Law4u - Made in India

What Are the Laws for Biometric Data Protection?

Answer By law4u team

Biometric data, which includes fingerprints, facial recognition, iris scans, and other unique identifiers, has become increasingly important in various sectors like banking, security, and government services. As the collection and use of biometric data grow, ensuring its protection from misuse, unauthorized access, and breaches is critical. In India, the legal landscape around biometric data protection is evolving, with several laws and regulations attempting to safeguard individuals’ privacy and rights.

Laws Governing Biometric Data Protection in India:

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011:

Under the Information Technology Act, 2000, the 2011 rules provide a framework for the protection of sensitive personal data, including biometric information. Organizations collecting biometric data must:

  • Obtain explicit consent from individuals before collecting or processing biometric data.
  • Ensure the data is stored securely and protected against breaches.
  • Inform individuals about the purpose of data collection and the duration for which the data will be retained.
  • Implement reasonable security practices to protect the data.

The Aadhaar Act, 2016:

One of the most significant uses of biometric data in India is for the Aadhaar system, which collects biometric data (fingerprints and iris scans) to provide individuals with a unique identification number. The Aadhaar Act outlines specific rules for the collection, storage, and use of biometric data under the program:

  • Biometric data is collected only after obtaining informed consent from the individual.
  • The Aadhaar Data Protection Bill (yet to be enacted) aims to regulate the collection and use of Aadhaar-related biometric data, ensuring stricter control over how the data is handled, stored, and shared.
  • The law limits access to biometric data to authorized entities, preventing unauthorized use or data leaks.

The Personal Data Protection Bill, 2019 (Proposed):

Although not yet passed, the Personal Data Protection Bill (PDPB) is a major step toward strengthening data protection laws in India. The bill contains provisions related to biometric data:

  • It classifies biometric data as sensitive personal data (SPD), subject to stringent protections.
  • It mandates explicit consent from individuals for the collection and processing of biometric data.
  • It requires organizations to notify individuals about the purpose of data collection and about their rights to access, rectify, and erase their data.
  • It establishes a data protection authority to enforce these provisions.

The Global Context: General Data Protection Regulation (GDPR):

Although not an Indian law, the GDPR has significant influence on global data protection practices. For organizations in India that handle biometric data of EU residents, the GDPR provides a comprehensive framework for biometric data protection:

  • Biometric data is classified as special category data, requiring explicit consent for its processing.
  • It mandates strong security measures to protect biometric data from breaches and unauthorized access.
  • Individuals have the right to access their data and request deletion.

Security Measures and Data Retention:

Data Encryption and Secure Storage:

Biometric data must be encrypted and stored securely to prevent unauthorized access and data breaches. This is mandatory under both Indian and international data protection frameworks.

Retention Period:

Biometric data should not be retained indefinitely. Under the Aadhaar Act, for example, biometric data should only be stored for as long as necessary to complete the verification process. Similarly, under the PDPB, organizations must have clear retention policies and ensure data is not kept longer than required.

Data Anonymization:

In some cases, data anonymization may be required to further protect individual privacy, especially if biometric data is used for large-scale purposes.

Legal Protections and Accountability:

Consent:

Consent is a foundational principle in biometric data protection. Without explicit, informed consent from the individual, the collection or processing of biometric data would be considered illegal.

Data Subject Rights:

The law grants individuals rights over their biometric data, including the right to access, rectify, and delete their information. This ensures that individuals can maintain control over their personal data.

Breach Notification:

In case of a data breach involving biometric data, organizations must notify affected individuals and regulatory bodies within a specific time frame, as mandated by the PDPB and other data protection laws.

Example:

A bank in India requires customers to use biometric authentication (fingerprints) for accessing their accounts. Under the Information Technology Rules, 2011, the bank must obtain explicit consent from the customer before collecting their biometric data, store it securely, and only retain it for the duration of the transaction or account access. If the bank suffers a data breach, it must notify the affected customers and take appropriate measures to secure the data.
