By Raghav Ahooja
The Central Government of India had released guidelines on May 1 under the Disaster Management Act, 2005 directing local authorities and district magistrates to ensure that all residents in Containment zones downloaded Aarogya Setu, and making employers, both in public and private sector, responsible for ensuring that their employees, also downloaded the app. These guidelines were issued by the chairperson of the National Executive Committee (NEC), the executive arm of the National Disaster Management Authority (NDMA) — the prime minister-led national body formulated under the Disaster Management Act, 2005, for the management of disasters.
These guidelines, however, have been since revised and it is now the responsibility of the employer to ensure that the app is downloaded on a “best effort basis” by all employees with compatible phones. District authorities can now only advise individuals with compatible phones to download the app with effect from May 18.
While we may be in a public health emergency, it is important to note that India does not have a central legislation that enables the government, both the central and state governments, to collect and use data of a personal nature (such as health information) either through an app or otherwise. This makes such collection and use rely upon delegated legislation such as guidelines under acts such as the Disaster Management Act, 2005, and the Epidemic Diseases Act, 1897.
The Personal Data Protection Bill which allows cross-sectoral use and collection of data does have such enabling provisions. For example, Section 12 allows collection and use of such data in exceptional circumstances even without consent, but is pending before the Parliament.
Despite a legislative void on the subject, the Central Government is collecting and using personal data via Aarogya Setu through a wide power conferred under section 10 (2)(l) of the Disaster Management Act, 2005. This allows the government to formulate guidelines on any domain of law no built-in restriction in the name of disaster management.
While the Supreme Court in the past has acknowledged the need to give wide powers to authorities in suitable situations, it has cautioned against the dangers of delegating powers to legislate so loosely that the area of the delegated legislation cannot be ascertained, leading it to cover all areas of law. This was done so in the landmark case of In Re: The Delhi Laws Act 1912, decided by a seven-judge bench, which deals with the permissible limits of delegated legislation.
As per entry number 97 of the Seventh Schedule of the Constitution of India, a legislation on data collection and use would be covered only by the Union list, and thus, only the Parliament would have the power to legislate on such a subject. In view of the same, the NEC cannot use the Disaster Management Act, 2005, to formulate guidelines on data collection and use. Therefore, such an action suffers from excessive delegated legislation horizontally.
The chain of events is as follows:
The legislature constituted the NDMA through the Disaster Management Act, 2005, which then under Section 8 constituted the National Executive Committee, which then further constituted a number of “Empowered Groups’”. The bodies have been created under Section 10 (2) (h) and (i) which confer no power upon the NEC to create new bodies. The said clauses only allow the NEC to give directions to extant bodies for disaster management.
Such a delegation is unconstitutional on two counts:
- As per the maxim delegata potestas non potest delegari, a delegate cannot further delegate its powers to another body. This is true, more so, when the NEC as the delegate itself suffers from excessive horizontal delegation.
- Even if NEC did not suffer from excessive delegation, it still does not have the power to create a new body.
One of such groups was the Empowered Group 9 on Technology and Data Management. The question that arises is that can the Group legislate on data management and regulation in the first place? More so, when its scope is not defined and it too suffers from excessive delegation, both horizontal and vertical.
It is important to note that while its scope is not restricted to the Aarogya Setu, it has formulated a sub-delegated legislation called the Aarogya Setu Data Access and Knowledge Sharing Protocol.
The NEC has, thus, suo motu created Empowered Group 9, using its wide, unrestrained powers to formulate guidelines, which has further legislated on data regulation under an order passed in its own name. It is the job of the Parliament to legislate on data regulation, and the subsequent binding rules of conduct in the form of rules and regulations can only be issued under such a legislation.
The Supreme Court, in the In Re: The Delhi Laws Act 1912, had further ruled that if the delegation is of an indefinite character, such delegation may amount to “abdication of essential legislative functions of the legislature”, which consist of declaring a policy and making it a binding rule of conduct.
Where “no policy is discernible at all or the delegation is of such an indefinite character as to amount to abdication”, the Court may interfere in such a case of clear abuse of delegation. Thus, the vague nature of Section 10 and its virtually indefinite exercise by the NEC, enables the NEC to use it to legislate on any matter in the name of disaster management..
As observed by the Court, it would certainly amount to abdication when the Parliament does not legislate on a subject of the legislative list (Entry number 97) and leaves it to somebody else to legislate on it.
By sub-delegating an area of law over which the Parliament has the sole power to legislate, that is, personal data regulation, to a body formed by the NEC, the NEC (with the Empowered group) is doing the essential functions of the Legislature, and as a consequence, the Legislature is abdicating its essentials functions to the NEC.
The Bill cannot be substituted by such a protocol. The protocol is, in fact, a wolf in sheep’s clothing — a piece of legislation in substance, posing as a piece of delegated legislation in form.
The two-pronged test laid down by the Hon’ble Supreme Court to check whether a law enacted by the Indian Legislature conferring legislative power on a subordinate authority is valid or not is: (i) whether the law is within the legislative competency fixed by the instrument creating the legislature, and (ii) whether the legislature has abdicated its own legislative power.
In this case, the first part of the test is satisfied as the Constitution empowers the Parliament to legislate on disaster management. The question boils down to the second part — in this case, the legislature has virtually given up its law making power which it is entitled to, on the particular body of law, transgressing the limits of permissible delegation
The Court also observed that “the legislature cannot abdicate its legislative functions and it cannot efface itself and set up a parallel legislature to discharge the primary duty with which it has been entrusted”.
Thus, by abdicating its legislative functions, the legislature has created a “parallel legislature” in the form of the NEC which has the one ring to rule them all.
Given the fact that the Parliament is adjourned, the Central Government could have at least brought out an ordinance on the same subject to regulate data of the citizens while protecting their health, instead of using a mere section as a one ring to rule them all and later justifying it by releasing a “protocol”, and further jeopardising their right to privacy under Puttaswamy I.
Statutes at both Central level and State level continue to be insufficient for legislating on data regulation, yet the government continues to collect and use personal data in the absence of a legislation on data protection.
What we need is a data protection law or an Ordinance, but not the One Ring To Rule Them All.
Raghav Ahooja is a fourth year law student from RGNUL, Punjab. He is interested in the intersection of law and technology.