Rethink the criminal identification bill
It places the privacy of individuals at the mercy of the State; allows for the retention of personal data of convicted individuals for lifetime; and goes against the best practices of data protection
In 1920, the colonial British government passed the Identification of Prisoners Act. Enacted just a month after the beginning of Mahatma Gandhi’s non-cooperation movement, and amid a roiling wave of nationalism, the Identification of Prisoners Act was an attempt by the British to shore up their control by expanding the scope of surveillance: It authorised law-enforcement authorities to take and store the photographs, fingerprints and footprint impressions of convicted (and, in certain limited cases, non-convicted) persons, and made provisions for their storage and destruction.
It is, therefore, ironic that 102 years later, the government of a long-independent India has proposed to replace the Identification of Prisoners Act with a fresh draft law that seeks to collect even more personal data — and with even fewer safeguards — than the colonial law did. The stated objective of the Criminal Procedure (Identification) Bill of 2022, which was introduced in Parliament at the end of March, as set out in its Statement of Objects and Reasons, is to update the law by taking into account new techniques of “measurement” and identification that have evolved over the last century.
To this end, the Bill now includes “finger-impressions, palm-print impressions, foot-print impressions, photographs, iris and retina scan, physical, biological samples and their analysis, behavioural attributes including signatures, handwriting or any other examination” in the list of “measurements” that can be taken.
However, this is not all the Bill does. It has three other features that have nothing to do with updating the law to keep pace with the scientific evolution of what “measurements” can be taken from the body.
First, it “expands the ambit” of the law’s operation to people who have been arrested of any offence, including people detained under preventive detention laws. By now, the abuse of the police’s powers of arrest, and the even greater abuse of preventive detention laws in India, are well known; the Bill, unfortunately, places the privacy of individuals who are not convicted of any wrongdoing at the mercy of the State.
Second, the Bill allows for the retention of personal data of convicted individuals for a period of up to 75 years. Practically, this means at least the lifetime of the individual. However, in its indiscriminate application to all people convicted of an offence, the bill overreaches: And there is no explanation given for why this effectively permanent collection of data will help in the prevention or prosecution of crime.
Third, the Bill allows the National Crime Records Bureau to share and disseminate personal data with “any law enforcement agency.” This goes against the well-known best practices of data protection, including the principle of “purpose limitation”: i.e., even where the collection of data is legitimate, data that is collected for a specific purpose should be used only for that limited purpose, and not for anything else. “Investigation and prosecution of crime”, in general, is too vague a purpose to pass muster: Not all crime-fighting requires personal data; it is only in certain specific cases that there is a necessary connection between the two. Thus, once again, a major problem with the Bill is its indiscriminate nature, and its failure to carefully distinguish between those categories where the collection of personal data may be necessary — and even indispensable — for investigating a crime, and where it isn’t, is an overreach.
This is particularly important, because while the Statement of Objects and Reasons is correct to note that “measurement” techniques — in the context of crime-fighting — have evolved and improved over the last century, what it ignores is the flip-side: That with the advance of technology, the State has ever greater powers of surveillance and control over the citizenry, and, therefore, any legal expansion of those powers has to be regulated even more strictly. For instance, in the context of the Bill itself, while there is only so much a State can do by way of surveillance with photographs and fingerprints, when you add retina scans, biological samples (does this include DNA?), and even “behavioural attributes”, the scope of State power is vastly increased, and the need for safeguards even greater.
In this context, it is important to note that even five years after publicly announcing it, India still does not have a data protection law, which can stipulate the limits on the use of personal data, and set up redressal mechanisms for abuse. The absence of a data protection law only adds to an unregulated legal landscape, where State surveillance power — through laws such as the Criminal Procedure Amendment Bill — continues to expand unchecked.
Finally, the hurried manner in which this Bill was introduced in Parliament — an increasingly common feature of law-making in our democracy — is worrisome. There has been no prior public consultation before the Bill’s passage, and no opportunity for public input. This is reflected in the fact that in the Statement of Objects and Reasons, the Bill is silent on what, precisely, was the necessity of expanding the scope of the State’s surveillance power — a point that would certainly have arisen as part of public debate, had the Bill been put to public consultation.
For all these reasons, therefore, there are serious concerns about the new Bill. A more democratic and inclusive process can still — it is to be hoped — remedy some of these concerns.
Gautam Bhatia is a Delhi-based lawyer
The views expressed are personal