The right to privacy has been included under the ambit of A.21 thus making it a fundamental right after the judgement of the Hon'ble S Supreme Court in the case of Justice K.S. Puttaswamy (Retd.) v Union of India[1]. Facial recognition technology has been more or less unregulated before the Personal Data Protection Bill, 2019.

Information Technology Act, 2000

The Information Technology Act, 2000 classifies biometric data as sensitive personal data, and contains rules for collection, disclosure and sharing of such information.

In the event of violation, recourse can be taken to section 43A of the IT Act, which reads as follows:
Body corporate' possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates is negligent in implementing and maintaining reasonable security practices and procedures, and thereby causes wrongful loss or wrongful gain to any person, this body corporate will become liable to pay damages as compensation to the affected person.

However, the fundamental flaw with this is that it only applies to body corporates and leaves scope of misuse by the government and its agencies.

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016
The Aadhaar Act was the first legislation in India specifically dealing with the collection, storage and processing of biometric data. Three categories of information are prescribed by the Aadhar Act:

• Section 2 (n) 'identity information' in respect of an individual, includes his Aadhaar number, his biometric information and his demographic information;
• Section 2 (g) 'biometric information' means photograph, finger print, Iris scan, or such other biological attributes of an individual as may be specified by regulations;
• Section 2 (j) 'core biometric information' means finger print, Iris scan, or such other biological attribute of an individual as may be specified by regulations;

It goes on to classify biometric information as 'sensitive personal data or information' as defined under the Information Technology Act, 2000.

The Aadhaar scheme permits a requesting entity (whether an individual or agency)[2], to seek authentication of the UID of an individual in relation to his/her biometric information.[3] The Act incorporates some principles reflected in the GDPR such as seeking consent of principal[4], keeping individuals informed about the purpose of data collection[5] and provision for one's own information[6].

The violations of the Aadhaar Act may result in imprisonment that may extend to 3 years in some cases and a penalty with a maximum cap ranging from ten thousand rupees to one-lakh rupees or both.

Personal Data Protection Bill, 2019

The PDP Bill has classified the use of facial recognition technology as 'sensitive personal data'. Relevant provisions of the bill:

• Clause 3 (7): 'biometric data' defined which includes 'facial images' as a part of it.
• Clause 3 (36): categorizes 'biometric data' as 'sensitive personal data', as compared to critical or general data.
• Clause 33: It states that 'sensitive personal data' may be transferred outside India, but must be stored in India. Nevertheless, transfer of 'sensitive personal data' shall be subject to conditions laid out in.
• Clause 34: Lays down the conditions for transfer of sensitive personal data outside India.
  
  1. After explicit consent is given by the data principal, transfer may be made if:
     
     1. It is for an intra-group scheme approved by the Authority if rights are protected and the data fiduciary assumes liability for non-compliance.
     2. The Central Government allows such transfer if it finds that such data has had an adequate level of protection and the transfer does not affect the enforcement of laws
     3. Such transfer has been allowed by the Authority for any specific purpose.
  2. Sensitive personal data may be transferred outside India on specified grounds such as:
     
     1. A medical emergency as per S. 12.
     2. Transfer to a country or international organization where the Central Government has concluded that it does not harm the security or strategic interest of India.

End-Notes:

1. KS Puttaswamy v. Union of India, (2017) 10 SCC 641
2. AA 2016, s. 2(u).
3. AA 2016, s. 8(1).
4. AA 2016, s. 8(2)(a).
5. AA 2016, s. 8(3).
6. AA 2016, s. 28(5).