The DNA Technology (Use and Application) Bill, 2019 has, once again, come in the news, after being listed for “consideration and passing” in the ongoing Monsoon Session of Parliament. The Bill was first introduced in the Lok Sabha in 2018, and then again in July 2019, after which it was referred to the Parliamentary Standing Committee on Science and Technology. In February 2021, the Standing Committee submitted its report, raising various issues of privacy, profiling, and independence of the proposed regulator, the DNA Regulatory Board.
The Bill aims to regulate the use and application of DNA technology to establish the identity of certain persons and for its use in the criminal justice system. It envisages the creation of National DNA Data Banks and Regional DNA Data Banks to store DNA profiles, requires accreditation for labs undertaking DNA testing, and establishes the Board to, among other things, assist in criminal investigations.
However, the Bill suffers from various issues, such as the infringement of privacy and autonomy, lack of purpose limitation, lack of safeguards against violation of bodily and informational privacy, and wide discretionary powers to the State.
DNA Data Banks And Unclear Definitions
Under the Bill, every DNA Data Bank shall maintain a crime scene index, a suspects’ index (or undertrials index), an offenders’ index, a missing persons’ index, and unknown deceased persons’ index. Each of these indices contains detailed DNA profiles (derived from DNA samples) based on their specific type. For instance, the suspects’ index means a list of entries of DNA profiles taken from “suspects” or “undertrials” in a DNA Data Bank, although neither of those terms is defined in the Bill.
The lack of definition gives wide discretion to law enforcement authorities to categorise persons as “suspects”, given that the law does not require “suspects” to be formally charged in a case.
Extending the idea first articulated by Justice Lokur, this means that in a riots case, the police have unfettered discretion to name any person as a suspect, regardless of the nature of evidence against them. Despite being presumed in law to be innocent, each of these suspects will now have to undergo invasive DNA profiling.
Given the prevalence of caste and community-based profiling in our criminal justice system, and the historical, representational, and measurement biases in our policing practices, there is a real fear that certain vulnerable and minority groups (including de-notified criminal tribes) will bear the disproportionate burden of being included suspects’ index or undertrials’ index. The concerns are further exacerbated as DNA information can be used to create familial linkages, thereby allowing group-based profiling and spreading the risk across communities. The presumption of innocence for these persons may be turned on its head to a presumption of criminality.
Aziza Ahmed has voiced similar ethical concerns regarding using DNA databases for crime control in the US context that range from enhanced surveillance of minority communities, guilt by association, and disruption in family harmony (when family members come under the state’s radar despite no connection with the crime).
The Lack Of Procedural Safeguards
The Bill provides vast powers to the state but does little to contain its discretion. For instance, Clause 29(2) states that information relating to a person’s DNA profile contained in the suspects’/undertrials’/offenders’ index “shall be communicated only to the authorised person”. Apart from the fact that the person does not have a right to access their own DNA profile, the Bill does not even define the term “authorised persons”. This leaves open the door for unchecked sharing of such sensitive personal data. Without restrictions on sharing such sensitive data, the DNA Data Bank can always be linked with other surveillance or facial recognition tech systems without any public knowledge, transparency, accountability, or oversight.
Additionally, amidst the global debate on the regulation of the collection, storage, and use of DNA data, there is growing consensus on the need for safeguards to ensure the destruction of DNA samples and the deletion of DNA profiles of innocent people. However, the present Bill reverses the presumption of innocence by mandating the permanent storage of DNA data obtained under all categories, including those obtained from a criminal investigation. It fails to provide adequate timelines for retention and/or deletion of data, instead relying on the vague phraseology that “the information contained in the crime scene index shall be retained”.
This may even result in a situation where an individual’s data, when collected from a crime scene, finds its way to the DNA Data Bank without explicit consent. While there is an application process for any suspect who has been acquitted to seek removal of their samples, there is no verification mechanism to verify the data has really been purged.
Even with respect to DNA data in a suspects’ index, the law does not provide for automatic or permanent deletion in case the “suspect” is not accused or if the police are delaying in filing a chargesheet, further infringing the privacy of individuals. Finally, the Bill fails to put in place strict access control and data security mechanisms to protect the confidentiality and security of sensitive personal data. In fact, under Clause 35, all the information contained in the National DNA Data Bank and Regional DNA Data Banks may be made available to private personnel of the DNA labs “for the sole purpose of training”, without any anonymisation or de-identification procedures being followed.
The Bill suffers from many other concerns, including the inadequacy of the standard of consent, the wide ambit of “DNA profile”, and the unchecked powers of the Central government to appoint and control the functioning of the regulator. The Bill does not adequately incorporate principles of collection limitation, data minimisation, and privacy, by design. Worse still, without a robust data protection framework, there are no external checks and balances that can control the functioning of this Bill.
It may be better for the government to first focus on passing the proposed Personal Data Protection Bill that has been pending for nearly two years, rather than rushing through the DNA Bill.
(Vrinda Bhandari is an Advocate in Delhi. She is also a volunteer with SaveOurPrivacy.in and helped in drafting the model India Privacy Code, 2018. This is an opinion piece and the views expressed above are the author’s own. The Quint neither endorses nor is responsible for the same)