The Privacy Concerns of the Criminal Identification Act, 2022 – The RMLNLU Law Review Blog

By: Shaharyaar Shahardar and Mahika Suri


In April 2022, the Criminal Procedure (Identification) Bill, 2022 (hereinafter ‘Act’) received the President’s approval, notwithstanding the hullabaloo surrounding it. The Act replaces the century-old Identification of Prisoners Act and attempts to collect what it calls ‘measurements’ to identify and investigate criminal matters. The data to be recorded under it would comprise physical and biological samples, including fingerprint impressions, palm-print impressions, iris and retina scans, among others. The Act, besides enhancing the accuracy and efficiency of investigations, targets at improving conviction rates. But an increased collection of data doesn’t necessarily result in increased prevention of crime. Further, a critical and scientific examination of the Act shows grievous constitutional violation as falling short of several fundamental rights recognized by the Indian Constitution. The authors, however, have restricted themselves to the debate surrounding the right to privacy. They have disputed the Act’s constitutionality by testing it on the grounds of proportionality. The authors have also conducted a substantial comparative analysis from the perspective of European Union (hereinafter ‘EU’) laws.


Privacy is a fundamental human right recognized by various international instruments.[1] In India, the right to privacy wasn’t explicitly recognized. However, in August 2017, the Supreme Court of India in Puttaswamy (I) unanimously affirmed the fundamental right to privacy as an integral part of Article 21 and other rights enshrined under Part III of the Constitution. Hon’ble Justice Chandrachud, while leaving the scope of the right undefined to not unduly restrict its ambit observed that “privacy safeguards individual autonomy and recognizes the ability of the individual to control vital aspects of his or her life. Personal choices governing a way of life are intrinsic to privacy”. The Supreme Court of India also noted that the European Court of Human Rights (hereinafter ‘ECtHR’) has upheld the right to privacy and has interpreted it to entail a personal sphere that cannot be defined by an ‘exhaustive list’. Later, in Puttaswamy (II), the Supreme Court recognized ‘informational privacy’, including biometric data and other personal information inherent to the right to privacy. The measurement defined in the Act constitutes private and personal information. The collection and retention of which would amount to an interference with the right to privacy.


To validate this infringement of informational privacy, the Act must stand the test of proportionality. Although, the Supreme Court of India has applied the doctrine of proportionality differently on different occasions. The analysis herein focuses on the fourfold test laid down in Modern Dental College v State of MP, which was subsequently affirmed by the Supreme Court in the Puttaswamy (II). The doctrine of proportionality constitutes;

(i) legality (the action must be sanctioned by law).

(ii) Legitimate aim (the proposed action must be necessary for a democratic society for a legitimate aim).

(iii) proportionality (the extent of such interference must be proportionate to the need for such interference) and,

(iv) Procedural guarantees (there must be procedural guarantees against abuse of such interference).

While the Act satisfies the foremost need of established law, it fails to conform to the other three requirements. The authors have analyzed the constitutional legitimacy of the Act by applying different aspects of the proportionality test.

The legitimate aim mandates the law to be reasonable. This legitimacy is a guarantee against state despotism. The Act usuriously empowers the magistrate to direct any personto provide measurements. This, besides resulting in executive arbitrariness, will overlook the ‘presumption of innocence’ of individuals not convicted for any offense. In S and Marper v. the United Kingdom, the ECtHR objected to a similar scheme and emphasized the risk of stigmatization that stemmed from the fact that those who had not been found guilty were entitled to the presumption of innocence and should not be treated the same as those who had been found guilty. While the introduction of modern techniques for improved investigations into criminal offenses might constitute a legitimate aim, an arbitrary expansion of the scope and ambition of the Act cannot be classified as a legitimate state aim.

The interference with or restriction on a fundamental right must be reasonable to the need for such interference. Any measure taken by the government should be suitable for achieving the concerned objective. The test mandates that “the means being adopted should be proportionate for achieving the identified aim”. The Act provides for the retention of data for seventy-five years, which unambiguously can be relegated as ‘indefinite’ while comparing it against the average life expectancy of Indians, which stands at around 70 years. In Gaughran v the United Kingdom, the ECtHR held the indefinite retention of biometric information of people who have been convicted of crimes carrying a custodial sentence is considered to be a violation of their right to respect their privacy. Further, in S and Marper v the United Kingdom, the indefinite retention of data formed an essential reason for the annulment of legislation. The ECtHR has also on multiple occasions suggested that “any measure interfering with the protection of personal data under Article 8 must meet a pressing social need and must not be disproportionate to the legitimate aims pursued”. The collection of measurements from individuals neither arrested nor convicted and its indefinite retention is what manifests the Act to be without rational nexus.

Justice Chandrachud (writing for three other judges) put forward the three tests viz. legality, legitimate aim, and proportionality for validating impairment on privacy, as discussed above. In the same judgment, Justice Kaul in his concurring opinion went ahead and added the fourth test of ‘procedural guarantees’ which requires the presence of procedural safeguards to check against the abuse of state interference. The Act doesn’t set out any procedural safeguards for the collection and subsequent retention of records. This review process has an austere conflict of interest since only the members of the executive are empowered as the monitoring authority and as the authority for issuing orders for the collection and retention of data. There is no judicial oversight for the collection, retention and destruction of data subjected to the acquisition of an individual. The Supreme Court in Puttaswamy (II)(Aadhaar Judgment) while acknowledging the necessity for judicial oversight, scrapped Section 33(2) of the Aadhar Act, which provided the power to authorize the revelation of biometric or demographic information to ensure national security. The court held that to rule out any possible misuse, such authorization requires “application of judicial mind for concluding that disclosure of the information is in the interest of national security”.


The blemish of having one’s personal information floating around in cyberspace hasn’t been given due consideration by lawmakers. The Act has the potential of being misused against disadvantaged and marginalized groups in society. Globally, nations are making efforts to safeguard their citizens’ data viz. United Kingdom Data Protection Act, European Union General Data Protection Regulation etc. Therefore, how can the security of the data obtained in India be guaranteed in the absence of a data protection regime? Thus, to secure the personal information of those, whose data is being collected under this Act, it is imperative to enact a data protection legislation.

Further, to ensure that the rights of the individuals are not violated, terminologies like ‘measurement’, ‘behavioural traits’, and ‘any person’ should be given a restrictive interpretation. The exchange and misuse of the data collected through this Act shouldn’t be allowed and the Law Enforcement Agencies (hereinafter ‘LEAs’) should not be allowed to use and acquire this data for any unlawful purpose. The state should be subject to the retention of data to judicial oversight to reduce the executive’s arbitrariness. This would also help form a system of checks and balances, increase transparency, and improve the public faith in the Act.

“The right to privacy shouldn’t remain an empty promise. It is a basic right that has constitutional recognition; therefore, lawmakers shouldn’t leave it revocable at the executive’s whim”.

Shaharyaar Shahardar and Mahika Suri are second-year law students at Gujarat National Law University. The primary interest of the authors includes Constitutional Law and Human Rights Law. The authors may be contacted via email at shaharyaa[email protected] and/or [email protected] respectively.

Cite as: Shaharyaar Shahardar and Mahika Suri, ‘Breaching Proportionality, Tearing Constitutionality: The Privacy Concerns of the Criminal Identification Act, 2022’ (The Rmlnlu Law Review Blog28 September 2022) date of access.

[1] Universal Declaration of Human Rights, Article 12; International Covenant on Civil and Political Rights Article 17; the European Convention for the Protection of Human Rights and Fundamental Freedoms, Article 8.

[2] Zv. Finland [1997] ECHR 10; Khelili v. Switzerland [2011] ECHR 195; Vicent Del Campo v. Spain [2018] ECHR 909

Post Comment