[This two-part post has been authored by Riddhi Bang and Prerna Sengupta, second year students at NALSAR University of Law, Hyderabad. Part I can be found here]
Procuring Data from Private Entities
The PDPB allows the government to compel entities to disclose information that does not constitute personal data. This includes data processing by law enforcement agencies or data processing for prevention, detection, investigation and prosecution of any law. This essentially buttresses the previous criticism that most law enforcement agencies that collect data from users will be able to provide that data to the government if and when they ask for it. Therefore, the 42 facial recognition projects ongoing in India by a variety of law enforcement agencies will not be subject to any of the restrictions and guidelines enumerated in the PDPB. At the moment, these facial recognition projects are operating in a legal vacuum as there is no data protection legislation imposing any mandatory safeguards. Mass surveillance also violates the fundamental right to privacy as enumerated under Article 21 of the Constitution and also restricts the fundamental right to freedom. Further, there is no clarity on whether informed consent is being sought from data principals.
Exemptions to Private Entities
Exemptions for prevention of criminal activity extend to any institution processing such personal data and are not limited to law enforcement agencies. Owing to the lack of such a situation having arisen in India, the Capitol Attacks in Washington DC in January 2021 are an appropriate example to explain this drawback. In the Capitol Attacks of January 2021, the Federal Bureau of Investigation is said to have used Facial Recognition Technology to identify suspects using Clearview AI, a facial recognition application which confirmed a spike in searches of its database used by law enforcement. If something like this were to happen in India, a private firm such as Clearview AI would not be subject to the PDPB simply because it was used for prevention of criminal activity. Companies are subject to certain obligations, such as purpose, collection and storage limitation (Chapter II of the PDPB), when it comes to personal data. However, as per the exemptions provided under the Act, these obligations would not apply if it is claimed that the data is being processed for prevention, detection, investigation and prosecution of any offence. With this exemption, the government may also seek personal data from private companies. Even under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (2011), body corporates are allowed to disclose personal data to the government when it is necessary to disclose the information in compliance with a legal obligation. Although private companies are to maintain non-disclosure and other requirements as mentioned above, the government would justify the sharing of facial data on the grounds of it being necessary for detection, prevention and investigation of criminal offences.
Recently, the National Crime Records Bureau (NCRB) has also invited bids from companies to develop a nationwide facial recognition system that would be accessible to all the police stations in the country. The implication of all the above is that there is immense scope for law enforcement agencies to not only develop their own FRT but also employ such technology developed by private entities.
Data Protection Risks
GDPR takes into consideration the reasonable likelihood that an individual will be identifiable (see Recital 26). This is essentially a risk-based approach, and it implies that where there is a reasonable risk of identification, data needs to be treated as personal data. This helps the data protection authorities in efficiently deploying resources in areas where there is a higher severity of risks and harm to individuals. This seems to be lacking in the PDP bill. It also translates into a wider interpretation of the purpose limitation principle under the GDPR where the purpose for collection of data must be specified either before or at the time of collection. This could open the doors for misuse because the PDP Bill lacks provisions for the collection and storage of data at a subsequent point of time (which is not mentioned at the initial stage).
Right to Be Forgotten
Unlike privacy laws that usually protect information that is not yet public, provisions regarding the right to be forgotten deal with already existing public information by providing a right of erasure. The GDPR grants data subjects the right to obtain erasure of personal data processed by the controller, where the data is no longer needed for the purpose cited, when the subject withdraws consent or when the purpose is illegal. While the right to erasure and the right to be forgotten are recognised under the PDPB (Section 18(d) and Section 20 respectively), the scope of this right is placed in the hands of the adjudicating officers appointed by the Data Protection Authority, as opposed to the GDPR, where the responsibility rests with the controllers. A controller in GDPR is equivalent to the concept of ‘data fiduciary’ under the PDP bill. In the GDPR, the data subject could simply ask the controller for removal of his/her personal data. It is when the controller refuses to do so that the data subject can approach the authority. However, as per the PDP bill, the individual would first have to file a form with the adjudicating officer to exercise the right to be forgotten, which makes the process time-consuming. This implies that the final decision of ownership of personal data lies with the adjudicating officer and not the individual. The adjudicating officer would thus be burdened to consider multiple factors (see clause 20(3) of the PDP bill) and it is likely that the right to be forgotten would be interpreted narrowly as compared to GDPR. Facial recognition technology is based on probability more than certainty. Amazon’s face recognition technology ‘Rekognition’, for example, had incorrectly matched 28 Congress members with people who had been arrested for crimes before.
Inaccuracies in identifying individuals could thus have far-reaching consequences, especially when it is being done without the data subject being aware of this privacy intrusion. Given the possibility of mass surveillance by authorities and the misuse of data in addition to the aforementioned, the right to be forgotten becomes especially crucial. With the process under the PDP bill being lengthy as mentioned, the application of this right would consequently be delayed, essentially defeating its purpose.
There has been rampant use of FRT in India in recent times. It has been especially popular among law enforcement agencies, which further amplifies privacy concerns. The PDPB seems to have stricter regulatory guidelines for private entities, but for the state it extends broad immunities. Now, if and when this Bill is passed, there is a possibility that the Central Government provides a blanket exemption to numerous law enforcement agencies across the country that use facial recognition technology. For example, it would allow police to use handheld devices to record protestors, process the footage through facial recognition software, cross-reference the results with a national database of citizens such as the Aadhaar database, the NPR, and the NRC to find their personal details such as phone numbers and addresses, and arrest them from their homes. The PDPB would not be able to prevent such a scenario from taking place.
It is therefore argued that the PDPB is an insufficient mechanism to develop, deploy and regulate facial recognition technology. There is a dire need to position fundamental rights, specifically in relation to data protection and non-discrimination, at the core of the privacy framework. Like the GDPR, there is an exigency of a more comprehensive data-protection law in India. Following the spirit of EU laws (such as the Law Enforcement Directive and the Data Protection Regulation for EU institutions, bodies and agencies), India should take a similar approach in its effort to procure, deploy and commission new and innovative technology in order to overcome the shortcomings of the PDPB.