India is quietly becoming one of the world's largest live testbeds for public-space facial recognition. Since the DigiYatra Foundation — a public-private entity in which the Airports Authority of India holds the majority stake — launched its face-based boarding system in December 2022, the program has scaled to more than two dozen airports, including all the major metros and a growing list of Tier-2 hubs. Running on a parallel track, police forces in Delhi, Telangana and several other states operate their own facial recognition systems (FRS), while the National Crime Records Bureau continues to build out the National Automated Facial Recognition System (NAFRS). What is missing is not the technology. It is the law.
Two rollouts, one accountability gap
DigiYatra is, on its own terms, a useful convenience product. Passengers who opt in match a verified Aadhaar-linked face template against their boarding pass at security and gate checks, shortening queues. The Foundation has consistently said enrolment is voluntary, that data is stored on the user's device, and that face templates are deleted within 24 hours of the flight. Those design choices matter. They are also self-imposed, not statutory — and they tell us nothing about how the same infrastructure will behave once interoperability with other government systems becomes politically attractive.
The police-side deployments are the harder problem. Delhi Police's FRS has been in use for crowd matching at protests and large public gatherings, Telangana's TSCOP app puts face-matching capability in officers' pockets, and NAFRS is designed as a national-scale identification layer. Unlike DigiYatra, none of these systems are voluntary in any meaningful sense for the people whose faces are scanned in public. And unlike, say, the UK's Live Facial Recognition deployments by the Metropolitan Police — which are now subject to a published policy, a College of Policing framework and judicial review (Bridges v South Wales Police, 2020) — India's police FRS deployments operate without a dedicated legislative basis, without independent prior authorisation, and without a clear post-deployment audit regime.
The Puttaswamy promise, still unredeemed
In its landmark 2017 Justice K.S. Puttaswamy v. Union of India ruling, a nine-judge bench of the Supreme Court recognised informational privacy as a fundamental right and laid down the now-familiar four-part test for any state intrusion: legality, legitimate state aim, proportionality, and procedural safeguards. Public-space facial recognition trips the first wire almost immediately. There is no surveillance statute in India that specifically authorises bulk biometric capture and matching in public spaces. The Digital Personal Data Protection Act 2023, while a meaningful step forward, has broad state exemptions under Section 17 and is not yet fully operational pending rules and the constitution of the Data Protection Board. Civil society groups including the Internet Freedom Foundation — whose Project Panoptic has tracked over 100 active or planned FRS deployments across India — and Article 19 have repeatedly flagged this gap.
The pro-innovation case for a real rulebook
It is tempting to read the criticism above as anti-technology. It is not, and it should not be. Biometric authentication can shorten airport queues, reduce identity fraud, and help locate missing persons. A blanket ban — the path the EU AI Act flirted with for real-time public FRS before settling on a narrow law-enforcement carveout — is the wrong destination for India. But so is the current state of affairs, where deployment runs years ahead of the rulebook.
A proportionate framework would do four things:
- Pass a dedicated surveillance statute that specifies which agencies can use FRS, for which purposes, with what thresholds for confidence scores, and for how long match logs may be retained.
- Require independent ex-ante authorisation for live public-space FRS deployments — at minimum a designated judicial officer or an empowered DPB, not a self-certification by the deploying agency.
- Mandate published audits and accuracy reporting, including demographic-disaggregated error rates. NIST's FRVT testing has shown wide variance across vendors and demographic groups; Indian deployers should be required to disclose, not just assert, performance.
- Operationalise DPDP Section 17 carefully. The state exemption is justified for narrow national security uses, but it cannot become the default carve-out that swallows the rule. Sectoral guidance from MeitY on biometric processing in public spaces is overdue.
Why this matters for India's digital ambitions
India is exporting its Digital Public Infrastructure (DPI) playbook — UPI, Aadhaar-style identity stacks, ONDC — to partners across the Global South. The country's credibility as a DPI exporter depends on demonstrating that scale and rights protection are not in tension. A clean statute on public-space biometric surveillance, paired with full DPDP enforcement, would be a genuine differentiator. It would also be the strongest reply to the standard critique that India's digital state moves faster than its safeguards.
DigiYatra at the airport gate is not the threat. The absence of a law that draws the line between DigiYatra and a future, far less benign deployment is. Parliament should close that gap before another two dozen rollouts make the question moot.