by Vrinda Bhandari and Faiza Rahman.
The Aarogya Setu app
Aarogya Setu is a contact tracing app that was launched by the government on April 2, 2020, as a tool to combat the COVID-19 crisis. Although initially meant to be voluntary, some government organisations, state governments, and eventually the Ministry of Home Affairs ("MHA") began mandating the installation and use of the Aarogya Setu app for their employees soon after. In a welcome move, on May 17, 2020, when the MHA issued fresh lockdown guidelines, it changed the directive for downloading the app from mandatory to a "best effort basis". However, there is still some uncertainty about the meaning of these guidelines, since the Indian Railways, and the Delhi Metro continue to require residents to download the app in order to use their services. Recent reports also indicate that the installation of Aarogya Setu will be compulsory for all air passengers above the age of 14 years. Therefore only time will tell as to whether downloading the app will de facto become mandatory. The Aarogya Setu app provides a good practical framing, to think deeply about coercion in a liberal democracy during a crisis.
There are four interesting aspects about the Aarogya Setu app.
- The use of state coercion. The level of coercion in play has been significantly diluted by the latest MHA guidelines where the softer words "best effort" are used. However in the case of air and rail travel, there is uncertainty about whether passengers will be prohibited from travelling, if they have not downloaded the app.
- The problem of privacy and security. The issues have been discussed extensively in the Indian discourse [privacy, security].
- The lack of legislative foundations. A clear and specific legal basis for deploying and using the app - an anchoring legislation, with proper safeguards - would have helped allay some of the privacy and security concerns, and would have provided a proper avenue for grievance redress.
- Practical governance considerations. Governance related issues with the design and roll out of the app have come to the fore, especially the problems of lack of post-facto consultation, transparency, and accountability.
The first two problems (state coercion, privacy and security) have been extensively analysed by researchers in recent months. In this article, we focus on the latter two issues, aiming to obtain clarity on the issues and offer constructive policy proposals for the way ahead.
Underpinning all four issues, however, is the foundational problem of executive discretion in a crisis. While it is true that the executive arm of the government has a greater ability to take emergency measures during a pandemic, it does not mean that the role of judicial review is or should be reduced to nought. We start by exploring these foundations.
Principles of evaluating executive action during a crisis
We are in the middle of a COVID-19 pandemic, which is one of the worst global health crises in a century. More than 60 countries have responded by invoking some form of emergency powers to deal with the crisis. These emergency responses have resulted in hitherto unacceptable restrictions on freedoms and civil liberties and a curtailment of the right to privacy. In India, we have witnessed among other things, the deployment of drones to monitor people's movements, the publication of the names of individuals on quarantine lists, and the roll out of a centralised contact tracing app. When government actions have been challenged in court, the courts have generally taken the view that "extraordinary situations call for extraordinary measures". This reflects the general belief that the executive should be given more leeway during a crisis.
As plausible as that argument sounds, it is not entirely correct. As Wiley and Vladeck (2020) explain, COVID-19 reinforces the case for "regular" judicial review, and not a suspension of civil liberties in times of crisis. This is for three reasons. First, emergency powers are supposed to be exercised for a crisis that is finite and limited in duration (such as the Tsunami that led to the enactment of the Disaster Management Act, 2005 in India). By its very nature, the COVID-19 crisis, with fears of a second wave, does not lend itself to a near end-point, at least not till a vaccine is developed. A prolonged use of emergency powers risks normalising the centralisation of power and potentially damages the fabric of our democracy in the long run.
Second, there is an assumption (or fear) that if courts were to perform their role of judicially reviewing government action, they would easily strike down executive orders, thus impeding the government's fight against COVID. In a sound liberal democracy, this is not the case. The doctrine of proportionality requires the government to demonstrate, rather than simply cite, its compliance with the four prongs of (a) legality: existence of a law; (b) suitability: rational connection between the government measure and the aim to prevent the spread of COVID; (c) necessity: was there a less restrictive measure the government could have employed; and (d) balancing the public interest with the loss of liberty. In times of a public health crisis, a government may well be able to satisfy these tests for the unusual actions that it takes. But in a well functioning liberal democracy, it does need to provide adequate evidence and justification for its actions. Proportionality, and judicial review, thus only ensure that we do not cut a blank cheque to the government.
The judiciary is the only branch of the Indian state that has the structural power and institutional credibility to protect the Constitution, especially in times of crisis. A robust judicial response can lead to better governmental action and protection of democracy in the long run. For example, after the Kerala High Court stayed a government order on the deferral of salary payment, the Kerala State government brought an ordinance -- thus achieving the same result, but through a better process.
Absence of a clear and specific law
Our analysis of the Puttaswamy (2017) verdict describes how any valid restriction on the fundamental right to privacy has to satisfy the four-pronged test of legality, legitimate aim, proportionality and procedural safeguards. The first prong of legality demands that any restriction on the right to privacy must be prescribed by a publicly available law. The principle of legality, however, does not mean the mere existence of a law. Especially, in the context of communications surveillance, the principle demands that this law ought to meet a standard of clarity and specificity that is sufficient to guarantee that individuals have advance notice of and can foresee the manner in which it will be implemented.
While the issue of mandatory download of the app is behind us, many statutory agencies and private organisations continue to coerce their users or employees to install the app. Hence, the need for a law remains. The collection of personal data of an individual, without their informed consent, undermines the principles of privacy, autonomy, and informational self determination, that have been emphasised in Puttaswamy. The various privacy and security concerns associated with the Aarogya Setu app, have been well documented, including by former intelligence officials. Consequently, any direction to mandatorily install the Aarogya Setu app in order to access any service, when it is known that the app continuously collects personal information such as location data through GPS and bluetooth, has to be traced to a valid law, if it is to satisfy the proportionality test.
Drawing a parallel with the Aadhaar experience is useful. Although initially set up on the basis of an executive notification passed by the Planning Commission, the UIDAI was eventually given a statutory basis through the passage of the Aadhaar Act in 2016. The enactment of the Aadhaar Act represents an implied, if belated, admission on the part of the government that citizens' privacy cannot be violated without an enabling legislative framework. At the same time, there is a precedent, in the Aadhaar story, of making Aadhaar de facto mandatory, even though the Aadhaar Act was clear that it was voluntary.
At present, the only possible legal basis for the Aarogya Setu app could come from the issuance of MHA Guidelines under the Disaster Management Act, 2005 or the issuance of an order under Section 144, Cr.P.C. (as in Noida). However, both these provisions are inadequate and unsatisfactory as legal foundations for the app. Let us analyse each of these.
Is the Disaster Management Act an adequate legal foundation for the app?
The MHA Guidelines draw their authority from Section 10 (2) (l) of the Disaster Management Act, 2005. However, this provision cannot satisfy the legality requirement since it is a broad, omnibus provision that simply gives the power to the government to "lay down guidelines for, or give directions to, the concerned Ministries or Departments of the Government of India, the State Governments and the State Authorities regarding measures to be taken by them in response to any threatening disaster situation or disaster." As the sentence shows, the law gives the power to coerce arms of the government, and not private actors.
The restriction of fundamental rights must be grounded in a specific legal provision that specifies the conditions under which the right can be infringed and sets out the procedural and substantive safeguards to protect privacy. As Justice Srikrishna has observed, the National Executive Committee set up under Disaster Management Act, that issued the May 1, 2020 Guidelines directing the installation of Aarogya Setu, is not a statutory body. In the present case, there is no evidence of any specific parliamentary approval having been sought for directing the mandatory installation of the Aarogya Setu app by all smartphone holders (apart from the fact that there is a lot of ambiguity around how these mandates will apply to the majority of Indians who do not own a smartphone).
The issue regarding the lack of legislative basis arose in another context before the Kerala High Court last month. In light of the COVID-19 pandemic, the Kerala Government had issued an executive order deducting the salaries of government employees. When the order was challenged on the ground of legality, the State Government tried to rely on the Disaster Management Act, 2005 as well as the Kerala Ordinance amending the Epidemic Disease Act, 1897 as providing adequate legislative basis for the government order. However, the High Court rejected the government's contention on the ground that, "the provisions that were read out, specifically Sections 38 and 39 of the Disaster Management Act 2005, do not specify or confer any power upon any Government to defer the salary due to its employees during any kind of disaster. Prima facie, I feel that law is found wanting to justify the issuance of [the order]." The government eventually passed an ordinance to achieve its intended aim.
There is also the issue of excessive delegation. Section 10 (2) (l) of the Disaster Management Act does not delegate the power to the National Executive Council to create a data collecting app, nor does it provide any guidance on the exercise of powers. For instance, in United Kingdom v. Malone, the European Court of Human Rights ("ECHR") held that the secret and opaque nature of communications surveillance meant that "it would be contrary to the rule of law for the legal discretion granted to the executive to be expressed in terms of an unfettered power". Consequently, the ECHR held that in order to satisfy the principle of legality, the law must indicate the scope of any such discretion conferred on the competent authorities and the manner of its exercise with sufficient clarity, having regard to the legitimate aim of the measure in question, to give the individual adequate protection against arbitrary interference.
On May 11, 2020, the government released the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020 ("Protocol") for the "effective implementation" of the MHA Guidelines. This Protocol lays down certain principles regarding the collection, processing, and sharing of personal data. However, the Protocol does not have the status of law, nor can it derive any statutory backing from the Disaster Management Act, 2005. More importantly, it does not seek to confer any legal status to the app itself. There is no mechanism to verify that the app actually works as stated, and nothing prevents a change in the working of the app under conditions of non-transparency. Hence, the release of the Protocol cannot be seen as providing legal foundations for the use and deployment of the Aarogya Setu app.
Is Section 144, Cr.P.C., an adequate foundation for the app?
As an example, the Gautam Budh Nagar (Noida) administration in Uttar Pradesh had earlier passed an order under Section 144 of the Code of Criminal Procedure ("Cr.P.C."), mandating the installation of the Aarogya Setu app for residents of the entire district, under the threat of criminal sanction. In another welcome move, the orders under Section 144, Cr.P.C eventually lapsed.
It is an interesting intellectual puzzle to analyse the ability of the executive to coerce private persons through this route. Section 144 of the Cr.P.C authorises the Magistrate to issue an order in urgent cases of nuisance or apprehended danger directing "any person to abstain from a certain act" or to take certain order with respect to certain property in his possession or under his management. The Calcutta High Court, in a series of decisions in the early 1930s, interpreted this provision to mean that a Magistrate is only entitled to make a restrictive order preventing the opposite party from doing an act. It does not enable him to make a mandatory positive order directing an individual to do a particular act. For instance, in Kusum Kumari Debi (1933), an order by the Magistrate directing the Petitioner to fill up an excavation at her own cost was held to be beyond the remit of Section 144, Cr.P.C, and the subsequent proceedings initiated under Section 188, I.P.C were quashed. Similarly, in B.N. Sasmal (1930), the Magistrate's direction under Section 144, Cr.P.C directing Sasmal to leave the Midnapur District for two months was quashed since it "was in effect not a direction to abstain from doing anything, but a direction upon a person to remove himself from the district." These judgments have subsequently been cited with approval by various High Courts (Ramanlal Patel (1971), Muzaffarpur Electric (1973)). Thus, any order passed by a Magistrate under Section 144, insofar as it directs individuals to download the Aarogya Setu app, falls foul of the law.
The importance of a law and the process of legislation
In a constitutional democracy, the authority to coerce private individuals can only flow from a law that has been vetted and approved by democratically elected representatives of the people. While the executive is often charged with filling out the details missing in parliamentary legislations through rules and regulations, the democratic deficit of these instruments is undeniable i.e., these instruments are drafted and approved by members of the executive, bureaucrats or regulators, and not directly by representatives of the people. In contrast, legislations are often preceded by important deliberations, where elected representatives discuss competing policy choices to decide the best course of action, and negotiate middle roads based on the interests of different social groups.
A contact tracing law would regulate (a) the collection, storage, and use of personal data collected by the app; (b) serve as a check on governmental power; (c) enshrine critical privacy protections; (d) create mechanisms for independent oversight of the functioning of the app; and (e) provide a legislative basis for grievance redressal avenues. These elements are particularly important in India given the absence of a general data protection law. For instance, the Protocol states that any violation "may" lead to prosecution under the Disaster Management Act. However, it does not specify the conditions under which prosecution can take place; nor does it actually set up a complaint mechanism to provide an appropriate forum for grievance redressal (leaving aside the vexed question of how the Disaster Management Act will be used to prosecute privacy violations). Even the privacy policy only designates the Deputy Director General at the National Informatics Centre (NIC) as a grievance officer, without providing any further details or powers. Currently, the privacy protections guaranteed to citizens are based exclusively on the privacy policy, the terms of service of the app, and the new "Protocol", which add up to inadequate protections, which can be unilaterally changed by the executive, and lack mechanisms to ensure compliance by the state. This is incompatible with the protection of fundamental rights and the rule of law.
The need for a specific enabling legislative framework for contact tracing has also been reiterated in other countries. In Israel, the Supreme Court recently held that the Israeli Security Agency, the Shin Bet, required a law to continue using emergency powers (granted by the Cabinet) that allowed it to deploy phone location tracking and electronic contact tracing. In reaching its decision, the Court recognised that the State was monitoring individuals, without their consent, without any legislative framework in place.
Similarly, in the UK, the Parliamentary Joint Committee on Human Rights (2020) released a report stating that a contact tracing app should not be rolled out nationally "unless the Government is prepared to enshrine [intended privacy] protections in law", in the form of primary legislation. Legislative backing was deemed essential for the contact tracing app so as to provide the requisite "legal clarity and certainty" regarding the collection, storage, and use of personal data; whilst simultaneously increasing confidence and trust in the app; and an increase in uptake, which could improve the efficacy of the app. Notably, this demand to legislate specifically for contact tracing comes despite the U.K having a comprehensive data protection legislation.
One way forward: An ordinance
Given that the Parliament is not currently in session, the ongoing national lockdown and the urgency of the COVID-19 crisis, the Central Government should have used the ordinance making power under the Constitution, which is precisely provided for such occasions, to set out a legislative framework for the operationalisation of Aarogya Setu app in India. This would have ensured that the ordinance either received the scrutiny and approval of the Parliament when it reconvened, or ensured that the ordinance lapsed if it was not approved by the Parliament. Various states like Uttar Pradesh and Kerala have been taking the ordinance route to address legislative lacunae during the COVID-19 crisis.
Addressing the procedural irregularities and governance related issues
Apart from the legal issues highlighted above, the operationalisation process exhibits a number of procedural irregularities and governance related issues. These can be addressed through the following steps:
- Need for public consultation: The conceptualisation, design, and implementation of the Aarogya Setu app was not preceded by public consultation. Given the urgent nature of the COVID-19 crisis, it is understandable that the Central Government was not in a position to hold detailed public consultations before designing and rolling out the app. However, the government should still initiate a formal post facto consultation process to seek comments from civil society, technical experts and other stakeholders regarding, inter alia, the technical and legal framework, and deployment issues with the app. Given low state capacity in India, such consultation processes are particularly valuable in identifying errors and offering solutions.
- Enhancing transparency regarding design and deployment choices: So far the Aarogya Setu app has been accompanied only by (a) terms of service (b) privacy policy and (c) the Aarogya Setu Protocol. There is a foundational problem, located in health policy: What is the overall plan for contact tracing, and what is the role that the app will play in this? Can the complex problem, of public administration and state capacity for contact tracing in an epidemic, be short-circuited by using an app? How do we know that there are commensurate benefits, for contact tracing, in return for intruding into the lives of private persons? It is not obvious that the app will help improve public health, and the case needs to be made for it, where an intelligent balance is struck between cost and benefit. There is a 'technology theatre' streak in Indian public policy, where solving complex problems is avoided by building and exhibiting a piece of software.
For instance, it is unclear why the makers of Aarogya Setu chose to collect location data through both GPS and bluetooth when similar apps, built by some of the best technologists in the world, are choosing to use only Bluetooth signals from phones to detect encounters and do not use or store GPS location data. An explanatory memorandum detailing the reasoning behind the various design choices could go a long way in increasing trust in the app and consequently enhancing its uptake.
A similar trust building measure, that will show the extent to which the actual operations of the app are aligned with the claims made in documents, will be the release of source code. In fact, even with the latest revision to its privacy policy, the source code has not been released. As an example, contact tracing apps being designed by the U.K and Singapore have made their source code public, thereby enabling greater scrutiny from the technical community, and building confidence that the high level documents are being adhered to in the implementation.
Confidence would be enhanced if small pilots were rolled out prior to large scale deployment, with extensive involvement of researchers in public health, computer engineering, and civil liberty. As an example the NHS contact tracing app being proposed in the U.K is first being trialled in Isle of Wight on a purely voluntary basis. This has helped identify significant glitches with the app.
- Setting in place an open and transparent audit mechanism: Confidence will be enhanced by releasing periodic audit reports detailing key insights obtained from analysis of the data collected by the app. For instance, it will be useful for the public and technologists to know details such as the total number of COVID-19 positive cases detected with the help of the app, the number of false positives or false negatives thrown up by the app, the number and nature of user complaints received etc. Publicly available periodic audit reports of this nature will increase confidence in the operation of the app, ensure transparency in its governance, and help evaluate success or failure of the app.
Conclusion
Courts of law are more deferential to the executive in emergencies. However, it is also widely known that "temporary" leeways granted to the executive during emergencies have a tendency to transform into permanent fixtures that last long beyond the actual duration of the crises (Harari, 2020). This is because governments often use crises as an opportunity to expand and further centralise their powers. Interestingly, while the Aarogya Setu protocol has a sunset date, which is subject to extensions, there is no clarity on how long the app itself will remain operational. The Union Minister for Information and Broadcasting has also indicated that the app may continue to function for one or two years. Dangerous precedents occur in dangerous times.
On May 5, 2020, a writ petition was filed before the Kerala High Court challenging the MHA directive mandating the use of Aarogya Setu by public and private employees on the grounds that it was violative of the right to privacy and personal autonomy. In response, while the Kerala High Court declined to grant any interim relief on the plea, it directed the Central Government to file a statement on the measures taken to protect the privacy of persons whose data is collected by the app. While the new MHA guidelines have since moved away from making the app mandatory, news reports suggest that the access to important services is increasingly being made contingent on the mandatory installation of the app by users.
When faced with a war, a terrorist attack, or a pandemic, there is an instinctive response in India to be deferential to the executive. However, the founders of the Republic did not intend for colonial rule to be replaced by the rule of officials. The Constitution of India does not see liberal democracy as a luxury to be enjoyed in good times. Apart from freedom being valuable in and of itself, there is also a strong pragmatic value in emphasising checks and balances. Under conditions of low state capacity, unchecked power leads to more mistakes. The quality of work in public policy goes up through the operations of checks and balances, and this is even more valuable in difficult times.
References
Paul Daly, The Covid-19 Pandemic and Proportionality: A Framework, Administrative Law Matters (2020).
Sidharth Deb, Privacy prescriptions for technology interventions on Covid-19 in India, IFF Working Paper No. 3/2020 (2020).
Tom Ginsburg and Mila Versteeg, State of Emergencies, Part II, Harvard Law Review Blog (2020).
Oren Gross, Emergency Powers in the Time of Coronavirus ... and Beyond, Just Security (2020).
Yuval Noah Harari, The World After Coronavirus, Financial Times (2020).
Joint Committee on Human Rights, Human Rights and the Government's Response to Covid-19: Digital Contact Tracing United Kingdom Parliament (2020).
SFLC.in, Our concerns with the Aarogya Setu App (2020).
Joelle Grogan, COVID-19 and States of Emergency: Introduction and List of Countries Verfassungsblog (2020).
Lindsay Wiley and Steve Vladeck, COVID-19 Reinforces the Argument for "Regular" Judicial Review-Not Suspension of Civil Liberties-In Times of Crisis, Harvard Law Review Blog (2020).
Emperor v. B.N. Sasmal (B.N. Sasmal), ILR (1930) 58 Cal 1037.
Kusum Kumari Debi v. Hem Nalini Debi (Kusum Kumari Debi), AIR 1933 Cal 724.
Muzaffarpur Electric Supply Co. v. State of Bihar (Muzaffarpur Electric), 1973 Crl. L.J. 143 (Patna).
Justice K.S. Puttaswamy v. Union of India (Puttaswamy), 2017 (10) SCC 1.
Ramanlal Bhogilal Patel v. N.H. Sethna (Ramanlal Patel), 1971 Crl. L.J. 435 (Guj).
Malone v. The United Kingdom (Malone), [1984] ECHR 10.
The International Principles on the Application of Human Rights to Communications Surveillance ("the Necessary & Proportionate Principles") (2013).
 
Vrinda Bhandari is a practicing advocate in Delhi. She is involved in the legal challenge to the app before the Kerala High Court. Faiza Rahman is a researcher in the technology policy team at the National Institute of Public Finance & Policy. We thank Ajay Shah, Renuka Sane, and Smriti Parsheera for useful comments.