India: Is Biometric Data Privacy at Risk?

India's Criminal Procedure Identification (CPI) Act came into force last month. It gives police officers the power to collect biometric samples — such as fingerprints and iris scans — from people who have been arrested, detained or placed under preventive detention on charges that attract a jail term of seven years or more.

Data collected under the the act can be stored for up to 75 years and shared with other law enforcement agencies. It is an offense to resist or refuse to allow the collection of data.

Unbridled power, no checks

The legislation has come under sharp criticism from opposition political parties, free speech practitioners, lawyers and civil rights activists who fear the legislation violates an individual's privacy and liberties. 

They say the CPI Act will create a "surveillance state" given that India does not have a comprehensive data protection mechanism in place. 

For instance, central and state governments in India have deployed facial recognition systems in recent years without putting in place any law to regulate their use.

The growing adoption of this potentially invasive technology without any safeguards poses a huge threat to the fundamental rights to privacy and freedom of speech, critics say.

"Sharing of sensitive personal data that discloses a complete identity profile of an individual is in clear violation of Article 21 of the Constitution [the right to] life and liberty and cannot be done even in exceptional circumstances without enforcing adequate safeguards," said Anandita Mishra, a litigation counsel for the Internet Freedom Foundation, an Indian NGO that defends online freedom.

'Gross privacy violation'

The Identification of Prisoners Act of 1920 — which has been superseded by the new law — had allowed police to collect only photographs, fingerprints and footprint impressions from suspects.

However, the scope of the new CPI Act includes other sensitive information such as fingerprints, retina scans, behavioral attributes — like signatures and handwriting — and other biological samples such as DNA profiling.

"Perhaps the most egregious provision of the bill is that it authorizes the retention of all the measurement data digitally for 75 years from the date of collection, without any in-built checks to protect the confidentiality of such data," Vrinda Bhandari, a consultant with India's Law Commission, told DW.

"This is a gross violation of privacy and data storage limitations and is contrary to the law laid down in the Supreme Court's privacy judgment."

In 2017, the country's top court gave a momentous judgment affirming that the constitution guarantees to each individual a fundamental right to privacy. This includes three aspects, the ruling found: intrusion with an individual's physical body, informational privacy and privacy of choice.

Safeguarding rights

Criminal lawyer Rebecca Mammen John points out that the new legislation creates a whole new regime and structure within the criminal justice system that disproportionately affects the rights of individuals — while granting the state unchecked powers of surveillance.

Moreover, she says that creating databases and enabling data sharing on the scale envisioned by the act may violate the fundamental right against self-incrimination.

"What happens if these databases are breached or if data is misused or sold? What protections are offered to prevent the usage of stored information to maliciously implicate innocent persons?" John asked DW.

During the passing of the bill in parliament, the government sought to allay apprehensions surrounding the possible misuse of data.

There are concerns that, given India's lack of robust systems to investigate alleged police misconduct, data could be misused

Home Minister Amit Shah said that the best technology would be used for safeguarding data and training manpower.

"It is about safeguarding human rights of the victims of crimes, and not just criminals," Shah told parliament in April. 

But critics believe the new law gives the government a dangerous weapon to snoop against dissidents.

No data protection system 

In August, the government surprisingly withdrew a proposed data protection bill that a panel of lawmakers had been working for more than two years.

The abandoned legislation, the Personal Data Protection Bill 2019, would have required internet companies like Meta and Google to get specific permission for most uses of a person's data — and would have eased the process of asking for such personal data to be deleted.

Tech companies had specifically questioned a data-localization provision in the bill under which they would have been required to store a copy of certain sensitive personal data within India, while the export of undefined "critical" personal data from the country would have been prohibited. 

Activists, on the other hand, had criticized a provision that would have allowed the government and its agencies blanket exemptions from adhering to any of the bill's provisions.

Risk of misuse

Several countries, including the US and the UK, collect biometric identifiers such as facial features, fingerprints or retina scans of people who are arrested or convicted.

Finger scans can immediately be sent to a database and turned into biometrical data

But given that India lacks well-defined systems to investigate alleged police misconduct, there are concerns that collected data could be misused.

Cyberlaw expert Pawan Duggal says the government had a bigger duty to come up with appropriate checks and balances before implementing the CPI Act.

"This law assumes more significance because people who have been arrested and detained have not been convicted and the accepted principle of law is that a person is presumed to be innocent unless proven guilty," Duggal told DW.

"There is a distinct need for having in place appropriate checks and balances for exercising such power. Given the absence of dedicated data protection law in India, such power has the potential of being abused and misused," he added.

Edited by: Keith Walker