How is Biometric Data Protected Under Indian Law?

By Shantanu Mukherjee Published: Aug. 20, 2025 Last Updated: Aug. 20, 2025

INTRODUCTION 

Biometric data, including fingerprints, facial scans, and voiceprints, plays an increasingly prominent role in modern security and authentication systems because it offers ease and seamlessness.  

A broad range of organisations collect or process biometric data. Financial institutions use it for secure logins or transaction approvals. E-commerce platforms use it to enable faster checkout processes. Technology companies such as Apple and Samsung integrate it into their devices, and healthcare providers, including telemedicine platforms and health applications, use it for secure patient identification. 

In many cases, devices store biometric data locally. However, some applications process biometric data remotely, which often raises data privacy concerns. 

In India, the Digital Personal Data Protection Act, 2023 (DPDPA), which Parliament enacted in August 2023, establishes a framework that regulates the collection, processing, and storage of sensitive data. How does it deal with biometric data? Ronin Legal takes a closer look.  

WHAT THE DPDPA SAYS ABOUT BIOMETRIC DATA 

The DPDPA classifies biometric data as sensitive personal data because it is immutable and can uniquely identify an individual.

Unlike names or addresses, biometric data cannot be changed if compromised, making its protection critical. The Act applies to all digital personal data processed in India or related to offering goods and services to Indian citizens, even if processed abroad.  

Organisations (Data Fiduciaries) must adhere to strict rules for collecting, processing, and storing biometric data.

Source: https://www.meity.gov.in/writereaddata/files/Digital_Personal_Data_Protection_Act_2023.pdf

KEY PRINCIPLES FOR BIOMETRIC DATA 

The DPDPA emphasises several principles for handling biometric data. 

First, organisations must process data only for a lawful purpose with explicit, informed consent from the individual, known as the Data Principal.  

Second, data minimisation requires collecting only what is necessary. Third, data must be deleted once the purpose is fulfilled, unless required for legal compliance.  

Finally, organisations must implement robust security measures, such as encryption, to prevent breaches. 

CONSENT AND NOTICE REQUIREMENTS 

Before collecting biometric data, organisations must provide a clear notice detailing the data collected, its purpose, the Data Principal’s rights, and how to file complaints with the Data Protection Board of India (DPB).  

For instance, if a bank requires a customer to complete KYC obligations, then before collecting the customer's personal data it must send the customer a notice that states the purpose, seeks consent to process the data for that specified purpose, and expressly sets out the customer's rights and the procedure for filing complaints.

Consent must be specific, informed, and verifiable, with an easy option to withdraw it at any time. For children under 18, parental consent is mandatory.  

These requirements ensure transparency and give individuals control over their biometric data. 

ORGANISATIONAL RISKS OF NON-COMPLIANCE 

Mishandling biometric data under the DPDPA can expose organisations to significant risks, including reputational harm and penalties up to INR 250 crore (approximately USD 30 million). 

Four key risks organisations face are: 

  1. Collecting Biometrics Without a Clear Purpose 

The DPDPA mandates that biometric data, like fingerprints or facial scans, be collected only for a “compelling legitimate purpose.”  

For instance, using biometrics for unlocking devices or verifying identities is acceptable, but collecting data without a defined need violates the Act’s purpose limitation principle.  

Organisations risk penalties if they cannot justify data collection. Additionally, the Supreme Court of India has emphasised that biometric data impacts the right to privacy, making unauthorised collection a serious violation. 

To mitigate this, companies must document and communicate the specific purpose of data collection. 

  2. Using Bundled Consent 

Consent under the DPDPA must be specific and not bundled with other permissions. For example, a company cannot include biometric data consent within a broad terms-of-service agreement. 

Bundled consent invalidates the processing of biometric data, as it fails to meet the Act’s requirement for informed and explicit consent. 

This can lead to fines of up to INR 50 crore for non-compliance. Organisations should use clear, standalone consent mechanisms, such as opt-in checkboxes, to ensure compliance. 

  3. Non-DPDPA-Compliant Vendors 

Many organisations rely on vendors, or Data Processors, such as cloud storage providers or biometric software vendors, to handle biometric data. Such reliance involves sharing information with third parties, which requires the Data Principal's informed consent before the disclosure is made.

The Data Fiduciaries are held accountable for ensuring vendor compliance. If a vendor processes biometric data without adhering to consent, security, or data deletion requirements, the Data Fiduciary faces penalties.  

For example, a non-compliant vendor could expose data to breaches, triggering mandatory breach notifications to the DPB and affected individuals within 72 hours. 

To avoid this, organisations must establish contractual agreements with vendors that enforce DPDPA compliance.

Source: https://www.meity.gov.in/writereaddata/files/Data_Protection_Guidelines.pdf

  4. Undefined Data Retention Timelines 

The DPDPA requires that biometric data be deleted once its purpose is fulfilled, unless retention is necessary for legal reasons. Undefined or excessive retention periods violate the Act’s storage limitation principle. For instance, retaining employee fingerprints after their employment ends without justification risks penalties.  

Moreover, prolonged retention increases the chance of data breaches, which could lead to fines of up to INR 250 crore. 

Organisations must define clear retention timelines and ensure vendors delete data promptly upon consent withdrawal or purpose completion. 

DATA TRANSFER AND SECURITY 

Sharing biometric information with third parties, within or outside India, is permitted either with the explicit consent of the Data Principal or where the transfer is necessary to carry out a valid contract between the Data Fiduciary and the Data Principal, in which case consent for the specified purpose of the contract is implied.

The Data Fiduciary is expected to implement ‘reasonable security measures’ to prevent data breaches and mitigate vulnerabilities, including in the event of a lapse in the security measures of the third party to whom the data was transmitted.

Failure to have such measures in place may attract significant penalties. 

HOW CAN ORGANISATIONS STAY COMPLIANT? 

Organisations can stay compliant with the DPDPA while processing biometric data by adopting the following practices: 

  1. Obtain Explicit and Informed Consent 

Biometric data may be processed only with clear, informed consent from the Data Principal, and that consent must specify the purpose, scope, and duration of data use.

Maintain detailed consent logs and ensure that withdrawal mechanisms are simple, with processing ceasing immediately once the consent is withdrawn. 

  2. Purpose Limitation and Data Minimisation 

Use biometric data strictly for the specific purpose stated at the time of collection. Avoid using the data for new or unrelated reasons. 

  3. Conduct a Data Protection Impact Assessment (DPIA) 

Before deploying biometric systems, especially for Significant Data Fiduciaries (SDFs) processing large-scale sensitive data, carry out a DPIA to identify potential risks and document mitigation strategies. 

  4. Implement Robust Data Security Measures 

Protect biometric data with encryption during storage and transmission, strict access controls and authentication protocols, and continuous monitoring for unauthorised access or anomalies. 

If data is handled by third parties or transferred cross-border, comply with localisation requirements and transfer rules under the DPDPA. 

  5. Appoint a Data Protection Officer (DPO) 

SDFs must appoint a DPO based in India to oversee compliance. The DPO is the primary point of contact for both data principals and the Data Protection Board (DPB). 

  6. Maintain Transparency and Accountability 

Inform individuals about why their biometric data is collected, how long it will be retained and whether it will be shared with third parties. 

  7. Facilitate Data Principal Rights 

Enable individuals to access their biometric data, understand how it is processed and request correction or deletion where applicable. 
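The consent log, purpose limitation, withdrawal and retention practices listed above can be enforced in code at the point where biometric templates are used. The following is an added illustration written for this article, not code from the DPDPA, the Rules or any vendor product; the identifiers, purposes and durations are constructed placeholders, and the ledger records consent per purpose so that a consent for one purpose cannot be reused for another (the DPDPA's bundled-consent problem).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

@dataclass
class ConsentRecord:
    principal_id: str           # Data Principal identifier (constructed placeholder)
    purpose: str                # exactly one specified purpose per record (no bundling)
    granted_at: datetime
    valid_until: datetime       # duration of use stated in the notice
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    """Per-purpose consent log; every decision to touch a biometric template is gated here."""
    def __init__(self) -> None:
        self.records: List[ConsentRecord] = []
        self.audit: List[str] = []          # append-only trail for the DPB or a DPO review

    def grant(self, principal_id: str, purpose: str, now: datetime, duration_days: int) -> ConsentRecord:
        rec = ConsentRecord(principal_id, purpose, now, now + timedelta(days=duration_days))
        self.records.append(rec)
        self.audit.append(f"{now.isoformat()} GRANT {principal_id} {purpose}")
        return rec

    def withdraw(self, principal_id: str, purpose: str, now: datetime) -> None:
        # Withdrawal is recorded, never deleted, so the history stays auditable.
        for rec in self.records:
            if rec.principal_id == principal_id and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = now
                self.audit.append(f"{now.isoformat()} WITHDRAW {principal_id} {purpose}")

    def may_process(self, principal_id: str, purpose: str, now: datetime) -> Tuple[bool, str]:
        """Deny by default: processing needs a live consent for this exact purpose."""
        for rec in self.records:
            if rec.principal_id != principal_id or rec.purpose != purpose:
                continue                          # a consent for another purpose does not count
            if rec.withdrawn_at is not None:
                return False, "consent withdrawn" # processing must stop once withdrawn
            if now > rec.valid_until:
                return False, "consent period ended"
            return True, "ok"
        return False, "no consent for this purpose"

    def purge_due(self, now: datetime) -> List[Tuple[str, str]]:
        """Storage limitation: templates whose consent is withdrawn or expired must be deleted now."""
        return [(r.principal_id, r.purpose) for r in self.records
                if r.withdrawn_at is not None or now > r.valid_until]
```

A deletion job would run `purge_due` on a schedule and pass the returned pairs to the template store and to every vendor holding a copy, closing the retention gap described under risk 4 above.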

ROLE OF CONSENT MANAGERS 

The DPDPA introduces Consent Managers, independent DPB-registered entities that facilitate consent management for Data Principals. These managers provide a platform for individuals to grant, review, and withdraw consent transparently.  

Organisations can use Consent Managers to streamline compliance, particularly for large-scale biometric data processing.  

LOOKING AHEAD 

The public consultation period for the DPDP Draft Rules, initially scheduled to close on February 18, 2025, was extended to March 5, 2025, and has now concluded. The finalised Rules are expected to introduce additional compliance requirements for organisations, including detailed notice formats and mandatory record retention periods. 

Civil rights groups and media organisations have raised significant concerns about the legislation during the consultation process, particularly regarding its potential impact on access to public information and press freedoms. 

Despite these concerns, the government has indicated that no changes are being considered to the DPDP Act or draft Rules, citing the extensive consultation process that incorporated inputs from multiple stakeholders, and is expected to issue frequently asked questions (FAQs) to provide implementation guidance. 
