The Government had released guidelines for lockdown 3.0 under the Disaster Management Act, 2005 directing public officials such as District Magistrates to ensure that Aarogya Setu app was downloaded by everyone in Red and Orange zones and employees, and by all employers, whether private or public, in Green Zones.
These guidelines were released by the National Executive Committee, which is the executive arm of the National Disaster Management Authority (NDMA) — the PM headed the national body formulated under the Act for the management of disasters.
While we may be in a public health emergency, it is important to note that India does not have a legislation that enables the Government to collect and use data of a personal nature (such as health information), which is what the app is currently doing — moreover, forcefully so, i.e. without the consent of the person. The Personal Data Protection Bill does have such an enabling provision, but it is pending before the Parliament.
Notwithstanding, the Government has mandated the collection and usage of personal data through the app using a wide power given under Section 10 of the Act which has no in-built restriction.
Moreover, the collection and usage of data by the Ministry of Health and Family Affairs for the purpose of surveillance using physical contact tracing has also been legitimised under the same provision.
The dangers of defining such delegated powers to legislate so loosely, so that the delegated legislation can cover all areas with no restriction, have been observed by the Supreme Court in the landmark case of In Re: The Delhi Laws Act 1912.
The Legislature constituted the NDMA through the Act, which constituted the National Executive Committee that mandated the app. It then further constituted an ‘Empowered Group’ to prospectively legitimise data collection and usage by the Aarogya Setu app by incorporating some of the principles of data protection.
This ‘Empowered Group’ was constituted by the National Executive Committee under Section 10 to partially and prospectively fill the gap of a data protection framework by releasing a sub-delegated legislation called the ‘Aarogya Setu Data Access and Knowledge Sharing Protocol’.
In the absence of a data protection legislation that grants rights to every person whose data is being collected and used and protects their interests in case of a breach, while maintaining accountability and observing the principles of data protection held out by the Hon’ble Supreme Court, can provisions on data collection and use be legislated upon under such a section that delegates legislative functions to the National Executive Committee that too with no in-built restrictions?
The Supreme Court, in the above mentioned case, also ruled that if the delegation is of an indefinite character, such delegation may amount to “abdication of essential legislative functions of the legislature.” Such essential legislative functions consist of declaring a policy and making it a binding rule of conduct.
However, such a policy shall not be unrestricted or indefinite so as to allow the delegate to perform the functions of the legislature itself. In such a case, wherein “no policy is discernible at all or the delegation is of such an indefinite character as to amount to abdication,” the Court may interfere, considering the clear abuse of delegation.
Thus, the vague nature of the Section, and its virtually indefinite exercise by the Government, enables the Government to use it to legislate on any matter.
It is important to note that the Personal Data Protection Bill is pending before the Parliament. And as per the Seventh Schedule of the Constitution of India, a legislation on data collection and usage would not be covered in either the State list or the Concurrent List, and would only be covered by the Union list, and only the Parliament has the constitutional authority to legislate on such a subject matter.
It would certainly amount to abdication when in respect of a subject of legislative list (Entry no. 97) that Parliament does not legislate on that subject, but leaves it to somebody else to legislate on it, as observed by the Court.
Therefore, by delegating a whole body of law (i.e. personal data regulation) to a body formed by a delegate in the form of a protocol released under an executive order of the National Executive Committee, the NEC is doing the functions of the Legislature, and in doing so, the Legislature is virtually abdicating its functions as such a provision allows the delegate to legislate on any matter. It was also observed by the Supreme Court that this abdication may be absolute or partial.
Moreover, the app was firstly released to be used on a voluntary basis, after which it was made mandatory and the protocol legitimising the data collection and usage was released — when a Bill on the same is pending before the Parliament.
The essential functions (of policy making and delineation of such policy) of the Legislature cannot be delegated to an authority created by a statutory body that is a delegate. The Bill cannot be substituted by such a protocol in the form of delegated legislation.
The two-pronged test laid down by the Hon’ble Supreme Court to check whether a law enacted by the Indian Legislature conferring legislative power on a subordinate authority is valid or not is:
- Firstly, whether the law is within the legislative competency fixed by the instrument creating the legislature and
- Secondly, whether the legislature has abdicated its own legislative power.
In this case, the first part of the test is satisfied as the Constitution empowers the Parliament to legislate on Disaster Management.
The question boils down to the second part — in this case, the Legislature has virtually given up its law making power which it is entitled to, on the particular body of law, and has delegated the whole task of formulating policy and making it a binding rule of law to the delegate, who has further sub-delegated the task to muddy the waters — transgressing the limits of permissible delegation.
The Court also observed, “The legislature cannot abdicate its legislative functions, and it cannot efface itself and set up a parallel legislature to discharge the primary duty with which it has been entrusted.”
Thus by abdicating its legislative functions, the Legislature has created a “parallel legislature” in the form of the NEC which has the “one ring to rule them all”.
With unhindered powers to legislate, the NEC is thus playing the role of a parallel legislature that can, in the name of disaster management, legislate on any issue. This can prove to be dangerous as, in times of a pandemic, the efforts and priority of a citizen should go towards looking after oneself and those around them, and not questioning a potentially dictatorial law that allows anything in name of disaster management. The efforts should definitely not be spent in challenging the steps taken by the Government which fall short of protecting our rights, and making it a trade off between privacy and health.
Moreover, one cannot be too reliant on the Government — what we’ve learnt from the history of democracies. The citizen should have the choice to decide what is good for them and what is not, and it should not be forced down one’s throat.
What is also not constitutionally sound is that given the circumstances and the fact that the Parliament is adjourned, the Government could have at least brought an ordinance on the same subject to protect the rights of the citizens and the sanctity of the principles of data regulation held out by the Supreme Court in Puttaswamy II while protecting their health. Instead the government used a mere section as a one ring to rule them all and later justified it by releasing a “protocol”, and in the process, simply jeopardized the rights of the citizens, instead of protecting and balancing them.
Fundamental rights such as right to privacy must be balanced, not traded off. Even though privacy is an abstract concept, it’s as real as you and me, and cannot be seen as a first-world luxury which can go on a holiday because there is a public health emergency. The right to choose to give personal data is an important aspect of one’s privacy, while making it mandatory seems like a contradiction between the order of the NEC and the consent requirement of the user agreement, as observed by a senior MEITY official. Given the developments, can there be a thing such as mandatory consent? I believe not.