In a move that has raised eyebrows regarding privacy and data protection, the Greater Chennai Police (GCP) has announced plans to establish a cloud-based surveillance system involving 635 vehicles equipped with cameras across police limits.
The move aims to monitor the movements of the general public and vehicles, marking a notable stride in the realisation of the ‘Mega City Policing’ project initiated in 2022, reports Medianama.
The recently disclosed tender outlines the implementation of a WiFi dashboard, granting police officers the ability to access a live stream of camera feeds from their mobile devices. A centralised Control Centre (CC) will oversee the surveillance feed and alerts, providing law enforcement and disaster management personnel with real-time monitoring capabilities.
Originally intended for an automatic number-plate recognition (ANPR) system tendered in February 2023, the cameras are slated to operate for a year. Their functionalities include evidence management, monitoring, patrolling vehicles, and general surveillance.
Notably absent from the tender documentation, however, is any explicit mention of consent protocols or provisions for the erasure of citizen data, raising significant concerns over privacy rights.
In the event of a disaster or a data centre failure, the system is designed to automatically switch to a Disaster Recovery Centre, ensuring continuous surveillance. The selected bidder will also be tasked with generating on-demand and periodic reports, covering aspects such as vehicle utilisation, derived behaviour, and other analytics relevant to surveillance.
The cameras are quite hi-tech and boast support for mapping features, including Google offline maps, Gaode, and Baidu, alongside AI-driven capabilities such as real-time video monitoring, vehicle history track searches, and vehicle passing searches.
Despite these features, questions are being raised regarding the storage of surveillance and analysis of the data collected by these cameras. The proposed storage plan involves retaining data in the cloud data centre for seven days, with local storage maintained for 30 days.
The absence of explicit consent mechanisms and the omission of data erasure provisions in the tender documentation have sparked concerns about compliance with the recently enacted Digital Personal Data Protection Act of 2023.
The Act stipulates that data must be disposed of when an individual withdraws consent or when the purpose of processing is fulfilled. This development prompts serious questions about the operational visibility of systems such as the WiFi dashboard and ANPR in light of the evolving legal landscape.
Indian surveillance ecosystem is on the boom, with many private players entering the market to sell surveillance equipment to the government. The government of India has already mandated that telecom companies install surveillance hardware in the subsea cable landing stations and data centres.
However, the recent legal developments may necessitate reevaluating these projects to align them with the emerging data protection framework.
In the News: Hackers target Indian users with malicious banking app APKs
