Mandatory imposition of Arogya setu App: Legal angle

Reading time: 8-10 minutes.

Aarogya Setu (literally, disease-free bridge) is an Indian COVID-19 mobile application monitoring established by the National Informatics Centre under the Ministry of Electronics and Information Technology of the country.

Its main aim

The stated aim of this app is to spread awareness of COVID-19 and link important COVID-19-related health services to the Indian people. This app increases the Department of Health’s initiatives to contain COVID-19 and communicates best practices and advisories. It is a tracking app that uses the GPS and Bluetooth functions of the smartphone to track coronavirus infection. The software is available for smartphone operating systems running Android and iOS. With Bluetooth, by searching through a database of known cases across India, it attempts to determine the risk if one has been near (within six feet of) a COVID-19-infected human.

The extension of another two weeks of the “nationwide lockdown” has brought with it a slew of further directions under the National Disaster Management Act. Many of those directions are exacerbating existing issues. Unlike previous directives, for instance, this one actually imposes a physical curfew (between 7PM and 7AM), and requires local authorities to pass appropriate orders to enforce it. This specific path lies in the intersection of rule by executive order and the federalism undermining it. However, in this post I would like to briefly consider Guideline 15 of Annex 1, which prescribes the use of the government’s contact tracing app – Aarogya Setu For both public and private workers, which obliges employers to have 100 percent coverage.

To those who have followed the many twists and turns of the Aadhaar saga, this metamorphosis would have a familiar ring from “voluntary” to “voluntary-mandatory” to “effectively compulsory” – the pandemic possibly only accelerated the speed of transition from a few years to a few weeks. However, Aarogya Setu’s compulsory implementation by executive order suffers from severe legal challenges.

Technicality

There are four sections to Aarogya Setu:

 1. Your status (specifies the chance for the user to get COVID-19),

2. Self Assessment (let the user know the risk of an infection),

 3. COVID-19 Update (actualizes local and regional cases COVID-19) and

 4. E-pass (to be operationalized yet)

Tell how many Covid 19 positive cases are likely to occur within a 500 m, 1 km, 2 km, 5 km and 10 km radius from the user.

The software is designed on a framework that can provide an Application Programming Interface (API) so that the functionality and data available in Aarogya setu can be used by other computer programs, mobile apps, and Web services.

Arguments made in the plea against mandatory imposition

The legal basis for the government’s pandemic management plan was the National Disaster Management Act, which has an umbrella provision that requires disaster management instructions and guidance to be given. Previously, I addressed the separation of powers and other political concerns that require the use of ambiguous legislation that facilitates disaster management. However, when it comes to the breach of rights, the issue is even more acute: Part III of the Constitution demands that even before we get to the debate of whether or not a violation of rights is permissible, there must be a statute that permits it. Any such legislation must be clear and transparent with regard to the rights it intends to infringe, the grounds for violation, the procedural protections it provides, and so forth.

The NDMA cannot be such a law since it says nothing about the conditions, manner and limits in which the government is allowed to restrict or infringe civil rights (the right to privacy in this case). The enabling provisions do not help as, as mentioned above, they are too vague to enable just about any regulation that (the executive believes) is necessary to tackle the catastrophe. If the NDMA was actually adopted as the basis, then this would essentially remove the necessity for legality in its entirety and across the board: there could, hypothetically, be one single paragliding law that could do so. It believes that serving the public interest is fair “and removing any further need for legislation in toto. Yet this is the very concept of rule by government, rather than rule by force by statute.

It should be remembered that the argument I am putting forward here is a very fundamental one. For example, last week, Kerala’s high court refused to allow the government to cut salaries without specific legislation authorizing it (the court correctly observed that the existing provisions of the Epidemic Diseases Act and the Kerala COVID-19 Ordinance were far too generic to allow such a move). Far more can be written about the Kerala high court’s judgment, but for now, it’s enough to say it’s not just a simple proposal under Indian law, but a simple proposal everywhere. The Israeli High Court of Justice-not exactly known as a hotbed of radical jurisprudence with bleeding heart.   It was held a few days ago that the Shin Bet could not engage in surveillance without statutory authorisation.

A few months ago, Kenya’s High Court held that GPS co-ordinates and DNA samples could not be obtained under a general rule, but would require “anchoring legislation” to do so, at the very least. Relevant legislation’s provision is not a mere procedural quibble but a critical constitutional issue. One, of course, is the question of the separation of powers: if the state is going to give its people an invasive data-collection app, then the least that could be done is to be approved by the elected representatives of the people in parliament. However, equally significantly, a hypothetical “Aarogya Setu rule” would inevitably have to demonstrate conformity with the standards of data security by constitution.

A clear example of this-again-is Aadhaar’s history: once it became evident to the government that it had to pass an Aadhaar Act, There had to be thought, too. Setting out these provisions in legislation also allowed an informed appeal to be brought before the Court, where at least a portion of the Act was found to be unconstitutional. Just one paragraph, blithely mandating Aarogya Setu via an executive order is ripping the constitutional system to shreds.

Arguments for mandatory imposition

Given the government’s penchant for ordinances (for example, the Kerala government issued an order to circumvent the high court’s judgment on salaries), it is unlikely that the requirement of legislation will present an effective check on executive abuse. However, that makes it necessary to emphasize that serious substantive constitutional issues exist with the compulsory use of the Aarogya Setu app.

As is well established, the principle of proportionality for deciding whether or not a violation of the right to privacy is justified has four prongs: validity (requirement of a statute with a valid purpose), Suitability (the government’s intervention must be sufficient to resolve the issue, i.e. a reasonable relationship must exist between means and ends), necessity (i.e., it must be the least restrictive alternative) and proportionality stricto sensu (a balance must be struck between the degree to which rights are infringed and the legitimate intent of the State).

By now, there is comprehensive literature on the topic of the very usefulness of contact-tracing apps to counter a pandemic like COVID-19. As this Brookings Paper on the inaccuracy of these applications shows, Contact tracing is successful where there is large-scale testing capability and less spread (the first condition definitely does not occur in India today); there is a high risk of false positives and false negatives, something that gets worse as population size grows (recent instances in India attest to this); the absence of full smartphone penetration may defeat the aim. Information and technology minister Ravishankar Prasad has taken to twitter, saying the app has been praised globally.

“Aarogya Setu is a strong companion who protects people. It has a robust data protection architecture.” While the government says the Bluetooth-based app’s aim is to secure and prevent the spread of COVID-19, a Bengali advocate and IFF signatory, Vinay K Sreenivasa points out that the self-assessment function defeats the objective and is ‘counter-productive’ “The program relies on users to correct symptoms when a carrier is asymptomatic. From the point of view of public safety, it’s catastrophic,” he says. He adds that people could let down their guard in public places with the false sense of security that the app will offer, which is risky. Data research points out that ‘consent process,’ a key aspect of data protection, has been thrown out of the window.

Therefore, whether the second limb of the proportionality test – suitability / rationality – is met is an open issue. When we come to the need prong the problem becomes more serious. The data collection activities of the Aarogya Setu app have already been thoroughly addressed and how they fall short of constitutional requirements. Now, it is not my intention here to participate in a thorough technical debate on whether or not the Aarogya Setu application complies with the third limb of the principle of proportionality. There is, however, a wider legal argument to remember. This is the burden issue: According to Indian constitutional jurisprudence, most recently in the Aadhaar judgment – it is well established that once a prima facie breach of privacy has been demonstrated, the burden of justification will be imposed. (Under the standard of proportionality) shifts towards the state. In other words, it is for the state to demonstrate that the suitability and necessity prong of the standard of proportionality are satisfied.

Critical analysis

 A significant corollary of this is that the state cannot require the use of a privacy violating device as far as the suitability prong goes unless it is first demonstrably proven that a mean-end relationship does actually exist. So if there is a non-trivial likelihood – as the Brookings analysis shows – that the app in question cannot achieve the very (legitimate) purpose for which it is intended, it cannot be made mandatory.

Secondly, as far as the necessity prong is concerned, it creates a constitutional obligation on the state to be transparent about the basis for choosing this app, so designed. Were we considering less intrusive alternatives? If so, have they been found to be unsuitable for the objective? If not, why have they been turned away? And if not, why not have a compulsory sunset clause here?

Again, this is not a revolutionary legal proposition: in the Aadhaar judgment, the compulsory linking of bank accounts with Aadhaar was struck precisely on the grounds that less restrictive alternatives existed, and that the government had failed to give any justification for not considering them.

It is safe to claim that if the government is not even able to prove that it has opted for a more invasive data collection device over a less invasive option (that exists), then it is in no way a legally acceptable decision.

Conclusion

 The government directive mandating Arogya Setu to all public and private employees suffers from serious legal flaws. The first limb of the proportionality test fails in the absence of a specific anchoring legislation. And for more practical purposes, the government bears the responsibility of demonstrating that the design of the device meets both the suitability and the requirement prongs of the check – a responsibility that remains uncharged up to now (indeed, it goes by Lightened ministerial comments on how the software will continue to be in operation for two years, the government seems to have very little appetite to even seek to discharge the burden).

Within three days of its launch, Arogya Setu crossed 5 million downloads making it one of India’s most successful government apps. It became the world’s fastest-growing smartphone app beating Pokémon Go, with more than 50 million installs, 13 days after its launch in India on 2 April 2020. In an order released on 29 April 2020, the central government made it compulsory for all employees to download and use the app, they had to check their status on Aarogya Setu and only turn to Aarogya when the device is secure or low-risk.

Author: Heena Kakkar from Faculty of Law, SGT University.

Editor: Akshat Mehta from Institute of Law, Nirma University.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s