DNA Evidence: Legislation, Databases and Privacy

The United States built its national DNA infrastructure in layers. The DNA Identification Act 1994 authorised the FBI to establish CODIS and set rules for participation by state laboratories. Initial collection was limited to convicted sex offenders, then extended to all federal felons. The DNA Analysis Backlog Elimination Act 2000 addressed a growing problem: crime-scene samples that had been collected but not yet profiled because laboratory capacity could not keep up. The Debbie Smith Act (2004 and renewed) allocated federal funds specifically to clear the backlog of unanalysed rape kits.

The most legally contested expansion came with the collection of DNA from arrestees, people charged but not yet convicted. Many states passed arrestee-collection statutes from the mid-2000s onward. In Maryland v King, 569 US 435 (2013), the Supreme Court upheld Maryland's arrestee DNA collection statute in a 5-4 decision. The majority characterised buccal swab collection as a minor intrusion comparable to fingerprinting, justified by the state's interest in identifying detainees. The dissent, written by Justice Scalia, argued that the majority's identification rationale was pretextual: DNA is stored and searched for crime-detection purposes, not merely to confirm the identity of the person in front of the booking officer.

Federal law requires that profiles of people who are arrested but not convicted, or whose convictions are overturned, must be expunged from NDIS on application. In practice, expungement rates are low because the burden falls on the individual to apply. The Innocence Project and civil liberties organisations have identified wrongful retention of profiles as a persistent compliance problem.

The UK built the National DNA Database (NDNAD) from 1995 under the Criminal Justice and Public Order Act 1994. By the mid-2000s it was the largest per-capita forensic DNA database in the world, holding profiles for approximately 8 percent of the population. A 2001 legislative change permitted the retention of profiles, cellular samples, and fingerprints from anyone who had been arrested and sampled, regardless of whether they were charged, tried, acquitted, or had charges dropped. The database thus accumulated profiles from hundreds of thousands of people with no criminal record.

S and Marper v United Kingdom [2008] ECHR 1581 challenged that regime. S was a minor whose profile had been taken after an arrest for attempted robbery; he was acquitted. Marper was arrested for harassment; the charge was discontinued. Both applied for deletion of their profiles, cellular samples, and fingerprints. The House of Lords dismissed their claims. The Grand Chamber of the European Court of Human Rights disagreed. It held that blanket and indefinite retention of biometric data of persons not convicted of any offence was a disproportionate interference with Article 8 of the European Convention on Human Rights (respect for private life) and could not be justified under Article 8(2).

The UK Parliament responded with the Protection of Freedoms Act 2012, which created a tiered retention framework. For unconvicted adults, profiles must generally be deleted unless the arrest was for a qualifying serious offence, in which case the Commissioner for the Retention and Use of Biometric Material (the Biometrics Commissioner) can authorise retention for up to three years, renewable once. Profiles of convicted persons may be retained indefinitely. Cellular samples must be destroyed within six months of profiling. The Act also created the Biometrics Commissioner as an independent oversight body.

India's statutory framework for forensic DNA is fragmentary compared to the US and UK. The Bharatiya Nagarik Suraksha Sanhita 2023 (BNSS), which replaced the Code of Criminal Procedure 1973 with effect from July 2024, authorises the collection of blood, saliva, swabs, hair, and semen samples from accused persons under Section 53 and from victims under Section 53A. The Bharatiya Sakshya Adhiniyam 2023 (BSA), which replaced the Indian Evidence Act 1872, governs the admissibility of the resulting analysis as expert opinion under Section 39.

No centralised national DNA database statute exists. The DNA Technology (Use and Application) Regulation Bill 2019 was passed by the Lok Sabha but lapsed when the Rajya Sabha could not consider it before dissolution. The Bill would have established a national DNA databank, created a DNA Regulatory Board, defined categories of databanks (crime scene, suspects, undertrials, missing persons, unknown deceased), and set rules for consent, retention, and expungement. Privacy advocates criticised the Bill for including an undertrial index that would have profiled persons not yet convicted, for inadequate oversight mechanisms, and for the breadth of the databank categories.

Indian courts have addressed DNA evidence primarily at the admissibility stage, examining whether samples were collected lawfully and whether the expert's methodology was sound. The Supreme Court has affirmed the admissibility of DNA evidence in paternity disputes, criminal identification, and missing-persons matters, treating it as a high-weight but not conclusive category of expert opinion. The absence of a database statute means that the privacy and proportionality questions that dominated UK and European litigation have not yet been squarely litigated in Indian courts.

The European Union approaches forensic DNA through two instruments. The Prum Convention (2005), later incorporated into EU law by Council Decision 2008/615/JHA, requires member states to give each other automated access to their national DNA databases for the purpose of cross-border criminal investigation. A search runs as a hit/no-hit query: a state receives only a yes or no as to whether its profile matches a profile in another state's database. If there is a hit, it must then request the associated personal data through existing mutual legal assistance channels.

The retention and processing of DNA data for law enforcement purposes within member states is governed by Directive 2016/680 (the Law Enforcement Directive, LED). The LED requires that personal data processed for criminal justice purposes be retained only for as long as necessary for the purpose, be accurate and kept up to date, and be subject to meaningful oversight. It distinguishes between data on convicted persons, suspects, and victims, and requires member states to set different retention periods for each category. This mirrors the proportionality framework the European Court of Human Rights developed in S and Marper, applied now as positive statutory obligation rather than as a constraint on existing national law.

The General Data Protection Regulation 2016/679 (GDPR), which governs most non-criminal data processing in the EU, classifies genetic data as a special category requiring explicit consent or a specific statutory basis. Criminal justice processing falls outside the GDPR and within the LED, but the conceptual framework, proportionality, purpose limitation, data minimisation, and individual rights, is shared across both instruments.

Standard forensic database searching looks for a full or near-full match between a crime-scene profile and a stored profile, seeking the person who left the biological material. Familial searching is a distinct operation: it looks for partial matches that suggest the unknown contributor may be a close relative of a database member, then generates an investigative lead pointing to that relative rather than to the database member personally.

The United Kingdom was the first jurisdiction to use familial searching operationally, under guidance from the Forensic Science Service and later the National Police Chiefs' Council. The most cited early case is the identification of Craig Harman for the 2003 motorway bridge death: a partial NDNAD match pointed to his brother, leading to Harman. In the United States, California introduced familial searching guidelines in 2008; several other states followed. The federal NDIS does not permit familial searching by policy, though states may run familial searches within their own SDIS databases.

The legal objections cluster around three points. First, familial searching subjects people to investigative attention based solely on their biological relationship to someone in the database, and that person may have been profiled after a minor conviction or, in pre-2012 UK law, without any conviction. Second, the search process generates information about family structure, including cases where expected relatives do not match (potentially revealing non-paternity or adoption). Third, in countries with racially skewed databases, where certain communities are over-represented in conviction statistics, familial searching extends that over-representation to the relatives of those individuals. Procedural safeguards typically include senior authorisation requirements, restriction to cases involving serious violence or sexual offences, independent review of proposed searches, and prohibition on using familial match results as standalone evidence.

A database cold hit changes the shape of a criminal case but does not resolve it. Courts in the US, UK, and most other jurisdictions have held that a cold hit is an investigative lead, not evidence of guilt. The profile must be independently re-analysed from retained samples before it is used at trial. The defence must have access to the profiling data, the statistical calculation, and the laboratory's accreditation and quality records. Any discontinuity in the chain of custody from scene sample to trial report must be explained.

The statistical framework for DNA evidence has evolved significantly. Early cases relied on the product rule applied to allele frequencies. Courts in several jurisdictions initially expressed concern about the prosecutor's fallacy: the tendency to treat the match probability (the probability that a random person would match the profile) as if it were the probability that the defendant is innocent, which requires Bayes' theorem and prior probability estimates that are rarely available to jurors. Modern guidance in England and Wales, found in the FSR-G-212 guidelines, requires that the reporting scientist calculate a likelihood ratio rather than a simple match probability, and that the report present the statistic in a way that avoids the prosecutor's fallacy.

Admissibility of the underlying database or its records at trial raises separate questions. Under the Bharatiya Sakshya Adhiniyam 2023, electronic records require a certificate under Section 63 (formerly Section 65B of the Indian Evidence Act) confirming that the computer output was produced during regular use of the computer and that the computer was operating properly. Under the US Federal Rules of Evidence, Rule 702 governs expert testimony and Rule 702's application to DNA profiling methodology was firmly settled after Daubert v Merrell Dow Pharmaceuticals (1993). See Admissibility Standards Around the World for a comparative account of how those frameworks apply.