AROGYA SETU APP

 Mandating the app’s use would require a legal statute that satisfies the ‘triple test’. since
there is no law backing Aarogya Setu, making it mandatory would be illegal.

 Anyone’s personal data cannot be taken away without his/her consent unless it is mandated
under a statute that satisfies the triple test laid down in the Supreme Court judgment in the
Puttaswamy Aadhaar case.

 According to the triple test, privacy can be invaded to a ‘permissible limit’ if: a) it’s a welfare
measure backed by law, b) there is a ‘legitimate state interest’, and c) the measure passes
the ‘test of proportionality’.

 Time-Limited: All measures related to the public emergency response to COVID-19 should
be temporary in nature and limited in scope and should not become permanent features of
governance. The personal data collected for the purpose of public health should only be
retained during the response to the pandemic and deleted automatically without
maintaining any copies, once the pandemic has been declared to be over.

 Necessity and Proportionality: Any collection, processing of personal data, including health
data, shall be necessary and proportionate for the purpose of combating the pandemic and
public health. In some states the list of persons who are under quarantine have been made
public in the guise of public monitoring. This is excessive and a disproportionate invasion
into the privacy of the individuals under quarantine.

 Transparency and Accountability: Processing of personal data must be conducted

transparently, and appropriate notices must be provided about use, collection and purpose
in an easy to read, plain language format. Individuals must be informed as to the volume,
extent, and purpose of the personal data belonging to them being collected, processed,
stored or transferred to any person.

 Use Restrictions: No use of the data unconnected to public health should be allowed. Use of
such data for advertisement and commercial purposes unrelated to public health should be
completely prohibited. No discrimination shall be meted out to individuals in the collection
and processing of personal data during this pandemic and such personal data shall not be
used to discriminate any individual in the future.

 Security:Security protections for data processing during the Covid-19 pandemic should not
be compromised and the data must be maintained securely and must be exchanged only
through secure platforms and hardware. Any apps related to COVID-19 promoted by the
Government should be secure and their data collection should be in tune with the principles
mentioned herein.

 No Surveillance without Due Process:Any surveillance required to respond to the pandemic

should be temporary and only to the extent and degree allowed by provisions of the Indian
Telegraph Act, 1885 and the Information Technology Act, 2000 and the rules notified under
these statutes. Any surveillance pursuant to the aforementioned statutes and other relevant
 laws such as the Epidemic Diseases Act, 1987, and the Code of Criminal Procedure, 1973
used for the monitoring of individuals during this pandemic are subject to judicial review.

 The Proportionality Principle and PDPB 2019

Due to the lack of a comprehensive data protection legal framework in India, the only
authoritative standards are the principles propounded in the Puttaswamy judgement.
Nonetheless, this paper relies on the PDPB 2019 to analyse the application through the
proposed legal provisions.

In Puttaswamy, the Supreme Court recognized data protection as an essential part of

information privacy. It stated that any infringement of such privacy must satisfy three
requirements, namely – the existence of a valid law, a legitimate state interest in pursuing
that course of action and that the infringement of privacy must be proportionate to the
objective sought. Any means of achieving state interest would be considered proportional if
it was the least-restrictive means to achieve that goal and did not have a disproportionate
impact on the right holder.

The PDPB 2019 comprehensively lays down the rights and duties of the Data Principals, Data
Fiduciaries, and Data Processors. It holds the Data Fiduciary accountable for compliance with
the Bill, which contains detailed provisions for consent of the Data Principal for data
processing, data retention, purpose of collection of data, and transparency in the processing
of data. Thus, the Aarogya Setu application can be considered a proportionate infringement
of the right to privacy of individuals if it is sanctioned by law as a means of securing a
legitimate objective and follows the principles of data protection.