Regulation of Biometric Data under the Digital Personal Data Protection Act, 2023
Introduction
Biometric technology, as the name suggests, refers to technology based upon the unique and distinct physical characteristics of a human being. It enables an individual to be assigned a unique identity and/or allows one person to be distinguished from another. The most common types of biometric identifiers are the face, fingerprints and the iris.[1]
India is one of the leading nations in providing services relating to biometrics, and the biometric identification system used by the Government of India, known as the Aadhaar system, is the largest biometric platform in the world.
The Aadhaar System
The purpose of the Aadhaar system is to provide a single source offline/online identity verification across the country for residents.[2] This further enables the Government to authenticate the identity of residents to distribute various government welfare services, subsidies, and benefits as provided under Section 7 of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016 (the “Aadhaar Act”). The use of the Aadhaar has ensured that such vital resources reach their intended recipients and are not lost to middlemen.[3]
Conversely, private entities are prohibited from utilizing Aadhaar authentication or functioning as requesting entities to access information pertaining to individuals, without exception.
Private Entities
In contrast to the Aadhaar system, private entities are permitted to obtain biometric information for their business purposes. Such data is currently stored by several private organisations for different purposes such as unlocking public facilities, logging of employee attendance as well as protecting digital assets by using a face scan or fingerprint.
As biometric data is classified as personal information protected under the theory of informational privacy,[4] the use of such data will be subject to the provisions of the Digital Personal Data Protection Act, 2023 (the “Act”) owing to the risks of data theft, pilferage and leaks.
Implications of the DPDP Act on the Use of Biometric Technology
Given that authentication of an individual’s identity entails the collection, processing, sharing, storage and ultimately purging of biometric data, the Supreme Court[5] has advised government agencies and commercial entities to establish a “compelling legitimate purpose” in using biometric data as it has significant impact on the “right to privacy” of the citizens.
As a result, “consent” and “purpose limitation” are two core principles encapsulated under the Act which ensure that biometric data is not utilised for reasons other than compelling legitimate uses.
The Reserve Bank of India (“RBI”), for instance, authorises video-based systems in banks and lending institutions to oversee client onboarding and identity validation through the Know-Your-Customer (“KYC”) obligations. To fulfil the KYC obligations, the financial entity must precede the request for personal data with a notice to such individuals clearly stating the purpose for processing the personal data, and thereby obtain consent for the same.
Some of the key considerations in the collection and use of biometric data as encompassed under the Act are as follows:
- Application – In contrast to past versions of the data protection bills, the Act does not treat sensitive personal data, including biometric data, as a separate category. However, the sensitivity of the data may affect how the legal entity collecting it (the “Data Fiduciary”[6]) is categorised and penalised.
- Consent and Notice – Biometric data can only be gathered for legitimate purposes that are critical to the Data Fiduciary’s function. Such legal entity must seek verifiable consent from an individual (the “Data Principal”[7]) before collecting biometric data from her. This consent must be accompanied by a notice that specifies all of the Data Principal’s rights (as mentioned in Chapter III of the Act) in relation to the biometric data being collected. Details of the grievance redressal mechanism must also be supplied. Furthermore, parental consent is essential to acquire children’s biometric data.
- Data Retention – The collection of biometric data is subject to purpose limitation. Once the purpose of processing is achieved, the biometric data collected must be discarded from the Data Fiduciary’s systems as well as from the systems of any vendor (the “Data Processor”[8]) who had access to the same under the consent received from the Data Principal.
- Disclosures – The Data Fiduciary needs the consent of the Data Principal before disclosing any biometric data to a third party or vendors. However, no consent is required for disclosure to comply with legal purposes such as identification, prevention, investigation, prosecution, and punishment of criminal activity.
- Transfer of Data – Biometric information may only be shared with third parties, both inside and outside India, with the agreement of the Data Principal in question, or if doing so is required to carry out a valid contract between the Data Fiduciary and the Data Principal. Such cross-border data transfers will also be subject to the whitelisting and blacklisting activities of the Government.
- Reasonable Security Measures – To avoid data breaches, a Data Fiduciary must have “reasonable security safeguards” in place. In the event these safeguards are not put in place, the Data Fiduciary might face fines of up to 250 crores. This covers any security lapses committed by a third party to whom such biometric data was transmitted. As a result, it is the duty of a Data Fiduciary to ensure that a vendor has an adequate cybersecurity framework[9] and that the vendor is bound by contractual obligations in the event that a breach occurs.
- Appointment of Consent Manager and Data Protection Officer – Every Data Fiduciary has to designate a Consent Manager to supervise the consent management process. Such a person will be responsible for making sure that the Data Fiduciary deletes the biometric data from their systems as soon as the Data Principal withdraws her consent to process the data. Furthermore, given the sensitive nature of biometric data, it is likely that any company handling biometric data would be classified as a Significant Data Fiduciary, requiring it to designate an individual as a Data Protection Officer with a physical presence in India.
Conclusion
Biometric data is inseparable from human existence. Thus, the Act establishes a comprehensive framework for the responsible use of biometric data, balancing the need for technological advancement with the protection of individual privacy and security.
In addition to the existing framework under the Act, establishing a precise definition of “lawful purpose” as previously seen in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 can offer essential clarity to organizations involved in the storage and processing of biometric data. Furthermore, the incorporation of a standardized and user-friendly consent mechanism is imperative to successfully implement a resilient framework under the Act.
[1] https://www.uidai.gov.in/en/media-resources/uidai-documents/circulars-memorandums-notification/reports/7091-biometrics-committee.html
[2] https://uidai.gov.in/en/my-aadhaar/about-your-aadhaar/usage-of-aadhaar.html#:~:text=Aadhaar%20system%20provides%20single%20source,as%20the%20case%20may%20be.
[3] Shah, Jayminkumar. “Biometric Technology: Spreading Its Footprint In India.” Forbes, March 26, 2020. https://www.forbes.com/sites/forbesbusinessdevelopmentcouncil/2020/03/26/biometric-technology-spreadng-its-footprint-in-india/?sh=1e60ca3d765b.
[4] K.S. Puttaswamy and others versus Union of India and others, 2017 (10) SCALE 1.
[5] Ibid.
[6] Section 2(i), DPDP Act, 2023.
[7] Section 2(j), DPDP Act, 2023.
[8] Section 2(k), DPDP Act, 2023.
[9] https://www.bis.gov.in/system-certification-overview/certification-process/systems-under-certification/information-security-management-systems/
FAQs
What is the DPDP Act, and how does it relate to biometric data regulation in India?
The DPDP Act is a data protection law in India that regulates the use of biometric data for privacy and security.
How does the DPDP Act address data retention in the context of biometric information?
It mandates that biometric data must be deleted once the purpose of processing is fulfilled.
Why must a Data Fiduciary appoint a Consent Manager and Data Protection Officer in the handling of biometric data?
These roles ensure proper consent management and data protection, especially for sensitive biometric data.
King Stubb & Kasiva,
Advocates & Attorneys