Contact Tracing and Digital Rights in COVID-19 India

by Ritwik Srivastava

In the wake of COVID-19, the Indian government came up with a contact-tracing application Aarogya Setu (application). The Prime Minister of India, Narendra Modi, in his address to the nation on 14 April 2020, urged citizens to download the application to supplement the State’s struggle against the contagion. What started as a voluntary step, was first made mandatory for employees, even of private sector, then for entire districts. Failure to do so gives rise to a criminal penalty.

This brings to the forefront the conflict between public health and the right to privacy of an individual. While the effectiveness of contact-tracing has been effective, it is also pertinent that such a mechanism is developed within the frameworks of existing laws and with a due regard for human and constitutional rights. Interestingly enough, the Supreme Court of India in its landmark judgement of K.S. Puttaswamy v. Union of India (the judgement) in 2017, made right to privacy a fundamental right in India. Even stating that “if the State preserves the anonymity of the individual it could legitimately assert a valid state interest in the preservation of public health…

The Court in its judgement recognised every individual’s right to decide for themselves the extent of information about them that could be shared with others. However, every fundamental right in India comes with its reasonable restrictions. Before such restrictions on the right to privacy can be placed, firstly the state must show the existence of a valid legislation which permits the restrictions. Secondly, the restrain must be in pursuit of a legitimate aim; thirdly, it should have a rational nexus with such aim; fourthly, it should be the least restrictive method to achieve such aim, and lastly it should be proportionate to the aim.

The Aarogya Setu application fails on the first prong itself. Not even the Epidemic Diseases Act, 1897, currently enforced in India, grants such permissions. In the absence of any legislative framework to restrict its ambit, there is no guarantee that the sensitive data about individuals’ health and movement, will not be stored and used for profiling and other purposes once the pandemic subsides.

These shortcomings may have been eliminated if India had a dedicated privacy framework, as provided for in the judgement. Even after substantial discussions and impending need of such a law, the framework is yet to be enacted, and exists merely as a bill. As far as international standards and European regulations on contact-tracing are concerned, the application fails on various counts.

The European Data Protection Board (EDPB) in its “Guidelines on the use of location data and contact tracing tools” (guidelines). The foremost caveat the guidelines provide against contact-tracing is that are a grave intrusion into the privacy of an individual. The guidelines make it very clear that use of application must be voluntary. However, the orders of Indian government of mandatory download go directly against such a provision. There is an inherent lack of transparency on how the accumulated data is to be processed, or for how long it would remain in the possession of the government. The government has not shared any policies with respect to data retention and grievance redressal against the collected data.

A basic technical requirement any application which seeks to collect and process data is that of security. The guidelines mandate “state-of-the-art” cryptographic techniques to secure the data collected. However, there are already serious questions being raised at its sophistication when an ethical hacker took to Twitter to reveal the flaws with the application’s security.

Since the Supreme Court’s reasoning in the Puttaswamy judgement, the Indian government has had collisions with the concept of privacy multiple times. First with the AADHAR policy, then with the inordinate delay in the delivery of the personal data protection law. While the current scenario is nowhere normal, however, given the existing digital ecosystem, with new privacy concerns are arising every day, be it in terms of facial recognition, tracking online activities of citizens, and concerns arising out of ever-developing technology. It therefore becomes important that any derogation from such rights is appropriately addressed by the states and their respective courts.


Ritwik Prakash Srivastava, 3rd year Law LLB Undergraduate at National Law Institute University, Bhopal, India.