
Biometric data refers to a human being’s unique and distinct physical and other characteristics, which biometric technology can use to create a unique identifier that distinguishes one person from another. While physical biometric identifiers include a human being’s face, fingerprints, or iris, behavioural biometrics use AI to identify a person by their behaviour, such as gait, signature, or handwriting.
Given their relative accuracy and speed, physical biometric identifiers have seen increasing applications in areas ranging from computer passwords to door access. According to the 2023 Online Authentication Barometer, biometrics is the most preferred method for consumers to sign in to online accounts, apps, and smart devices, and it is also seen as the most secure method.
Unpacking the Legal and Ethical Issues in Biometric Data Collection
The Indian government’s Aadhaar system, the world’s largest biometric platform, uses fingerprint patterns for identification and various government applications. Recently, facial recognition technologies (FRTs) have also been implemented for security purposes. Biometric data, which uniquely identifies individuals, raises significant privacy concerns due to potential misuse, such as identity theft and surveillance. Unlike passwords, compromised biometric data cannot be easily reset, making its protection crucial. The Criminal Procedure Identification Act, 2022 and the landmark Digital Personal Data Protection Act (DPDPA), 2023 directly impact the use and processing of biometric data, underscoring the need for stringent safeguards.
Ethical data collection requires respect for autonomy and informed consent from individuals. People must understand the entire data collection cycle before they give their consent. Other concerns include bias and discrimination: systems based on biometrics or face scans, especially those using AI, might behave with an unfair bias for or against people. Privacy, therefore, becomes a very severe concern, as the widespread use of biometric surveillance may create a sense of loss of control and individual freedom.
Balancing biometric technology’s benefits with these legal and ethical challenges is crucial for fostering trust and ensuring the responsible use of biometric systems.
The Criminal Procedure Identification Act: Implications for Privacy Rights
The Criminal Procedure Identification Act (CrPI) of 2022 was enacted in April 2022. Under the act, the police can now collect biometric data or “measurements” (fingerprints, palmprints, footprints, photographs, iris scans, retina scans, physical/biological samples and behavioral attributes including signatures, handwriting or other exam) of any person arrested or detained or under preventive detention for committing an offence punishable by imprisonment for seven or more years. Such data can be stored for a period of 75 years and shared with other police and law enforcement agencies, with penalties for resisting data collection.
Some had contended that the CrPI Act seriously compromised people’s privacy and civic rights and, hence, could make India a surveillance state. At the time of its passage, India did not have appropriate legislation on data protection.
Another area of concern is the overt use of facial recognition systems that both the central and state governments have at their disposal without any control or censorship.
The Digital Personal Data Protection Act
The DPDPA requires consent and purpose limitation in the collection or use of personal data, i.e. data about an individual who is identifiable by or in relation to such data.
Entities that wish to collect and process personal data must establish a compelling, legitimate purpose for using biometric data and obtain verifiable consent from individuals.
The concepts of consent and notice also stand as important safeguards in the collection of biometric data. Biometric data can only be collected for valid and reasonable needs necessary for the Data Fiduciary to operate. Before collecting biometric data, the Data Fiduciary must secure verifiable consent from the Data Principal (the individual whose data is being captured). The consent must be accompanied by a notice that lays out the rights of the Data Principal, as notified under Chapter III of the Act, and the grievance redressal mechanism. Parental consent is also required for a Data Principal who is a minor.
The collection of biometric data is subject to purpose limitation. This implies that once the end goal of processing the data is met, the said data must be erased from the systems of both the Data Fiduciary and any Data Processor.
Governmental Oversight: Interplay of the Legal Provisions
While these provisions may be effective in stopping private actors like tech companies and financial institutions from misusing biometric data (a subset of personal data under DPDPA), the act does not provide safeguards from potential misuse by the police or similar state actors.
In fact, under Section 7(c), the DPDPA treats the processing of personal data by the state or its instrumentalities, under any law in force or in the interest of sovereignty or security of the state, as a legitimate use case, for which the consent of the Data Principal is not mandatory. This broad and unspecific exception can potentially allow the misuse of biometric data, which, according to the CrPI Act, could be stored for up to 75 years. This extended period increases the likelihood of data breaches and unauthorised access.
Under Section 7(b) of the Act, government entities are allowed to circumvent the consent and purpose limitations on personal data. This loophole can allow the state to combine multiple databases, providing it with surveillance over the citizens.
Finally, Section 17(2) exempts the central government from the whole act in the interests of India’s sovereignty, integrity and security, giving the centre complete powers to possibly become an Orwellian state.
Looking Ahead: Strengthening Biometric Data Protections
The use of biometric data for identification poses significant legal and ethical dilemmas when one considers the various ways in which a bad actor can misuse someone’s data. The DPDPA does not act as a good safeguard against the government’s use of personal data. In particular, the DPDPA’s shortcomings, when read with the powers provided under the CrPI Act, reveal the true picture of the state of biometric data, ripe for misuse by the state itself. To provide credibility and ensure trust, the exemptions provided to the state under the DPDPA must undergo reconsideration.