Introduction

Technology has revolutionized policing, enabling advanced surveillance, digital forensics, and predictive analytics. Yet, these tools raise deep concerns about civil liberties and constitutional safeguards. India’s legal regime—anchored in the Information Technology Act, 2000, and the Indian Telegraph Act, 1885—provides broad investigatory powers but weak privacy protections. With the Digital Personal Data Protection Act, 2023, and the landmark ruling in Justice K.S. Puttaswamy v. Union of India (2017), the balance between security and privacy has become a defining legal issue of our time.

I. Digital Forensics and the Law of Electronic Evidence

Digital forensics involves the identification, preservation, and analysis of electronic data for use in legal proceedings. The Information Technology Act, 2000, and the Indian Evidence Act, 1872, form the legislative foundation for electronic evidence. Section 65B of the Evidence Act requires certification of electronic records. In Anvar P.V. v. P.K. Basheer (2014), the Supreme Court made this certificate mandatory for admissibility. This was reaffirmed in Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal (2020), which carved narrow exceptions where the device is in court custody.

Forensic laboratories—Central and State Forensic Science Laboratories (CFSLs/SFSLs)—operate under the Ministry of Home Affairs. Section 79A of the IT Act designates Examiners of Electronic Evidence as expert authorities. However, inconsistent standards for data integrity and delays in MLAT-based evidence collection weaken investigations. Tools like Cellebrite for mobile extraction raise constitutional concerns about self-incrimination under Article 20(3). In Selvi v. State of Karnataka (2010), the Supreme Court restricted involuntary extraction of personal data, emphasizing informed consent and due process.

II. Surveillance and Interception Frameworks

India’s surveillance powers derive from Section 5(2) of the Indian Telegraph Act, 1885, and Section 69 of the IT Act, 2000. These laws authorize interception in the interests of sovereignty, integrity, and public order, subject to executive approval. Rule 419A of the Telegraph Rules requires authorization by the Union or State Home Secretary and a review committee within seven days. However, judicial oversight remains absent.

In People’s Union for Civil Liberties v. Union of India (1997), the Supreme Court upheld interception powers but required procedural safeguards. Despite this, systems like the Central Monitoring System (CMS), NATGRID, and the Automated Facial Recognition System (AFRS) operate without legislative authorization. This creates friction with the Puttaswamy proportionality test, which demands legality, necessity, and proportionality.

III. Data Retention and Forensic Data Governance

Data retention laws in India vary by sector. Telecom providers retain call data records for two years under licensing rules, while intermediaries must preserve data for 180 days under the IT Rules, 2021. CERT-In Directions (2022) require VPNs and cloud service providers to store logs for five years. These mandates, though aimed at crime prevention, raise privacy concerns and conflict with data minimization principles under the Digital Personal Data Protection Act, 2023.

In Digital Rights Ireland (2014), the European Court of Justice invalidated blanket data retention as disproportionate. A similar proportionality framework may evolve in India to balance policing efficiency with privacy rights.

IV. Privacy and Constitutional Safeguards

Justice K.S. Puttaswamy v. Union of India (2017) recognized privacy as a fundamental right under Articles 14, 19, and 21. The Court articulated a proportionality test requiring legality, necessity, and proportionality for any intrusion. Surveillance and data retention measures must comply with these principles.

The Digital Personal Data Protection Act, 2023, codifies data protection but grants broad government exemptions under Section 17. This has drawn criticism for undermining independent oversight. Comparatively, the UK’s Investigatory Powers Act, 2016, and Germany’s 2010 Data Retention Judgment mandate judicial authorization and transparency.

The Pegasus spyware controversy revealed significant deficiencies in India’s oversight regime. The Supreme Court’s inquiry in Internet Freedom Foundation v. Union of India may redefine limits on State surveillance.

V. Emerging Technologies: AI, Facial Recognition, and Predictive Policing

AI-based surveillance systems like AFRS use facial recognition to match suspects, but lack legislative scrutiny. The Internet Freedom Foundation’s 2023 report highlighted widespread deployments in Delhi and Telangana without privacy impact assessments. Such technologies risk profiling and discrimination, contrary to Article 14.

Predictive policing, relying on algorithmic analysis of crime patterns, risks reinforcing systemic biases. India’s CCTNS and Integrated Criminal Justice System may soon integrate predictive tools, necessitating strong human oversight. Courts will have to evolve new evidentiary standards for AI-generated insights, ensuring verifiability and accountability.

VI. The Way Forward

A comprehensive Surveillance and Digital Evidence Act should consolidate interception, retention, and forensic standards under judicial authorization. A National Digital Forensic Authority (NDFA) can ensure uniform chain-of-custody protocols and accreditation. Independent audits, legislative transparency, and periodic reporting are crucial for public accountability.

Human Rights and Privacy Impact Assessments (HRPIAs) should precede any mass surveillance or AI deployment. These assessments, rooted in the principles of transparency and proportionality, align with UN and OECD guidelines.

Conclusion

Digital policing promises efficiency but risks overreach. Without adequate safeguards, technology can transform law enforcement into surveillance. The Constitution demands that security measures respect liberty and privacy. Through proportional regulation and robust oversight, India can harmonize innovation with fundamental rights.

References

1. Justice K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1.
2. Anvar P.V. v. P.K. Basheer, (2014) 10 SCC 473.
3. Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal, (2020) 7 SCC 1.
4. Selvi v. State of Karnataka, (2010) 7 SCC 263.
5. People’s Union for Civil Liberties v. Union of India, (1997) 1 SCC 301.
6. Information Technology Act, 2000; IT (Procedure & Safeguards for Interception) Rules, 2009.
7. Digital Personal Data Protection Act, 2023.
8. CERT-In Directions, 2022.
9. Digital Rights Ireland Ltd. v. Minister for Communications, C-293/12, CJEU (2014).
10. UK Investigatory Powers Act, 2016; Germany Federal Data Retention Judgment (2010).
11. Internet Freedom Foundation v. Union of India (Pegasus Case, pending).
12. B.N. Srikrishna Committee Report on Data Protection (2018).
13. Bureau of Police Research & Development, Digital Evidence Handbook (2021).