'Who will be held accountable for data breach?', Justice Srikrishna on Aarogya Setu app

Justice BN Srikrishna says "With no Personal Data Protection Law to the rescue of Indian citizens, who will be held accountable if indeed a data breach happens?"


  • Justice Srikrishna says the mandate for Aarogya Setu app is unconstitutional
  • Right to Privacy should be accorded the same sanctity under Article 21 as other fundamental rights
  • The app should have a legal base either under privacy laws or appropriate amendment to NDMA

With no safety net of data privacy for citizens, Justice BN Srikrishna has slammed the setting up of an Empowered Group on technology and data management under the National Disaster Management Act (NDMA) to govern the controversial contact tracing app Aarogya Setu. In the recent order issued by the Empowered Group on May 11, a set of protocols -- Aarogya Setu Data Access and Knowledge Sharing Protocol, 2020 -- has been put in place to regulate the use of personal data collected from individuals who have downloaded the app.

Justice BN Srikrishna points out that the order issued by the Empowered Group derives its power from the National Disaster Management Act, yet that act only has the concept of national, state, district and local authorities. There is no provision for, or mention of, an Empowered Group. "It's highly objectionable that such an order has been issued at an executive level," he said.

While every executive order has to be issued as per a particular methodology under the business rules of the Government of India, Srikrishna said: "Such an order has to be backed by a parliamentary legislation that authorises the government to issue it. There does not seem to be one." Even if the authority has to be traced to the Disaster Management Act, there is no provision for the constitution of such an empowered group, he added. "Under what provision of the law has this order been issued?" he questioned, speaking at a webinar hosted by Daksha Fellowship on Data Governance and Democratic Ethos.

"With no Personal Data Protection Law to the rescue of Indian citizens, who will be held accountable if indeed a data breach happens?" he questioned.

While the protocol provides that violations of its directions attract penalties under the NDMA and other legal provisions, the redressal mechanism is virtually absent. "This is some kind of a patchwork, which is going to cause more concerns to the citizens than the benefit it brings to them," added Justice Srikrishna.

Even as the Supreme Court has enshrined the right to privacy as a fundamental right under Article 21 of the Constitution of India, Justice Srikrishna says the sanctity with which one deals with a fundamental right under Article 21 must also be accorded to the right to privacy. "That is the reason why we have said there should be a law which is proportionate and takes into account the parameters laid down by the Supreme Court. The law should pass the test of constitutionality. Anything else will be struck down," he said.