Justice B.N. Srikrishna questions Aarogya Setu data collection protocol

Justice Srikrishna led the committee that drafted the Personal Data Protection Bill

File photo: Retired justice B.N. Srikrishna submits the draft of the Personal Data Protection Bill, 2018 to Union Minister Ravi Shankar Prasad | PTI

Former Supreme Court Justice B.N. Srikrishna, who chaired the expert committee that drafted the Personal Data Protection Bill, has questioned the data collection protocol of the Aarogya Setu app, which has been installed by nearly 100 million Indians as part of the Centre’s approach to stopping the spread of COVID-19.

Referring to the guidelines on data access and knowledge sharing issued by the Empowered Group 9 on Technology and Data Management under powers derived from the Disaster Management Act, Justice Srikrishna questioned how the group could issue such an order.

“It’s highly objectionable that such an order is issued at an executive level. As I repeatedly said and continue to say, such an order has to be backed by parliamentary legislation which will authorise the government to issue such an order,” Justice Srikrishna said at a webinar organised by the Daksha Fellowship, titled “Data Governance & Democratic Ethos”.

“If it is to be traced to the DMA, there is no provision for the constitution of an empowered group. What provision of law is this order issued? I cannot understand,” he said.

He then questioned who would be held accountable in the event of a data breach. He said it should have been traced to the Personal Data Protection [Bill] or the Disaster Management Act through an amendment.

Justice Srikrishna’s comments come as the Ministry of Electronics and Information Technology (MeitY) released the data access and knowledge sharing protocol for the Aarogya Setu app.

The policy states, among other things, that the National Informatics Centre (NIC) shall, “collect only such response data as is necessary and proportionate to formulate or implement appropriate health responses. Further, such data shall be used strictly for the purpose of formulating or implementing appropriate health responses and constantly improving such responses.”

In addition, “Contact, location and self-assessment data of an individual that has been collected by NIC shall not be retained beyond the period necessary to satisfy the purpose for which it is obtained which, unless a specific recommendation to this effect is made in the review under Para 10 of this Protocol, shall not ordinarily extend beyond 180 days from the date on which it is collected, after which such data shall be permanently deleted.”

“Demographic data of an individual that has been collected by NIC shall be retained for as long as this Protocol remains in force or if the individual requests that it be deleted, for a maximum of 30 days from such request, whichever is earlier.”

The instructions state that violations of the directives could be punishable under sections 51 to 60 of the Disaster Management Act, 2005 “and other legal provisions as may be applicable.”

The policy also lists principles for sharing of response data for research purposes, mandating “hard anonymisation” for research data that is made available by NIC for universities or research entities.

A Sunset Clause of six months was added to the protocol.

“The Empowered Group shall review this Protocol after a period of 6 months from the date of this notification or may do so, at such earlier time as it deems fit. Unless specifically extended by the Empowered Group on account of the continuation of the COVID-19 pandemic in India, this Protocol shall be in force for 6 months from the date on which it is issued.”

Srikrishna was a member of the expert committee that drafted the Personal Data Protection Bill, 2019, though he has criticised the version circulated in parliament for removing safeguards and for having the power to turn India into an “Orwellian” state.