ARTICLE
14 August 2025

Biometric Data Regulation In India: Legal Landscape And Risks

AZB & Partners


The use of biometric data has become ubiquitous in the recent past. From employee monitoring and fingerprint-based access at workplaces to identity verification (including through platforms such as DigiYatra and Aadhaar), biometric authentication is being employed for a variety of use cases in both the public and private sectors. As biometric based technologies and applications evolve and continue to become more entrenched in our daily lives, the legal implications of the collection and use of biometric data become increasingly important. Given the highly sensitive nature of biometric data, the legal and regulatory frameworks that govern biometric data must be periodically evaluated to ensure adequate protection is being afforded to the privacy and security of individuals. Below we seek to outline the prevailing regulatory landscape in India and highlight risks and challenges arising from gaps in our data protection framework.

Risks of Biometric Data

Biometric data (such as fingerprints, retina and iris scans, voice and facial patterns) is fundamentally different from most other types of personal data because it cannot be replaced or changed if compromised. Biometric data therefore poses a unique set of risks with a correspondingly serious set of consequences. Unlike passwords or government issued identification numbers, biometrics are permanently and inherently linked to an individual for life; if leaked or stolen, they leave the individual permanently exposed to identity theft, fraud or misuse by malicious actors who can exploit such data indefinitely. A single breach of biometric data can also compromise every other platform or application to which the individual has submitted the same biometric, since a leaked raw image or unprotected template can be replayed wherever liveness checks and template protection are weak. In light of the increasing number of cyber attacks and breaches on a global scale, the implications of biometric data being insufficiently safeguarded are particularly grave.

The unauthorised collection or storage of biometric data, even by trusted entities such as governments or employers, could lead to unwanted outcomes such as unauthorised surveillance or profiling of individuals (in most cases without their knowledge), thereby violating their fundamental right to privacy. The nature of certain kinds of biometric information, such as voice or facial patterns, also makes it fairly simple to capture the data covertly, with the individual being none the wiser. These risks are not merely theoretical: the Indian government has noted that approximately 29,000 incidents of Aadhaar Enabled Payment System fraud owing to 'biometric cloning' had been reported by citizens on the National Cyber Crime Reporting Portal as of July 2024. Of note amongst these is an incident in Uttar Pradesh where four men in their early 20s were apprehended by the police and charged with using forged biometric access to tamper with the details contained in Aadhaar cards and generate fake passports, several of which successfully passed the UIDAI's validation process. Another such instance was a breach of the Tamil Nadu Police's Facial Recognition Portal, in which over 8,00,000 (800,000) data points were leaked, including reports from its Facial Recognition System, which used facial biometric data to identify criminals.

Indian legislation

i. SPDI Rules

There is currently no dedicated statute governing the collection and use of biometric data in India, and such activity is primarily governed by the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 ("SPDI Rules") issued under the Information Technology Act, 2000 ("IT Act"). The SPDI Rules, which define 'biometrics' inclusively as the "technologies that measure and analyse human body characteristics, such as 'fingerprints', 'eye retinas and irises', 'voice patterns', 'facial patterns', 'hand measurements' and 'DNA'", recognise biometric data as 'sensitive personal data or information' ("SPDI"). Consequently, the collection and subsequent processing of any biometric information requires the explicit, prior consent of the data subject. Other requirements relating to SPDI include: (i) collecting SPDI for lawful purposes alone, with the SPDI collected being necessary for such purpose; (ii) ensuring data subjects are aware that data is being collected and of the types of data being collected; and (iii) providing data subjects with details of the intended recipients of the SPDI as well as of the agencies that will be collecting and retaining the information.

Under the SPDI Rules, the transfer or disclosure of biometric information requires the explicit prior consent of the data subjects. Data subjects are also required to be provided the option not to provide such information and the option to withdraw a previously provided consent. Use restrictions (i.e. limited to purpose for which it was collected alone) and limitation on the retention period (i.e. not longer than is required for the purpose for which it was collected / as required by law) are also applicable. Reasonable security practices and procedures are required to be adopted and implemented to protect information that is collected, with the International Standard, IS/ISO/IEC 27001 on "Information Technology – Security Techniques – Information Security Management System – Requirements" being the only standard explicitly referred to under the SPDI Rules.

Importantly, however, the SPDI Rules do not apply to the State or its instrumentalities, which results in no protection being afforded in the context of collection or processing of biometric data by the Government. Additionally, the SPDI Rules provide a specific exception to the prior consent requirement, permitting (upon written request) the disclosure by collectors of SPDI to government agencies 'for the purpose of verification of identity, or for prevention, detection, investigation including cyber incidents, prosecution, and punishment of offences'. The stated purposes are wide enough to effectively permit government agencies to obtain individuals' SPDI from private entities in almost all situations.

ii. Aadhaar Act

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 ("Aadhaar Act") and the rules made thereunder also contain provisions on the collection and use of biometric information. The Aadhaar Act recognises biometric information as 'sensitive data' (facial images, all 10 fingerprints and scans of both irises are collected as part of the Aadhaar enrolment process) and seeks to safeguard such data by limiting its use. Biometric information may only be collected and used for enrolment or authentication purposes, and its storage is strictly regulated under the Aadhaar Act and restricted to the central repository (the Central Identities Data Repository) alone. Additional safeguards, such as standards for the devices used to collect and verify biometric information and encryption during the transfer of data, are also prescribed.

The restrictions and safeguards under the Aadhaar Act and its supplementary rules are, however, limited to the Aadhaar infrastructure alone. They therefore apply only to service providers within the Aadhaar ecosystem and not to other public or private entities that collect biometric information outside the Aadhaar context.

iii. DPDPA

The Digital Personal Data Protection Act, 2023 ("DPDPA"), when enforced, proposes to comprehensively overhaul the data protection regime in India. The DPDPA, however, in contrast to other regulations, recognises only one category of personal data, without provision for any special categories of sensitive data such as biometric information. Under the DPDPA regime, obligations in relation to personal data (including biometric information) will include, inter alia, the requirement that processing be grounded in the free, specific, informed, unconditional and unambiguous consent of the data principal. Such consent must be obtained through a clear affirmative action and must be strictly limited to the defined purpose for which the biometric data is necessary. A notice will also need to be issued to the data principal, providing an itemised description of the data being collected (which we believe will require the explicit inclusion of any biometric information that is being collected), the precise purposes of processing, and the mechanisms available for the data principal to exercise rights or withdraw consent at any time. Where the data principal is under eighteen years of age, verifiable consent must first be secured from a parent or lawful guardian; the draft rules mandate technical and organisational controls to ensure that the consenting party is an identifiable adult and that the consent itself is authentic. As to security safeguards, the draft rules provide for, amongst other measures, encryption, obfuscation, masking and the use of virtual tokens.

The DPDPA also allows for the processing of personal data on the basis of 'certain legitimate uses'. Of particular relevance to biometric information are: (i) 'for the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State'; and (ii) 'for the purposes of employment or those related to safeguarding the employer from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee'. The only qualification provided in respect of processing for legitimate uses is that the data must be processed in accordance with the DPDPA and for a lawful purpose, defined as any purpose that is not expressly forbidden by law. Given the extremely broad and vague nature of the legitimate use provisions, they could effectively defeat the safeguards provided for under the DPDPA and give employers and the State a free hand to collect individuals' biometric information without consent and without the individuals being made aware of the collection.

While the DPDPA aims to bolster the existing privacy regime in India, in the context of biometric data it may ultimately not offer any additional safeguards or security compared to the regulations in force today, and in some cases may even undermine the safeguards that currently exist (for example, in the context of processing pursuant to the legitimate uses discussed above).

Foreign legislation

i. European Union – GDPR

The European Union's General Data Protection Regulation ("GDPR") recognises biometric data processed for the purpose of uniquely identifying a natural person as a special category of data and prohibits its processing save for certain exempted purposes, including where valid explicit consent has been obtained for specified purposes and where processing is necessary for exercising rights of the data subject in the fields of employment and social security. Data controllers and processors are required by the GDPR to collect only that data which is relevant and necessary for their specific legitimate purpose (data minimisation) and must implement appropriate technical security measures. The GDPR also requires data controllers to undertake a Data Protection Impact Assessment prior to processing where the processing is likely to result in a high risk to the rights of data subjects. Member states are also permitted to introduce additional protections or limitations with respect to the processing of biometric data.

ii. China – PIPL

The Personal Information Protection Law of the People's Republic of China ("PIPL") follows a framework similar to that of the SPDI Rules, with biometric data classified as 'sensitive personal information' and made subject to a higher standard of care prior to processing. The PIPL requires separate (and, where prescribed, written) consent to be obtained from an individual prior to processing their biometric data. Appropriate security measures must be in place, a personal information protection impact assessment must be conducted prior to processing, and any cross-border transfer of personal information may take place only if limited specified criteria are met.

iii. Singapore – PDPA

Singapore's Personal Data Protection Act, 2012 ("PDPA") aligns more closely with the DPDPA, opting not to draw a distinction between different classes of personal data and instead offering the same level of protection to all forms of personal data. Subject to certain exemptions (including where processing is necessary for an investigation and in the case of mergers and acquisitions), an organisation must obtain an individual's consent prior to processing any personal data. The purposes for which personal data is collected must be limited, and organisations are required to maintain reasonable security arrangements. In addition, organisations are required to notify the Personal Data Protection Commission and any affected individuals of a data breach that has resulted, or is likely to result, in significant harm.

Bridging existing gaps

India's regulation of the processing of biometric information is fragmented at best. While the SPDI Rules and the Aadhaar Act seek to recognise and safeguard the critical nature of biometric information, both regimes are limited in scope and applicability. The DPDPA represents an opportunity to address the unique risks associated with biometric information, but in its current form it prescribes a generalised approach that lacks the required specificity and fails to recognise the inherently sensitive nature of biometric data. As discussed above, the legitimate uses provided for under the DPDPA result in sweeping exemptions which seem to permit, and are likely to encourage, the most concerning activities associated with biometric data. It is essential that appropriate changes and additional safeguards be provided for in the upcoming legislation. In our opinion, given its critical nature, a distinct and dedicated classification should be provided for biometric data under the DPDPA, subject to a higher standard of compliance and to conditions for its collection and processing including, but not limited to:

  • mandatory encryption: encryption of all biometric information should be made mandatory, with minimum encryption standards prescribed for the transfer and storage of such data. Because a stored template must ordinarily be decrypted before it can be matched, encryption should be paired with template protection measures (for example, retaining only transformed or cancelable templates rather than raw images, or matching on the capture device) so that a breach of the store does not expose reusable biometric features. To this end, standards for the devices used to collect biometric information (similar to those prescribed under the Aadhaar Act) can also be provided for in respect of collection by specified entities;
  • legitimate use exemptions: consent should be the sole basis for the collection and processing of biometric data, and no collection or processing should be permitted absent the explicit and informed consent of the data principal. Biometric data should therefore ideally be excluded from all 'legitimate uses', and any collection without the knowledge of the data subject should be prohibited and unlawful;
  • defined retention periods: especially in the context of private entities, a clearly defined and minimal time limit (distinct from, and more stringent than, the general requirement under the DPDPA of the earlier of the withdrawal of consent or the point at which it is reasonable to assume that the specified purpose is no longer being served) should be provided for the retention of biometric data, after which it should be automatically deleted. Where continued use of the data is required, fresh consent should be sought and the data recollected. This approach will discourage the use of biometric data for trivial purposes and reduce the window for misuse or unauthorised access;
  • limitation on State use: where it is not feasible to entirely prohibit the collection and use of biometric data by the State and its instrumentalities, any such use must be strictly and narrowly defined and limited to critical functions alone, such as national security or public safety. Exhaustive thresholds for such collection must also be provided for, along with a rigorous oversight mechanism to ensure transparency and accountability.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
