Monday, November 28, 2022

Guest Post - A Critique of the CPIA and its Rules

(This is a guest post by Ananya Tangri and Priyansh Dixit)

Recently, the Criminal Identification Rules 2022 (‘the Rules’) came into force. As is the case with the primary legislation, the Criminal Identification Act 2022 (‘the Act’), the Rules are riddled with issues. One such issue is the provisions in the rules concerning the destruction of collected data, provided under Section 5 of the Rules. The specific issue of the destruction of data is also present in the Act. The existing writing has focused mainly on what would sequentially come before the destruction of data; that is, the collection and processing of data. But with the act coming into effect and the rules getting issues, the issue of destructing collected data attains immense importance, since it directly impacts the right of individuals to get their data out of the government’s system. For these reasons, this article focuses on the provisions provided for the destruction of data under the Act and the Rules.

We make two primary claims. First, absence of a provision for destruction of data collected under Section 5 of the Act is a gross error and is contrary to fundamental principles of privacy and data protection. Second, the existing mechanism provided in the Rules is unconstitutional, inadequate, and has negative policy implications. 

Loopholes in the Section 5 Mechanism for Persons Incidental to Crime
The proviso of Section 4(2) of the Act allows destruction of measurements taken under the Act. The proviso suggests that it covers persons who have (i) not been previously convicted of any offence which warrants imprisonment, (ii) had their measurements taken according to the provisions of the Act, (iii) been “released without trial or discharged or acquitted by the court” and (iv) has exhausted all legal remedies of appeal etc. These appear to be conjunctive requirements, meaning all need to be satisfied for an appeal to be possible for destruction of data. This suggests that only data of the following persons can be destroyed: who have been accused of crimes and subsequently “released without trial or discharged or acquitted by the court” are covered under the proviso. 

However, this seems to leave out an important class of people who may never be prosecuted in the first place and have their measurements taken under Section 5 by orders of a Magistrate. Even if we assume that this interpretation is the result of an oversight, and allow for a more liberal interpretation, the alternate conclusion we are left with remains problematic. One may argue that the phrase “measurements taken according to the provisions of the Act” may cover such people. But even so, the proviso would still need an accused whose innocence is established. There would still seem no way for such persons to have their measurements destroyed from the database if the accused is ultimately convicted of the offence. 

Additionally, if the proviso is blindly extended to persons under Section 5, that would amount to treating the measurements of persons accused of the crime in the same way as persons incidental to the crime. This is fundamentally wrong because persons accused of a crime versus those incidental to it are necessarily two different classes of persons and must be treated differently. The deletion and storage of their data must be governed by different provisions. 

No matter which way you look at it, the Act in failing to independently deal with persons incidental to crime in respect of data deletion is a serious flaw and not mere legislative oversight that can be rectified by a clever interpretation of the text. 

The Framework under the Rules is Unconstitutional
The data destruction mechanism is provided under sub-clauses (4) and (5) of Rule 5. Sub-clause 4 states that the procedure for destruction would be specified in the Standard Operating Procedure (‘SOP’), to be issued by the NCRB. Sub-clause 5 explains that individuals would have to make a ‘request’ to a Nodal Officer (nominated by either the State government, the Central government, or the administration of the Union Territory) for the destruction of the data. This officer would ‘recommend’ the request to the NCRB, after verifying that the samples are not linked with other criminal cases. Both these clauses have serious issues (which have been discussed elsewhere), in impermissibly sub-delegating power and placing the burden on data deletion upon individuals and not the state. 

The Act itself has issues of sub-delegation. In respect of the Rules, though, the issue is slightly different. It concerns a further devolution of powers to the NCRB. Notably, such further delegation has been barred by the Supreme Court in on many an occasion on the basis that if a task which is delegated to an agency by the legislature is further delegated, it violates the trust that the legislature reposed in the agency. In the instant case, the legislature has put that trust into the central and state governments under Section 8 by enabling them to create rules for the act. Note that the function of delegated legislation is so that a certain policy can be made functional. Thus, it is the duty of the centre and the state to make adequate procedures for the destruction of data. They cannot delegate this duty further. 

Placing the burden upon individuals for data deletion is problematic on three fronts. Firstly, it imposes an unreasonable burden on individuals. In K.S. Puttaswamy, it was held that individuals have a fundamental right to their data. It was also noted in the case that no right must be abridged more than what is necessary to achieve the state’s legitimate aims. The burden is on the state to ensure that the infringement of the right is properly tailored to ensure such minimum infringement. The state, by putting the burden on individuals to ensure that their data is destroyed, is foregoing their responsibility to ensure that their infringement is minimal. Secondly, it inhibits the ability of people to secure the right to their data. If everyone must request their data to be deleted, which in turn would go through the complicated process of requests transferring from the nodal officers to the different executives, there would be an unnecessary lag in the process. Given the slow state of Indian bureaucracy, it would certainly put the common person in peril. This would indirectly disincentivise individuals from taking steps to secure their fundamental right to get their data destroyed. Thirdly, the interference that is created by such action is disproportionate. In Marper, it was held that the police power to “indiscriminately retain data” was disproportionate after an individual has been acquitted. This implies that the police cannot unconditionally retain data after the basis of their justification, the status of the individual as an accused, has been dissolved.

Conclusion
Through this post, we have highlighted two sets of problems with the Act and the Rules. Firstly, it shows that an entire set of persons have been left out of the framework altogether when it comes to data deletion under the law. And, secondly, the Rules appear to be unconstitutional and resultantly render the entire system of the law susceptible to being struck down altogether.

No comments:

Post a Comment