Is Delhi Police’s Use of Facial Recognition to Screen Protesters ‘Lawful’? 

The eventual legal answer may lie in whether there is a clear distinction between physical and virtual intrusion of privacy.

Protests have erupted across the country over the past two months, and with them, new methods to crack down on dissent.

The Delhi police, for instance, recently used Automated Facial Recognition Technology (AFRS) to screen crowds at political rallies against the Citizenship (Amendment) Act (CAA). The city’s law enforcement then compared this data with a pre-existing database of more than two lakh protestors it reportedly perceives as ‘antisocial elements’. 

The use of AFRS has met with considerable ire of experts since it was not introduced through a legislation passed by parliament and that this renders it unlawful. 

This criticism is based on the observations of the Supreme Court in the Puttaswamy case, which acknowledged that privacy is a fundamental right. 

The plurality opinion, delivered by Justice D.Y. Chandrachud, laid down a three fold-test to impose reasonable restrictions on individual privacy.

Also Read: Delhi Police Is Now Using Facial Recognition Software to Screen ‘Habitual Protestors’

First, there must exist a law imposing the restriction (on privacy). Second, there must be a legitimate state aim that the law seeks to pursue; Third, there must be a rational nexus between the intended aim and the means (i.e. nature of restriction) adopted to achieve it.

However, from the judgment, it is not clear whether by using the word ‘law’ the judges meant only statutory law or even common law (derived from custom and judicial decisions common to courts across England and Commonwealth states).  

If the interpretation of ‘law’ in the (Puttaswamy) three-pronged test includes non-statutory common law, an express statutory provision enabling surveillance through AFRS is not necessary and the Delhi Police could use AFRS in the absence of any parliamentary law enabling such use. Establishing that surveillance through AFRS is an exercise of powers derived from common law would be sufficient. Discerning the correct interpretation of ‘law’ is relevant since there is no express statutory provision enabling AFRS. 

Supreme Court. Photo: PTI

A statutory provision which may be somewhere close to enabling the use of AFRS is section 31 of the Police Act, 1861, which creates a duty for the police to keep order on public roads, streets and resorts and to prevent any obstructions due to assemblies. Of course, it would be a stretch to argue that correlative to this public duty, there exists the power to use AFRS in streets in Delhi. Eventually, however, whether the power to use AFRS is implicit in this duty or not is a matter of judicial interpretation.

Similarly, it is true that the Criminal Procedure Code (CrPC, e.g. under section 165) grants police the power to conduct a warrantless search if it has reasonable grounds to believe that waiting to obtain a warrant would cause undue delay. Moreover, section 151 of the CrPC empowers the police to arrest without a warrant to prevent the commission of cognizable offences. However, it would be sweeping to suggest that the power to conduct warrantless search includes the use of AFRS indiscriminately on a public street. 

Deriving power from common law

Interestingly, back in 2005, the Supreme Court in District Registrar and Collector, Hyderabad v. Canara Bank incidentally made an observation on the extent to which common law permits intrusion into someone’s privacy. The apex court, in this case, was concerned with a challenge to the constitutionality of a statute enabling the collector to authorise access to documents placed in the custody of a bank. In passing, the court acknowledged that restrictions on privacy can be imposed not only by statutory provisions but also in rare exceptional circumstances, administrative action deriving its powers from common law (“such as where warrantless searches could be conducted but these must be in good faith, intended to preserve evidence or intended to prevent sudden danger to person or property”). In fact, common law, according to a recent decision of the United Kingdom High Court (UKHC) in Edward Bridges v The Chief Constable of South Wales, enables the use of facial recognition technology by the police. 

Before the UKHC, Edward Bridges, a civil liberties campaigner from Cardiff challenged the use of facial recognition technology to capture his images in two instances – first, at Queen Street, a busy shopping area; and second, when he was at an exhibition in the Motorpoint Arena at Cardiff. Edward’s claim in his suit inter alia was that the AFRS deployed by the South Wales Police had no statutory basis and was therefore not lawful. 

The court, however, rejected this claim. It observed that a police constable’s obligations are non-exhaustive and include taking all steps necessary for the maintenance of peace and protection of property. The police need not express statutory powers to use CCTVs or AFRS for policing purposes. The power to use facial recognition technology is inherent in common law. 

Police powers to conduct surveillance, however, do not authorise intrusive methods of obtaining information through entry upon private property. Interestingly, the UKHC distinguished between virtual intrusion and collection of biometrics (such as through AFRS) from physical searches (e.g. physical collection of fingerprints, DNA swabs, etc). While the former, according to the court, does not require enabling legislation, the latter needs to flow from statute since it would otherwise constitute a physically intrusive act (such as an assault). 

The court’s logic is this: the use of AFRS does not involve any physical entry, contact or force necessary to obtain biometric data. It simply involves capturing images and using algorithms to match the image with a face on a watchlist or database. Taking of fingerprints, however, requires cooperation, or the use of force on the individual which would otherwise constitute assault; a physically intrusive act.  

A DNA swab. Photo: Reuters/Michaela Rehle

A hierarchy between physical and virtual searches

In other words, the court creates a hierarchy between physical searches and virtual searches, characterising the former as more (i.e. physically) intrusive. This understanding of intrusion from AFRS deviates from the more liberal position adopted by the Supreme Court of the United States in Katz v. United States, where the court imposed similar conditions on both physical and virtual searches, i.e. the requirement to obtain a warrant before conducting the search.

Also Read: India Is Falling Down the Facial Recognition Rabbit Hole

Indian courts should reject the hierarchisation between physical and virtual intrusion if it has to consider the question of permissibility of facial recognition technology under common law, in the future. This is because virtual intrusion through AFRS-enabled CCTVs can be equally invasive. AFRS enabled-CCTV footages are different from ordinary CCTVs. Data from a series of AFRS-enabled CCTVs, if processed in conjunction, could reveal a series of movements of an individual, enabling long-term surveillance. Such surveillance would be qualitatively distinct from isolated observances across unrelated CCTV footages. For instance, a series of trips to a bar, a gym and a bookie or a church can reveal significantly more about a person than a single visit viewed in isolation.

The problem with common law forming the bedrock of surveillance is that it seriously undermines legitimacy and foreseeability of the extent of surveillance we can be subjected to. 

This is particularly because law and order is a state subject and police practice varies across jurisdictions. To ensure that police use of AFRS is reasonably foreseeable and predictable, express statutory regulation which enables and regulates AFRS should be created. A proposed framework of this nature is the Facial Recognition Technology Warrant Act of 2019 introduced in the US. The Bill requires that sustained surveillance only be conducted for law enforcement purposes and in pursuance of a court order (unless it is impractical to do so). Combined with a robust data protection framework, such a framework would ensure some degree of predictability in its use. 

Siddharth Sonkar is a final year student of the National University of Juridical Sciences (NUJS), Kolkata.