Laws with claws

The Puttaswamy judgment heralded the legal recognition of the right to privacy as a fundamental right. This multidimensional right includes the right to informational privacy and bodily integrity. However, some legislative steps, such as the Criminal Procedure (Identification) Act, 2022, have diminished this right’s value. The wide powers conferred by this Act had caused much debate about its impact on the right to privacy. A petition against the constitutionality of the CPI Act was, however, dismissed. The recent move to collect iris samples, fingerprints, and other personal data by law enforcement authorities in Delhi and in Rajasthan has rekindled the debate.

The CPI Act was enacted without a data protection law in place. Even with the Digital Personal Data Protection Act, 2023 in place, the safeguards against excessive collection of data and their misuse remain inadequate.

Recognising the need to safeguard informational privacy in the globalised world, several countries have developed laws to erect protective barriers. The European Union, for example, has the General Data Protection Regulation; Singapore has enacted the Personal Data Protection Act. Similarly, India passed the DPDPA.

An area where the collection of personal data becomes prominent is in the prevention and the investigation of criminal matters. The Identification of Prisoners Act, 1920 was passed to delineate the powers vested in authorities and the safeguards to be followed. However, the CPI Bill, 2022, replaced the Act of 1920, significantly expanding its scope and heightening the possibilities of its misuse.

The B.N. Srikrishna Committee Report (2018), along with the OECD and APEC privacy principles, recommended stipulations such as data minimisation, purpose limitation, and time limitation to be followed strictly. However, the CPI Act expanded the impugned Act of 1920 to allow the collection of sensitive personal data, such as finger impressions, iris and retina scans, DNA samples, and behavioural attributes, which would be retained for 75 years, thereby violating the principle of data minimisation and time limitation. Recently, the Supreme Court, in the case, Frank Vitus versus Narcotics Control Bureau, had not permitted the GPS tracking of a convict on bail, citing breach of privacy. Yet, the CPI Act lacks automatic record deletion for acquitted individuals, leaving remedy under the magistrate’s discretion under Section 4(2) read with Rule 5. To further aggravate the plight of the ones who have suffered a breach of data privacy or have been wrongly accused, Section 7 of the Act bars the filing of a suit or any other proceedings against any act done in “good faith”. The absence of a Data Protection Officer as required under Article 10(2)(a) of the DPDPA or a purpose limitation mechanism deepens the complexity of the case at hand.

The CPI Act allows data collection from arrestees, including non-convicts, without adequate justification for such a measure. Section 4(1)(d) read with Rule 5 allows the National Crime Records Bureau to share this data with “any law enforcement agency” without specifying how.

Pursuant to the CPI Act, law enforcement agencies can collect such sensitive data of any convict irrespective of the gravity of the offence. Even though the Act allows detainees to refuse giving biological samples in certain cases, most detainees are unaware of this right and may be coerced to do so. The collection rests on the flawed assumption that such measurements are always unique and accurate. In Puttaswamy II (nine-judge bench), the Unique Identification Authority of India noted a 6% authentication failure rate of fingerprints, which extends to crores in numbers, thus increasing the risk of wrongful convictions and violating the presumption of innocence. Additionally, this raises concerns regarding self-incrimination under Article 20(3) of the Constitution. Yet, under the CPI Act, even lower-ranked police officials, such as a head constable or a head warder, have been permitted to collect data from “any person” sans consent, on the order of the magistrate. This ignores the Law Commission’s report of 1980 which recommended such a power to be vested only in magistrates subject to the reason recorded in writing. Ultimately, without meaningful checks and clear accountability, the CPI Act risks enabling excessive State surveillance at the cost of privacy and due process.

Similarly, the DPDPA gives police authorities unbridled powers to collect, store, and disseminate personal data with minimal safeguards. For instance, as per DPDPA, the State enjoys several exemptions, including the exemption to not obtain consent of the data principal and is only required to practise reasonable security safeguards, which remain undefined. Additionally, the Act is vague on data retention and makes no distinction between sensitive and non-sensitive personal data. Consequently, there are no higher security measures or rights and duties attached to the collection and the processing of such data. This, combined with the absence of any provision to regulate the profiling of data, poses the risk of the profiling of biological data of all the persons forced to provide personal data under the Act. Another grave concern is the Act’s silence on the collection and the processing of personal data (including sensitive personal data) of juveniles who are in conflict with the law. Further, only fines may be levied for non-compliance with the provisions of the DPDPA and there is no provision for compensation to the aggrieved. This fuels scepticism about the grievance redressal mechanism. Moreover, the constitution of the Data Protection Board as envisaged in the Act does not instil confidence that the proceedings under the DPDPA shall be non-biased. Instead of providing security against the abuse of rights, the DPDPA suffers from multiple lacunae.

It cannot be denied that the prevention and the investigation of offences are aided by the collection of information from criminals. But if this collection of data is widened without any limitations on its storage, use and dissemination, it would amount to a breach of the right to privacy. The government has erred in both its positive and negative obligations to protect the right to privacy as held in the Puttaswamy judgment. In order to remedy the existing grave situation, the government should take a cue from the GDPR, which distinguishes between sensitive and non-sensitive personal data and prescribes higher safeguards for the former. Thus, suitable amendments must be made by the government to both the CPI Act and the DPDPA to enforce the right to privacy of citizens irrespective of their criminal history.

Ananya Srivastava and Harshita Gupta are students at the National Law University, Jodhpur

Laws with claws

Suitable amendments must be made by the government to both the CPI Act and the DPDPA to enforce the right to privacy of citizens irrespective of their criminal history

RELATED TOPICS

‘56 lakh infiltrators? What was home ministry doing?’ Bihar protest cripples Parliament

Labourers from Bengal say they were beaten in Tamil Nadu, stripped in Haryana over ‘identity’

Flag hoisting, drone show, robot dogs: Indian army kicks off Kargil Vijay Diwas celebrations

MGNREGA data for Bengal has NOT been provided. Why? This is unprecedented and unacceptable

Bill Clinton, Les Wexner among nearly 50 contributors to Epstein’s 50th birthday album: WSJ

India-UK trade deal fails to lift stock markets; Sensex crashes 721 points

Zomato steps in where govt lags: Starts paramedic training for 10-min ambulance service

Kolkata reels under rain; Behala, Garia, Tollygunge, Central Avenue sees significant waterlogging

How Hulk Hogan paved way for wrestlers like Dwayne Johnson, John Cena to enter Hollywood

Elephant-Dragon collab: India signals thaw with China, warms to electronics tech transfer

India’s only ape faces extinction as Western Hoolock Gibbon population shrinks in Tripura

Centre bans ULLU, ALTT & others for streaming ‘soft porn’ under cover of web series