LEGAL CHALLENGES IN IMPLEMENTATION OF AUTOMATED FACIAL RECOGNITION TECHNOLOGY IN INDIA - Viola Rodrig
India is among the countries where government surveillance has become a major concern from a data privacy perspective. Regulations that allow governments to access the personal data of citizens are still undermining the overall privacy protections that certain countries offer their citizens. India has been named as a country with minimal restrictions in terms of data privacy and protection where government surveillance is a matter of caution, alongside countries with a high level of government surveillance, such as China.
India has no personal data protection law. Years ago, the Centre promised the Supreme Court that it would pass legislation on privacy matters; this was observed during the proceedings in which the court affirmed that privacy is a fundamental right. Yet the law doesn’t seem likely any time soon. India also lacks an electronic surveillance framework. A draft of the personal data protection bill put together by the Justice Srikrishna Committee last year deliberately left out the question of placing fetters on government surveillance. The presumption was that another legislative effort would take care of it. Of course, this didn’t happen either. Yet, with little in the way of safeguards, India is barrelling forward with all sorts of efforts to pry into citizens’ lives and even allowing private companies to do so. The latest threat to privacy comes in the form of facial recognition. Deployment of this facial recognition technology allows the data to be used by private companies with the consent of the people whose data is shared thereon.
In addition, the National Crime Records Bureau has called for bids to allow it to implement an Automated Facial Recognition System. The tender envisions the system as a grand database that acts as a “searchable platform of facial images”. It wants this to be integrated into numerous other existing systems, such as the Crime and Criminal Tracking Networks and Systems used by police stations everywhere. The government envisions using the system to match faces of suspected criminals, prisoners, missing persons and others in the database with those picked up on CCTVs around the country. There are many problems with this, and they have been discussed at length by a number of analysts, who have sent a legal notice to the crime records bureau and the Home Ministry demanding an immediate halt to the tender process. For one, this is a purely executive effort, with no backing legislation. Without a data protection law or a surveillance framework, and with no legislation governing facial recognition, it should not be allowed, particularly considering that the Supreme Court so recently affirmed the right to privacy.
To delve into the details, automated facial recognition is a technology which allows the capturing of the facial features and contours of persons for the purpose of preparing a database for potential comparison. Automated facial recognition technology is an extension of facial 'profiling' or 'mapping' that has been used in criminal justice systems around the world since the 19th century and continues to be used today. Automated facial recognition technology can be used to conduct one-to-one matching, or the verification of the identity of an individual, or one-to-many searching using databases. Facial recognition as a technology has its own intrinsic benefits. It allows law enforcement agencies to track, by comparing facial features, not just offenders but also lost children. Automated facial recognition has been deployed in beta projects in India. This technology can also be used at airports, where it may prove to be the most efficient method for the purposes to be met in the airport building. While on paper this technology shows a lot of potential, the implementation of such facial recognition technologies brings forward a large number of legal, policy and regulatory issues.
The direct implementation of such technologies has not been recognized by law. As such, there is a need to have in place detailed legal frameworks, passed by the Parliament of India, which authorize the implementation and maintenance of such automated facial recognition technologies. Currently, in India, we don’t have a specific law which authorizes deployment of these technologies. The Indian Information Technology Act, 2000, being India’s mother legislation on the electronic format, is completely silent on facial recognition. Also, even in the rules passed under the Information Technology Act, 2000, there is no reference to facial recognition. As such, for a long-term deployment of these technologies, it will be imperative that the Parliament pass a strong law that not only enables the legal implementation of such technologies but also establishes the various instances where such technologies can be implemented.
One of the biggest challenges concerning facial recognition technology is the fact that it would tend to violate people's fundamental right to privacy enshrined under Article 21 of the Constitution of India. In the judgment of Justice K.S. Puttaswamy v. Union of India, the Hon’ble Supreme Court of India has already declared the right to privacy a fundamental right and held that such right can only be exercised in accordance with the procedure established under the law. If there is no procedure established under law, any deployment or adoption of such technologies is tantamount to a violation of people's fundamental right to privacy. The Government needs to specifically take these factors and parameters into consideration as it moves forward in the deployment of new technologies. In other words, the deployment must be in pursuit of a legitimate aim, and it must be necessary and proportionate. It needs to be appreciated that people have a fundamental right to privacy vis-à-vis their right and also their facial features and contours. These technologies have a distinct potential to intrude into the personal privacy space of people.
Further, cyber security is an important component and aspect of facial recognition technologies. When automated facial recognition technologies are deployed, large data sets will be created which will contain personally identifiable information. The cyber security of such data needs to be ensured so that the data is protected and preserved, in order to protect the rights and liberty of people.
Law enforcement authorities around the world are grappling with the limitations and dangers of facial recognition. San Francisco banned police use of facial recognition technology earlier this year. Police trials of facial recognition systems in the United Kingdom have shown that the technology failed 80 percent of the time, and has “significant operational shortcomings”. Given the dangerous and unreliable consequences of these technologies, police forces in the UK are proactively resisting piloting facial recognition systems. Already, in California, a law has been passed which has banned the use of facial recognition technologies. India needs to examine the legal approaches taken by various countries in regard to automated facial recognition technology, suitably address the legal challenges and issues raised by such law before moving forward, and then see what the law has provided from the perspective of India. Thereafter, it should evolve customized Indian approaches to facial recognition technologies.
Thus, these and a variety of other data issues need to be considered in a holistic manner before India moves forward in the direction of facial recognition technologies. These technologies indeed have a lot of benefits. India needs to create a harmonious balance between the needs of India as a nation on the one hand and protecting the intrinsic privacy and other fundamental rights and liberties of citizens on the other. It will be interesting to see how the Government approaches these issues as it moves forward in the deployment of automatic facial recognition technologies. Surveillance practices may prove to be pervasive and not in line with the enforced data privacy laws, thus affecting the data security of citizens. The Personal Data Protection Bill has a couple of provisions that deal with the issue of government surveillance. But a lot of regulations and procedures need to be built into it on how these procedures are to be followed. Indians deserve as much care and deliberation before being subjected to an extremely flawed technology that currently has nothing in the way of safeguards. Until there has been public consultation, laws that put in place safety checks and a proper demonstration that facial recognition actually works, the government should withdraw its bids and focus first on passing the privacy law that it promised Indians in the first place. Until India introduces a comprehensive data protection law that provides such guarantees, there needs to be a moratorium on any technology that would infringe upon an individual's right to privacy and other rights that stem from it.
R v. Tang (2006) 65 NSWLR 681.
Philip Brey, 'Ethical Aspects of Facial Recognition Systems in Public Places' (2004) 2 Journal of Information, Communication and Ethics in Society 97, 98.
Lenese Herbert, Othello Error: Facial Profiling, Privacy, and the Suppression of Dissent, 5 Ohio St. J. Crim. L. 79 (2007).
Article 21 of the Indian Constitution - Protection of life and personal liberty: No person shall be deprived of his life or personal liberty except according to procedure established by law.
Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1.
Nathan Alexander Sales, Regulating Cyber-Security, 107 Nw. U. L. Rev. 1503 (2013).