Rule by Executive Decree: Constitutional Concerns in India
Prashant Khurana & Parth Maniktala[*]
COVID-19 has spawned contact tracing efforts, thereby triggering the collection and processing of sensitive personal data across the world.[1] Legal protections surrounding this large-scale data collection are predominantly nascent, raising significant concerns about the precedent this sets for data privacy. In India, the Supreme Court’s landmark Puttaswamy judgement recognized privacy as intrinsic to the right to life and liberty, as secured by Article 21 of the Constitution.[2] However, the Court conceded that privacy may be abridged if a legitimate interest, say, an epidemic, exists – provided the doctrine of “proportionality” is satisfied.[3]
In this context, a recent order from the Kerala High Court in Balu Gopalakrishnan assumes significance.[4] The Kerala government contracted a U.S.-based software company, Sprinklr Inc., for processing and analyzing medical data of people susceptible to, and suffering from, COVID-19.[5] The petitioners assailed the contract for lacking privacy protections—arguing that it contained no safeguards against the commercial and unauthorized exploitation of the data entrusted to Sprinklr. The Court took note of these objections and issued several directions to prevent a “data epidemic.”[6]
This case, however, raises broader concerns regarding India’s data protection regime. With India’s controversial data protection legislation[7] still in the pipeline, it is crucial to evaluate whether governments—both at the state and federal level—are complying with Puttaswamy’s privacy protections.
Notably, the Kerala government is not alone in pursuing policies that endanger individual privacy. The central government’s “Aarogya Setu” COVID-19 tracing application has been impugned for lacking requisite protections despite the release of its data-use policy.[8] The state of Karnataka required people quarantined in their homes to upload their selfies every hour to “Quarantine Watch,” an application developed by the state’s revenue department—without specifying a privacy policy.[9] It is therefore imperative to examine if these governments even possess the authority to exercise such powers in the absence of specific legislation.
Rule of Law
A pandemic is inarguably a crisis of unusual proportions. A worried population, reluctant courts, and the general sense of rallying around the flag gives states enormous powers during crises. It is precisely at such moments that constitutional tenets are most vulnerable. Drastic measures undertaken during times of crisis have often been entrenched into the political and legal landscape long after the exigency has passed. In times like these, it is beneficial to remember Justice HR Khanna’s words of caution, delivered in his ADM Jabalpur dissent: “[The] greatest danger to liberty lies in insidious encroachment by men of zeal, well-meaning but lacking in due deference for the rule of law.”[10]
Rule of law is designed to function as a constraining apparatus against abuse of power. Strictly defined, “Every act done by the government or by its officers must, if it is to operate to the prejudice of any person, be supported by some legislative authority.”[11] The need for legislative authority is based on the democratic principle that the legislature represents the will of the people and, therefore, any infraction of the people’s rights must have statutory backing.
As statutory backing for its contract with Sprinklr Inc., the Kerala government relied on the Disaster Management Act, 2005 (“DM Act”), the Epidemic Diseases Act, 1897 (“ED Act”), and the Kerala Epidemic Diseases Ordinance, 2020 (“Kerala Ordinance”).[12] Section 2 of the ED Act authorizes “such measures…as [the State Government] shall deem necessary to prevent the outbreak of such disease.”[13] Section 4(2)(j) of the Kerala Ordinance enables such “other measures as may be necessary for the regulation and prevention of epidemic diseases as decided by the Government.”[14] These statutes were cited by the Kerala government to satisfy the requirement for legislative authority.[15] However, one must consider if the executive should be permitted to invoke such expansive and overbroad statutes to justify a specific abridgment of privacy; and if in so doing the checks and balances inherent in the Constitution are eroded.
Need for a Specific Legislation
In Ram Jawya Kapur, the Supreme Court noted that the Constitution broadly recognizes separation of powers, holding that executive authority sans “specific legislation” cannot encroach upon the legal rights of any person.[16] In the context of data privacy, a piece of specific legislation would be one that defines the purpose of data collection, details the procedural safeguards against misuse of such data, and lays down the period beyond which such data will be purged. The specificity caveat cannot be met through the overbroad clauses in the aforementioned statutes.
Overbroad statutes run afoul of the test of constitutionality, particularly when evaluated against fundamental rights. In Shreya Singhal v. Union of India, the Supreme Court struck down section 66A of the Information Technology Act for being “vague and overbroad, and, therefore, unconstitutional.”[17] When defending such statutes, the government often presents assurances of enforcement within constitutional limits, despite their unreasonable scope. Shreya Singhal resoundingly rejected such assurances, holding that if a law “is otherwise invalid, it cannot be saved by an assurance … that it will be administered in a reasonable manner.”[18] Of note here is the fact that this liberal approach was adopted by the court in a case concerning free speech, not privacy. India’s Constitution places certain limitations on free speech under Article 19(2) and, as such, it is a limited right. Being free of similar textual limitations, the right to privacy under Article 21 should merit a similar, if not stricter standard of scrutiny against overbroad statutes.
There is a need for a piece of anchoring legislation that is specifically tailored to COVID-related data collection, with adequate safeguards and sunset clauses. Absent this legislation, such data collection and outsourcing is an exercise in executive usurpation. As Gautam Bhatia notes, legislation like the DM Act and ED Act grant carte blanche authority such that “just about any executive decree that (the executive believes) is required to tackle the disaster” can be issued.[19]
The statutes invoked by the Kerala government are unsuited for the policy it seeks to pursue, as the statutes do not even contemplate large scale data collection, let alone adhere to the doctrine of proportionality. It would be grossly inaccurate to argue that the 1897 ED Act contemplated even the existence of complex data analytics. The invocation of the DM Act is also suspect, since it was designed to deal with natural disasters and not public health emergencies. Although the DM Act briefly refers to data collection,[20] it is only with reference to capacity building and mitigation for natural calamities, not sensitive personal data. The DM Act enumerates no specific purpose for data collection or limitations and safeguards against misuse. Finally, the Kerala Ordinance—despite being passed in response to this pandemic—makes no provision authorizing data collection and analysis.[21]
The requirement of specific legislation is not isolated to India. In a challenge to Kenya’s biometric identification system, the Kenyan High Court held that “the provision for collection of DNA and GPS coordinates, without specific legislation detailing out the appropriate safeguards and procedures in the collection, and the manner and extent that the right to privacy will be limited, is not justifiable.”[22] The need for anchoring legislation is, therefore, being recognized across jurisdictions.
An Alternative Framework for Crisis Governance
Rule by executive decree is not the only option during a pandemic. Under the Indian constitutional scheme, even an emergency proclaimed under Article 352 (cases of war, external aggression, or armed rebellion) must be ratified by the Parliament within a month.[23] Therefore, any suggestion that a health crisis should allow the executive to ride roughshod over the legislature would be incompatible with the spirit of the Indian Constitution. Parliaments are functioning across other democracies including Canada, the U.K., and the U.S.[24] Italy is being governed through “decree-laws” subject to parliamentary approval within 60 days, absent which, they are void ab initio.[25] Curiously though, India’s executive, which possesses similar powers of ordinance,[26] is still refraining from promulgating anchoring legislation. It is instead using ordinances to enact broad, sweeping laws. There is no justifiable pretext for this other than the inherent tendency for overreach, a tendency which pervades most Indian governments across party lines.
The lack of anchoring legislation not only permits executive excesses, it also creates a precedent that constitutional checks and procedures are dispensable. This is a very dangerous erosion of constitutional ethos, and reeks of a paternalistic mindset which paints elected legislators and local representatives as dispensable rubber stamps. Given the scale and efficiency with which technology can operate, placing practical, statutorily grounded limitations on the use and collection of individual data is the only real check on executive arbitrariness. Statutes—including emergency statutes—must evolve from instruments conferring broad powers into policy prescriptions specifying comprehensive limitations on discretionary authority. Absent that, the right to privacy will become a theorized prescription worthy merely of lip-service, without any practical teeth.
[*] Prashant Khurana is an attorney based out of New Delhi, India, and holds an LL.M. from University of California – Los Angeles. Parth Maniktala is a final year student of LL.B. at the University of Delhi, India. Views expressed are personal to the authors and do not reflect those of any organization with which they may be associated.
[1] Kate Rogers, Contact Tracing has Become a Fast-Growing Job opportunity with Many People Still out of Work Due to the Pandemic, CNBC (June 7, 2020), https://www.cnbc.com/2020/06/07/coronavirus-contact-tracing-has-become-a-fast-growing-job-opportunity.html.
[2] Justice KS Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1 (India).
[3] Id. at 182. The “proportionality” doctrine is used to review the constitutionality of limitations imposed on fundamental rights. A limitation is permissible if it: (i) has a legitimate goal, (ii) is rationally connected to the furtherance of this goal, (iii) is the least restrictive alternative, and (iv) is not excessive in nature, that is, the social benefits of achieving the goal outweigh the harms of limiting the right.
[4] Balu Gopalakrishnan v. State of Kerala, (2020) W.P.(C). Temp. No. 84 of 2020 (India).
[5] Id.
[6] Id.
[7] The Personal Data Protection Bill, Bill No. 373 of 2019.
[8] Arshad R. Zargar, Privacy, security concerns as India forces virus-tracing app on millions, CBS News (May 27, 2020), https://www.cbsnews.com/news/coronavirus-india-contact-tracing-app-privacy-data-security-concerns-aarogya-setu-forced-on-millions.
[9] Theres Sudeep, Internet experts raise privacy concerns over Covid-19 apps, Deccan Herald (April 21, 2020), www.deccanherald.com/metrolife/metrolife-lifestyle/internet-experts-raise-privacy-concerns-over-covid-19-apps-828137.html.
[10] ADM Jabalpur v. Shivkant Shukla, AIR 1976 SC 1207 (India).
[11] State of MP v. Thakur Bharat Singh, 1967 AIR 1170 (India).
[12] Balu Gopalakrishnan v. State of Kerala, W.P.(C). Temp. No. 84 of 2020. (India).
[13] Epidemic Diseases Act, §2, Act No. 3 of 1897.
[14] Kerala Epidemic Diseases Ordinance, §4(2)(j), No. 6650/Leg.H1/2020/Law. Under the Indian Constitution, ordinances are temporary statutes promulgated by the executive when the Parliament is not in session. Unless ratified by the Parliament within 6 weeks of its reassembly, ordinances cease to have effect.
[15] Balu Gopalakrishnan v. State of Kerala, W.P.(C). Temp. No. 84 of 2020. (India).
[16] Ram Jawaya Kapur v. State of Punjab, (1955) 2 SCR 225 (India).
[17] Shreya Singhal v. Union of India, (2015) AIR 2015 SC 1523. (India).
[18] Id. at 96.
[19] Gautam Bhatia, Coronavirus and the Constitution – XXI: The Mandatory Imposition of the Aarogya Setu App, Indian Constitutional Law and Philosophy Blog (May 2, 2020), https://indconlawphil.wordpress.com/2020/05/02/coronavirus-and-the-constitution-xxi-the-mandatory-imposition-of-the-aarogya-setu-app.
[20] The Disaster Management Act 2005, §§ 36, 39, Act No. 53 of 2019.
[21] Kerala Epidemic Diseases Ordinance, No. 6650/Leg.H1/2020/Law.
[22] Nubian Rights Forum v. The Hon. Attorney General (2019) eKLR.
[23] India Const. art. 352.
[24] Agence France-Presse, A Historic Day: Canada’s Parliament Goes Virtual Through Coronavirus Pandemic, NDTV (May 17, 2020), https://www.ndtv.com/world-news/canada-parliament-goes-virtual-through-coronavirus-pandemic-2230097.
[25] Diletta Tega and Michele Massa, Fighting COVID 19 – Legal Powers and Risks: Italy, Verfassungsblog (March 23, 2020), https://verfassungsblog.de/fighting-covid-19-legal-powers-and-risks-italy.
[26] India Const. art. 123.