislation is unlikely to present an effective check upon executive abuse. That, however, makes it important to highlight that there exist serious substantive constitutional concerns with the mandatory use of the Aarogya Setu app.

As is well known, the proportionality standard for adjudicating whether a violation of the right to privacy is justified or not has four prongs:

  • legality (requirement of a law, with a legitimate purpose),
  • suitability (the government’s action must be suitable for addressing the problem, i.e., there must be a rational relationship between means and ends),
  • necessity (i.e., it must be the least restrictive alternative), and
  • proportionality stricto sensu (there must be a balance between the extent to which rights are infringed and the State’s legitimate purpose).

There is, by now, extensive literature on the question of the very effectiveness of contact-tracing apps to fight a pandemic such as COVID-19. As this Brookings Paper on the inaccuracy of such apps shows,

  1. contact tracing is effective where there exists large-scale testing capacity and less spread (the first condition certainly does not exist in India today);
  2. there is a high risk of false positives and false negatives, something that gets worse as the population size increases (recent examples in India bear testimony to this);
  3. the absence of complete smartphone penetration can defeat the purpose (particularly true for India) (the authors also point out other risks, such as social stigmatisation).

It is, therefore, an open question whether the second limb of the proportionality test – suitability/rationality – is satisfied.

The problem grows more severe when we come to the necessity prong. The data collection practices of the Aarogya Setu app – and how they fall short of constitutional standards – have already been discussed extensively. Now, it is not my purpose here to engage in a detailed technical discussion about whether the Aarogya Setu app complies with the third limb of the proportionality standard or not. However, there is a broader legal point that needs to be noted. This is the issue of burden: it is well-established under Indian constitutional jurisprudence – most recently in the Aadhaar judgment – that once a prima facie violation of privacy has been demonstrated, the burden of justification (under the proportionality standard) shifts to the state. In other words, it is for the state to show that the suitability and necessity prongs of the proportionality standard are satisfied.

No transparency

A necessary corollary of this is that as far as the suitability prong goes, the state cannot mandate the use of a privacy infringing app before it is first demonstrably established that a means-ends relationship actually exists. Thus, if – as the Brookings analysis shows – there is a non-trivial likelihood that the app in question cannot achieve the very (legitimate) purpose that it is designed for, it cannot be made mandatory.

Secondly, as far as the necessity prong goes, it creates a constitutional obligation upon the state to be transparent about the basis for choosing this app, designed in this way. Were less intrusive alternatives considered? If so, were they found non-suitable for the goal? If not, why were they rejected? And even if not, why is there not a mandatory sunset clause here?

Once again, this is not a radical legal proposition: in the Aadhaar judgment, the mandatory linking of bank accounts with Aadhaar was struck down precisely on the basis that there existed less restrictive alternatives, and that the government had comprehensively failed to provide any reasons why they had not been considered. It is fair to say that if the government cannot even show why it has chosen a more intrusive data collecting app over a less intrusive alternative (that exists), then it is in no sense a constitutionally justified decision.

Conclusion

The government directive mandating Aarogya Setu for all public and private employees suffers from serious legal flaws.

In the absence of a specific anchoring legislation, it fails the first limb of the proportionality test. And on more substantive grounds, the government bears the burden of showing that the design of the app satisfies both the suitability and the necessity prongs of the test – a burden that, thus far, remains undischarged (indeed, going by blithe ministerial statements about how the app might continue to be in use for two years, there seems to be very little appetite in the government to even attempt to discharge that burden).

There would, therefore, appear to be excellent legal grounds for a challenge to the NDMA Direction; of course, the prospect of any such challenge succeeding at a time when the court appears to have withdrawn itself from its task of rights adjudication, is another matter.

Gautam Bhatia is a lawyer and legal scholar. His book, Offend, Shock, or Disturb: Free Speech under the Indian Constitution, was published by Oxford University Press in 2016. His latest book is The Transformative Constitution: A Radical Biography in Nine Acts (HarperCollins, 2019). This article first appeared on the author’s website, Indian Constitutional Law and Philosophy.