Human Rights Here blog NNHRR Logo    Asser Logo

Contact tracing application vis à vis digital rights in a COVID-19 India


Source: iXimus - Pixabay

Ritwik Prakash Srivastava

National Law Institute University, Bhopal, India

In the wake of COVID-19, the Indian government launched and mandated the use of a contact-tracing application, Aarogya Setu (smart phone application). The Indian Prime Minister, Narendra Modi, in his address to the nation on 14 April 2020, urged the citizens to download the application to supplement the State’s struggle against the contagion. What started as a voluntary step, was first made mandatory for employees of the public and even the private sector, and then for entire districts. Failure to do so gives rise to a criminal penalty.

This brings to the forefront the conflict between public health and the right to privacy of individuals. While contact-tracing has been effective, it is also pertinent that such a mechanism is developed within the frameworks of existing laws, and with a due regard for human and constitutional rights. Interestingly enough, the Supreme Court of India, in its landmark judgment of K.S. Puttaswamy v. Union of India in 2017, declared the right to privacy a fundamental right in India. It stated that “if the State preserves the anonymity of the individual it could legitimately assert a valid state interest in the preservation of public health (…)”.

Aarogya Setu and India’s Domestic Law

Justice Kishan Kaul, one of the judges of the bench adjudging the above-mentioned case, in his opinion at paragraph 62, recognised every individual’s right to decide for themselves the extent of information about them that could be shared with others. However, every fundamental right in India comes with its reasonable restrictions. As per paragraph 180 of the section of the judgement authored by the then Chief Justice of India, Justice Khehar, Justice R.K. Agrawal and Justice Dr D.Y. Chandrachud, before such restrictions on the right to privacy can be placed, five criteria needs to be met: (1) The State must show the existence of valid legislation which permits the restriction; (2) the restriction must be in pursuit of a legitimate aim; (3) have a rational nexus with such aim (4) be the least restrictive method to achieve such aim, and (5) be proportionate to the aim.

The Aarogya Setu application fails on the first prong itself. Not even the Epidemic Diseases Act, 1897, currently enforced in India, grants such permissions. In the absence of any legislative framework to restrict its ambit, there is no guarantee that the sensitive data about individuals’ health and movement will not be stored and used for profiling and other purposes once the pandemic subsides. These shortcomings may have been eliminated if India had a dedicated privacy framework, as provided for in the judgement. Yet even after substantial discussions on the impending need of such a law, the framework is yet to be enacted, and exists merely as a bill. As far as international standards and European regulations on contact-tracing are concerned, the application fails on various counts.

Aarogya Setu and International Law

India ratified the International Covenant on Civil and Political Rights (“ICCPR”) on 10 April 1979. The ICCPR under its Article 17 grants the citizens of member States a right to protection against unlawful and arbitrary interferences with their privacy. Read in tandem with Article 17, Article 2(1) of the ICCPR imposes a positive obligation on the member States to protect the right to privacy of its citizens (see General Comment No. 31 at paragraph 8). To do so, it requires member States to enact an enabling legislation to protect privacy, not just in State-citizen relationships, but in citizens’ relationships inter se (see General Comment No. 31 at paragraph 7). This principle is called Drittwirkung principle, and has been adopted by the European Court of Human Rights in its jurisprudence here and here involving privacy and anonymity. 

It needs to be pointed out that the right to privacy provided under Article 17 of the ICCPR is subject to certain reasonable restrictions. Such restrictions cannot be unlawful or arbitrary. To that extent, for an interference to be in accordance with the ICCPR, it has to fulfil a conjunctive three-part test of i) legality, or being in accordance with law; ii) necessity, or the restriction being proportional and there being a pressing social need for such a restriction; and iii) legitimacy, or it being in pursuit of a legitimate state aim (see General Comment No. 16 at paragraphs 3 and 4). Keeping in mind the peculiar situation COVID19 has presented us with, the United Nations Human Rights Council (“UNHRC”) has released a set of Guidelines for Emergency Measures (“Emergency Guidelines”) to be taken by member States. In addition to the above requirements, the Emergency Guidelines also require that such restrictions must not be discriminatory. They also place a burden on the State to justify any such restriction on the enjoyment of the right.

An argument can be made that the application was in pursuit of a legitimate aim, that of curbing the spread of COVID19. Accordingly, one can also argue that there existed a pressing social need. However, the restriction placed on the right to privacy by the compulsory use of Aarogya Setu fails on every other count. As mentioned earlier, there is no enabling and legislative framework governing Aarogya Setu. It is a result of a mere notification by the India Government. Hence, it objectively fails the test of legality. While the questions of proportionality and the requirement of non-discrimination may be outside the scope of this piece, it must be noted that the test provided above is conjunctive. What it means, is that all three requirements of legality, necessity and legitimacy must be met before a restriction can be said to be in accordance with ICCPR. As such, the implications of Aarogya Setu do not hold when tested against the touchstone of these provisions.

Moving on to a specialised soft law in the field, the European Data Protection Board (“EDPB”) in its “Guidelines on the use of location data and contact tracing tools” (“Guidelines”) attempts to codify the functionality of contact-tracing. The foremost caveat the guidelines provide against contact-tracing is that they are a grave intrusion into the privacy of an individual. The guidelines make it very clear that the use of the application must be voluntary. However, the orders of the Indian government of mandatory installation of the app go directly against such a provision. There is an inherent lack of transparency on how the accumulated data is to be processed, or for how long it would remain in the possession of the government. The government has not shared any policies with respect to data retention and grievance redressal against the collected data.

Another basic technical requirement for any application which seeks to collect and process personal data is that of security. The guidelines mandate “state-of-the-art” cryptographic techniques to secure the data collected. However, there are already serious questions being raised at its sophistication when an ethical hacker took to Twitter to reveal the flaws with the application’s security.


Since the Supreme Court’s reasoning in the Puttaswamy judgement, the Indian government has had collisions with the concept of privacy multiple times. First with the nation-wide citizen identification scheme AADHAR, then with the inordinate delay in the delivery of the personal data protection law. While the current circumstances around the pandemic are nowhere near normal, the concerns arising out of unwarranted surveillance cannot be set aside.

The threat that the pandemic poses to digital rights was specifically addressed in a joint-statement issued by United Nations, the Inter-American Commission for Human Rights, and the Representative on Freedom of the Media of the Organization for Security and Co-operation in Europe. The joint-statement provided that the use of any technology for surveillance should  conform to the strictest standards of protections provided by the domestic law and the principles of international human rights.

New privacy concerns arise every day out of ever-developing technology, be it in terms of facial recognition, mass surveillance, or tracking online activities of citizens. Given the current digital ecosystem which has become an intricate part of the personal life of the common citizen, it becomes that much more important that any derogation from or limitation to digital rights remains lawful, and is appropriately scrutinised by the states and their respective courts.


Ritwik Prakash Srivastava is a third-year B.A.LL.B. (Hons.) student at National Law Institute University, Bhopal. 

Add comment