You’re reading it here first: “[The] Protocol is not a statute, and nor does it offer any legislative foundation for the Aarogya Setu Mobile Application, and therefore the primary issue of Aarogya Setu lacking legal basis, as raised in the captioned writ petition, is still alive and unaddressed,” Jackson Mathew has said in his affidavit filed in the Kerala High Court today. The affidavit argues that the Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020, issued by the Ministry of Electronics and Information Technology, is not a “statutory authorisation” that can be used to infringe upon fundamental rights granted under the Constitution. The affidavit has also cited Justice B.N. Srikrishna’s comments, as per which, the Protocol was “akin to an inter-departmental circular” that “was not adequate to protect privacy”. Justice Srikrishna also said that the government’s push to mandate Aarogya Setu is “utterly illegal”, as quoted in this Indian Express article.

Mathew had filed a writ petition in Kerala High Court challenging the Ministry of Home Affairs directive that holds employers liable for ensuring that all their employees download Aarogya Setu on the grounds that it fails the tests laid down in the Puttaswamy judgement on right to privacy.

Empowered Groups do not have the power to legislate: As per the affidavit, the 11 Empowered Groups created to contain the pandemic — of which Empowered Group 9 on Technology and Data Management developed this Protocol — do not have the power “to formulate laws or even binding guidelines”.

The Protocol also suffers from “excessive delegation”, as per the affidavit, since “a core legislative function (of formulating binding laws and regulations)” is delegated to a committee set up by the government. The Protocol, the affidavit says, has not been signed by a member of the Central Government authorised/empowered to do so under the Disaster Management Act, 2005, but by Ajay Prakash Sawhney, MEITY Secretary and chairperson of Empowered Group 9.

The lack of public information about the constitution of Empowered Group 9 and how it sought external inputs for drafting the Protocol is an issue, as per the affidavit. There is also no public information if the Empowered Group 9 is “responsible for the creation and execution” of Aarogya Setu, “much like the Unique Identification Authority of India (UIDAI) for the Aadhaar number”.

Privacy problems with the Protocol itself: The Protocol, as per the affidavit, stresses on the need for “efficient data collection and sharing” instead of “ensuring that the most privacy-respecting practices are adopted in this regard”. It does not answer why existing data, such as from the Indian Council of Medical Research and the Integrated Disease Surveillance Programme, are inadequate, and collects data for purposes “beyond the immediate issue of identifying persons affected/at risk of being infected with Covid-19”. It also does not state how it will interact with its Terms of Use and Privacy Policy, and “how to resolve any conflict between the provisions”. Most of the concerns that are highlighted in the affidavit — such as conflict between the Protocol and Privacy Policy in terms of data deletion, lack of clarity around the data deletion process, broad and vague terms such as “appropriate health responses” lack of obligation to open source the code, lack of liability for breaches after expiry of the Protocol, lack of details about security standards, insufficiency of the Sunset Clause, etc. — had been outlined by MediaNama earlier.

Nature of consent given is under question since unlike the app — which is available in 11 languages, including Malayalam —, the Privacy Policy, Terms of Use and the Protocol are not available in 11 languages.

Read: All you need to know about MEITY’s Data Access and Sharing Protocol for Aarogya Setu

Matter not listed for today

In the last hearing on May 12, Mathew’s advocate, Santhosh Mathew had pled for an interim order that stayed any prosecution of employers for failures on part of an employee to download the contact-tracing app. Justice Gopinath Puzhankhara had not stayed the order, but had instructed the counsel for the Ministry of Electronics and Information Technology (MEITY) to get instructions from the Home Ministry and MEITY on how the government proposed to practically implement this requirement, and the matter was to be heard today. However, it has not been listed for today.

Since the Ministry of Home Affairs issued revised guidelines yesterday as per which Aarogya Setu is no longer mandatory and employers “on best effort basis should ensure” that the app is installed by all employees with “compatible mobile phones”, it appears that the two immediate concerns in the petition have been addressed. And as S. Mathew argued in court last week, that the legality of the move in the absence of legislative anchoring — which is a concern that the writ petition brings up — “is a larger issue which can be considered later”.

Mathew’s is not the only petition in Kerala High Court against the mandatory nature of Aarogya Setu. There are two other PILs that were supposed to be heard today, but neither of them is listed. Both made similar pleas.