The Reserve Bank of India has reportedly sought the views of banks on deploying Facial Recognition Technology or other Artificial Intelligence based systems in ATMs, branch counters and banking outlets. This is intended for banking outlets in areas where fraudulent activities are considered to be rampant. Setting up facial recognition tools across the country will involve massive costs and potentially the processing of significant amounts of sensitive biometric data. While the intent is laudable, what must be examined is whether this measure is proportionate to the object sought to be achieved.

Facial Recognition Technology, or FRT, is not new. Investigative agencies have used it for several years. For instance, in 2020, Delhi Police published a document on ‘best practices’ confirming that it uses FRT. It says FRT is integrated with the missing persons module of ZIPNET, the centralised police database. The purpose, ostensibly, is surveillance and detection of suspects at crowded places like railway stations, bus stops and large gatherings.

Right to privacy

The constitution guarantees fundamental rights, such as freedom of speech and expression, freedom of movement across the country and the freedom to assemble peacefully without arms, to all citizens, subject to ‘reasonable restrictions’. In theory, FRT can be one such restriction on the grounds specified in the constitution. But a constitution bench of the Supreme Court, in Justice K.S. Puttaswamy (2017), laid down a three-pronged test for the right to privacy:

1. There must be legality, i.e. the denial must be by law;
2. There must be a legitimate state aim; and
3. Proportionality, which means a rational nexus exists between the aim and the means adopted to achieve it.

There is no law which specifically regulates FRT in India. Arguably, its deployment in public spaces may serve a legitimate state aim – providing security to the public – yet a key question remains: do alternative, less restrictive means exist to ensure public safety?

In November 2025, the Delhi Metro Police reportedly used FRT to help catch wrongdoers. The issue was that it involved scanning the images of everyone entering the metro network. So, should an accused out on bail using the metro be apprehended? And for how long must the images of travellers be stored in a database? The various arms of the state, even if they are empowered and hold exemptions under India’s data protection laws, must make clear how they are deploying FRT, where they are storing the data, for how long, and who it is shared with.

These requirements will apply to all private sector companies, unless they are specifically exempt, under the new data protection law, the Digital Personal Data Protection (DPDP) Act, 2023. However, any agency or body that processes vast amounts of sensitive data should be held accountable for it – including government bodies. The government should, in fact, provide such information in the interest of transparent governance, so that citizens can make informed choices regarding their privacy in public spaces.

General data protection laws

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) regulate the collection, use, disclosure and protection of sensitive personal data.
These rules expressly define ‘biometrics’, which fall within the definition of ‘sensitive personal data’. Biometrics, the rules say, include technologies that measure and analyse human body characteristics, such as fingerprints, retinas and irises, facial patterns and hand measurements, for authentication purposes. The last qualifier – ‘for authentication purposes’ – may appear to exclude FRT, considering that these technologies are used on smartphones, tablets and computers to authenticate users, and these rules were not aimed at surveillance for public security.

Regardless, the SPDI Rules will soon be replaced by the DPDP Act and its rules. Importantly, the DPDP Act does not distinguish between sensitive personal data and personal data. Consequently, it covers all data that can identify an individual or make her identifiable. However, the Act contains exceptions – and those might actually facilitate large-scale deployment of FRT across the country.

The DPDP Act specifies that data can be processed by governments and bodies acting on their behalf to perform any function under any law in the interest of the sovereignty or integrity of India or the security of the state, maintaining public order, etc. Crucially, the DPDP Act contains an exemption which allows personal data to be processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law for the time being in force in India.

This exemption facilitates the use of FRT by law enforcement agencies to prevent and detect crimes. The matter is more complicated for private entities and establishments, which will need to comply with the notice and consent requirements of the DPDP Act and DPDP Rules for such technologies. Some entities, such as shopping malls and airports, should ideally not implement this technology unless they comply with these legal requirements and provide a DPDP-compliant notice to those entering their premises.
The notice can be in the form of a pamphlet or be digitally displayed at the entrance. However, arguably, such entities can make entry contingent on giving consent and deny entry if consent is refused. Once an individual voluntarily accesses areas where FRT is deployed, or where entry is contingent upon consenting to FRT, it may be classified as a legitimate use for which personal data can be processed.

[Photo: Leh Market Square Under CCTV, Ladakh, July 2018. Chris Hunkeler, CC BY-SA 2.0, via Wikimedia Commons]

There appears to be a contradiction in the DPDP Act: on the one hand, it suggests that consent cannot be sought for permissions that are not necessary for providing a service. At the same time, it gives entities the liberty to deny a service if consent is withheld or withdrawn.

If a shopping mall has a physical security check and CCTVs installed, the question arises whether it can still compel an individual to consent to FRT. After all, CCTVs are a clear available alternative to FRT. This question will be answered only with time, as the private sector adopts the technology. Similarly, the use of FRT by hospitals is problematic because of the privacy rights of patients, their family members, friends and associates, as well as other visitors to the hospital.

Need to regulate FRT

Data retention is arguably one of the most important aspects of data protection legislation. The DPDP Act lays down that, unless required by a law currently in force, personal data must be deleted upon withdrawal of consent by an individual or as soon as the specified purpose is no longer being served. Without realising the implications, individuals regularly subscribe to services or create accounts that they fail to delete. Their information remains in the databases of service providers and may pose a security risk to them. For instance, if government-issued identification documents are retained in companies’ databases, they could be compromised or lead to identity theft.
The risks are exacerbated for biometric data such as iris scans, fingerprints and images, especially when they are retained for excessively long periods.

The DPDP Rules add a one-year retention period for personal data, associated traffic data and other logs, unless a longer retention period is provided for. This one-year retention period (which does not provide an outer limit) is tied to the purposes specified in the seventh schedule, for instance, the use by the State or any of its instrumentalities of the personal data of individuals in the interest of the sovereignty and integrity of India and the security of the state. It also allows personal data to be retained for performing any function under any law in force in India. The one-year retention period is tied to these purposes and does not apply across the board.

The Criminal Procedure (Identification) Act, 2022 (CPIA), provides a retention period of 75 years for biometrics. As a result, the data of a person accused or suspected of having committed a criminal offence, whose trial is pending, will arguably be stored for their entire lifetime.

The CPIA does allow for data deletion if an accused is released without trial, acquitted or discharged after exhausting all legal remedies. The Rules under the CPIA provide the procedure for this, but it requires the person to apply for deletion; the process is not automatic. While the main provision of the law does not cover the accused, a section effectively extends it to any person a magistrate thinks should be directed to give their measurements for the purpose of investigation. A holistic reading of the law therefore shows that it will cover even those accused of an offence but not convicted. This law has recently been challenged in the Delhi High Court, which has issued notice. Interestingly, one of the grounds reportedly raised by the petitioners is the 75-year retention period.

Excessive? Or necessary?

While it may seem excessive to implement FRT for regular law and order problems, for more serious situations like terrorist attacks, the Union government may be justified in its use of FRT. However, to do so, it must introduce a law – the reasonable restriction mentioned earlier – and build safeguards into that law, as well as address the problem of false positives that could lead to citizens being harassed. Deploying such a technology without a law in place backing it is a lacuna that needs expeditious attention from the legislature.

Therefore, it is imperative that the government considers FRT-specific amendments to the 2021 IT Rules, the DPDP Act or its rules, or standalone rules or legislation, to provide FRT-specific tiered retention periods. It can consider providing more proportionate retention periods, depending on the nature of the offence and the risk involved, and prescribing safeguards for government bodies, investigating agencies and private parties to implement when they deploy this technology.

Data retention is not inherently bad and may even be necessary for some purposes. Banks may need to maintain data for anti-money laundering purposes, companies may need to maintain books of accounts to comply with regulatory requirements, and so on. The problem arises when these retention periods are disproportionate to the objective sought to be achieved. As argued earlier, inordinately long or indefinite data retention is a problem. Therefore, prescribing the maintenance of biometric records of those convicted of offences, accused or under investigation for 75 years does not appear to be proportionate for all categories of offences. The CPIA allows discretion to exempt those accused of offences that carry a sentence of less than seven years from giving biometric measurements, but this is a discretionary rule.
There is a need to ensure that FRT systems segregate data effectively and secure it with adequate safeguards. Biometric data should not be retained for inordinately long periods, given the increased risk of identity theft, and data deletion should be simplified under the CPIA. FRT is not inherently bad; we just need to ensure there are sufficient institutional and technical safeguards for its use.

Raghav Tankha is a lawyer practising in Delhi.