By - King Stubb & Kasiva on November 2, 2023
Biometric technology, as the name suggests, refers to technology based upon the unique and distinct physical characteristics of a human. It enables an individual to be assigned a unique ID and/or persons to be demarcated from one another. The most common types of biometric identifiers are face, fingerprints and iris[1].
India is one of the leading nations in providing services relating to biometrics, and the biometric identification system used by the Government of India, known as the Aadhaar system, is the largest biometric platform in the world.
The purpose of the Aadhaar system is to provide a single source offline/online identity verification across the country for residents.[2] This further enables the Government to authenticate the identity of residents to distribute various government welfare services, subsidies, and benefits as provided under Section 7 of the Aadhaar (Targeted Delivery of Financial and other Subsidies, Benefits and Services) Act, 2016 (the “Aadhaar Act”). The use of Aadhaar has ensured that such vital resources reach their intended recipients and are not lost to middlemen.[3]
Conversely, private entities are prohibited from utilizing Aadhaar authentication or functioning as requesting entities to access information pertaining to individuals, without exception.
In contrast to the Aadhaar system, private entities are permitted to obtain biometric information for their business purposes. Such data is currently stored by several private organisations for different purposes such as unlocking public facilities, logging of employee attendance as well as protecting digital assets by using a face scan or fingerprint.
As biometrics is classified as personal information that is protected under the theory of informational privacy,[4] the use of such data will be subject to the provisions of the Digital Personal Data Protection Act, 2023 (the “Act”) due to risks of data theft, pilferage and leaks.
Given that authentication of an individual’s identity entails the collection, processing, sharing, storage and ultimately purging of biometric data, the Supreme Court[5] has advised government agencies and commercial entities to establish a “compelling legitimate purpose” in using biometric data, as it has a significant impact on the “right to privacy” of citizens.
As a result, “consent” and “purpose limitation” are two core principles encapsulated under the Act to ensure that biometric data is not utilised for reasons other than compelling legitimate uses.
The Reserve Bank of India (“RBI”), for instance, authorises video-based systems in banks and lending institutions to oversee client onboarding and identification validation through the Know-Your-Customer (“KYC”) obligations. To fulfil the KYC obligations, the financial entity must precede the request for personal data with a notice to such individuals clearly stating the purpose for processing the personal data, and thereby receive consent for the same.
Some of the key considerations in the collection and use of biometric data as encompassed under the Act are as follows:
Biometric data is immutable from human existence. Thus, the Act establishes a comprehensive framework for the responsible use of biometric data, balancing the need for technological advancements with the protection of individual privacy and security.
In addition to the existing framework under the Act, establishing a precise definition of "lawful purpose" as previously seen in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 can offer essential clarity to organizations involved in the storage and processing of biometric data. Furthermore, the incorporation of a standardized and user-friendly consent mechanism is imperative to successfully implement a resilient framework under the Act.
[1] https://www.uidai.gov.in/en/media-resources/uidai-documents/circulars-memorandums-notification/reports/7091-biometrics-committee.html
[2] https://uidai.gov.in/en/my-aadhaar/about-your-aadhaar/usage-of-aadhaar.html#:~:text=Aadhaar%20system%20provides%20single%20source,as%20the%20case%20may%20be.
[3] Shah, Jayminkumar. “Biometric Technology: Spreading Its Footprint In India.” Forbes, March 26, 2020. https://www.forbes.com/sites/forbesbusinessdevelopmentcouncil/2020/03/26/biometric-technology-spreadng-its-footprint-in-india/?sh=1e60ca3d765b.
[4] K.S. Puttaswamy and others versus Union of India and others, 2017 (10) SCALE 1
[5] Ibid
[6] Section 2(i) DPDP Act, 2023.
[7] Section 2(j) DPDP Act, 2023.
[8] Section 2(k) DPDP Act, 2023.
[9] https://www.bis.gov.in/system-certification-overview/certification-process/systems-under-certification/information-security-management-systems/
The DPDP Act is a data protection law in India that regulates the use of biometric data for privacy and security.
It mandates that biometric data must be deleted once the purpose of processing is fulfilled.
These roles ensure proper consent management and data protection, especially for sensitive biometric data.
[1] https://uidai.gov.in/en/my-aadhaar/about-your-aadhaar/usage-of-aadhaar.html
[2] K.S. Puttaswamy and Anr. vs. Union of India, 2017 (10) SCALE 1
[3] Supra
[4] https://www.rbi.org.in/CommonPerson/english/scripts/notification.aspx?id=2607
[5] Section 2(i) DPDP Act, 2023.
[6] Section 2(j) DPDP Act, 2023.
[7] Section 2(k) DPDP Act, 2023.
King Stubb & Kasiva,
Advocates & Attorneys