The DNA Technology Regulation Bill, 2019, runs afoul of the right to privacy and will cause “irreversible damage” to individuals’ right to privacy and the criminal justice system given the absence of a privacy law, according to Lok Sabha MP Asaduddin Owaisi. He said that the bill ignores the Supreme Court’s Puttaswamy judgment, and should be introduced after the Personal Data Protection Law is enacted. The Bill itself has gaps around privacy; by retaining profiles in perpetuity and having a inordinately powerful DNA regulator, among other things, Owaisi said.
The Bill, which has been in the making for years now, aims to establish laboratories and DNA data banks to scale the use of DNA profiles in the criminal justice system. Among the core tenets of the Bill are the creation of data banks that will house the DNA profiles of not just convicts, but also undertrials, suspects, missing people, and of samples gathered from crime scenes. The bill proposes the setting up of a DNA Regulatory Board — an evidently government-heavy body — to oversee operations, standardise labs, ensure ethics around privacy and civil liberties, among other functions.
The bill was referred to the Standing Committee on Science and Technology and Environments, Forests, and Climate Change, which is chaired by Congress MP Jairam Ramesh, in October 2019. The Committee submitted its report to Parliament on February 1 (see our summary), recommending several changes.
Owaisi, however, felt the changes recommended were inadequate. In a dissent note he sent to Jairam Ramesh in January 2021 (and again in February), Owaisi said that the Draft Report circulated in September 2020 was “significantly different” from the final report. It was “most regrettable” that the Committee Report retains the “objectionable provisions” of indexing of DNA profiles of non-convicts, especially suspects and undertrials, despite recognising its potential dangers.
In the context of a criminal justice system that disproportionately incarcerates Dalits, Muslims and Adivasis, targeted crimination will be encoded into the law.
It must also be noted that this Bill runs afoul the standards that were set in the Puttaswamy and Subramanian Swamy judgements of the Supreme Court. In the absence of a statutory framework protecting the right to privacy, this bill will cause irreversible damage to individuals’ right to privacy as well as the criminal justice system.
He raised objections to the bill on at least occasions, including the meeting held in October 2019. According to Owaisi, in this meeting, Ramesh was under the impression that the Bill is doing “nothing more than setting up a regulatory body”. Since then, successive draft reports have recognised otherwise, and have incorporated some of Owaisi’s recommendations, he said.
The following are some of the key concerns Owaisi highlighted. In line, are the responses of Jairam Ramesh, and the Department of Biotechnology (DBT), which falls under the Ministry of Science and Technology.
DNA technology is not infallible, not a panacea: Owaisi
DNA is not only used for the detection of crime. It is a unique identifier of a person, and if not recorded or retained in appropriate safeguards, may allow for the identification of a person, and critical information about them. This not only raises concerns about the privacy of individual citizens, but also national security.
DNA technology should not be viewed as panacea to inadequate justice system: The bill and the accompanying statements of the Department of Biotechnology, treats the use of DNA “as critical to reducing trial court pendency and possibly improving convictions”. However, the global experience is “more complex and cannot be simplified”. For example, crimes solved using DNA evidence in the UK actually fell in 2007, despite a large increase in the number of DNA profiles in the system. It’s important that DNA technology “is not projected as a panacea” to the problems of an inadequate criminal justice system.
Not infallible; cannot be treated as definite proof, despite its general reliability. The utility of DNA evidence depends on proper collection, and is also based on interpretations of technically competent and trained personnel. It is essential that technical aspects of DNA profiling are appreciated and accounted for.
In the context of an overburdened criminal justice system with a severe lack of prosecutorial and investigative capacity, expansive powers to access and match DNA profiles can result in severe risks to rule of law and non-arbitrariness.
When the freedom in life of a person is at stake, the answer of the legislation cannot be “as specified by regulations”. It is necessary that standards of collection and maintenance are encoded in statute, and not left to the “wisdom” of regulators or administrators.
Furthermore, the Bill must also incorporate defenses that defendants may claim with respect to DNA evidence. There must be burden of due diligence on the testing agency as well as the DNA Data Bank to ensure the conclusions drawn from the information are not only reliable, but in compliance with highest standards of conduct.
Jairam Ramesh’s response: Ramesh said he “agrees entirely” that DNA identification technology is neither a panacea not infallible. The report underscores this point and talks about reforms in the justice delivery system. The views of experts has been that DNA technology will be a “step forward” for the justice delivery system.
DBT’s response: Chapter IV covers prevention measures to be taken by DNA labs. Every accredited lab will follow quality assurance standards in collection, storage, analysis of DNA sample etc., which are developed by scientific experts. Further, trial courts can direct fresh bodily samples be collected in case of contamination.
Privacy: Need for Personal Data Protection Law, DPA oversight
The bill pays “little heed” to the Puttaswamy judgement, which makes it clear that the protection of personal information is a facet of right to privacy guaranteed in the Constitution, Owaisi said.
The DNA Technology Regulation Bill should not be introduced until the Personal Data Protection Bill is enacted, he said. This bill cannot be viewed “in isolation from other legislative and policy developments”, the most important of which is that “the government continues to collect citizens day private data without a private data protection law”.
An “autonomous and independent remedial process is paramount” for effective privacy protection, and can only happen with an independent regulator such as the Data Protection Authority envisaged in the Personal Data Protection Bill. Even the proposed DPA itself is not “completely independent” and “falls short” of internationally accepted requirements for a regulator independent of the government. The DPA’s lack of independence has been pointed out by Justice Srikrishna, among many other experts, Owaisi said.
Data Protection Authority should have oversight over DNA Data Bank and labs: The Data Protection Authority should be empowered to review the working of the DNA data bank and the law’s operation. It should have powers to identify lapses, recommend course corrections and audit the working of the DNA laboratories and the DNA data bank. “Citizens should have the right to statutory remedies in case they find that their DNA data was collected, stored, or shared unlawfully. It is not possible to entrust the DNA Data Bank without any independent oversight,” he said.
Jairam Ramesh’s response
- Regarding Board’s independence: The report changes provisions for the Board “drastically” to make it “independent and professional”.
- Regarding Puttaswamy: Opinion on whether the bill falls foul of the Puttaswamy judgment is “divided in the larger legal fraternity”. Some jurists (consulted by the Committee) agree with Owaisi’s view, while others don’t. It is ultimately for the Parliament to take a position. The Report provides for safeguards to ensure privacy is not violated “wantonly and egregiously”; and more safeguards should “certainly” be considered “as we gain further experience with the use of technology”.
- Bringing in the Personal Data Protection Law first: “Frankly, I do not see the connection since the Bill deals with as different universe of data.”
- On DPA oversight over DNA Regulatory Board: Ramesh said he “strongly disagrees” with this view; “the oversight should be as in the case of other regulators. One regulator cannot oversee another.”
DBT’s response on privacy: The Bill does not infringe on privacy, subject to the legally permissible balance between privacy and law and order maintenance / national security. DNA samples will not be obtained without informed consent.
Indefinite retention of DNA profiles is a privacy violation
Section 31 of the bill effectively retains data indefinitely because it is “preconditioned on police reports or court orders”. Getting the DNA profile of someone who is not an offender, suspect, or undertrial, from the database would require an application. India has a wide gap between arrests and convictions, said Owaisi.
The indefinite detention of personal information, conditional on court orders, violates the principle of privacy and control over personal information. Therefore, the database is likely to be lopsided and consist of people who are presumed to be innocent in the eyes of the law. In such a case, there is no constitutional justification to include their data in a database or index.
Furthermore, there is no clarity as to the retention of DNA for purposes other than criminal investigations or prosecutions. Although the law permits its use in other areas, including many civil disputes. With the DNA collector in such cases also be retained in the DNA data bank? if yes will it be indexed? If yes under which index? It is recommended that DNA data banks for both criminal and civil purposes be separated, and different attention and intimation policies be adopted for both.
DBT’s response: The categories under which the data will be maintained have been covered under Clause 28(1). Data will only be retained under Crime Scene Index and not for other categories of individuals.
Suspects, undertrials index likely to violate individual privacy and enable surveillance: The inclusion of data from crime scenes, suspects and undertrials is bound to result in two separate violations of the right to privacy. First, it may result in the violation of an individual right to privacy, and second, it can enable widespread surveillance and targeted discrimination of certain groups. All references to indices pertaining to suspects undertrials victims and relatives should be removed from the bill.
Excessive powers of DNA regulatory board
The Subramaniam Swamy judgment, argued Owaisi, clarifies that excessive delegation of legislative powers to a statutory authority or agency would make the law susceptible to being struck down.
This particular bill delegates the key function of providing procedural and substantive safeguards to the DNA regulatory board. This is reflected in the vast powers the DNA Regulatory Board has been given in Section 59 of the proposed bill.
Urgent steps should be taken to bring in substantive safeguards around collection, transfer, contamination, and matching of DNA. The revised draft must prevent excessive and undue delegation of the Board’s powers and functions.
The manner in which data is retained, shared, and controlled must be a matter that Parliament must be concerned with. Within the framework of the Puttaswamy judgment, it is not possible to envisage a situation where use of such critical data is managed and controlled by a mere statutory body.
DBT’s response: The bill’s general provisions have been framed in consultation with the Law Ministry and Law Commission; all necessary clauses are based on existing judgments and provisions in existing laws. Procedural details will be covered under rules and regulations.
Need for safeguards around DNA database
The Bill’s key proposal of setting up a national database of DNA profiles is not accompanied by any stringent statutory safeguards. “In a world that increasingly sees personal data as an extension of the person, such an arbitrary legislation would not be acceptable. Besides patently risking a citizen’s security and impinging on their privacy, this proposal also puts India’s national security at risk,” Owaisi said.
Expenditure has been under-estimated: Expenses around lawful and ethical use of DNA requires widespread training (of prosecutors, investigators and even trial court judges) and construction of infrastructure.
By the Ministry’s own admissions, we currently do not have the capacity to undertake such a mammoth task. Therefore, the financial memorandum citing [Rs.] 20 crores as a total amount required to operationalize the law deserves serious scrutiny.
DNA information should be siloed: Stringent safeguards and oversight mechanisms need to be brought in to ensure that critical information is silo’d from other databases containing identifiable information of people.
For instance, the Centre for DNA Fingerprinting and Diagnostics [CDFD] collects the case identity of suspects. In such a context, the use of DNA profiling for incidence and casteist purposes cannot be taken lightly.
In this revised dissent note of February 1, Owaisi said his concern around caste profiling “is not limited to current practices adopted by CDFD alone but potential misuse in the future as well”.
Ramesh’s response on absence of safeguards: He said this was a “little unfair”: as the Report has “gone out of its way to propose safeguards”. “But yes, potential misuse is not an imaginary fear – but that is true of any legislation. Does it mean that we should not have legislation? The challenges before us is have a law that will minimize potential for abuse through adequate and explicit safeguards which has been included in the report”, Ramesh added.
- On safeguards to DNA database: Chapters VI covers security and confidentiality, is restricts access to information in crime scene index and prohibits access to information in DNA Data Bank, among other things.
- On financial memo: “The projected cost is for setting up of Secretariat and infrastructure for Data Banks and indices. This is only for buildings and servers. However, the details cost of generating the DNA profiles will be charged to the agencies who forward the sample for analysis.”
- Caste: The CDFD earlier used to collect caste identity with the justification that the “[one world illegible] frequencies are collected from ethnic/social/caste sample sets. Based on their [illegible] frequencies, population genetic principles are applied to infer how reasonable it is that a random, unrelated individual could have contributed to the DNA profile”. Caste has been removed from the Identification Form and only name of the population and population to be used for analysis of DNA profiling data.