Friday, May 29, 2026

Processing Biometric Data: A Guide to Data Protection Law

Introduction. Biometric data is highly personal and poses significant security risks for organizations that store and process it. Besides the risk element, there is also the aspect of the data rights of individuals. These factors make this field highly regulated, which might be a reason why banks and other organizations may choose to stay away from processing biometric data even though biometrics are more secure than other forms of user authentication like OTPs and PINs. As technology advances, the use of applications like facial recognition may become more widespread because of the unique benefits they offer over other commonly used methods of user authentication. On the other hand, as society grows more conscious of its data rights, governments may also seek to regulate these technologies more strictly. India has recently updated its data protection laws to provide for hefty penalties of up to ₹250 cr. for failure to comply with the provisions of the new law.

Recent enactment of new law by India. India has recently enacted a comprehensive regime for personal data protection under the Digital Personal Data Protection Act, 2023 (the “Act”), supplemented by the Digital Personal Data Protection Rules, 2025 (the “Rules”). These laws are expected to come fully into force by 2027. Earlier, personal data such as biometrics was governed by the SPDI (Sensitive Personal Data or Information) Rules of the IT Act, 2000. The new law, once it comes fully into force, will replace the older law based on the IT Act. While some of the underlying core principles for data protection like user consent, transparency and limitation of data retention remain the same, the new laws are wider in scope and even require State entities to comply with them.

(Image Courtesy UserCentrics.com)

Core Principles of Data Protection. A set of core principles for data protection has emerged. Most modern data protection laws are built on these core principles, including in India, where they have been incorporated into the recently enacted legislation. Keeping these principles in mind is essential for ensuring ethical development of software that may process personal data.

Transparency: Every use of personal data must be accompanied by a formal notice that spells out what data is being requested and the purpose for which it will be used. See, Section 5 of the Act, “Notice”.

Purpose Limitation: The data that is sought can only be used for the purpose for which it is specified to be used. It cannot be later used for other purposes or shared with other entities. See, Section 6 of the Act, “Consent”.

Data Minimization: Only that data which is required for the purpose specified can be collected and no more. See Section 7 of the Act, “Certain Legitimate Uses”.

Accuracy: The data must be accurate and up-to-date. Users must be permitted to access the data and update it as and when they wish to. See, Section 12 of the Act, “Right to correction and erasure of personal data”. 

Storage Limitation: The data can only be kept as long as it is needed for the purpose for which it was collected. After the purpose has ceased, the data must be erased. See, Section 8(7) of the Act.

Integrity and Confidentiality: Data must be protected from unauthorized access, alteration, loss or destruction. Technical and organizational measures must be undertaken to ensure the security of personal data. See, Section 8(3), 8(4) of the Act.

(Image Courtesy UserCentrics.com) 

Accountability: The onus is on the organization collecting data to implement reasonable security safeguards to protect personal data and to prevent data breach. See Section 8, “Obligations of a Data Fiduciary”. For more on “reasonable security safeguards” see, Section 6 of DPDP Rules, “Reasonable security safeguards”.

Consent as cornerstone of Data Privacy. In addition to the core principles outlined above, a key aspect of data protection is consent. Biometric data cannot be processed without the consent of the user to whom it belongs. Such consent cannot be implied and it must be “free, specific, informed, unconditional and unambiguous with a clear affirmative action”. The user must also have the facility to withdraw their consent as easily as it was given. Every such request for consent has to be accompanied by a notice that details the personal data requested and the purpose for which it will be used. For the purpose of administering the requirements of user consent, the new law creates a system of “Consent Managers” to act as intermediaries between users and organisations processing data. Appointing one is not mandatory, and an organisation may choose to manage user consent internally as well. However, appointing dedicated Consent Managers may streamline the compliance process and ensure best practices are in place for managing user consent. They also maintain accountability to the owners of the data and allow them the facility to manage their consent at any time.

(Image Courtesy DPO India)

Data Processing by Third Parties. An organization may choose to appoint a third party to process biometric data on its behalf. Outsourcing is common in India, and an organization may seek to outsource for the purpose of implementing new technologies that process biometric data. This may be required when implementing a new biometric-based solution for an organization. Here the third-party data processor is not in an agreement with the owners of the data but only with the organization seeking to outsource the processing of data. This sort of arrangement is permitted by law, and an organization may involve a third-party data processor to process personal data on its behalf under a valid contract. The burden of compliance with the data protection laws here remains with the organization outsourcing the data processing. Through its contract with the third-party data processor, also called the Data Processing Agreement or “DPA”, the organization can ensure compliance with data protection law requirements like the implementation of reasonable security safeguards. The DPA might also include other provisions to indemnify the organization in case of breach on the part of the data processor and provisions to erase the personal data stored when the purpose of processing it has ceased. The DPA is the vehicle through which an organization ensures compliance with data protection regulations by the third-party data processor.

Breach of Data. It is vital to maintain best practices for obtaining consent from users. A breach of personal data may turn out to be very costly for an organization, with penalties of up to ₹250 cr. in the new law. A breach of personal data is defined to include any “unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.” If any breach occurs, the organization handling the data must intimate the affected parties and the Data Protection Board. The Board would then inquire into the breach, and if it considers the breach to be significant, impose penalties as provided in the law. It is mandatory to report any breaches of personal data, and any failure to do so can attract heavy penalties from the Data Protection Board.

Impact on Software Development Process. While software developers may not be the final users or processors of the personal data, the idea of “Privacy by Design” is relevant to the software development process. The basic idea is that data privacy is to be embedded into the design and architecture of systems as well as business practices. Privacy cannot be an afterthought or a post-launch activity. In other words, software developers must adopt a proactive approach to data protection from the get-go. To this end, the core principles of data protection mentioned above are important to keep in mind. Some examples of these in practice may be minimizing the collection of data and creating user interfaces that facilitate the right of users to give, modify or withdraw their consent. Building user-centric software is important to foster a sense of trust that will give users the confidence to store their data, knowing that it will be kept secure. Finally, appropriate measures must be in place to ensure that data is processed securely. Methods like encryption, access controls and security testing are recommended for this purpose.

Right of State to Collect and Process Personal Data. The State does not have an unchecked right to collect and process personal data. In India the right to privacy has been recognized as a fundamental right by the Supreme Court in the Puttaswamy judgement. This ensures a constitutional safeguard for the data rights of each individual from unauthorized use of data by the State or any other private organization. It must be noted, however, that though this right is recognized as a fundamental right, it is not absolute and reasonable restrictions may be imposed upon it by the State. For such a restriction to be legitimate, there needs to be a compelling state interest in favour of such a restriction. It may be found that the State indeed has a legitimate and compelling need to stay up to date with the latest technologies for maintaining public order and security. This is especially true if it can be demonstrated that technologies like facial recognition can improve the security of all citizens by spotting threats to public security early. Further, this is likely to become even more persuasive as technology advances over time because of the advantages that it will offer for public security over not using such technology. Thus, use of modern technologies for maintaining public order and security must be balanced with the constitutional rights of citizens to the privacy and autonomy of their data. If a compelling state interest can be found in favour of using modern forms of maintaining public security, they may be justified despite the risk posed to privacy rights of citizens. The Act also makes provisions for the State to process personal data of individuals for performance of its functions under law or “in the interest of sovereignty and integrity of India or security of the State.”

 

Legislation:
Information Technology Act, 2000

https://www.indiacode.nic.in/bitstream/123456789/13116/1/it_act_2000_updated.pdf

Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 aka “SPDI Rules”

https://upload.indiacode.nic.in/showfile?actid=AC_CEN_45_76_00001_200021_1517807324077&type=rule&filename=GSR313E_10511(1)_0.pdf

Digital Personal Data Protection Act, 2023 

https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf

Digital Personal Data Protection Rules, 2025

https://www.meity.gov.in/static/uploads/2025/11/53450e6e5dc0bfa85ebd78686cadad39.pdf

 

Judgements: 

Puttaswamy v. Union of India

https://en.wikipedia.org/wiki/Puttaswamy_v._Union_of_India

 

Resources:

Biometric Data Regulation In India: Legal Landscape and Risks

https://www.azbpartners.com/bank/biometric-data-regulation-in-india-legal-landscape-and-risks/

Consent Management Under India’s DPDP Act: Best Practices for Compliance

https://www.dpo-india.com/Blogs/consent-management-india-dpdp-act/

Consent Managers under the Digital Personal Data Protection Act: A Game Changer or Compliance Burden?

https://www.barandbench.com/view-point/consent-managers-under-digital-personal-data-protection-act-game-changer-ot-compliance-burden

Privacy Policies vs. Privacy Notices: Decoding India’s New Data Protection Norms

https://www.lexology.com/library/detail.aspx?g=ae57d723-918c-41bc-a045-2c5ebadba2e1

Understanding the 7 data privacy principles

https://usercentrics.com/guides/data-privacy/data-privacy-principles/

Right to Privacy Under Indian Constitution

https://gitarattan.edu.in/wp-content/uploads/2020/11/giBS-Law-Journal-2020-Research-Paper-5.pdf

Privacy, Surveillance, and State Interest: Appraising the DPDP Act through a Constitutional Perspective

https://forum.nls.ac.in/ijlt-blog-post/privacy-surveillance-and-state-interest-appraising-the-dpdp-act-through-a-constitutional-perspective/

Aadhaar eKYC: Is It Required for Banks? The Answer Inside.

https://www.linkedin.com/pulse/aadhaar-ekyc-required-banks-answer-inside-meon-technologies-bqwtc/

Privacy by Design

https://en.wikipedia.org/wiki/Privacy_by_design

How Data Privacy Regulations Are Transforming the Software Development Lifecycle

https://medium.com/@Sangram.s_16290/how-data-privacy-regulations-are-transforming-the-software-development-lifecycle-b23a698a84c9

Data Privacy Regulations and Software Development: Navigating GDPR, CCPA, and Beyond

https://www.hackerone.com/blog/data-privacy-regulations-and-software-development-navigating-gdpr-ccpa-and-beyond

Obligations of Data Processors vis-à-vis Data Fiduciaries under the DPDP Act, 2023

https://ksandk.com/data-protection-and-data-privacy/data-processor-duties-under-indias-dpdp-act-2023/#contractual-mechanisms-data-processing-agreements-dp-as

Data Processors Under the DPDP Act: Key Compliance Insights

https://www.consent.in/blog/data-processors

The Importance of Data Processing Agreements under India’s Digital Personal Data Protection Act, 2023

https://www.linkedin.com/pulse/importance-data-processing-agreements-under-indias-digital-kulin-dave-gbdmf/

 

Thursday, May 28, 2026

MiG-21 Unmanned Combat Air System - A Resurrection


Victory smiles upon those who anticipate the change in the character of war, not upon those who wait to adapt themselves after the changes occur.

 Giulio Douhet

The Command of the Air

 


 

A Sobering Thought   

A MiG-21 converted to a Kamikaze UCAS can be a very effective bunker buster with high KE penetration (1.4 - 1.8 GJ). Considering 400 kg of jet fuel and a 200 kg HE warhead, it delivers a thermobaric blast inside hardened structures caused by kinetic vaporisation followed by fuel-air catalysis with the warhead acting as secondary charge.   

For comparison, it possesses 60,000 times more KE than the propeller-driven Shahed-136 Kamikaze drone (7,500 times more than the jet-powered Shahed-238). A Shahed-136 carries ≈ 50 kg of explosives and ≈ 50 L of fuel, generating roughly 2,000 MJ of total chemical energy with virtually zero kinetic penetration. The MiG-21 UCAS unleashes nearly 10 times the total energy of a standard drone strike, with the added capability of delivering that blast inside hardened bunkers due to its high-speed kinetic entry.

 

EXECUTIVE SUMMARY

This white paper advocates for the strategic conversion of the Indian Air Force's (IAF) legacy MiG-21 BISON fleet into multi-role UCAS. These retired airframes represent a significant untapped resource for enhancing India’s mass, attrition tolerance, and technological edge in contested environments.

 

STRATEGIC RATIONALE

The IAF currently operates around 30 fighter squadrons against a sanctioned strength of 42. Repurposing retired BISONs provides an effective and cost-effective solution to the "thinning" of the combat fleet. Unlike traditional scrapping or display, converting these aircraft into UCAS can bridge legacy manned operations and next-gen unmanned systems.

By breathing new life into these machines, the IAF can transform the perceived weakness of ageing aircraft into a "shield and a spear" for 21st-century conflicts. This strategy aligns with the "Atmanirbhar Bharat" agenda for acquiring autonomous flight controls and AI-enabled kill chain capabilities.

 

UCAS OPERATIONAL ROLES

The proposed BISON UCAS would fulfil three critical roles, maximizing the utilisation of the aircraft’s unique flight characteristics. Before examining them, however, it is pertinent to look briefly at a typical layered air defence network, with overlapping tiers of sensors, command networks, and weapons to detect, track, and neutralize aerial threats at various altitudes and ranges, as shown in Figure 1.

Fig.1 – Layered Air Defence Network

1. Kamikaze and Decoy Platforms (SEAD Roles)

The UCAS can be deployed for a Kamikaze strike or as an attritable decoy.

·       Kamikaze Strike: UCAS could perform an expendable strike mission, carrying an HE warhead (up to 500 kg) to destroy hardened infrastructure in high-risk zones.

·       Attritable Decoy: It could simulate RCS and electronic signatures of high-value assets like the Rafale or Su-30MKI, forcing enemy air defences to reveal their positions or exhaust expensive missile inventories on expendable targets.

2. Full Scale, High-Speed Aerial Targets

The UCAS will be uniquely suited for testing Surface-to-Air and Air-to-Air Effectors, which require targets that can realistically mimic the Mach 2 speed, 17-km service ceiling, and high-G manoeuvres of modern fighter jets. As reusable targets, UCAS will provide a far more realistic testing environment and test data than existing low-speed targets.

For training missions where no live ordnance is used, the UCAS is flown autonomously, and flying crew practice tracking and locking onto the UCAS using Radar and EO/IR sensors. In such cases, the UCAS lands safely and is reused for future flights.

In ‘live-fire’ testing and advanced combat exercises, a pilot or AD system actually fires an effector at the UCAS. If the missile makes a direct physical hit or detonates within lethal range, the UCAS is destroyed and crashes into the sea. The retrofitted MDI System provides accurate data on the effector performance, as shown in Figure 2.

Fig.2 – Realistic, Supersonic Target with MDI

3. Manned-Unmanned Teaming

In an M-UMT framework, the UCAS acts as a "sensor amplifier" for a mothership (e.g., Su-30 MKI or Rafale). Controlled by the manned fighter, the drone could fly ahead for high-threat area surveillance, provide supplementary cover, and engage targets autonomously if required. This collaborative combat role significantly enhances the survivability of the human pilot by allowing the UCAS to absorb enemy fire during deep-strike operations.

Instead of relying on remote ground operators, a ‘loyal wingman’ uses edge-computed AI autonomy to perform dynamic mission profiles based on the manned fighter's real-time needs:

·       Sensor Forward Scouting: Flying ahead of the crewed fighter to expand the tactical radar and EO/IR image while shielding the human pilot from enemy defences.

·       Weapon Extension: Carrying supplementary effectors that can be targeted and fired via commands from the manned fighter.

·       EW: Active jamming of adversary radars and communication nodes to create safe corridors for the strike package.

·       Tactical Decoys: Flying in high-visibility swarm profiles to confuse enemy AD and absorb incoming missile strikes.

·       Affordable Attritability: Built intentionally at a lower cost-point so they are economically expendable in high-threat, Anti-Access / Area-Denial (A2/AD) zones.

Once policymakers and warfighters absorb the attributes of human-CCA teams, they can address how CCA should operate, manoeuvre, and partner with humans to achieve mission success. Figure 3 illustrates one such concept.

 

Fig.3 – Exploiting CCA for a First-Shot, First-Kill Advantage

A collaborative combat mission scenario with effective communication and survivability for CAP with the support of two UCAS is shown in Figure 4.


Fig.4 – CAP with Support of Two UCAS

The friendly fighter's radar detects an enemy aircraft flying towards the airspace. The fighter and UCAV immediately head towards the enemy aircraft. The fighter uses its radar to identify the enemy aircraft. After identifying the enemy aircraft, the fighter and UCAV divide the tasks. The friendly fighter carries out a frontal attack while the UCAV attacks the enemy aircraft from behind.

M-UMT survivability metrics with a variable number of UCAVs (‘loyal wingmen’) in a Lethal Envelope Model are shown in Figure 5.

Fig.5 – M-UMT Survivability Metrics

Note: The full scope of M-UMT capability discussed in this paper may not be realised in the prototype MiG-21 UCAS or its initial serially produced versions. However, the platform will be an experimental testbed for refining the philosophy and technologies for M-UMT and autonomous combat air vehicles which will control the skies in the near future.

 

TECHNICAL PROCESS & CONVERSION PATHWAY

The conversion of BISON into UCAS is a complex but manageable engineering task, leveraging mature technologies. The four conversion phases are as follows:

Phase 0

·       Aircraft Survey: Survey available MiG-21 BISON Airframes and Engines at IAF bases & storage sites 

·       Aircraft Selection: Identify suitable candidate Airframes and Engines for prototype UCAS and serial production 

·       Condition based Life Extension: Limited life extension checks relevant for UCAS role based on sample checks on retired airframes. 

·       Storage Servicing & Preservation: Develop a servicing & preservation schedule for aircraft in the UCAS role based on the legacy aircraft maintenance schedule

·       Life Extension of Aircraft: Perform LE of prototype UCAS candidates

·       Servicing of Aircraft: Storage servicing and preservation of serial production candidates will be performed periodically

The conceptual view of the conversion process is given in Figure 6.

Fig.6 – UCAS Conversion Concept 

Phase 1 – Structural Modification

·       Remove Crew Systems: Non-essential subsystems like Cockpit Controls, Life Support Eqpt, Gun, Ejection Seat & Displays are removed to reduce weight and free internal volume for new avionics.

·       Structural Integrity: Maintain integrity for new autonomous Flight Loads

Phase 2 – Avionics Integration

·       New Systems: Since the BISON lacks modern fly-by-wire systems, an autonomous flight control system and autopilot with terrain matching must be installed to actuate control surfaces and integrated with existing INGPS.

·       Sensor Suite and Avionics Integration: INGPS and Terrain Matching Systems

·       C2: Installation of Mission Computer with real-time telemetry / data links & remote functions.

Core components are shown in Figure 7.

Fig. 7 Core UCAS Components

Phase 3 - Combat Subsystems & Payload Integration

·       Weapon Systems: Installation of HE Warhead with autonomous weapon targeting and fire control systems with modification of existing pylons for payload flexibility.

·       Sensors & EW: Integration of existing Radar, new EO/IR Suite & EW Payloads with MDI & other Sensor Pods. Existing self-protection suite to be retained.

·       Cognitive Ability: Integration of Autonomous Target Recognition & Engagement Capabilities in Control Algorithms 

Note: While the BISON has a large RCS (making it a good decoy), combat-oriented variants could be coated with Radar Absorbent Material (RAM) to provide limited low-observability during approach.

The conversion process requires significant IAF support in terms of:

·       Airbase Infrastructure.

·       MiG-21 BISON Airframes and Engines.

·       Ground and Flight Testing.

·       Airworthiness.

A brief elucidation of the required support is given in Figure 8.

Fig. 8 – Required IAF Support

Note: IAF support excludes the trained manpower required to perform the conversion. Typically this would be provided through private industry initiative.

COST BENEFIT ANALYSIS – COMPELLING ECONOMICS

The financial logic of conversion is a powerful argument for UCAS.

·       Conversion Costs: Transforming a BISON into an expendable target drone is estimated to cost between 5 and 10 crore. A more complex, reusable combat drone conversion is estimated at 50 to 100 crore.

·       Procurement Comparison: In contrast, procuring a new advanced UCAV like the MQ-9B costs several hundred crores.

·       Maintenance Savings: By utilizing retired airframes as expendable assets, the IAF eliminates the long-term, multi-decade maintenance costs associated with keeping 50-year-old jets airworthy for manned flight.

 

COMPARATIVE GLOBAL PRECEDENTS

·       China: The PLAAF has successfully converted hundreds of J-6 and J-7 aircraft into a "zombie fleet" designed to saturate enemy air defences in regional conflicts.

·       United States: The USAF uses retired F-16s as QF-16 FSATs and utilizes them in the Skyborg program to test AI-enabled autonomous flight through Project VENOM.

 

CHALLENGES & MITIGATION

Critics of conversion cite the logistics of maintaining an aging fleet and the scarcity of spare parts as major hurdles. Judicious use of existing inventory and newly installed systems can mitigate this concern. As realised by strategists, these airframes are meant to be attritable and expendable and their primary value lies in acting as testbeds for future autonomous technologies and providing mass in "drone-centric" warfare — roles where they are expected to be lost in combat.

 

CONCLUSION

The Indian Air Force stands at a crossroads. Scrapping the MiG-21 BISON fleet would be a loss of high-performance airframes that can still serve the nation as low-cost, supersonic unmanned assets. By converting these aircraft into UCAS for Kamikaze / Decoy, High Speed Aerial Target and M-UMT roles, the IAF can achieve "algorithmic deterrence," enhancing the credibility of its military options while preserving its human capital and high-end fighter fleet.

Actionable Recommendation: The Indian Air Force should seriously consider authorizing a pilot project to convert two BISON aircraft into UCAS for field trials. 
