Analysis of India’s contact tracing application vis à vis digital rights

by Ritwik Prakash Srivastava


In the wake of COVID-19, the Indian government came up with a contact-tracing application, Aarogya Setu (application). The Indian Prime Minister, Mr. Narendra Modi, in his address to the nation on 14 April 2020, urged citizens to download the application to supplement the State’s struggle against the contagion. What started as a voluntary step was first made mandatory for employees, including those in the private sector; a directive then extended it to entire districts, and failure to comply resulted in a criminal penalty.

This brings to the forefront the conflict between public health and an individual’s right to privacy. While the effectiveness of contact-tracing has been proven, it is also pertinent that such a mechanism is developed within the framework of existing laws and with regard for human rights and constitutional rights. Interestingly, the Supreme Court of India, in its landmark judgment in K.S. Puttaswamy v. Union of India (the judgement) in 2017, made the right to privacy a fundamental right in India, even stating that “if the State preserves the anonymity of the individual it could legitimately assert a valid state interest in the preservation of public health…”

This piece seeks to address the viability of the Indian government’s order of making the download of Aarogya Setu application mandatory, against the touchstone of the right to privacy.



The Court in its judgment recognised every individual’s right to decide for themselves the extent of information about them that could be shared with others. However, every fundamental right in India comes with its reasonable restrictions, and is not absolute (see Article 19(2) of the Constitution of India). Some of the grounds of restriction could be to preserve public order, maintain the sovereignty and integrity of India, and protect the security of the State. These restrictions must be in accordance with procedures established by law (see Maneka Gandhi v. Union of India).

As per paragraph 180 of the section of the judgement authored by the then Chief Justice of India, Justice Khehar, Justice R.K. Agrawal and Justice Dr D.Y. Chandrachud, before such restrictions on the right to privacy can be placed, the State must first show the existence of a valid legislation which permits the restriction to be put into place. Secondly, the restraint must be in pursuit of a legitimate aim; thirdly, it should have a rational nexus with such aim; fourthly, it should be the least restrictive method to achieve such aim; and lastly, it should be proportionate to the aim that is required to be achieved.

The Aarogya Setu application fails on the first prong itself. Not even the Epidemic Diseases Act, 1897, currently enforced in India, grants such permissions to the State. In the absence of any legislative framework to restrict its ambit, there is no guarantee that the sensitive data about individuals’ health and movement will not be used for mass surveillance, or will not be stored and used for profiling once the pandemic subsides.


As the Terms and Conditions of Aarogya Setu stand currently, a user has no mechanism to seek deletion of their data uploaded on the servers of the application. Removal of the application merely means they cannot use the services, and not that they get their data erased. Without a comprehensive framework to regulate data protection, a contact tracing technology may as well mutate into a system of movement control and data profiling. The possibility of this becomes greater in the absence of any protocol which mandates a limit on the time for which such sensitive personal data of citizens can be stored by the government.

These shortcomings might have been eliminated if India had a dedicated privacy framework, as demanded in the judgement. However, even after substantial discussions and an impending need for such a law, the framework is yet to be enacted; it currently exists merely as a bill. As far as international standards and European regulations on contact-tracing are concerned, the Aarogya Setu application fails on various counts.

In its “Guidelines on the use of location data and contact tracing tools” (“Guidelines”), the European Data Protection Board (“EDPB”) gives, as the foremost caveat against contact-tracing, that such tools are a grave intrusion into the privacy of an individual. The guidelines make it very clear that use of the application must be voluntary. However, the Indian government’s orders mandating download go directly against such a provision. There is an inherent lack of transparency on how the accumulated data is to be processed, or for how long it would remain in the possession of the government. The government has not shared any policies with respect to data retention and grievance redressal against the collected data.

A basic technical requirement of any application which seeks to collect and process data is that of security. The guidelines mandate “state-of-the-art” cryptographic techniques to secure the data collected. However, serious questions are already being raised about the application’s sophistication, after an ethical hacker took to Twitter to reveal the flaws in the application’s security. There have also been reports of the Aarogya Setu application exposing users’ location data to third-party actors like YouTube.



Since the Supreme Court’s reasoning in the Puttaswamy judgement, the Indian government has had collisions with the concept of privacy multiple times: first with the nation-wide citizen identification scheme Aadhaar, then with the inordinate delay in the delivery of the personal data protection law. While the current circumstances around the pandemic are nowhere near normal, the concerns arising out of unwarranted surveillance cannot be set aside.

The threat that the pandemic poses to digital rights was specifically addressed in a joint statement issued by the United Nations, the Inter-American Commission for Human Rights, and the Representative on Freedom of the Media of the Organization for Security and Co-operation in Europe. The joint statement provided that the use of any technology for surveillance should conform to the strictest standards of protection provided by domestic law and the principles of international human rights.

New privacy concerns arise every day out of ever-developing technologies, be it in terms of facial recognition, mass surveillance, or tracking the online activities of citizens. The digital ecosystem has become an intricate part of the personal life of every citizen. While the current status quo with the Coronavirus pandemic is largely out of the ordinary, it is important nonetheless that governments remember that the privacy rights of citizens cannot be suppressed even during an unusual situation. Now more than ever, it is important that any derogation from or limitation to digital rights remains lawful, and is appropriately scrutinised by the states and their respective courts.



Ritwik Prakash Srivastava is a third-year B.A.LL.B. (Hons.) student at National Law Institute University, Bhopal. He is currently the Co-Convenor of the Centre for Research in International Law at NLIU, Bhopal. His research interests include technology and media law, cyber law, and public international law. He may be reached at