Facial recognition technology is being deployed by Indian police forces at an accelerating rate, at railway stations, airports, public events, and protests, without a dedicated statute governing its use, without mandatory accuracy thresholds, and without robust redress mechanisms for persons who are misidentified. The technology is operational. The legal framework is absent.
The existing legal architecture was not designed with biometric surveillance in mind. The Code of Criminal Procedure (now the BNSS), the IPC (now BNS), and the various police acts that govern state forces were drafted before facial recognition was a practical technology. The Information Technology Act, 2000 and its amendments address data protection in general terms but do not specifically regulate biometric data collected by state actors. The DPDP Act, 2023 explicitly exempts state instrumentalities engaged in the interest of sovereignty, integrity, and public order from most of its obligations. The practical result is that police facial recognition deployment exists in a legal vacuum.
The accuracy problem is foundational. Facial recognition systems trained predominantly on lighter-skinned faces perform measurably worse on darker-skinned faces. Multiple independent studies have documented error rates for people with dark skin that are significantly higher than for people with light skin. In India, where the population is predominantly dark-skinned and the criminal justice system already exhibits documented biases against Scheduled Caste and Scheduled Tribe persons, the deployment of an inaccurate system creates a multiplied risk of discriminatory harm. Questions of watchlists and retention have received minimal regulatory scrutiny, while documented evidence of discriminatory deployment patterns is emerging in the academic literature.
The Puttaswamy judgment (2017) established that privacy is a fundamental right under Article 21 of the Constitution. Biometric surveillance by the state engages this right directly: it involves the collection, storage, and processing of sensitive personal data without the knowledge or consent of the persons captured. The proportionality test developed in Puttaswamy requires that any infringement of privacy must be lawful (backed by a statute), necessary (for a legitimate state aim), and proportionate (the least restrictive means available). Facial recognition policing, as currently practised in India, fails all three limbs: there is no statute authorising it, the necessity analysis is rarely performed, and no proportionality assessment governs its deployment.
The contrast with other jurisdictions is instructive. The European Union's AI Act classifies the use of real-time remote biometric identification in publicly accessible spaces as a high-risk application and, with limited exceptions for specific law enforcement purposes, prohibits it. The United Kingdom has adopted a framework for police use of live facial recognition that includes mandatory equality impact assessments, accuracy testing requirements, and independent oversight. Several US cities have enacted outright bans on municipal police use of facial recognition. India has moved in the opposite direction: expanding deployment while deferring regulatory design.
What a minimum regulatory framework should include is not difficult to specify. A statute or statutory rule governing police use of facial recognition should require: legal authorisation for each use case specifying the offences or purposes for which the technology may be used; mandatory accuracy testing against the demographic profile of the deployment population before operational use; independent oversight of watchlist compilation and retention; a redress mechanism for persons who are stopped, detained, or otherwise affected based on a facial recognition match that turns out to be incorrect; and mandatory disclosure of the technology's use during any proceeding in which it contributed to an arrest or prosecution.
The DPDP Act's exemption for state actors engaged in law enforcement is the most significant regulatory gap. The Act was the opportunity to create a comprehensive data protection framework that applied equally to private actors and state actors. The exemption for state law enforcement agencies removes facial recognition policing from the Act's ambit entirely. Whether the exemption is constitutionally valid, given Puttaswamy's requirement that any privacy infringement be backed by law and be proportionate, is a question that has not yet been tested in litigation. It will be.