CPC: Criminal Procedure Identification Bill raises fears of surveillance in India

A proposed new Indian law gives sweeping powers to law enforcement agencies to collect biometric data – a move that has sparked concerns over privacy.

The Criminal Procedure (Identification) bill, which was passed in parliament last week, makes it compulsory for those arrested or detained to share sensitive data – like iris and retina scans. The police can retain this data for up to 75 years. The bill will now be sent to the president for his assent.

Opposition leaders have protested against the law, calling it draconian and illegal.

Prime Minister Narendra Modi’s government has defended it, saying it will modernise policing and help solve crimes swiftly, “increasing the conviction rate”.

But critics fear the rise of a “dystopian” surveillance state.

One of the biggest concerns is that it hands over too much personal data to the state.

India does not have data protection laws, so critics say this is akin to giving the government a dangerous snooping weapon – one it could wield against dissenters.

“Since the depth of the data that can be collected is very serious, and the bill lacks any safeguards to prevent the arbitrary collection or the misuse of data, the potential for misuse is extreme,” tech and policy analyst Aditya Sharma says.

Critics add that the proposed law runs counter to India’s constitution and a landmark 2017 Supreme Court ruling, both of which protect a citizen’s right to privacy.

The top court – in an eloquent 547-page order – had unflinchingly declared privacy as the “the constitutional core of human dignity”, and said that any kind of state surveillance must be proportionate and justifiable.

India’s current prison law – the Identification of Prisoners Act, 1920 – allows the police to collect only photographs, fingerprint and footprint impressions. But it limits this to those who have been convicted, are out on bail, or those charged with offences punishable with rigorous imprisonment of one year.

The new law, however, massively expands its ambit to include other sensitive information such as fingerprints, retina scans, behavioural attributes – like signatures and handwriting – and other “biological samples”.

It does not specify what these “biological samples” are but experts say it likely implies collection of DNA and blood. The police currently require a warrant to collect these samples.

And this now also applies to anyone who is arrested or detained. A court or magistrate can order the police to retain the records even of those who are acquitted or not even tried.

“What you’re going to see is the creation of several thousands or millions of criminal profiles in India,” digital rights researcher Srinivas Kodali says.

The National Crime Records Bureau will hold the data for 75 years, but experts say the law doesn’t explain how it would be protected.

“It’s not like the police want to put a lot of people in jails – they don’t have the capacity,” Mr Kodali says. “But what they want to do is put you under surveillance, tabs on what you’re doing.”

The bill, he adds, now gives this power to “every constable on the street”.

Vikram Singh, former police chief of Uttar Pradesh state, says the proposed legislation is an “excellent tool” to upgrade the country’s crime database and investigative tools.

But he worries it could be indiscriminately applied: “You have enhanced the scope of the collection of samples but downgraded the control and supervisory mechanism.”

It’s not uncommon for investigative agencies to mine personal data. Several countries including the US and the UK, collect biometric identifiers – facial features, fingerprints or retina scans – of people who are arrested or convicted.

But unlike the UK and US, India also doesn’t have robust systems to investigate alleged police misconduct, Mr Kodali says.

The increasing use of facial recognition technology by governments and law enforcement has become a contentious issue the world over. This is especially true in authoritarian regimes where the data can be used to track citizens.

This happened during the pro-democracy protests in Hong Kong, where the Chinese surveillance system was deployed to heavily crack down on demonstrations. People covered their faces, disrupted security cameras and even avoided public transport that required ID proof.

Of course, such data has its uses too.

Police in the US have successfully used facial recognition to track down criminals and missing children, but biases in the algorithms have also led to misidentification.

India already has a system, launched in 2009, that integrates crime records across thousands of police stations. So, experts question what is the reason to infringe on people’s privacy further.

They are wary of what this erosion of privacy means under Mr Modi’s government, which has been widely accused of crushing dissent. Several activists, protesters and critics of the government have been jailed in recent years and struggled to get bail.

“Increasing the use of tech in law-enforcement isn’t inherently wrong, but India’s government has a long record of abusing citizens’ privacy and using tech to target opponents, not criminals,” Mr Sharma says.

He adds that the state has also made “made increasingly enthusiastic use” of surveillance techniques over the last several years.

Reports have accused Mr Modi’s government of using Israeli spyware Pegasus to snoop on political leaders – a charge it denies. Even during the protests against a contentious citizenship law in 2019-20, police in Uttar Pradesh had said it used facial recognition technology to identify protesters who it labelled as conspirators.

There is also a certain fear over the government’s ability to protect this data in the age of unscrupulous data leaks and hacks. In fact, data leaks involving the personal information of Indian citizens from the world’s largest biometric ID database programme, the Aadhaar, have been widely reported in the past.

“Since the bill allows law-enforcement to gather increasing amounts of data from anyone who is detained, there is nothing in it that would prevent, say, a police officer from detaining a peaceful protester and collecting their data to use against them later,” says Mr Sharma.

He adds that the scope for misuse is also higher because of the “profound lack of data-protection architecture in India”.

The Personal Data Protection Bill has been stuck in parliament since 2018 and its still waiting to be introduced, although critics say the current version is significantly diluted and doesn’t restrict the government from accessing sensitive data.

“Until a data protection bill is passed in a form that actually makes a serious attempt to safeguard personal privacy, the government knows it basically has a free hand to snoop on citizens,” Mr Sharma says.