In a control room in central Delhi, software watches a city. Cameras feed live streams. Algorithms scan faces. Number plates are read and matched against databases of stolen vehicles and persons of interest. A flag goes up when the system finds a match. An officer is dispatched. Sometimes a missing child is found. Sometimes a fugitive is arrested. Sometimes a person who happens to look like someone on a watch list is questioned, briefly inconvenienced, occasionally detained. Sometimes — though the data is hard to come by — a protester at a public demonstration is identified for later attention.
This is not a hypothetical scenario. It is the operating reality of policing in several Indian cities, including Delhi, Hyderabad, Lucknow, Chennai and Bengaluru, in the second half of 2026. The technology has spread faster than the conversation about it. The law has now arrived, with the Digital Personal Data Protection Rules notified on 14 November 2025 and a phased compliance timeline running through May 2027. The question, for an Indian citizen reading this article in 2026, is whether the law that has arrived is enough.
This article argues, with respect to both the police forces using these tools and the civil society organisations critiquing them, that the answer is: not yet.
What is actually happening
AI policing in India is not a single technology. It is a family of technologies deployed in different combinations across cities and states. Facial recognition systems match faces captured in video footage against databases of known faces — known offenders, missing persons, sometimes broader watch lists. Automatic number plate recognition reads vehicle plates from CCTV streams and matches them against records. Predictive policing software uses historical crime data to identify locations and times where particular crimes are statistically more likely. Crime pattern analysis links cases that might otherwise appear unrelated. Social media monitoring tools scan public posts for threats, hate speech and coordination. AI chatbots accept citizen complaints in regional languages. Forensic AI assists in voice matching, image enhancement and document analysis. Crowd monitoring estimates densities and movements at public gatherings. Drone surveillance extends aerial coverage.
The Delhi Police's network — described by The Mighty Brains in a November 2025 analysis — includes thousands of CCTV cameras and mobile units capable of scanning and comparing "millions of face records within seconds". During the 2020 northeast Delhi riots, facial recognition reportedly led to the identification of more than 137 suspects from CCTV footage, although legal scholars and civil society organisations have raised questions about the reliability of that evidence and the procedural standards under which it was admitted. Police forces in Jammu and Kashmir have used facial recognition to make arrests under the Unlawful Activities (Prevention) Act, the same source notes. Hyderabad, whose city police installed roughly five thousand CCTV cameras after the 2013 bombings, was an early adopter and operates one of the country's most extensive integrated surveillance networks, Fortune reported in its earlier coverage.
The Smart Cities Mission, launched in 2015 with a hundred urban centres designated for transformation, has been a major driver of CCTV expansion across Indian cities. The integration of those camera networks with state and central police computer-aided dispatch systems, with criminal databases like the Crime and Criminal Tracking Network and Systems (CCTNS), and increasingly with facial recognition layers, has happened in stages and with varying degrees of public visibility.
What the law now says
The Digital Personal Data Protection Act, passed by Parliament in August 2023, was India's first comprehensive data protection law. It establishes a consent-led framework for the processing of personal data, creates rights for data principals (citizens), imposes obligations on data fiduciaries (organisations that process data), and creates the Data Protection Board of India to handle grievances and impose penalties for violations. The Act, however, sat without operational rules for over two years.
On 14 November 2025, the Ministry of Electronics and Information Technology notified the Digital Personal Data Protection Rules, 2025, giving the Act operational effect. The Rules create a category of Significant Data Fiduciaries — entities processing large volumes of sensitive personal data — with enhanced obligations including the appointment of a Data Protection Officer, mandatory Data Protection Impact Assessments and audits. The Rules specify consent procedures, notice requirements, data breach reporting, retention periods and the operational mechanics of citizen rights. A phased compliance timeline running through May 2027 gives organisations eighteen months to adjust their systems and policies, according to legal analyses published by HyperVerge in March 2026 and by Law.Asia in February 2026.
For the purposes of AI policing, two specific provisions of the DPDP Act matter. Section 7 of the Act permits the processing of personal data without consent in specified situations, including for purposes of compliance with court orders, response to medical emergencies, and certain state functions. Section 17 provides broad exemptions for state agencies in the interests of sovereignty, integrity, security of the state, friendly relations with foreign states, public order and prevention of cognisable offences. The phrase "prevention of cognisable offences" is doing a great deal of work in those exemptions, and the gap between what it allows in theory and what citizens consent to in practice is the gap most civil liberties analysts have flagged.
The Internet Freedom Foundation, one of India's most consistent voices on digital rights, has called for a temporary moratorium on facial recognition deployment until stronger procedural safeguards are in place. The Foundation has also argued that the DPDP Act's broad state-agency exemptions, combined with India's still-incomplete legal framework around surveillance, leave significant gaps in citizen protection against arbitrary biometric data collection.
Why governments and police want these tools
The motivation behind AI policing in India is not malign. Indian police forces are chronically understaffed relative to population, by international benchmarks running roughly half the United Nations recommended ratio of officers to citizens. Cities are large. Crime patterns are complex. Resources are limited. AI offers, in principle, faster identification of suspects, more efficient deployment of patrols, better traffic enforcement at scale, faster tracing of missing persons and missing children, support for counter-terrorism operations, and improvements in evidence quality. For honest officers trying to do difficult work in cities of fifteen or twenty million people, these tools represent a way to multiply effectiveness without proportional increases in headcount.
The successful operational use cases are real. Facial recognition matched against the Track Child and other government databases of missing children has reportedly assisted in the recovery of thousands of children across multiple states. Number plate recognition has supported the recovery of stolen vehicles and the enforcement of traffic regulations at a scale that human enforcement alone could not match. Pattern analysis has helped link previously isolated investigations of organised cyber-fraud networks. These are not trivial benefits, and a balanced analysis of AI policing has to acknowledge them.
The problem: AI is not neutral
AI systems are trained on data, and the data they are trained on reflects the world that produced it, including its biases. Facial recognition systems studied by the United States National Institute of Standards and Technology and by academic researchers have consistently shown lower accuracy for darker-skinned faces, for women, and for the demographic minorities of the dataset on which the model was trained. False positives — the system identifying the wrong person as a match — are not randomly distributed. They cluster on those least able to push back against the consequences. If a facial recognition system was trained primarily on a dataset that under-represents certain Indian demographics — rural, lower-caste, certain religious minorities, women, the elderly — its performance on those groups in operational deployment will be unreliable in ways that are not visible from the headline accuracy numbers vendors typically cite.
Predictive policing has a related problem. If historical crime data reflects biased patrolling — over-policing of certain neighbourhoods, under-reporting in others — then a model trained on that data will recommend more patrolling in already over-policed neighbourhoods, generating more arrests there, generating more data, and so on, in a feedback loop. The model is not racist or casteist or classist by design. It is reproducing patterns that the historical data already encoded.
The risk is that the technology gives a veneer of objectivity to decisions that were never objective to begin with.
Privacy as a constitutional right
In August 2017, a nine-judge bench of the Supreme Court of India unanimously held, in Justice K.S. Puttaswamy (Retd.) v. Union of India, that the right to privacy is a fundamental right protected under Article 21 of the Constitution. The judgment, building on Articles 14, 19 and 21, recognised privacy as encompassing personal autonomy, informational privacy and decisional privacy. The Court was clear that any restriction on privacy by the state must satisfy a four-part test: a clear legal basis, a legitimate state aim, proportionality between the means and the aim, and procedural safeguards against abuse.
Whether India's current AI policing architecture satisfies the Puttaswamy test is the constitutional question that has not yet been definitively answered. Some deployments — facial recognition for missing children, criminal identification with magisterial oversight — are likely defensible. Others — bulk facial scanning of crowds at political protests, integration of multiple state databases without clear retention limits or audit trails, deployment of predictive policing software whose accuracy and bias performance has not been independently audited — sit in murkier constitutional territory. The DPDP Act and Rules provide a framework. They do not, on their own, resolve the constitutional question.
A private member's bill, the Facial Recognition Technology (Regulation of Police Powers) Bill, 2023, has been pending in Parliament for several sessions, Bar and Bench reported in April 2026. The Bill proposes magistrate-level oversight for police use of facial recognition, definitions of key terms, and procedural safeguards against arbitrary surveillance. Private member's bills rarely get enacted in India, and this one has not made significant legislative progress. The absence of a dedicated facial recognition law leaves the legal architecture to general data protection rules, executive guidelines and constitutional principles — a framework that civil liberties advocates argue is insufficient for the seriousness of what is being deployed.
What good safeguards look like
The constructive answer is not to ban these technologies. They are too useful in legitimate applications. The answer is to build the institutional architecture that lets them be used without becoming tools of unaccountable power.
The toolkit is well established in democratic jurisdictions globally. A clear statutory basis for surveillance, with parliamentary approval for the categories and scope of deployment. Independent audits of accuracy and bias across demographic groups. Transparent procurement, so citizens know which vendors are providing which systems to which police forces. Limited data retention periods with mandatory deletion after a defined window. Magistrate or judicial warrants for sensitive uses, including bulk facial scanning and surveillance of political activity. Human review of high-stakes decisions, particularly any decision that could lead to arrest, denial of services or restriction of movement. Robust grievance redressal for citizens wrongly identified or misidentified. Public reporting on system performance, false positive rates, demographic accuracy breakdowns, and the scale of deployment. Parliamentary oversight through dedicated committees with technical capacity. A privacy regulator — in India's case, the Data Protection Board of India under the DPDP Act — with genuine independence, adequate resources and the willingness to bite.
The European Union's AI Act, which came into force in 2024 with provisions phased in through 2026, categorises real-time biometric identification in public spaces as high-risk and imposes strict conditions on its use. China has moved in the opposite direction, building one of the most extensive AI-enabled surveillance systems on earth. The United States has fragmented its approach, with city-level bans on police facial recognition in some jurisdictions and aggressive adoption in others. India's policy trajectory has not yet decisively chosen a model. The DPDP Rules give the country a starting framework. The next several years will determine whether the framework is built out or left as scaffolding.
What this means for ordinary Indians
For most readers, the practical question is straightforward: what should I expect, and what rights do I have?
You should expect to be on camera in most Indian public spaces — train stations, airports, metro stations, major roads, government buildings, increasingly malls and markets and some neighbourhoods. You should expect, in cities with deployed facial recognition systems, that your face may be processed by software whether or not you know it. You should expect that the legal architecture governing all this is currently a patchwork that the DPDP Rules have only just begun to standardise.
Your rights, under the DPDP Act once the phased compliance is complete, include the right to know how your personal data is being processed, the right to access your data, the right to correction, the right to erasure in certain circumstances, the right to lodge grievances with data fiduciaries, and the right to appeal to the Data Protection Board of India. State agencies have broader exemptions than private fiduciaries, but the framework still creates accountability paths that did not exist before November 2025.
The harder question — what to do if you are wrongly identified by an AI system, or if you believe your privacy has been violated in a surveillance operation — does not yet have clean operational answers. The grievance mechanisms are new. The judicial precedents are limited. The capacity of civil society organisations to support individual cases is constrained. This is the architecture that will be built, case by case, over the next several years.
What most reports are missing
Most coverage of AI policing in India focuses either on the success stories — missing children recovered, criminals identified — or on the dystopian scenarios — protesters surveilled, minorities targeted. Both framings miss the central point.
The central point is that the technology itself is not the determining variable. The determining variable is the institutional architecture that surrounds its use. The same facial recognition system can recover a missing child or identify a peaceful protester. The same predictive policing software can deploy patrols more efficiently or reproduce historical biases in over-policing. The difference is not in the technology. The difference is in the laws, the audits, the procurement transparency, the judicial oversight, the regulatory independence, and the political habits of the system in which the technology operates.
The under-reported angle is the corporate dimension. Much of India's AI policing technology is built by private vendors — domestic and international — operating with limited public scrutiny of their algorithms, datasets, accuracy metrics or data handling practices. Procurement contracts are often not made public. Vendor lock-in is structural. Data security at the vendor level is an additional risk vector. The DPDP Rules require some transparency in this area, particularly for Significant Data Fiduciaries. Whether the requirements bite in practice is the question that will be answered in the coming years.
What happens next
Three trajectories are worth tracking.
The implementation of the DPDP Rules. The phased compliance timeline runs through May 2027. The genuine test will be whether the Data Protection Board of India is constituted with sufficient independence and resources, whether the Rules produce meaningful behaviour change in state agencies (not just private companies), and whether the broad state exemptions in Section 17 are interpreted narrowly enough to provide actual citizen protection.
The Facial Recognition Technology Bill. Whether the 2023 private member's bill, or a government-introduced equivalent, makes progress will signal the political will to build a dedicated framework for the most sensitive of the AI policing technologies. The Bill's approach — magistrate-level oversight, defined procedural safeguards, limits on indiscriminate use — is broadly the right template.
Judicial intervention. The Puttaswamy test will eventually be applied, by individual high courts and by the Supreme Court, to specific AI policing deployments. The first major case to reach the Supreme Court on these questions could set the framework for years.
Conclusion
AI can make policing faster, more efficient and, in some contexts, more effective. It can also, without proper safeguards, make state power more invisible, less accountable and more capable of harm than at any previous moment in Indian history. The choice between security revolution and surveillance state is not a choice between technologies. It is a choice about the laws, institutions, audits and political habits that surround those technologies.
That choice has not yet been made decisively in India. The DPDP Rules of November 2025 are the first significant national framework. They are necessary. They are not sufficient. The window in which the country can still consciously choose the architecture of its surveillance state — rather than discover it later through accumulated facts on the ground — is open, but it is closing. The cameras and the algorithms will be deployed. They already are. The question is whether the rules that govern them will be built before the consequences become irreversible. The constitutional answer to that question is already on the books. The political answer is being written now.