BIOMETRIC SURVEILLANCE: A THREAT TO PRIVACY?
Author: Srushti S Kekre, V Year of B.A., LL.B. (Hons.) from Gujarat National Law University.
State surveillance is not a nascent concept. It has been in existence for aeons. The great philosopher Jeremy Bentham was an ardent supporter of surveillance for better security of the state. Many governments across the globe have used various methods viz. spying, identity documentation, etc. to regulate the state order. Subsequently, with the advent of the internet in 1993, technology became an integral part of the functioning of society. There was an evolution in the methods of surveillance deployed by the state in consonance with the newly discovered technological wisdom. This technology-driven state surveillance was predicted by George Orwell, the renowned British novelist, in his famous book ‘1984’.
Biometric data is a combination of physiological (fingerprint, face recognition, iris scan etc.) and behavioural (the specific way of doing regular activities viz. walking, typing etc.) traits of an individual which are unique to every person. Many states have adopted surveillance methods based on the biometric traits of an individual because of their distinctive and stable nature. It is extensively used in airports, banks, passwords of electronic gadgets, voting etc. However, it is highly sensitive and personal information of an individual which may be susceptible to access by unauthorized entities. The collection, processing and retention of data should safeguard the interest of the stakeholders. Moreover, it should be ensured that the right to privacy of an individual is not violated while exercising surveillance methods.
International Legal Framework on Biometric Surveillance and Privacy
Biometrics is a widely used surveillance tool globally owing to its unique characteristic and persistent nature that generates reliable and accurate results. In Australia, facial recognition and fingerprints were introduced to regulate cross-border security under the Migration Act 1958. Similarly, America introduced a holistic biometric system in the military forces and intelligence bureau in the aftermath of the terrorist attack on the World Trade Centre in 2001. Each state in the USA has separate laws for biometric data regulation viz. the Illinois Biometric Information Privacy Act and California Consumer Privacy Act 2020. Further, China has an extensive biometric system in visa requirements, smart city initiatives, medical data etc. The UN Human Rights Council (UNHRC) and UN Office on Drugs and Crime have also encouraged the use of biometric data for the surveillance of terrorists and criminals.
However, the Human Rights Council has expressed concerns over infringement of the right to privacy of an individual in case of mishandling of biometric data. The right to privacy is an inalienable human right under Article 12 of the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights. Further, the UN General Assembly Resolution condemned the violation of the human rights of an individual due to the use of technology in interception and surveillance by the states. International law recognizes privacy as an integral part of human rights; however, due to the absence of any binding international guidelines protecting privacy, there is no uniformity in the laws of surveillance around the globe.
Biometric data is sensitive information that should be protected to prevent access by unauthorized sources. Therefore, comprehensive legislation with necessary provisions for the protection of privacy is a prerequisite for a biometric surveillance framework. In Hirst v. The United Kingdom, the European Court of Human Rights held that “the laws interfering with the privacy of an individual must be based on the tenets of proportionality and necessity”. Further, in Georgian Labour Party v. Georgia it was observed that the law should be foreseeable in nature with requisite safeguards to protect against the abuse of law. The UNHRC also highlighted the need for an accessible law based on the tenet of proportionality to prevent violation of the right to privacy.
The General Data Protection Regulation (GDPR) is a revolutionary law of the European Union that aims to effectively protect the privacy of the citizens. It has provided a 72-hour time frame within which the violators need to address the breach of privacy. A Data Protection Board is established to regulate the laws in its jurisdiction. However, the regulation provides an exemption to judicial and investigating agencies for data processing for the security of state, maintaining friendly relations with foreign states, the sovereignty of state etc. The aforementioned features of the act are unique in nature and effectively guard the privacy of an individual. Thus, other countries should also formulate privacy laws in consonance with GDPR to alleviate instances of privacy breaches of sensitive biometric data.
Indian Overview of Biometric Data and Privacy Concerns
India is striving towards establishing a holistic surveillance system based on biometric data. The ambit of biometric data was widened with the introduction of the unique identity document known as the Aadhaar card. Subsequently, the DNA Technology (Use and Application) Regulation Bill, 2019 was introduced, which aims to improve the criminal justice system by maintaining a DNA repository for efficient investigations. Further, NITI Aayog encouraged facial recognition techniques to be adopted in India. In a similar vein, biometric face recognition technology was recently launched for pensioners, which shall replace the mandate of a life certificate. It is observed that several countries are gearing up for new additions to biometric data e.g. inclusion of tongue biometric, brain biometric etc. Likewise, India is also preparing to expand its biometric surveillance in the near future.
In order to establish an efficient biometric surveillance system, it is imperative to ensure that the privacy of citizens is not compromised. The Hon’ble Supreme Court in the landmark judgment of Justice K. S. Puttaswamy (Retd.) and Anr. v. Union of India, held that the right to privacy is an integral part of Article 21 of the Constitution of India. It implies that the right to privacy is an integral facet of the right to life that must be protected even in the presence of a biometric surveillance framework. Moreover, the UNHRC in its report stated that biometric methods are a threat to various human rights viz. right to privacy, right to freedom of expression, right to freedom of movement, right to life etc.; thus, there is a pressing need to address the issue of invasion of the right to privacy.
Presently, biometric surveillance in India is regulated under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 framed under the aegis of the Information Technology Act 2000. It defines biometric data under Rule 2 (b) as “the technologies that measure and analyze human body characteristics.” It is recognized as sensitive personal information under Rule 3, whereby the collection, disclosure and transfer of the data are regulated to prevent unauthorized access. However, these rules fail to provide absolute protection to the privacy of an individual. The Hon’ble Supreme Court in Anuradha Bhasin v. Union of India held that the laws that interfere with fundamental rights should be in consonance with the principles of necessity and proportionality to reduce the arbitrariness in the conduct of authorities. Therefore, holistic legislation aimed at guarding the privacy of citizens is needed to ensure the unadulterated use of biometric systems.
The Personal Data Protection Bill, 2019 is a landmark legislation that will be a new dawn for the citizens of India. It recognizes the paramount importance of data privacy and has identified biometric data as sensitive personal data. The data protection bill is similar in spirit to the GDPR. Further, it provides for the processing of data without consent in cases of medical emergency, legal necessity or if required by the state for providing benefits to individuals. Moreover, exemptions are provided for protecting the sovereignty, integrity, security of the state etc. Wherefore, India should enact the privacy law coupled with a comprehensive set of guidelines for effective implementation and enforcement of the law to promote the judicious use of biometric data.
The 21st century is an era driven by technology wherein the states are using innovative biometric surveillance techniques to safeguard their national interest. Biometrics is a wide pool of information which is going to witness linear growth in the coming years. Various techniques like DNA mapping, brain biometrics and tongue biometrics will be widely used along with the existing biometric methods in the near future. Thus, it is essential to store and process the data in a judicious and non-arbitrary manner to prevent invasion of privacy.
Owing to the sensitive and distinctive nature of the data, it is necessary to shield it from unauthorized access. Therefore, India should enact the Personal Data Protection Bill, 2019 to prevent the abuse of the biometric data of an individual. Whereafter, holistic guidelines or rules should be introduced to promote efficient implementation and execution of the privacy law. The legislation alone will merely be a toothless tiger; hence, it should be supplemented with an elaborate implementation strategy and adequate safeguards in the best interest of all the stakeholders.
Surveillance is necessary for national security, integrity, and sovereignty. Concurrently, the protection of human rights is pivotal for a democratic state. Therefore, it is necessary to establish an equilibrium between biometric surveillance methods and the human rights of an individual.