CCTV Data for Public Safety Can Be Double-Edged: India’s Surveillance Expansion and the Unanswered Questions About Privacy

As AI-Powered Cameras Multiply Across Cities and Databases Link Together, the Promise of Public Safety Must Be Weighed Against the Threat to Fundamental Rights

On March 24, a report in this newspaper detailed how the police solved two cases by utilising CCTV and facial recognition systems deployed by the Mumbai Railway. One case involved the harassment of a tourist, while the other concerned the disappearance of a child. CCTV and facial recognition systems have proved effective in resolving numerous cases across the country; however, regarding the data associated with these systems and the privacy of the general public, there are many unanswered questions.

The shift toward AI and algorithm-guided surveillance is no longer restricted to metropolitan cities. On March 16, Mauvin Godinho, the Goan transport minister, informed the assembly about his plans to install AI-powered cameras at 92 locations, equipped with automatic number plate recognition to scan vehicles and link them to enforcement databases. Even Delhi’s streets are quietly transforming into an AI-powered surveillance system. Under the guise of public safety, the government is rolling out massive camera networks, databases, and algorithms.

This is not a story of isolated initiatives. It is a story of a national transformation—one that is happening without a corresponding national debate about its implications, without clear rules governing data collection and retention, and without the transparency that a democracy requires.

The Safe City Project

India’s Safe City project is a leading example. Launched in Delhi in 2018, it aims to link thousands of cameras into a central police control system. In the first phase from October 2025, the city began deploying about 3,500 AI-enabled cameras, along with gunshot sensors and smart alert systems. The scale is immense, and it is growing.

The logic behind Safe City is compelling. In a city like Delhi, which has one of the highest rates of crimes against women in the country, the promise of a surveillance network that can deter criminals and help solve crimes is appealing. Cameras that can identify vehicles, track movements, and alert police to incidents could make the city safer. But the logic is also incomplete. It does not address the question of who has access to the data, how long it is kept, what oversight exists, and what happens when the systems fail or are misused.

The Data Silos

Surveillance no longer relies on cameras alone; massive data silos are being built as well. Take NATGRID, which pulls together data that once stayed separate. Originally conceived out of need after 26/11, it connects the dots across sectors today. In 2026, it was officially connected to the National Population Register, giving law enforcement “real-time access to family-level demographic data of nearly 119 crore residents.”

NATGRID was designed to give intelligence agencies access to data from multiple sources—banking, immigration, tax, telecommunications—to help track terrorist networks. But its expansion to include the National Population Register means that the government now has a database that links biometric and demographic information for almost the entire population. The intention may be security. The effect is a surveillance infrastructure of unprecedented scale.

The Regulatory Gap

All these tools rest on evolving regulations. The IT Rules, 2021 imposed due diligence and traceability obligations on intermediaries. The Digital Personal Data Protection Act, 2023 provides a framework for data processing and limits certain uses of personal data. These laws aim to protect citizens, but focus on platforms and providers, not the government’s data systems. There is no surveillance law requiring transparency on how the state collects, retains or uses information from cameras or databases.

This is a critical gap. The laws that regulate how Facebook or Google handle your data do not apply to how the government handles data from CCTV cameras. There is no provision that requires the police to disclose how many cameras are operating, how long footage is kept, who has access to it, or what safeguards prevent misuse. The data collected by the state is subject to fewer protections than the data collected by private companies.

The Security Risks

Official digital systems have shown serious flaws. In 2023, a hacker’s bot allegedly exploited India’s CoWIN portal, exposing the personal data of millions who had registered for COVID-19 vaccines. A survey carried out in 2025 by LocalCircles found that nearly 87 per cent of respondents believed their private details were already exposed.

The irony is stark: the same systems that are supposed to make us safer often make us more vulnerable. A camera network that can be hacked is not just ineffective; it is dangerous. A database that can be breached becomes a source of insecurity, not security. And when the government holds data on hundreds of millions of citizens, the consequences of a breach are catastrophic.

The Constitutional Framework

For a democracy like India, every surveillance camera and database query is a potential disruption of privacy. The Supreme Court has ruled in Puttaswamy that any state restriction on privacy must be lawful, necessary, and proportionate. This is the standard that any surveillance system must meet.

Is the current expansion of surveillance lawful? There is no specific law authorising it. The police have general powers to maintain public order, but do those powers extend to blanket surveillance of entire populations? Is the surveillance necessary? There is little evidence that the massive camera networks in Delhi or Goa are the result of a careful assessment of threats. Is it proportionate? Are the cameras targeted at high-crime areas, or are they blanketing entire cities?

The answer to these questions is not clear, because the government has not been transparent about its plans. There is no public discussion of the costs and benefits, no parliamentary oversight of the systems being deployed, no independent review of their effectiveness.

The Need for Rules

Before launching a surveillance system, we need rules on data collection that ensure deletion after the data have served their purpose. There should be limits on how long data can be kept. There must be accountability in algorithms and independent reviews. Then, we can say it is both safe and free.

The European Union’s General Data Protection Regulation (GDPR) provides a model. It requires that personal data be collected for specified, explicit, and legitimate purposes. It requires that data be kept only as long as necessary. It gives individuals the right to access their data and to have it corrected or deleted. It requires that automated decision-making be subject to human oversight.

India has no equivalent framework for government surveillance. The DPDPA does not apply to the government’s own data processing. The IT Rules do not regulate the government’s camera networks. There is no law that gives citizens the right to know what data the government holds on them, or to have it corrected or deleted.

The Path Forward

The benefits of surveillance are real. Cameras help solve crimes. They deter criminals. They provide evidence in court. But the costs are also real. Surveillance erodes privacy. It creates opportunities for abuse. It changes the relationship between the state and the citizen.

The answer is not to abandon surveillance. It is to regulate it. To require transparency. To impose limits. To ensure oversight. To give citizens rights.

The Supreme Court has laid down the framework in Puttaswamy. Any state restriction on privacy must be lawful, necessary, and proportionate. The government must now demonstrate that its surveillance systems meet this test. It must pass a law that authorises their deployment. It must show that they are necessary to achieve legitimate security goals. It must prove that they are proportionate to the threat.

Until then, the cameras that watch us are an exercise of power without accountability. They are a promise of safety that comes at the cost of freedom.

Q&A: Unpacking India’s Surveillance Expansion

Q1: What is the scale of India’s AI-powered surveillance expansion?

A: The Safe City project in Delhi is deploying about 3,500 AI-enabled cameras in its first phase, along with gunshot sensors and smart alert systems. Goa plans to install AI-powered cameras at 92 locations with automatic number plate recognition. NATGRID has been connected to the National Population Register, giving law enforcement real-time access to family-level demographic data of nearly 119 crore residents. The shift toward AI-guided surveillance is no longer limited to metropolitan cities and is expanding rapidly.

Q2: What is NATGRID and why is its expansion significant?

A: NATGRID (National Intelligence Grid) was originally conceived after the 26/11 attacks to connect data across sectors for intelligence agencies. In 2026, it was officially connected to the National Population Register, creating a massive database linking biometric and demographic information for nearly the entire Indian population. This gives law enforcement unprecedented access to integrated personal data, raising significant privacy concerns.

Q3: What regulatory gaps exist in India’s surveillance framework?

A: While the IT Rules, 2021 and the Digital Personal Data Protection Act, 2023 regulate private platforms and intermediaries, there is no surveillance law that requires transparency on how the state collects, retains, or uses information from cameras or databases. The government’s data systems operate with fewer protections than private sector data processing. There are no rules requiring data deletion after use, limits on retention periods, or independent reviews of surveillance algorithms.

Q4: What security risks have been demonstrated in government digital systems?

A: In 2023, a hacker’s bot allegedly exploited India’s CoWIN portal, exposing personal data of millions who had registered for COVID-19 vaccines. A 2025 LocalCircles survey found that nearly 87 per cent of respondents believed their private details were already exposed. This demonstrates that government data systems are vulnerable to breaches, creating security risks that undermine the very safety surveillance is meant to provide.

Q5: What legal standard must surveillance systems meet according to the Supreme Court?

A: In the Puttaswamy judgment, the Supreme Court ruled that any state restriction on privacy must be lawful, necessary, and proportionate. This means surveillance systems must be authorised by law (not just executive action), must be shown to be necessary for legitimate security goals, and must be proportionate to the threat—targeted rather than blanket, limited rather than unlimited. Currently, India’s surveillance expansion has not been assessed against this standard, and there is no public transparency about how these systems meet the test. The author argues that before launching such systems, India needs rules on data collection, retention limits, accountability in algorithms, and independent reviews.
