Facial Recognition in India: Privacy, Surveillance and the Need for Regulation

    0
    9
    ADVERTISEMENT
    Introduction

    SPONSORED

    While facial recognition technology has emerged as a critical tool for policing and infrastructural purposes in India, the technology’s use does not have a legal mechanism that is specifically designed to regulate it. While the Digital Personal Data Protection Act, 2023 (“DPDP Act”) provides for a legal framework on how personal data should be processed, the Act was not enacted to regulate facial recognition technology using artificial intelligence and the special constitutional concerns arising from the use of the technology by the state.

    The crucial question here then is whether the DPDP Act regulates FRT, or there is a need for an explicit legal framework. This blog argues that the latter is imperative, as FRT extends beyond ordinary data processing and implicates fundamental rights relating to privacy, equality, and personal liberty.

    Facial Recognition and its deployment in India

    Face Recognition Technology can be described as a biometrics-based identification technology where the system transforms the input face into a mathematical template and performs the matching process using machine learning-based algorithms, especially deep neural network models.

    There are two main operational processes within the system that are the verification process, which takes place in cases such as phone unlocking or e-gate identity verification at airports, and the identification process, where an unknown face is searched in a vast database, which occurs in cases related to law enforcement.

    India’s deployment footprint has grown quickly and largely outside legislative scrutiny:

    • Policing: The National Crime Records Bureau’s Automated Facial Recognition System (AFRS/NAFRIS) was conceived to integrate CCTV, passport, prison and missing-persons databases into a searchable national repository, without a parliamentary statute authorising its creation.
    • Airports: The initiative of DigiYatra by the Ministry of Civil Aviation, which was first launched in Hyderabad in 2018, has become a facial recognition-based system of boarding in big airports, where instead of verification of the board passes there is now facial recognition being used.
    • Smart Cities and public surveillance: City level Safe Cities projects and the networks of CCTV in Smart Cities program are beginning to use facial analytics for crowd control, traffic management, and tracking of habitually offending people.

    A commonality is that the implementation of these technologies happened more through executive notifications and procurement and not parliamentary legislation, which would define who can use facial recognition technology, for what, against whom and under what type of supervision.

    Does the DPDP Act adequately regulate FRT?

    The DPDP Act, India’s first omnibus data protection statute, is a genuine advance on the fragmented regime under the Information Technology Act, 2000, (“IT Act”) and its 2011 Rules. It recognises core principles, lawful and transparent processing, purpose limitation, data minimisation, storage limitation, and accountability, and creates enforceable rights for “Data Principals” against “Data Fiduciaries”, including access, correction and grievance redress, with penalties of up to ₹250 crore for non-compliance.

    The DPDP Act supplies a floor of data-handling hygiene for private and low-stakes public processing, but it was not engineered to regulate the specific harms of covert, algorithmic, mass biometric identification carried out by the state, the very use case driving India’s FRT expansion.

    The need for a dedicated FRT law

    Pulling these threads together, the gap emerges like regulatory fit, the DPDP Act’s consent-and-fiduciary model, and its broad state exemptions are poorly suited to covert biometric surveillance. A private member’s bill, the Facial Recognition Technology (Regulation of Police Powers) Bill, 2023, has attempted to address some of this by proposing magistrate-level authorisation for police FRT use and defined accountability mechanisms, but private member bills are rarely enacted in India, and it remains pending. NITI Aayog has itself called for comprehensive policy and legal reform on FRT, citing concerns about privacy, transparency and accountability, and its earlier “Responsible AI for All” paper had recommended, at minimum, that law enforcement agencies not be exempted from data protection oversight, a recommendation the DPDP Act’s Section 17 does not honour.

    Based on this analysis, five reforms merit legislative priority:

    1. A dedicated Facial Recognition Technology Act, enacted by Parliament rather than left to executive notification, defining permissible use cases, prohibited use cases (including real-time mass identification in public spaces absent judicial authorisation), and retention limits, along the lines of the EU’s prohibition/high-risk model.
    2. Mandatory judicial or magisterial authorisation before any law-enforcement FRT search against a named individual or watchlist, with emergency ex post facto ratification limited to genuinely urgent cases, mirroring the EU’s approach to real-time RBI exceptions.
    3. Mandatory Data Protection Impact Assessments (DPIAs) and independent bias/accuracy audits before deployment and periodically thereafter, with published error-rate disclosures disaggregated by demographic group, akin to NIST’s FRVT methodology.
    4. An independent oversight authority, structurally insulated from executive control, unlike the current Data Protection Board, empowered to inspect FRT systems, mandate corrective action, and receive individual complaints, with binding transparency obligations requiring public registers of active deployments.
    5. A statutory right of action or compensation mechanism for individuals harmed by facial-recognition errors, restoring something closer to the IT Act’s repealed Section 43A compensation right, calibrated to avoid the litigation excesses seen under BIPA while still providing a meaningful remedy.

    AMLEGALS Remarks

    Facial recognition technology has moved from an abstract idea to a tangible part of the developing law enforcement and public infrastructure of India. While the DPDP Act has been enacted as a base structure for data protection legislation, it fails to address the specific issues of privacy and constitutionality posed by facial recognition technology which relies on artificial intelligence and machine learning algorithms.

    The absence of a special legal structure has enabled the introduction of facial recognition technology without proper legislation, regulation, and mechanisms for the redressal of grievances of citizens who may have been affected by its abuse. With the increasing use of facial recognition technology in India, there is a need to move past the general data protection framework and formulate a specific legislation that balances innovation and constitutional liberties.


    For any queries or feedback, feel free to connect with mridusha.guha@amlegals.com or Khilansha.mukhija@amlegals.com



    Source link

    LEAVE A REPLY

    Please enter your comment!
    Please enter your name here