This article is written by Millia Dasgupta, a second-year student studying at Jindal Global Law School. This article covers provisions and laws which protect citizens from breach of their right to privacy by facial recognition software.
“Our unbridled love affair with all things technological has an evil twin: a seemingly unstoppable encroachment on our personal privacy.” - Brock N. Meeks
I was on Instagram the other day, scrolling through my feed when I came across the most peculiar post. It was an infographic that instructed you about how to hide your face when you go out protesting. The post said that the government uses facial recognition software to scan the faces of people participating in rallies. People attending should take great caution.
Surprised by such allegations, I searched the news to find some sort of confirmation of the allegation. I was shocked to find that well-regarded news outlets such as Reuters and The Wire affirmed the rumors. Not only that, I saw numerous viral videos of the Delhi Police with cameras, recording the crowds in protests and rallies. It makes you ask whether we live in one of the biggest democracies in the world or in the novel “1984”.
We are living in a surveillance state. And it is not only the government that is misusing our information. Many other big firms and corporations have also leaked our biometric data due to mishandling, negligence or because they are selling our information to other companies. It is during these times that we must remind ourselves that there are mechanisms set in place to protect us. Thus in this article, we will discuss the various Acts and laws one can receive protection under.
Parties Who Might Have Interests In Your Facial Recognition Data
There are two parties that are interested in your information. These parties are:
(i) Governments and law enforcement agencies
(ii) Manufacturers and service providers.
Governments and Law Enforcement Agencies
The Government, in the name of protecting ‘national interest’ and the ‘safety of greater public’, has encroached on our rights multiple times. This is especially true of surveillance and its disregard for the ‘Right to Privacy’.
The government has taken active steps, especially through facial recognition software, to establish 24/7 surveillance. For example, the world’s biggest surveillance software for facial recognition has already arrived in India and shall be used to monitor citizens. Another example is when the Madurai Police were exposed for taking pictures of citizens whom they suspected were criminals and uploading them to a database through an app. In these instances, technology gave the government unprecedented power to change our nation into a surveillance state where every citizen is a potential suspect.
The rights that protect citizens from such unprecedented surveillance are discussed later in the article.
Manufacturers and Service Providers
Manufacturers and service providers like Google and Amazon exploit the data they extract while you avail their services. For example, when you search for ‘cheapest headphones in the market’ on Google, you are suddenly bombarded with ads about headphones. Even your Amazon recommendations are filled with cheap headphones. Another example is when you search for cheap flights and suddenly get emails from various online portals about the prices of flights. How does confidential information of this nature reach these other service providers?
Now, what would happen if you were to provide your picture to these service providers and they stored your picture in a database or, even worse, sold it to another entity? How would you avail relief against their behavior? The various Indian legislations that provide relief, such as The Indian Information Technology Act, 2000 and The Consumer Protection Act, 2019, are discussed later in the article.
Can Facial Recognition Data be Identified as ‘Sensitive Personal Data’?
In order to seek protection under the various legislations and provisions stated throughout the article, we must first establish that facial recognition data is ‘sensitive personal data’ under The Indian Information Technology Act, 2000.
Under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, personal data is any information about a natural person that can be used directly or indirectly to identify such a person. Thus, according to the definition, facial recognition data can be classified as sensitive personal data.
Right to Privacy
India has no laws when it comes to the collection, processing, and storage of facial recognition data. But one can use certain principles and laws established on data privacy to receive relief from excessive government surveillance.
In the landmark case of Justice KS Puttaswamy Vs Union of India (2018), the nine-judge bench ruled that the ‘Right to Privacy’ is protected under Article 21 (read alongside Article 14 and Article 19).
It was held that the ‘Right to Privacy’ is not only an intrinsic part of the right to life and personal liberty under Article 21 but it is also a part of the freedoms guaranteed by Part III of the Constitution. They stated that “informational privacy is a facet of the Right to Privacy” and suggested that the government should establish laws that would help to strike a balance between the interests of a citizen’s privacy and the interests of the state with regard to security.
Article 21 not only protects citizens against deprivation of life and personal liberty, but it also grants the ‘Right to Privacy’.
It was K.S. Puttaswamy who stated that this ‘Right to Privacy’ consists of-
(i) Intrusion with an individual’s physical body
(ii) Informational privacy
(iii) Privacy of choice.
Exception to The Right To Privacy
This ‘Right to Privacy’ can only be encroached by the procedure established by law. Even these laws are subject to scrutiny. These laws must fulfil the duty of the State. The procedure set down by it must be proportionate to the goal it wishes to attain. In simpler terms, the procedure should not encroach upon a right in order to accomplish an aim which does not require such draconian procedure.
Additionally, such laws should conform to the principles of Article 14, which assures equality before the law and prevents the state from discriminating on the basis of caste, race, gender, etc.
Regardless of these exceptions, there are no laws in place which facilitate the collection and processing of facial recognition data. There aren’t any laws that mention the use of facial recognition software by the government and government-controlled entities. Thus, using facial recognition software, especially for identifying protestors in rallies, cannot be an exception to Article 21.
Indian Case Laws
There are no case laws that discuss the implications of the usage of technology for surveillance by the government and law enforcement. But we can refer to the following case laws on surveillance to get a general idea of the stance of India’s judiciary on this matter.
In Govind vs State of Madhya Pradesh (1975), the petitioner filed a plea against MP Police Regulations 855 and 856. These regulations allowed police surveillance to the extent of visiting a suspect’s home. While the government dismissed the plea, they interestingly said provisions that were ‘borderline unconstitutional’ should be reviewed.
In People’s Union for Civil Liberties vs. Union of India (1997), the petitioners questioned the constitutional validity of Section 5(2) of the Indian Telegraph Act, 1885. This section allowed the government to tap phones. The Supreme Court held that privacy is essential to the right to life and liberty enshrined under Article 21 and that it cannot be curtailed except by procedure established by law. Thus, we can infer from this decision that the police or any other government institution cannot take your facial recognition data, due to the lack of a procedure established by law.
In District Registrar and Collector, Hyderabad, and Anr. v. Canara Bank (2004), it was held that excessive police surveillance is against the right to liberty.
Foreign Case Laws
Katz v. the United States (1967) is a landmark case. Katz was a gambler who was suspected of using telephone booths to transmit illegal wagers. While he was proven to be guilty, the evidence used against him was obtained by eavesdropping on his private conversation. It was ruled by the US Supreme Court that the methods used to incarcerate him violated his right to privacy.
In R v. The Commissioner of Police of the Metropolis (2011), it was held that if the police retained DNA and other biometric data of a suspect after his name is cleared, it would violate Article 8 of the European Convention on Human Rights. If we were to apply this case to facial recognition data collection, then we can infer that the police must delete your biometric data once your name is cleared.
Legislations in India
Data leaks are becoming increasingly common nowadays. Corporations such as Facebook, LinkedIn and WhatsApp are some examples of companies that have either succumbed to a security breach or have been accused of selling that information themselves.
On August 16th, 2019, a security firm called Suprema was a victim of a data leak. It resulted in 27.8 million records of biometric data such as fingerprints and facial recognition information being released into the open.
Leaks like this are scary, especially with the increasing importance of biometric data. Nowadays, one can open their phone by just having their face scanned. If one has their facial recognition data leaked, it can be a serious compromise to not only their privacy but their security as well.
How can we get recourse when another Suprema breach happens? The various legislations of India which provide protection are stated below.
The Indian Information Technology Act, 2000
Section 43A – Compensation
This section makes commercial bodies liable for the negligent collection and handling of sensitive data. Under this section, if these bodies do not follow reasonable practices and procedures, they are liable to pay compensation.
By this section, bodies are defined as firms or corporations dealing with professional work. For example, such sections would apply to service providers like Quora and Google who collect information.
“Reasonable security practices and procedures” means practices that safeguard sensitive information from such attacks. These practices may be specified in an agreement, law, or procedures prescribed by the government.
Thus, if a company does not follow procedures and your facial recognition data is leaked, then they are liable to pay compensation. The amount would be fixed by the tribunal courts.
Section 72A – Imprisonment or/and Fine
This section makes the disclosure of ‘personal information’ without the consent of the person concerned punishable. This information should have been obtained under a contract.
If this section is violated, it may lead to imprisonment (which may extend to three years), a fine (which may extend to five lakh rupees) or both.
Thus, if the company leaks your facial recognition data without your consent not only can they be imprisoned, but they can also be fined.
How To File a Complaint
Matters under the IT Act 2002 are looked after by The Ministry of Electronics and Information Technology. The authority under the IT Act is the Cyber Regulations Appellate Tribunal. The adjudicating officers will be responsible for inquiring about the nature of the offense. Appeals to the verdict given by such tribunals shall be transferred to the High Court and then the Supreme Court.
One can file a complaint through their website.
One can also mail or email their public grievances to a nodal officer. Here is a list of their contacts and the issues they deal with.
Consumer Protection Act, 2019
The Consumer Protection Act, 2019 provides relief for individuals who have come across any sort of harm while using a product. These laws can also be used to assure relief when certain service providers leak sensitive or personal information given by the users to avail the services.
Section 47 (ix) of the Consumer Protection Act, 2019 (explanation) provides for relief to individuals who have had their personal information misused. If such personal information is released, then the producer shall be held for product liability. They shall then be required to pay compensation fixed by the tribunal. The 2019 Act also defines “mental agony and emotional distress” as types of harm that can be caused through the use of products.
Thus, if a certain service provider leaks private information (like your facial recognition data) and such a leak causes physical, mental or emotional distress, then the consumers can avail protection under this Act and receive compensation.
How To File A Complaint
Under the Consumer Protection Act, 2019, the authority established is The National Consumer Disputes Redressal Commission (NCDRC).
The complaint should be made within 2 years from the breach. It should
- Be a written complaint that should be supported by a “Notarised attested affidavit” (a sworn statement which states that all the contents in the complaint are true. Such a document should be sealed by a notary public i.e a public officer),
- Contain 2 sets of the document (with File cover)
- Contain the number of opposite parties.
- The pages should be numbered and be organized according to the following index-
  - List of Dates
  - Memo of Parties (with fresh complete addresses & telephone no.)
  - Complaint with Notarised attested affidavit
  - Supporting documents in favor of complaint e.g. receipts, vouchers, etc. [All the Annexures (documents) must be attested (verified) as a true Copy on the last page with name & signature]
  - Application for condonation of delay (a request for an extension of time) with Notarised attested affidavit, if beyond limitation. (2 years from the cause of action)
- Fee of Rs.5,000/- for making Consumer Complaint (Demand Draft in favor of “The Registrar, NCDRC, New Delhi”)
The complaint can be filed on all working days (Monday to Friday) between 10:00 A.M. and 4:30 P.M. and should be mailed to –
‘Upbhokta Nyay Bhawan’,
‘F’ Block, General Pool Office Complex,
INA, New Delhi-110 023.
In the judgment of Justice KS Puttaswamy Vs Union of India (2019), the bench set up a committee headed by Justice BN Srikrishna that would draft proper legislation to protect an individual’s data privacy. The result of a year-long effort was The Personal Data Protection Bill, 2019, which is yet to be approved by Parliament.
The Bill seeks to regulate the processing of personal data not only by the government but by private entities as well (for example, companies, corporations, and firms). It takes inspiration from the European Union General Data Protection Regulation.
The Bill not only ensures certain rights of the data providing parties such as the right to correction and the right to erasure but it also establishes certain duties the data controller has towards the data principal.
The Bill allows certain data processing for reasons such as national security and legal proceedings. It also seeks to establish a national level Data Protection Authority (DPA). This authority would ensure that the guidelines would be avoided.
Position in other Countries
The state of California has passed a temporary three-year ban on the use of facial recognition software by law enforcement agencies.
The bench states that through such software, police forces not only gain access to our every move, but they also gain access to other private records like our finances, hospital records and our education. Finding information of this depth would previously require a search warrant and 6 months of investigation. Now such information can be gleaned with the use of software.
It enables the police to consider every citizen as a perpetual suspect. Thus the government of California took the following steps in order to make sure the rights of these citizens are safeguarded.
European Union General Data Protection Regulation
The EU GDPR is an extensive and exhaustive legal framework that aims to protect an individual’s personal data. It applies to corporations, regardless of their location, dealing with information of citizens of the EU. It was enacted on May 25th, 2018 and it replaced the Protection Directive of 1995.
It enumerates the following principles with regards to data collection, processing, storage, and use-
- Personal data shall be processed keeping in mind the principles of transparency, lawfulness, and fairness.
- Personal data can only be collected for specified and legitimate reasons and purposes.
- The processing of such data must be limited and proportionate to the reason for which it is collected and must be kept up to date.
- The data must be stored in such a manner that it can only be used for the reason it was processed, and nothing more.
- The processing of such data must be secure.
- The data controller shall be held responsible for any breach or misuse of information.
This Article prohibits the collection of biometric data, e.g. fingerprints, retinal scans, and facial recognition data.
It also assures that citizens have the right to know about the process of collection and the details of the data controller. They also have the right to rectification of the data, the right to restrict the processing of data, the right to data portability, the right to restrict illegitimate collection of data and the right to erasure and to be forgotten.
It is stated that one does not have the right to collect biometric data except if collected under the following circumstances-
- Explicit consent from the party from whom it is being collected.
- The collection of such data is necessary to ensure the rights of the person from whom the data is being collected, e.g. in the fields of employment and protection of society.
- The processing relates to data that is manifestly made public by the data subject.
- The processing is necessary to secure the substantial interests of the public. This is subjected to the fact that processing shall be proportionate to the purpose of collection and is in compliance with the principles of data collection.
It must be kept in mind that prohibitions to biometric data collection are not limited to this list.
Biometric Privacy Act in the United States of America
Many states of the US have laws regarding the collection of biometric data. For example, The Biometric Information Privacy Act is an Act passed in 2008 by the state of Illinois. It is a set of laws that make the collection, use, and storage of biometric data without the consent of the user by private entities illegal. Another example is the state of Texas, which has established and codified laws that handle the collection of biometric data. The state of Washington has also signed into law House Bill 1493 which sets requirements for businesses that collect and process data for commercial purposes.
Cases on Facial Recognition Software
Through Biometric Information Privacy Act (BIPA) litigations, people have already brought various suits against companies for collecting and using biometric data without the consent of the users. The following cases are with regards to photo scanners and facial recognition software.
In Alejandro Monroy v. Shutterfly Inc. (2017), the court expanded the definition of biometric data to everything else which has not been expressly excluded from the ambit of the legislation. This includes facial mapping which is done by using images and fingerprints, and retina capture using images. This widens the scope for citizens who wish to protect their ‘Right to Privacy’ against facial recognition software.
In In re Facebook Biometric Information Privacy Litigation (2019), it was held that Facebook’s use of facial recognition software to suggest tags on photos was violative of the guidelines under BIPA. Thus, it was a violation of the user’s privacy as they did not ask the consent of the user before scanning their face.
However, in Rivera v. Google Inc. (2019), it was held that Google Photos did not violate the BIPA guidelines when they scanned pictures to make face edits and templates. The court held that this is because the plaintiffs did not suffer any “financial, physical, or emotional harm apart from feeling offended”, so the court would not grant them relief. They also stated that there was no violation of the users’ right to privacy as the only parties that had access to the data were Google and the user.
But while reading about this case one must keep in mind that Article III challenges may be raised at any time and the case is still going on. There are also cases that state ‘who is an aggrieved plaintiff’ that are still pending before the court. The court also failed to address many other litigation issues that may affect companies who collect biometric data.
Facial Recognition Software- A Boon Or A Curse?
It would be naive of us to ignore the benefits of facial recognition software, despite the danger it poses to the ‘Right to Privacy’. It can ensure better security by identifying criminals and missing citizens, and it gives companies a fast and secure tool to identify individuals who are allowed access to their information. It also provides a quick and secure source of identification for normal day-to-day use. It would also be naive of us to ignore that facial scanners and software have already made an impact on our day-to-day life. While its convenience may seem enticing at first, it can lead to greater problems. Thus the question we should ask ourselves is how we can use such technology to our best advantage without causing a problem. The only solution is a better legal framework.
Need For Legal Framework
When we talk about government surveillance and corporate surveillance in general, we must talk about the great National Security Agency scandal, which brought the discussion on protection against surveillance into the limelight. Edward Snowden, a former employee of Booz Allen Hamilton, a company that had a contract with the NSA, exposed that 2 powerful governments of the world were snooping into the phone records and user records of millions of users, including important stakeholders of other countries. It was also stated that major tech giants such as Apple and Google were unaware of this snooping.
The reason I talk about this case is that it signifies how easy it is to be betrayed by corporations whom you trust with your information. Giant tech companies are investing more in the facial recognition software market. For example, Apple enables us to open our phones and our Paytm accounts with our faces. Companies like Amazon are also coming up with facial recognition software that can help law enforcers to identify suspects and missing people. Thus, it has become even more essential that the Parliament enacts laws that establish a solid legal framework for the collection and processing of facial recognition data. Without proper law and legislation in place, we can fall victim to extreme encroachments of our rights without any recourse. Experts on India’s cyber laws have warned us that it should not be the case that India wakes up after 5 years and then realizes that facial recognition software has seeped into common social concerns and placed its roots in it.
Facial recognition software has improved the quality of life in general, from small everyday chores such as monetary transactions by Paytm to matters of national security, such as aiding the Delhi Police to identify more than 3000 missing children in the span of a 4-day trial. Even so, we must remind ourselves that it is essential to strike a balance between technological advancement and the privacy of our citizens.