The Rise of Facial Recognition in India: Balancing Innovation, Privacy, and Legal Compliance in India

Published On: October 4th 2025

Authored By: Sri Durga O
Government Law College, Tirunelveli

Abstract 

This paper explores the growing use of facial recognition technology (FRT) in India, examining its applications, benefits, and the legal and privacy challenges it presents. With rapid market growth and increased adoption across sectors like security, banking and retail, FRT offers improved efficiency and safety. However, concerns about data privacy, surveillance, and human rights have sparked important debates. The paper analyzes India’s current regulatory framework, including recent legislation like the Digital Personal Data Protection Act, and compares it to international standards such as the GDPR. Finally, it highlights the need for balanced policies that protect individual rights while enabling technological advancement.

Introduction

Facial Recognition Technology is rapidly becoming an important part of India’s digital landscape. Valued at around USD 382.5 million in 2024, the market is expected to more than double by 2033, growing at a steady pace of 9.4% annually. This growth is driven by innovative solutions in sectors like security, identity verification, and process automation. At its core, FRT uses biometric software to analyze unique facial features through steps like image capturing, detection, and feature extraction. While this technology is often used to enhance safety and prevent crime, its ability to enable large-scale surveillance raises important questions about privacy and regulation.

The rise of Facial Recognition in India

 In India, facial recognition technology is increasingly being deployed across sectors such as airports, banking and the retail industry.

a. Facial Recognition in the Indian Banking Sector 

In India, the banking sector operates under a framework of regulations issued by the Reserve Bank of India (RBI) as well as various consumer protection and data privacy laws. While each of these rules addresses specific aspects of banking operations, they share a common requirement: safeguarding customer data and maintaining confidentiality. Given the sector’s exposure to risks such as identity theft, account takeover and financial fraud, banks are exploring facial recognition technology as a secure method of verifying customer identity. This technology can be applied across multiple touchpoints, including physical branches, automated teller machines (ATMs), and digital banking platforms, to confirm that the person accessing the service is the legitimate account holder.

b. Facial Recognition in the Retail Industry

Similar to its use in banking, facial recognition technology is finding multiple applications in the retail sector. It can enable frictionless payments, where a customer’s face is linked to their payment method, as seen in the Amazon Go stores in the United States. In India, companies such as Paytm and Reliance Retail have piloted face-authentication systems for payments and customer identification. Some retailers also use it to recognise high-value or repeat customers, allowing staff to offer a more personalised shopping experience.

For employees, facial recognition can enhance workplace security by requiring biometric authentication at cash registers or points-of-sale. It can also be integrated into attendance systems, preventing “buddy punching”, where one employee clocks in on behalf of another. Beyond security, it offers a fully contactless and hygienic method of recording attendance, a consideration that has gained importance in the post-pandemic era.

c. Facial Recognition at Airports

International travel often comes with the frustration of long queues at immigration and security checkpoints, especially during peak holiday seasons. In India, initiatives such as the government’s DigiYatra programme aim to address this by using facial recognition to speed up passenger processing.

Instead of repeated manual checks by immigration officers, passengers can place their boarding pass on a scanner, look into a camera, and have their identity verified within seconds. This automation not only reduces waiting times but also improves accuracy in identity matching. Beyond passenger convenience, such systems help authorities strengthen border security by flagging individuals on watchlists, preventing suspected criminals from leaving the country, and identifying those attempting to enter unlawfully.

Legal & Regulatory Landscape in India

The Justice K.S. Puttaswamy vs Union of India [3] decision shaped India’s Personal Data Protection Bill (PDPB), drawing also from the EU’s GDPR and the UK’s Data Protection Act 2018. The case arose partly because citizens had little choice but to enrol in Aadhaar to access many government services. The Supreme Court upheld Aadhaar’s validity but struck down provisions making it mandatory [4] for most services, affirming privacy as a fundamental right. These developments directly influenced the privacy safeguards in the PDPB 2019.

a. The Personal Data Protection Bill 2019 and its GDPR Influence

Privacy Protections

Modelled in part on the European Union’s General Data Protection Regulation (GDPR), India’s Personal Data Protection Bill (PDPB) 2019 lays down strict requirements for handling personal data. It proposes the creation of a Data Protection Authority to oversee compliance and hold organisations accountable. Provisions such as appointing dedicated data protection officers and requiring foreign companies to maintain a local point of contact reflect a proactive regulatory approach. While the Bill’s emphasis on “Privacy by design” is notable, its success will depend on finding the right balance between protecting individuals’ privacy and avoiding excessive compliance burdens on businesses.

b. Information Technology (Amendment) Act 2008 

The Information Technology (Amendment) Act 2008 provides only a broad and somewhat unclear legal basis for the use of Facial Recognition Technology (FRT) in India. Given its generic nature, it is debatable whether the Act is equipped to address the specific privacy and governance issues that FRT raises.

The Act defines “data” as a structured representation of facts, knowledge, or instructions designed for processing in computer systems or networks, and it recognises formats ranging from printouts and magnetic storage to optical media and even data stored in memory. “Information” is defined even more broadly, encompassing data, text, images, voice, software, and databases. These definitions give the state a wide scope to monitor computer systems and compile databases from collected information. However, Section 69B(8) imposes limits on the retention of such records.

From a legal standpoint, the state could argue that FRT falls under the surveillance powers granted by the IT Act, but such an interpretation stretches the intended meaning of activities like interception and decryption, where facial recognition does not naturally fit. Following the Supreme Court’s decision in Justice K.S. Puttaswamy (Retd.) v Union of India, any intrusion into privacy must have a clear legislative mandate. While the IT Act might be presented as that mandate, its application to FRT remains questionable.

India is still in the early stages of building a dedicated regulatory framework for FRT, which raises concerns about accountability, governance, and redressal mechanisms.

Impact on Privacy

Privacy is a fundamental human right recognized globally, linked closely to freedoms like expression and association. In the digital age, protecting privacy has become increasingly urgent due to rapid technological advances that allow massive collection and analysis of personal data across sectors such as healthcare, finance, and telecommunications. Surveillance technologies originally developed for military use are now widely employed by law enforcement and private companies, raising growing public concern about privacy violations. Many countries have responded with stronger data protection laws, though worries remain about these tools being used in countries with weak legal safeguards.

Privacy Concerns in Facial Recognition Technology (FRT)

Many facial recognition systems gather images from online sources, often without consent from individuals, as seen in cases like Clearview AI. This practice raises serious privacy issues and questions about the fairness and accuracy of the data collected. Real-time facial recognition also poses challenges, including prolonged data retention, use of data beyond original purposes, and limited options for individuals to opt out. These issues create important legal and ethical concerns about government access and use of personal biometric information.

Case Studies & Real-World Examples

During the COVID-19 pandemic, facial recognition technology was used in India to support public safety:

  • The Technology Development Board backed projects that identify people even while wearing masks.
  • Pune police launched an app requiring quarantined people to send selfies verified by facial recognition and location tracking.
  • Telangana plans to switch from biometric attendance to facial recognition, sparking private sector interest. Mask-wearing, however, raises accuracy concerns, and firms await government guidelines. [15]

Regulatory Gaps and Challenges

a. The Digital Personal Data Protection Act (DPDP) 2023

The Digital Personal Data Protection Act (DPDP) 2023 is India’s latest step toward regulating digital data, including facial recognition technology. Although it marks progress by setting legal grounds for processing personal data, defining individuals’ rights, and establishing a Data Protection Board, the law is not yet fully active. Its implementation depends on the government notifying an effective date.

Unlike GDPR, the DPDP Act does not specify a transitional period, giving the government broad power over when different sections come into force. The Data Protection Board will have authority to investigate violations and impose penalties but lacks rule-making or advisory powers. This leaves gaps in clear, enforceable regulations around FRT use, raising concerns about accountability, data privacy, and protection of individual rights as technology advances.

b. Comparing the DPDP Act and GDPR

The DPDP Act is built on principles similar to the GDPR, categorizing key players as data fiduciaries, processors, and data principals. However, unlike GDPR’s broad protections, the DPDP only covers personal data that identifies an individual, excluding data used for personal or household purposes and aggregated research data—potential loopholes in protection. Both laws apply to data processed within their territories and related to services offered, but the DPDP’s reach is more limited internationally, missing overseas entities tracking Indian users.

Unlike GDPR’s special category for sensitive data, the DPDP treats all digital personal data the same, which may simplify compliance but weakens protections for sensitive information. The DPDP introduces terms like “data principal” (similar to GDPR’s “data subject”) and “data fiduciary” [20] (similar to “data controller”), but its broad definition of fiduciaries—covering public and private bodies alike—could cause confusion and may need future clarification. Overall, while the DPDP expands beyond older Indian laws like the IT Act, it still falls short of GDPR’s detailed safeguards and global scope.

Suggestions

  • Purpose Limitation: Data should only be collected and used for clear, specific reasons to prevent misuse.
  • Regulation and Oversight: Independent bodies must monitor data use, access, and storage, ensuring transparency and impact assessments for FRT.
  • Citizen Oversight: Public involvement in surveillance oversight can boost accountability and trust, similar to practices in some U.S. cities requiring government approval and regular reporting.

Conclusion 

In conclusion, FRT is transforming many aspects of life in India, from security to convenience. While the technology offers clear benefits, it also brings significant challenges, especially around privacy and human rights. As the use of FRT expands, it is crucial that laws and regulations keep pace to protect individuals and ensure technology is used responsibly. Finding the right balance between innovation and safeguarding personal freedoms will be key to making the most of facial recognition while respecting the rights of all citizens.

References

[1] Reserve Bank of India, Master Direction – Know Your Customer (KYC) Direction, 2016 RBI/DBR/2015-16/18 (updated 2 January 2023) https://www.rbi.org.in accessed 10 August 2025.

[2] ‘India expands airport facial recognition amid surveillance fears’, Financial Times (Online, 30 July 2024) https://www.ft.com/content/f1ba12ac-fe1d-4a51-b2e7-077f392115a7 accessed 10 August 2025.

[3] Justice K.S. Puttaswamy vs Union of India, Supreme Court of India (2017) 10 SCC 1 547

[4] Vanya Rakesh, ‘Aadhaar Act and Its Non Compliance with Data Protection Law in India – the Centre for Internet and Society’ (cis-india.org, 14 April 2016) https://cis-india.org/internet – governance/blog/aadhare-act- and-its-non-compliance-with-data-protection-law-in-india#:~:text = purpose%20 Limitation&text=Section%2029of20of%20the%20Act accessed 8 August 2025.

[5] Information Technology (Amendment) Act, 2008

[6] Elonnai Hickok and others, ‘Facial Recognition Technology in India – the Centre for Internet and Society’ (cis-india.org, 31 August 2021) accessed 8 August 2025

[7] Information Technology (Amendment) Act, 2008

[8] Elonnai Hickok and others, ‘Facial Recognition Technology in India – the Centre for Internet and Society’ (cis-india.org, 31 August 2021) accessed 8 August 2025

[9] Global Internet Liberty Campaign, Privacy and Human Rights: An International Survey of Privacy Laws and Practices (1998) https://gilc.org/privacy/survey/ accessed 7 August 2025

[10] Kashmir Hill, ‘The Secretive Company That Might End Privacy as We Know It’ The New York Times (18 January 2020) accessed 7 August 2025

[11] ‘Clearview AI fined 30.5 million by Dutch regulator for GDPR violation’ The Verge (3 September 2024) accessed 7 August 2025

[12] Singn.J. ‘AI based solution Amongst 6 COVID-19 Projects receive Government Support’ (2020) NDTV Gadgets 360 https://gadgets.ndtv.com/science/news/technology-development -covid-19-coronavirus-tech- projects-approval-facial-recognition-2232056 accessed 5 August 2025

[13] The Indian Express, ‘Pune Police Use Drones to Track Home-Quarantined Persons’ (29 March 2020) accessed 5 August 2025.

[14] Telangana Today, ‘Telangana Government Plans to Replace Biometric Attendance with Facial Recognition Post-COVID-19’ (2020)

[15] The Digital Personal Data Protection Act (DPDP) 2023 https://www.meity.gov.in/writeraddata/files/digital%20Personal%20Data%20Publication%20Act%202023.pdf accessed 7 August 2025

[16] Deepa Christopher, Anindita Dutta and Aanchal Kabra, ‘India – the Digital Personal Data Protection Act 2023 Finally Arrives’ accessed 7 August 2025

[17] Digital Personal Data Protection Act 2023, s 2(j)
