~By Abhinav Sekhri
The Criminal Procedure Identification Act, 2002 [“CPIA”] was passed this April amidst significant criticism [see, for instance, here, here and here]. The issues identified with this law were across a wide spectrum — the attack on the right to privacy, the uncertain status of the forensic ‘science’ at play, the lack of clarity in terms of implementation. Some of these concerns, it was assumed, would be addressed by way of Rules (ignoring whether or not such delegation of statutory functions to rules was legal). Now, on September 19, 2022, the Government of India has notified Rules under the CPIA, laying down the framework for implementing this statute.
This post does not re-agitate the issues on forensic science aspects or the mechanics of why some people (myself included) consider the CPIA to be a serious assault on privacy (where the Rules in fact compound problems by making data deletion more tedious and opaque). What I am interested in here is focusing on how the CPIA has, according to my preliminary reading at least, has placed the National Crime Records Bureau [“NCRB”] at the heart of how identification of persons will work henceforth in the criminal justice system.
This post first gives a brief about what the NCRB is, it then explains its place of prominence in the CPIA regime, and argues that vesting such responsibilities with the NCRB is a problem and seriously worrying from a privacy perspective.
NCRB — A Brief History
Most people hear of the NCRB only once every year when the annual crime statistics are published. Both the statistics and the organisation responsible for curating these promptly leave the public consciousness after this annual event. Which is why it may be interesting to learn a little about its history, helpfully provided on the NCRB website.
While annual crime statistics have been running since the mid 1950s, the NCRB was only established in 1985 and it is not a statutory body. Instead, its moment of creation can be traced to a gazette dated 10.03.1985 carrying a “Resolution” of the Union Ministry of Home Affairs (pursuant to a draft). The Resolution notes that the Union Government accepted a resolution of the National Police Commission “in regard to setting up of the National Crime Records Bureau at the Centre and Creation of State Crimes Records Bureaux and the District Crime Records Bureaux in the States by the State Governments.” It further states that the “President has been pleased to constitute the National Crime Records Bureau” which will be “an attached office of the Ministry of Home Affairs“.
Various existing offices were to be merged with the newly-formed NCRB, which was tasked with the following objectives:
- To function as a clearing house of information on crime and criminals including those operating at national and international levels so as to assist the investigators, and others in linking crimes to their perpetrators;
- To store, coordinate and disseminate information on inter-state and international criminals from and to respective states, national investigating agencies, courts and prosecutors in india without having to refer to the police station records;
- To collect and process crime statistics at the national level;
- To receive from and supply data to penal and correctional agencies for their tasks of rehabilitation of criminals, their remand, parole, premature release etc.
- To coordinate, guide and assist the functioning of the State Crime Records Bureaux;
- To provide training facilities to personnel of the Crime Records Bureaux; and
- To evaluate, develop and modernise Crime Records Bureaux.
These objectives suggest that the NCRB has not been envisioned as discharging any active role in police investigations, and nor was it ever given the responsibility of being a primary source of information. The information-sharing for active cases was specifically worded to cover sharing information pertaining to “criminals” and did not imagine a role for NCRB in the day-to-day running of a criminal investigation at all. It appears to have been imagined, arguably, as an institution meant to ease information flows across the various investigating agencies, courts, as well as the public.
The NCRB in the CPIA Regime
Section 4 of the CPIA went where no law had gone before and directly makes the NCRB responsible for: (a) collection of the record of measurements, (b) storage, preservation, and destruction of such records at the national level, (c) processing such records with criminal records, and (d) sharing such records with law enforcement agencies. It appears to be the first time that an act of parliament has conferred powers of any nature on to the NCRB.
Why is this worrying? Simply put, because the CPIA authorises housing sensitive personal data with an attached office of the Ministry of Home Affairs that has no independent legal existence save a resolution passed by the government. Which necessarily means that there is no statutory safeguard for the enormous data which will now come to be with the NCRB in terms of its storage, processing, sharing or deletion; we will not know where this data is, who is using it, and how it is stored. And nothing can stop the government from passing yet another resolution, without any accountability of debate or discussion in parliament, simply removing the NCRB and declaring that information stored by it will remain in the ministry, at some unclear place.
The closest analogy in terms of having an authority which deals with sensitive personal data of the kinds that the NCRB will get access to is the proposed regime created under the DNA Technology (Use and Application) Bill. It is not without its problems, but at least that regime has a clear statutory basis outlining who the authority is, where and how it stores data, and who is accountable if there is a breach (well, sort of). Empowering an institution to deal with sensitive personal data that owes its existence to little more than a government resolution is as obvious an affront to the requirement of having a legal basis for enacting a regime that infringes the right to privacy as any. It is oddly reminiscent of the early days of Aadhaar and how from 2009 and 2016 the entire program operated basis notifications without a law to anchor the regime. The similarities have been heightened owing to the way in which the Rules envisage the NCRB as providing the function of “matching” samples with identities (more below).
Which brings us to the second, related problem. Section 4 of the CPIA provides that the manner of discharging responsibilities vested with the NCRB would be prescribed by Rules. In a sense, this clause leaves the possibility for at least the processes to be regulated by institutions or actors governed by statute, especially the actual task of identifying persons. What have the Rules done, you ask? Rather than actually prescribing the manner in which the NCRB will do things, as the section had said, the Rules simply tell us that all of this will be decided by the NCRB itself later, through a “Standard Operating Procedure” that it is supposed to publish. On top of which, Rule 5(3) says that the task of actually matching the records will be done by the NCRB itself.
If the government giving up its job of creating a law to regulate collection, storage, and processing of sensitive personal data wasn’t bad enough, the Rules have compounded that abdication of responsibility by failing to offer any oversight to the process altogether. The NCRB—that mighty attached office of the Ministry established pursuant to resolutions—will decide how agencies will collect data for the purposes of digital comparisons, how it will be stored, processed, shared, and deleted, including prescribing the IT systems which will be used for all this.
Amidst all this, the very task of doing the identification has also been given to the NCRB by Rule 5(3). At one level it is similar to how currently a request for matching samples is sent to the forensic expert. But without getting into the issue of whether NCRB actually possesses expertise to carry out the task of comparison, the difference in the CPIA model of identification is that it is not being done on a case to case basis but it runs a sample against a database, thereby increasing the chances of false matches tremendously especially since forensic sciences are by design inexact and imperfect (There are such databases in operation, such as one for the comparison of fingerprints and are susceptible to this issue).
What would help counter such problems would be having an independent agency prescribe standards for data collection, processing and giving results of ‘matching’, or at least sign off to affirm their legitimacy. Which brings us back full-circle to Section 4 of the CPIA putting out that thought, but the Rules failing to implement it and leaving the NCRB to act as judge, jury, and executioner.
Rather than solve problems that the CPIA created, the Rules have essentially kicked the can further down the road and created new problems in the process (above and beyond what has been identified here).
Should laws be passed to help improve policing and criminal investigations? Absolutely. Does that mean all laws that are passed with that purported objective should avoid any sort of scrutiny altogether? Absolutely not. The CPIA touches upon ideas and approaches that are in vogue the world over which rely on “databasing” as an investigating tool where entire groups of people are permanently under suspicion. They are extremely undesirable, if you wanted my opinion, but are nearly inescapable today.
What the CPIA does, in a sense, is to have an Aadhaar style system in place in the context of criminal investigations where the NCRB will do what the UIDAI is doing. The inspiration has been so strong, that the government again opted to make a non-statutory body responsible for the entire data collection and processing exercise, and on this limited point itself the CPIA regime must be brought to halt as soon as possible before we have yet another fait accompli on our hands.
There are obviously many arguments to make in respect of the problems with the kind of database that the CPIA is creating, for that we keep our powder dry.
[The author is a criminal lawyer based in New Delhi. This article first appeared on his blog, ‘The Proof of Guilt’]