India’s Criminal Proceedings Identification (ICC) Act came into force last month. It gives police the power to collect biometric samples – such as fingerprints and iris scans – from people arrested, detained or remanded in custody on charges that carry a prison sentence of seven years or more .
Data collected under the law may be retained for up to 75 years and shared with other law enforcement agencies. It is an offense to resist or refuse to allow data collection.
Unbridled power, no control
The legislation has come under heavy criticism from opposition political parties, free speech practitioners, lawyers and civil rights activists who fear the legislation violates privacy and human rights. freedoms of an individual.
They say the ICC Act will create a “surveillance state” as India has not put in place a comprehensive data protection mechanism.
For example, Indian central and state governments have rolled out facial recognition systems in recent years without putting in place laws to regulate their use.
The growing adoption of this potentially invasive technology without any safeguards poses a huge threat to fundamental rights to privacy and freedom of expression, critics say.
“The sharing of sensitive personal data that discloses an individual’s full identity profile is in clear violation of Section 21 of the Constitution [the right to] life and liberty and cannot be done, even in exceptional circumstances, without applying adequate safeguards,” said Anandita Mishra, a lawyer for the Internet Freedom Foundation, an Indian NGO that defends online freedom.
“Blatant violation of privacy”
The Prisoner Identification Act of 1920 – which was replaced by the new law – had allowed police to collect only photographs, fingerprints and footprints of suspects.
However, the scope of the new IPC law includes other sensitive information such as fingerprints, retina scans, behavioral attributes – like signatures and handwriting – and others. biological samples such as DNA profiling.
“Perhaps the most glaring provision of the bill is that it allows digital retention of all measurement data for 75 years from the date of collection, with no built-in controls to protect the privacy of that data” , said Vrinda Bhandari, consultant. with the Law Commission of India, told DW.
“This is a clear violation of privacy and data storage limits and is against the law set out in the Supreme Court’s privacy ruling.”
In 2017, the nation’s highest court issued a landmark judgment affirming that the constitution guarantees every individual a fundamental right to privacy. This includes three aspects, according to the ruling: intrusion into an individual’s physical body, privacy of information, and privacy of choice.
Protection of rights
Criminal lawyer Rebecca Mammen John points out that the new legislation creates a whole new regime and structure within the criminal justice system that disproportionately affects the rights of individuals – while granting the state unchecked surveillance powers .
Additionally, she says the creation of databases and the ability to share data on the scale contemplated by law may violate the fundamental right against self-incrimination.
“What happens if these databases are breached or data is misused or sold? What protections are offered to prevent stored information from being used to maliciously implicate innocent people?” John asked DW.
During the passage of the bill in Parliament, the government sought to allay apprehensions surrounding the possible misuse of the data.
Interior Minister Amit Shah said the best technology would be used to save data and train the workforce.
“This is about protecting the human rights of victims of crime, not just criminals,” Shah told parliament in April.
But critics believe the new law gives the government a dangerous weapon to spy on dissidents.
No data protection system
In August, the government surprisingly withdrew a data protection bill that a group of lawmakers had been working on for more than two years.
The scrapped legislation, the Personal Data Protection Bill 2019, would have required internet companies like Meta and Google to obtain specific permission for most uses of a person’s data – and would have made the process of requesting deletion of that personal data easier. .
The tech companies had specifically questioned a data localization provision in the bill under which they would have been required to store a copy of certain sensitive personal data in India, while exporting “critical” personal data undefined since the country would have been banned.
Activists, on the other hand, had criticized a provision that would have allowed the government and its agencies blanket exemptions to opt into any of the bill’s provisions.
Risk of misuse
Several countries, including the United States and the United Kingdom, collect biometric identifiers such as facial features, fingerprints or retina scans from those arrested or convicted.
But given that India does not have well-defined systems to investigate allegations of police misconduct, there are fears that the data collected could be misused.
Cyberlaw expert Pawan Duggal says the government had a bigger duty to come up with proper checks and balances before implementing the IPC law.
“This law takes on greater importance because the people who have been arrested and detained have not been convicted and the accepted principle of law is that a person is presumed innocent unless proven guilty,” said Duggal to DW.
“It is absolutely necessary to put in place proper checks and balances to exercise such power. Given the lack of dedicated data protection law in India, such power can be abused and misused,” he said. -he adds.
Edited by: Keith Walker