Businesses using FRT must comply with data protection regulations

By Ada Shaharbanu, Dhruvo Das and Pulkit Taneja, Spice Route Legal

Facial recognition technology (FRT) identifies and verifies individuals through image processing and biometric analysis. Businesses are using FRT for a wide range of purposes, such as employee and visitor authentication, attendance tracking, payment authorisation, targeted advertising and fraud prevention. As per industry forecasts, the global facial recognition market is expected to reach a whopping USD12.67 billion by 2028 due to widespread adoption.


FRT processes involve the collection and use of personal data, including sensitive biometric information, so the rapid adoption of FRT has significant data protection implications. With the Digital Personal Data Protection Act, 2023 (DPDPA), and its supporting rules set to come into force, organisations using FRT must reassess and strengthen their data protection and consent mechanisms to ensure compliance. Businesses implementing FRT must be aware of its risks and undertake appropriate measures to mitigate them.

In most cases, consent will serve as the primary legal ground for processing personal data collected through FRT. However, the DPDPA does allow limited exceptions for certain legitimate uses. For example, employers may rely on this exception when processing biometric data of employees through FRT, where it is necessary to protect the organisation from loss or legal liability. Similarly, when FRT is used to process the personal data of visitors or other external individuals, organisations will have to obtain consent or, in a limited number of instances, rely on the ground of voluntary provision of data, which falls under certain legitimate uses. Businesses should consider embedding consent mechanisms within FRT platforms, such as digital prompts or on-screen notices, and must maintain robust consent logs. These logs should contain details such as the identity of the data principal, the timestamp of consent, the method of collection and associated device identifiers. These records will allow businesses to demonstrate compliance in case of audits or complaints.


A frequent compliance issue arises when FRT is initially deployed for a limited purpose, such as physical access control, but is subsequently used for unrelated purposes such as employee surveillance and behavioural analytics without obtaining fresh consent. The DPDPA requires that personal data be used strictly for the purposes communicated at the time of collection. Further use necessitates renewed, specific consent. Businesses must also implement strict data retention protocols to avoid retaining personal data for longer than necessary.

Technical limitations of FRT systems may also pose compliance risks. Studies have shown that FRT is less accurate when identifying women, those from minority ethnic communities and those at age extremes, potentially leading to wrongful refusals or decisions. Under the DPDPA, data fiduciaries are required to ensure that data used in decision-making is accurate, complete and consistent. Businesses must assess the performance of their FRT systems, and regularly upgrade them to reduce bias and improve precision.


The sensitive and high-volume nature of personal data collected through FRT makes such systems particularly vulnerable to cyberattacks and unauthorised access. Organisations must adopt technical safeguards, including data encryption, access controls, intrusion detection systems and regular vulnerability testing. If a data breach occurs, companies are required to notify the Data Protection Board and affected individuals, providing details of the breach, its likely impact and contact channels. This reporting obligation is in addition to breach notification requirements under the CERT-In Directions and other laws. To effectively comply with the reporting requirements, businesses must implement a well-defined incident response plan that outlines procedures for containment, recovery, regulatory reporting and internal responsibilities and accountability.

Despite the operational benefits offered by FRT, ranging from enhanced security to personalised services, its use must be carefully balanced against the significant data protection risks it generates. Businesses looking to deploy FRT must incorporate privacy-by-design principles into their systems, adopt robust data governance practices and uphold transparency and accountability at all stages of deployment. Such measures build trust and align with India's new data protection framework.

Ada Shaharbanu is a senior associate and Dhruvo Das and Pulkit Taneja are associates at Spice Route Legal

Spice Route Legal
14th floor, Skav 909,
Lavelle Road, Ashok Nagar
Bengaluru, Karnataka 560025
Contact details:
E: contact@spiceroutelegal.com
