India is in the middle of a quiet but consequential build-out of biometric infrastructure in its public spaces. The DigiYatra Foundation, a not-for-profit company majority-owned by the Airports Authority of India and operating under the aegis of the Ministry of Civil Aviation, has now extended its facial-recognition-based boarding system to dozens of airports across the country, from Delhi and Mumbai to Pune, Kolkata and Coimbatore. In parallel, Delhi Police's Facial Recognition System (FRS) — first procured in 2018 ostensibly to trace missing children — has been deployed at protest sites, political rallies and large public gatherings. Both projects have been challenged repeatedly by the Internet Freedom Foundation (IFF) on the same essential ground: there is no statute that authorises them.
This is not an argument against face recognition. It is an argument for the boring, indispensable scaffolding of liberal-democratic technology policy: an enabling law, clear purpose limits, independent oversight, and a remedy when things go wrong. Without that scaffolding, even well-designed systems become liabilities — for citizens whose data flows through opaque pipes, for the start-ups and integrators building on top of them, and for an Indian tech sector that increasingly competes on trust as much as on cost.
The legal vacuum after DPDP
The Digital Personal Data Protection Act, 2023 (DPDP Act) was widely heralded as India's long-awaited privacy statute, the legislative answer to the Supreme Court's 2017 ruling in Justice K.S. Puttaswamy v. Union of India, which recognised privacy as a fundamental right. Yet the Act says strikingly little about the most invasive category of personal data — biometric identifiers — and contains broad exemptions for "instrumentalities of the State" in the interests of sovereignty, public order, and similar grounds. Crucially, the law was notified in 2023 but its implementing rules have only recently begun to take operational shape, and the Data Protection Board contemplated under the Act is still finding its feet.
In that interregnum, two things have happened. First, DigiYatra has gone from pilot to default at most major airports, with travellers nudged into onboarding through Aadhaar-linked verification on a private foundation's app. Second, police forces — Delhi's most visibly, but also units in Telangana, Uttar Pradesh and elsewhere — have continued to expand their use of FRS at street level. The Internet Freedom Foundation has filed RTIs, legal notices and representations arguing that neither deployment has the statutory backing the Constitution requires for a measure that interferes with the right to privacy.
Why "voluntary" is doing too much work
Officials describe DigiYatra as voluntary, opt-in, and decentralised, with face templates stored on the user's own device and purged within 24 hours of a flight. Those design choices matter and deserve credit. But voluntariness is a fragile guarantee when the alternative is longer queues, when airline and airport staff actively steer passengers toward the biometric lane, and when there is no independent auditor checking that data really is deleted, that no secondary use occurs, and that the foundation's private partners are bound by the same constraints. A privacy promise that depends on the goodwill of its operator is a marketing claim, not a legal right.
Delhi Police's FRS sits at the opposite end of the spectrum. Here there is no opt-in at all. Cameras at protests sweep the faces of citizens engaged in constitutionally protected assembly, match them against databases whose composition and provenance remain undisclosed, and feed results into investigative workflows that the public cannot scrutinise. Even granting that some applications — finding missing children, identifying unclaimed bodies — are legitimate and humane, the same toolset cannot be turned on dissenters without a law that says so, a court that can review it, and a remedy when the match is wrong.
The pro-innovation case for statutory rails
It is sometimes assumed that those who argue for legal limits on surveillance are hostile to the underlying technology, or to India's ambitions as a digital power. The opposite is closer to the truth. India's start-up ecosystem is in a strong phase: as Rest of World reported earlier this month, domestic venture capital firms are now outpacing Silicon Valley investors in funding Indian companies, a sign of a maturing market that will increasingly export trust-sensitive products — fintech, healthtech, identity rails, public-interest AI — to the rest of the Global South.
That export story is harder to tell from a jurisdiction where the state's biometric capabilities operate outside the rule of law. Customers in Africa, Latin America and Southeast Asia who buy India Stack components want assurances that the underlying governance is sound. Foreign airlines whose passengers are funnelled into DigiYatra want the comfort of an audit trail. And Indian users themselves, who have powered the world's largest digital-public-goods experiment, deserve more than the assurance that the government means well.
What a proportionate framework would look like
A workable Indian framework for public-space biometrics does not need to be exotic. It would: (i) place DigiYatra on an explicit statutory footing, with a designated regulator and binding purpose limits; (ii) require any police use of facial recognition to be authorised by a specific law, with judicial sign-off for deployments at assemblies; (iii) mandate independent audits and public transparency reports, of the kind the EFF has documented are routinely produced — and now, worryingly, restricted — for automated licence-plate readers in the United States; and (iv) give individuals a real remedy, including the right to know if they were matched, and to challenge the result.
India has the legal talent, the technical depth, and the constitutional doctrine to do this well. What it is missing, two and a half years after the DPDP Act, is the political decision to actually do it. Cameras are cheap. Trust, once spent at scale, is not.