The fallacy of data privacy in 21st century India


The outbreak of the Coronavirus pandemic has sincerely challenged the golden triangle of the Constitution of India, viz, Article 14, Article 19, and Article 21 respectively at a varied number of events. The Covid-19 pandemic has been marked with the amusing spectacle of the persistent dichotomy between the State actions and the violation of fundamental rights of the citizens by and large. The principles of proportionality and reasonableness, which have been recognized by the Hon’ble Supreme Court of India as essential elements of valid State actions, have been blatantly ignored midst the outbreak of the Coronavirus pandemic. The administrative action should at all times bear a reasonable relationship to the general purposes for which the power has been conferred by the people. It is imperative to note that the government – at both the federal and the state levels – has insulated itself from legislative accountability, which is an essential feature of the checks and balances envisioned under our democracy.

The Government authorities have relied upon the Epidemic Diseases Act, 1897, and the National Disaster Management Act, 2005, to support the legitimacy of the actions being taken by them to ensure public health at large, however, the enormous question of law that outlines the issue herein, reflects that the Rule of law has been violated by improper implementation of the policy decision by the Government. The intended purpose and the stated purpose of the Government policies are fairly demarcated, even the execution is not based on a sound reason that has hence delivered results that perspicuously depicts the colorable exercise of power. Under article 14 of the Constitution of India, arbitrary and capricious acts of the State are annulled. The jurisdiction of Article 14 of the Constitution of India extends to the prevention of arbitrary and unreasonable actions of the State, which are “antithetical” to the rule of equality. It must be noted that the essence of court judgments in the lane of legislative accountability is limpid to the fact that with the development of the common law the exercise of discretion should be coupled with equity and shall be grounded in sound reason, even in the times of emergencies to ensure that the constitutional fabric remains unshaded.


The Right to Privacy is the right to be left alone. Amongst the series of events followed by the global pandemic that has been substantially challenging to uphold the fundamental rights of the citizens, the protection of the fundamental right to privacy in these times, is imperative for the purposes of constitutional sanctity. Data is the new oil and is an important game-changer to economic development in the 21st century. As judiciously quoted by William Edwards Deming, “In God we trust; all others must bring data”. Data is pivotal to capitalism, however, the user’s entitlement to privacy must not be disregarded in the due process. The Hon’ble Supreme Court has spelled out the individual’s Right to Privacy from Article 21 and Article 19(1) (d). This in consonance with Article 12 of the Universal Declaration of Human Rights, Article 17 of the International Covenant on Civil and Political Rights, 1966 as well as the European Convention on Human Rights. Although the Constitution of India did not specifically refer to the Right of Privacy in an express manner, it can still be traced from the right to ‘life’ in Article 21. As decided under the case, Naz Foundation v. Government of NCT of Delhi (2010), “A citizen has the right to safeguard the privacy of his own, his family, marriage, procreation, motherhood, childbearing, and education among many other matters”.

In the case of Maneka Gandhi v. Union of India (1978), the Hon’ble Supreme Court of India has held that the expression “personal liberty” under Article 21 of the Constitution of India is of the widest amplitude and it covers a variety of rights. It is imperative to note herein, as held by the Supreme Court, in the judgment KS Puttaswamy v. Union of India (2017), the term Privacy is a concomitant of the right of the individual to exercise control over his or her personality. It finds an origin in the notion that certain rights are natural to or inherent in a human being. Natural rights are inalienable because they are inseparable from the human personality. The human element in life is impossible to conceive without the existence of natural rights. This article presents an orchestrated sycophancy with the widespread criticism towards State inaction to protect the fundamental rights of its citizens.

The incongruity between the Contract Tracing Methodologies To Curb The Spread Of Covid-19 and the Right to Privacy:

According to the landmark decision of the Supreme Court of India in, KS Puttaswamy v. Union of India (2017), the court held that the right to privacy is a part of the right to life and personal liberty and is a fundamental right under the Constitution of India. The pandemic is a public health emergency and individual rights may be restricted in the interest of the greater good. However, the fact that the Indian government tends to view citizen’s data as a natural resource to be exploited and monetized could not be disregarded. The Economic Survey of India 2018-19 mentions that citizens’ data should be treated as a public good and a few sections thereto are ought to be adapted by offering admittance to privately owned businesses to ease the pressure on government finances. There are all sorts of indispensable formalities to be observed before offering admittance to privately owned businesses, a normal adjunct to it being the very notion that it is unequivocally important to assure that the ministries and government agencies do not use this data as a way to underwrite.

In the fitness of the practice to generate a neutrally balanced opinion, the author places a due recognition to the fact that the Supreme Court of India has also observed that the right to privacy is not absolute and allows room for reasonable restrictions to be so placed in the interest of public order, however, any restriction is required to be reasonable i.e. within the legal framework of the land. As held under, V.K. Javali v. State of Mysore (1966), the expression ‘In the interest of ‘gives a greater leeway to the legislature to curtail freedom of speech and expression, for a law penalizing activities having a tendency to cause, and not actually causing public disorder, maybe valid as being ‘in the interest of’ public order. The restrictions imposed must have a reasonable and rational relation with the public order, security of the state, etc. If the nexus between the restriction and the public order etc. is farfetched, then the restriction cannot be sustained as being in the ‘interest’ of public order, etc.

The rationale behind contact tracing measures taken through mobile applications such as the Aarogya Setu Application (App) and other applications being, public health preservation and protection of larger public interest midst the fight against the faceless i.e. Covid-19, legitimizes the State action regards the data collection, however, the trepidation pursuant to the legal usage of the data collected through these methods still persists. The term reasonableness has been used in a biased manner which is contradicting the Rule of Reason. Whereto the outbreak of coronavirus pandemic is concerned the authorities have presented poor administration. Hence the colorable exercise of the power of administration can’t be overlooked to protect the constitutional sanctity and upheld the democratic principles in the largest democracy of the world.

On 1 May 2020, the Ministry of Electronics and Information Technology (“MeitY”) made it mandatory for government and private sector employees to install Aarogya Setu on their phones and said it was the duty of the head of the organization restoring to the new normal, to “ensure 100% coverage of the app among its employees.” Installing the app had also become mandatory for travel through railways and flights, but the revised guidelines did relaxed these norms and let individual states decide the protocols. The Aarogya Setu app is similar to the contact tracing app developed by Google and Apple and relies on Bluetooth technology. However, unlike Apple and Google, it also collects GPS location data. Apart from the GPS location data, ‘Response data’ collected from people using the Aarogya Setu app has the following data points-

Demographic data, which includes the name, mobile number, age, gender, profession, and travel history of the person; Contact data i.e. data about another person that a given person has come in close proximity with, including the duration of the contact, the proximate distance between the individuals, and the geographical location at which the contact occurred;

Self-assessment data i.e. the responses provided by the person to the self-assessment test on the Aarogya Setu app, and Location data i.e. data about the geographical position of an individual in latitude and longitude.

On Monday, 11 May, the ‘Aarogya Setu Data Access and Knowledge Sharing Protocol 2020’ was released by the government, to ensure secure collection of data by the app, and regulate how such data can be shared to achieve its purpose of assisting the fight against Covid-19.

Under the Protocol, the response data (whether containing personal data or de-identified data) can be shared with the health ministry of the central government, health departments of state governments, central and state disaster management authorities, or public health institutions like the ICMR. The data is to be shared only when it becomes ineluctable to come up with a health response. Data collected using the app is not ordinarily to be shared with third parties, whether other government agencies or private parties, but this can be done if it is “strictly necessary to directly formulate or implement appropriate health responses.” These third parties will not be allowed to re-use the data for any other purpose or share the data with anyone else. The Protocol calls out data that has undergone ‘hard anonymization’ – i.e. where an individual cannot be identified using any means to trace their identity from the data – to be shared with third parties, being, universities or other research institutions registered in India, subject to approval from a special committee.

The protocol is not a binding legal regulation, neither does it draws any authority from any law passed by the Parliament of India. While the lack of an underlying law in this behalf does mean it cannot be made mandatory for people to download and use the app, this does not invalidate the safeguards that the Protocol imposes on data-sharing. The Supreme Court held in the case, Gobind v. State of M.P. (1975), that “Privacy, or the right to be let alone, is an interest that man should be able to assert directly and not derivatively from his efforts to protect other interests. A useful rule of thumb is that data privacy must be safeguarded even in times of emergency.

While the central government has residuary powers under Section 6 of the Disaster Management Act, 2005, and the state authorities claim to derive their powers from Section 2(1) of the Epidemic Diseases Act, 1897, it becomes onerous to advocate the fact that such laws do in fact grant powers to the authorities to collate, organize and disseminate information of the citizens in the manner in which it has been done. For the actions to be proportional and not manifestly arbitrary, states may collect minimum data, but it is to be primarily ensured that such data is anonymized being, used for the limited purpose of handling the public health situation, and not store or transfer the data to any third parties not authorized to access such data. Data anonymization may seem a solution, but it is to be noted that, technical and legal literature over the last decade has depicted limitations of data anonymization; with the advancements in data sciences and machine computing it has become easy to identify and reconstitute personal information from ‘anonymized’ data.” In the light of unidentified and unregulated data anonymization standards, the very essence of Article 14 of the Constitution of India is constantly challenged, through States’ whimsical approach in surveillance policy implementation.

It is pertinent to note at in the larger public interest, Section 12 of the Personal Data Protection Bill, 2019, does allow the processing of personal data without consent during medical emergencies and pandemics. However, the Bill has not been passed till date. Measures such as the publishing of lists of affected individuals, along with their personal details are definitely unconstitutional, which is eventually perpetuating unnecessary stigma and aspersions.


The pertinent question that orbits the discussion is whether, the government policies midst the outbreak of the pandemic purports to Health surveillance or State surveillance?

Privacy is the constitutional core of human dignity. It is the duty of the State not only to protect the human dignity but to facilitate it by taking positive steps in that direction. Public health interest must have to be neatly collaborated with sound State actions that cherish the sanctity of the constitutional values.

In the fitness of the practice to generate a neutrally-balanced opinion, the author places due recognition to the fact that the Supreme Court of India has also observed that the right to privacy is not absolute and allows room for reasonable restrictions to be so placed in the interest of public order; however, any restriction is required to be reasonable, i.e. within the legal framework of the land.