[This two-part post has been authored by Riddhi Bang and Prerna Sengupta, second year students at NALSAR University of Law, Hyderabad. Part II can be found here]
With the wave of machine learning and technological development, a new system that has arrived is the Facial Recognition Technology (FRT). From invention to accessibility, this technology has grown in the past few years. Facial recognition comes under the aegis of biometric data which includes distinctive physical characteristics or personal traits of a person that can be used to verify the individual. FRT primarily works through pattern recognition technology which detects and extracts patterns from data and matches it with patterns stored in a database by creating a biometric ‘template’. This technology is being increasingly deployed, especially by law enforcement agencies and thus raises major privacy concerns. This technology also attracts controversy due to potential data leaks and various inaccuracies. In fact, in 2020, a UK Court of Appeal ruled that facial recognition technology employed by law enforcement agencies, such as the police, was a violation of human rights because there was “too broad a discretion” given to police officers in implementing the technology. It is argued that despite the multifarious purposes that this technology purports to serve, its use must be regulated.
In the Indian context, the Personal Data Protection Bill, deals with the protection of personal data and draws significant parallels to European Union’s General Data Protection Regulation (hereinafter, GDPR). However, there are also significant divergences between the two. The authors in this article, by contrasting the Personal Data Protection Bill (hereinafter, PDPB) and GDPR, aim to highlight the gaps in the former and argue that even if it is passed, it would prove to be an insufficient safeguard against privacy breaches in FRT.
COMPARATIVE ANALYSIS: EU AND INDIAN LAWS
The GDPR, since it came to force in 2018, has become a globally accepted standard for personal data protection and regulation. A range of countries have been using the GDPR as a template to create and revise their data protection laws. PDPB is largely modelled after GDPR. The Srikrishna Committee Report, based on which the PDPB was drafted, makes multiple references to GDPR. Some examples are that of notice and consent requirements for processing personal data, restrictions to ensure that personal data is only collected for the provision of a specific service by the data processor, appointment of data protection officers for routine assessments, data localization which means storing data on servers within India, and the establishment of a Data Protection Authority to regulate and supervise collection and storage of personal data. However, despite these points of convergence, there are various differences in the implementation of the aforementioned similarities. There are also differences among various other sections of the PDPB and GDPR as elaborated upon below.
Data localisation
In terms of territorial scope of application, PDPB has a broader range than that of the GDPR. This is because of data localisation, that is, an entity will be included within the scope of PDPB merely by processing any kind of personal data within India as opposed to the GDPR which includes within its scope only an organization established within the EU or one that is not established in the EU but processes personal data either relating to goods/services in the EU or monitoring the behaviour of individuals in the EU.
Exemptions to government agencies under the PDPB and the GDPR
One of the most crucial concerns of the PDPB is the exemptions allowed to government agencies. Section 35 of the Bill allows the Central Government to exempt any agency of the Government from application of the Act in the interest of or for preventing incitement to the commission of any cognizable offence relating to sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order. Along with this blanket exemption, Sections 36 to 40 provide for further specific exemptions that allow data processors to bypass privacy safeguards such as where personal data is processed in the interests of prevention, detection, investigation, and prosecution of any offence [Section 36(a)] or where processing of personal data by any court or tribunal in India is necessary for the exercise of any judicial function [Section 36(c)]. It may seem justified for the State to intervene for the aforementioned reasons but the general ambiguity of phrases like “security of the State” and “public order” can be interpreted in a way to justify mass surveillance.
Now, if and when this Bill is passed, there is a possibility that the Central Government may provide a blanket exemption to numerous law enforcement agencies across the country that use facial recognition technology and justify by arguing for “security” or “public order.” This lack of clarity leaves a wide scope for mass surveillance which is antithetical to the goals that PDPB seeks to achieve.
The GDPR also exempts law enforcement agencies from the scope of its application. However, there are alternative laws governing the use of personal data in the EU such as the Law Enforcement Directive which includes automated processing of personal data in Schengen Member States and processing of personal data for the prevention, investigation, detection or prosecution of criminal offences. This directive aims to protect individuals’ personal data when it is being processed by the police or other criminal justice authorities. Along with the requirements of the data being processed lawfully, fairly, for clearly stated purposes and time-frame, it further mandates that the data be accurate and not excessively collected. Although in India, we see that the government acknowledges the problems of inaccuracies and biases that AI brings (see Artificial Intelligence Committee Report- D, pg. 30, 31), it has not created mechanisms to specifically regulate law-enforcement agencies’ use of FRT. Additionally, the Data Protection Regulation for EU institutions, bodies, and agencies law governs Personal data processing by all EU institutions, bodies and agencies. Both these laws specifically provide for protection of biometric data including facial recognition data.
The Data Protection Authority under the PDPB
It may be argued that in case of any privacy violations by law enforcement agencies, the Data Protection Authority, which is an independent body that promotes good practices of data protection, can be approached. This then leads to the inevitable question of the independence of this Authority. This Authority is entirely composed of members of the executive, i.e., secretaries from departments of the Central government. There is no judicial member and no expert. Furthermore, the power to remove members from the Authority rests entirely with the Central Government and there is no specific procedure for the same. This shows a clear interest of the Central Government in influencing the decisions of the Data Protection Authority and therefore, will not suffice in providing adequate protection against privacy violations by law enforcement agencies due to mass surveillance using facial recognition technology.