Criminal Procedure (Identification) Act : An Attack on Individual Rights, Liberty and Privacy

In early April this year, the Criminal Procedure (Identification) Bill was passed by both houses of the parliament and has subsequently become a piece of law that will be enforced. This Act, which we will refer to as CPIA in this article, is the latest in a long list of draconian legislations designed to allow the state to target and surveil citizens. The provisions of this Act are an attack on individual privacy, on the right to a dignified existence, and on the right to not be discriminated. The CPIA is a modification, and one could argue an extension in scope and range, of the colonial era Identification of Prisoners’ Act 1920. It allows authorities to collect, store and analyse biometric, biological and personal data of anyone who is arrested. It also allows such data to be collected from a person against whom there is a presumption that they may commit a criminal act in future. Therefore, the CPIA is designed not just to help authorities with current investigations, but also to build a system of criminal profiling. This means that a wide variety of personal data – fingerprints, footprints, signatures, handwriting samples, blood, semen, hair samples and swabs – can now be routinely and legally collected, stored and used by authorities.

Attack on Individual Rights, Liberty and Privacy

The CPIA poses several challenges to rights and liberty provided by and defended by the Indian constitution. To begin with, the constitution provides an individual the right against self-incrimination. In other words, it is a key judicial principle in the Indian legal framework that no individual should be forced to be a witness against themselves, no one should be coerced to provide evidence against themselves. The CPIA violates this constitutionally protected right.  The CPIA severely curtails the right of an individual, who is arrested, to refuse to handover the personal data to the authorities; barring certain exceptions, this refusal is deemed as a criminal offence in itself. The Act essentially states that authorities will not face any consequences when they resort to any action to collect personal data, and therefore coercive, and previously suspect actions by authorities now have the backing of the law. Moreover, no reasons have to be stated before an order to collect biological and biometric samples is passed. For example, if a person participates in a protest and is arrested for doing so (an unfortunately routine occurrence these days), their DNA samples can be collected, stored and used for analysis as well as future targeting without any specific rationale being offered to justify the collection of samples. In fact, if a Magistrate deems it appropriate, data can be collected from any person, even if not arrested, if it “helps” an ongoing investigation.

The nature of samples that can be collected under the ambit of this Act makes this legislation particularly dangerous. This Act was introduced to expand the scope of its predecessor, the Identification of Prisoners’ Act, 1920. CPIA keeps the definition of “biological samples” vague, and therefore, the Act could also open up the doors to legalization of coercive narco analysis and brain mapping. These procedures, questionable and dubious as they are, have correctly been critiqued the world over for their lack of accuracy and for the damage they can cause to the very idea of evidence and a fair trial. And now, the CPIA, without saying so explicitly, allows for such data to enter the investigative procedures followed in the country.

The right to privacy, another constitutionally protected right, is also under attack from the CPIA. The Act allows personal data collected under its ambit to be stored in the archive of the National Crime Records Bureau for 75 years. Given the fact that India does not have a strong data protection framework in place (the Data Protection Bill in its current format has several loopholes, and even if passed is not a robust guarantor of individual privacy), this opens up the space for substantial sharing and misuse of personal data by a variety of state and even non-state actors. The CPIA does not really provide a substantial and effective “right to be forgotten”, even if one were to be fully acquitted and discharged. In other words, authorities could use their “discretionary” powers to not just collect and use all sorts of intrusive personal data from an innocent person, but also to prevent this person from getting this data removed from public databases.

Difference from the 1920 Legislation

In response to the opposition to CPIA, the government has been arguing that the new legislation is merely a necessary modification of the previous 1920 legislation, a modification necessitated by the emergence of new technologies. It is, therefore, necessary to understand the nature of the difference between the two legislations. As the PRS Legislative Research states, CPIA expands “(i) the type of data that may be collected, (ii) persons from whom such data may be collected, and (iii) the authority that may authorise such collection.  It also provides for the data to be stored in a central database” (

The new CPIA essentially arms the state with more coercive tools to intimidate, harass and punish citizens. It is an assault on individual rights and can also lead to a highly problematic regime of criminal profiling of entire sections of the population – of the poor, of the marginalised, of those deemed by the state to be ‘troublemakers’.