Introduction. Biometric data is very personal and poses significant security risks for organizations storing and processing such data. Besides the risk element, there is also the aspect of the data rights of individuals. These factors make this field highly regulated, and this might be a reason why banks and other organizations may choose to stay away from processing biometric data even though it is more secure than other forms of user authentication like OTPs and PINs. As technology advances, the use of applications like facial recognition may become more widespread because of the unique benefits they offer over other commonly used methods of user authentication. On the other hand, as society grows more conscious of its data rights, governments may also seek to regulate these technologies more strictly. India has recently updated its data protection laws to provide for hefty penalties of up to ₹ 250 cr. for failure to comply with the provisions of the new law.
Recent enactment of a new law by India. India has recently enacted a comprehensive regime for personal data protection under the Digital Personal Data Protection Act, 2023 (the “Act”), supplemented by the Digital Personal Data Protection Rules, 2025 (the “Rules”). These laws are expected to fully come into force by 2027. Earlier, personal data such as biometrics was governed by the SPDI (Sensitive Personal Data or Information) Rules under the IT Act, 2000. The new law, once it comes fully into force, will replace the older regime based on the IT Act. While some of the underlying core principles for data protection like user consent, transparency and limitation of data retention remain the same, the new laws are wider in scope and even mandate State entities to comply with their requirements.
(Image Courtesy UserCentrics.com)
Core Principles of Data Protection. A set of core principles for data protection has emerged. Most modern data protection laws are built on these core principles, including in India, where they have been incorporated into the recently enacted legislation. Keeping these principles in mind is essential for ensuring ethical development of software that may process personal data.
Transparency: Every use of personal data must be accompanied by a formal notice that spells out what data is being requested and the purpose for which it will be used. See Section 5 of the Act, “Notice”.
Purpose Limitation: Data that is collected can only be used for the purpose for which it was specified to be used. It cannot later be used for other purposes or shared with other entities. See Section 6 of the Act, “Consent”.
Data Minimization: Only that data which is required for the specified purpose can be collected, and no more. See Section 7 of the Act, “Certain Legitimate Uses”.
Accuracy: The data must be accurate and up to date. Users must be permitted to access the data and update it as and when they wish to. See Section 12 of the Act, “Right to correction and erasure of personal data”.
Storage Limitation: The data can only be kept as long as it is needed for the purpose for which it was collected. Once the purpose has ceased, the data must be erased. See Section 8(7) of the Act.
Integrity and Confidentiality: Data must be protected from unauthorized access, alteration, loss or destruction. Technical and organizational measures must be undertaken to ensure the security of personal data. See Sections 8(3) and 8(4) of the Act.
(Image Courtesy UserCentrics.com)
Accountability: The onus is on the organization collecting data to implement reasonable security safeguards to protect personal data and to prevent data breaches. See Section 8 of the Act, “Obligations of a Data Fiduciary”. For more on “reasonable security safeguards”, see Section 6 of the DPDP Rules, “Reasonable security safeguards”.
Consent as the cornerstone of Data Privacy. In addition to the core principles outlined above, a key aspect of data protection is consent. Biometric data cannot be processed without the consent of the user to whom it belongs. Such consent cannot be implied; it must be “free, specific, informed, unconditional and unambiguous with a clear affirmative action”. The user must also have the facility to withdraw their consent as easily as it was given. Every such request for consent has to be accompanied by a notice that details the personal data requested and the purpose for which it will be used. For the purpose of administering the requirements of user consent, the new law creates a system of “Consent Managers” to act as intermediaries between users and organisations processing data. Using a Consent Manager is not mandatory, and an organisation may choose to manage user consent internally as well. However, appointing a dedicated Consent Manager may streamline the compliance process and ensure best practices are in place for managing user consent. Consent Managers also maintain accountability to the owners of the data and give them the facility to manage their consent at any time.
(Image Courtesy DPO India)
Data Processing by Third Parties. An organization may choose to appoint a third party to process biometric data on its behalf. Outsourcing is common in India, and an organization may outsource in order to implement a new biometric-based solution that processes such data. Here the third-party data processor has no agreement with the owners of the data, only with the organization outsourcing the processing. This sort of arrangement is permitted by law, and an organization may involve a third-party data processor to process personal data on its behalf under a valid contract. The burden of compliance with the data protection laws remains with the organization outsourcing the data processing. Through its contract with the third-party data processor, also called the Data Processing Agreement or “DPA”, the organization can ensure compliance with data protection law requirements like the implementation of reasonable security safeguards. The DPA might also include provisions to indemnify the organization in case of a breach on the part of the data processor, and provisions to erase the stored personal data once the purpose of processing it has ceased. The DPA is the vehicle through which an organization ensures compliance with data protection regulations by the third-party data processor.
Breach of Data. It is vital to maintain best practices for obtaining consent from users. A breach of personal data may turn out to be very costly for an organization, with penalties of up to ₹250 cr. under the new law. A breach of personal data is defined to include any “unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data.” If any breach occurs, the organization handling the data must notify the affected parties and the Data Protection Board. The Board would then inquire into the breach and, if it considers the breach to be significant, impose penalties as provided in the law. It is mandatory to report any breach of personal data, and failure to do so can attract heavy penalties from the Data Protection Board.
Impact on the Software Development Process. While software developers may not be the final users or processors of the personal data, the idea of “Privacy by Design” is relevant to the software development process. The basic idea is that data privacy is to be embedded into the design and architecture of systems as well as business practices. Privacy cannot be an afterthought or a post-launch activity. In other words, software developers must adopt a proactive approach to data protection from the get-go. To this end, the core principles of data protection mentioned above are important to keep in mind. Examples of these principles in practice include minimizing the collection of data and creating user interfaces that facilitate the right of users to give, modify or withdraw their consent. Building user-centric software is important to foster a sense of trust that gives users the confidence to store their data, knowing that it will be kept secure. Finally, appropriate measures must be in place to ensure that data is processed securely. Methods like encryption, access controls and security testing are recommended for this purpose.
Right of the State to Collect and Process Personal Data. The State does not have an unchecked right to collect and process personal data. In India the right to privacy has been recognized as a fundamental right by the Supreme Court in the Puttaswamy judgement. This provides a constitutional safeguard for the data rights of each individual against unauthorized use of data by the State or any private organization. It must be noted, however, that although this right is recognized as a fundamental right, it is not absolute, and reasonable restrictions may be imposed upon it by the State. For such a restriction to be legitimate, there needs to be a compelling state interest in favour of it. It may be found that the State indeed has a legitimate and compelling need to stay up to date with the latest technologies for maintaining public order and security. This is especially true if it can be demonstrated that technologies like facial recognition can improve the security of all citizens by spotting threats to public security early. Further, this argument is likely to become even more persuasive as technology advances over time, because of the advantages such technology will offer for public security over not using it. Thus, the use of modern technologies for maintaining public order and security must be balanced against the constitutional rights of citizens to the privacy and autonomy of their data. If a compelling state interest can be found in favour of using modern forms of maintaining public security, they may be justified despite the risk posed to the privacy rights of citizens. The Act also makes provision for the State to process personal data of individuals for the performance of its functions under law or “in the interest of sovereignty and integrity of India or security of the State.”
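The consent, purpose-limitation and storage-limitation principles discussed above can be enforced in code rather than left to process. The Python below is an added illustration, not code from the original post or from any project; the ConsentRecord and BiometricStore names, the reason strings, the sample retention periods and the section references in the comments are the example's own assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class ConsentRecord:          # constructed model, not the Act's own wording
    user_id: str
    purposes: frozenset              # purposes spelled out in the notice (Section 5)
    given_at: datetime
    retention: timedelta             # expected life of the purpose (Section 8(7))
    withdrawn_at: datetime | None = None

class BiometricStore:
    """Holds templates and refuses any processing the consent record does not cover."""
    def __init__(self) -> None:
        self._consents: dict[str, ConsentRecord] = {}
        self._templates: dict[str, bytes] = {}

    def enrol(self, rec: ConsentRecord, template: bytes) -> None:
        self._consents[rec.user_id] = rec
        self._templates[rec.user_id] = template

    def withdraw(self, user_id: str, now: datetime) -> None:
        # One call, no conditions: withdrawing is as easy as giving consent.
        self._consents[user_id].withdrawn_at = now

    @staticmethod
    def _lapsed(rec: ConsentRecord, now: datetime) -> str | None:
        if rec.withdrawn_at is not None and now >= rec.withdrawn_at:
            return "consent withdrawn"
        if now > rec.given_at + rec.retention:
            return "retention period over"
        return None

    def may_process(self, user_id: str, purpose: str, now: datetime) -> tuple[bool, str]:
        """Gate every use of a template: returns (allowed, reason)."""
        rec = self._consents.get(user_id)
        if rec is None:
            return False, "no consent on record"
        if (why := self._lapsed(rec, now)):
            return False, why
        if purpose not in rec.purposes:      # purpose limitation (Section 6)
            return False, "purpose not covered by notice"
        return True, "ok"

    def purge(self, now: datetime) -> list[str]:
        """Storage limitation (Section 8(7)): erase templates whose consent has lapsed."""
        gone = [u for u, r in self._consents.items() if self._lapsed(r, now)]
        for u in gone:
            del self._templates[u], self._consents[u]
        return gone
```

Running purge() on a schedule turns the storage-limitation obligation into a routine job, and the reason string from may_process() gives an audit trail for every refused use.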
Legislation:
Information Technology Act, 2000
https://www.indiacode.nic.in/bitstream/123456789/13116/1/it_act_2000_updated.pdf
Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, aka “SPDI Rules”
Digital Personal Data Protection Act, 2023
https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf
Digital Personal Data Protection Rules, 2025
https://www.meity.gov.in/static/uploads/2025/11/53450e6e5dc0bfa85ebd78686cadad39.pdf
Judgements:
Puttaswamy v. Union of India
https://en.wikipedia.org/wiki/Puttaswamy_v._Union_of_India
Resources:
Biometric Data Regulation In India: Legal Landscape and Risks
https://www.azbpartners.com/bank/biometric-data-regulation-in-india-legal-landscape-and-risks/
Consent Management Under India’s DPDP Act: Best Practices for Compliance
https://www.dpo-india.com/Blogs/consent-management-india-dpdp-act/
Consent Managers under the Digital Personal Data Protection Act: A Game Changer or Compliance Burden?
Privacy Policies vs. Privacy Notices: Decoding India’s New Data Protection Norms
https://www.lexology.com/library/detail.aspx?g=ae57d723-918c-41bc-a045-2c5ebadba2e1
Understanding the 7 data privacy principles
https://usercentrics.com/guides/data-privacy/data-privacy-principles/
Right to Privacy Under Indian Constitution
https://gitarattan.edu.in/wp-content/uploads/2020/11/giBS-Law-Journal-2020-Research-Paper-5.pdf
Privacy, Surveillance, and State Interest: Appraising the DPDP Act through a Constitutional Perspective
Aadhaar eKYC: Is It Required for Banks? The Answer Inside.
https://www.linkedin.com/pulse/aadhaar-ekyc-required-banks-answer-inside-meon-technologies-bqwtc/
Privacy by Design
https://en.wikipedia.org/wiki/Privacy_by_design
How Data Privacy Regulations Are Transforming the Software Development Lifecycle
Data Privacy Regulations and Software Development: Navigating GDPR, CCPA, and Beyond
Obligations of Data Processors vis-à-vis Data Fiduciaries under the DPDP Act, 2023
Data Processors Under the DPDP Act: Key Compliance Insights
https://www.consent.in/blog/data-processors
The Importance of Data Processing Agreements under India’s Digital Personal Data Protection Act, 2023