29 October, 2019
Introduction
There has been an increasing discourse on ‘biometric data’ in the public domain without any real discussion on what it is. In its simplest form, biometric data is the data about a biological organism. Examples of biometric are facial images or iris scan or fingerprints. Since biometric data is related to human characteristics, which is capable of being used as an identification mechanism, defining the mechanisms and safeguards becomes important. The Indian courts have held that biometric data, by its very nature, brings together a variety of personal elements.
Various countries across the globe regulate the modes and mechanisms of handling biometric data, to ensure protection of a person’s intrinsic rights.
The recently promulgated General Data Protection Regulation of the European Union, in fact defines ‘biometric data’ as such personal data that results from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person.
In India, the collection, storage and handling of biometric data is governed by the information technology law contained under the Information Technology Act, 2000 (IT Act), primarily through the rules framed under it. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Privacy Rules) lays out the specific conditions that regulate personal information and sensitive personal data or information, including biometric data. Besides this, certain other legislations too deal with some specific uses of biometric data, for instance to authenticate an individual’s identity through the Aadhaar card.
Regulation of Biometric Data in India
At present, the Indian law requires that the principles that have to be followed for dealing with sensitive personal data or information also apply to possessing, dealing or handling of biometric data. However, it is pertinent to note that IT Act regulates biometric data since such data can be collected and processed using a computer resource, and it constitutes to be a form of personal data.
The Privacy Rules describe ‘personal information’ as information that relates to a natural person and is capable of identifying such person, whether independently or in combination with other available information (Personal Data). Further, ‘sensitive personal data or information’ for a person is a category of Personal Data relating to the person’s sensitive details that warrant higher level of confidentiality, like password, certain financial information relating to bank account or cards, or biometric information etc. (Sensitive Data).
Generally speaking, Privacy Rules accord a higher level of protection and stricter rules for processing, dealing or handling of any data or information that qualifies as Sensitive Data. Since, the biometric data has been classified as Sensitive Data, the safeguards applicable to Sensitive Data need to be followed in handling of biometric data. Some of the key conditions applicable are as under:
1. Collection: To collect biometric data from a person, a body corporate (Entity) is required to obtain the data subject’s written consent regarding collection and usage of such data.
This consent would mean giving an option to not provide biometric data sought. Given its sensitive nature, biometric data can be collected only for a lawful purpose which is connected with and essential to the Entity’s function.
2. Retention: Once the purpose is fulfilled, the Entity can no longer retain the biometric data collected by it.
3. Disclosure: To be able to disclose any biometric data with a third party, the Entity must obtain the data subject’s permission. This permission may be obtained under the contract between the Entity and data subject. Disclosure may also be made for compliance with law or is being made to government agencies mandated to obtain information, which may be for identity verification, or for prevention, investigation, prosecution and punishment of offences.
4. Transfer: Biometric data can be transferred to any other person, in India or outside, only with concerned data subject’s consent to the transfer, or if transfer is necessary for performance of a lawful contract between the Entity and data subject. An important condition attached to such transfer is that the recipient needs to ensure same level of data protection as the transferring Entity.
Additionally, an Entity handling biometric data needs to implement and maintain ‘reasonable security practices and procedures’. If an Entity’s failure to implement ‘reasonable security practices and procedures’ results in wrongful loss to the data subject or wrongful gain to the Entity or any person, such Entity is liable to pay damages as compensation to the affected.
The IT Act is an exception to the general rule for damages in India to the extent that if wrongful gain is proven, then the violator Entity is required to compensate the data subject without the data subject having to prove that he / she suffered a wrongful loss on account of the Entity’s negligence in implementing reasonable security practices and procedures in handling biometric data (and only on account of someone’s wrongful gain). Regrettably, there are no judicial precedents to show if this has been done in India.
Biometric Data and Personal Data Protection Bill
The Indian government constituted committee of experts under chairmanship of Justice B. N. Srikrishna, submitted a draft bill, ‘Personal Data Protection Bill, 2018’ (Bill), to the Government in July 2018. The Bill prescribes the data protection regime for India and is intended to replace the existing framework. The Bill is currently only in the draft stage and it is time till it sees the light of the day.
The Bill continues classification of biometric data as ‘sensitive personal data’ and specific requirement to obtain explicit consent for processing of biometric data is proposed to be introduced.
A departure from the existing Privacy Rules is proposed in context of a cross-border transfer of biometric data in the manner that the Bill proposes the transfer to be in accordance with model contract clauses, which will be approved by the Data Protection Authority (envisioned under the Bill). Moreover, the Bill further proposes that a copy of such data should be stored on a data centre in India.
Stern penalties have been proposed for violation of provisions governing processing of biometric data or intentionally, knowingly or recklessly obtaining, disclosing, transferring or selling of biometric data.
Biometric Data as an Authentication Mechanism
In one of the recent celebrated judgements, Justice K.S. Puttaswamy (Retd.) and Another v. Union of India and Others, the Supreme Court of India (Supreme Court) ruled on collection and use of biometric data by non-government private bodies for purposes of authentication in the context of Aadhaar-based authentication. Aadhaar-based authentication mechanisms rely on the biometric data provided by individual at the time of issuance of Aadhaar.
This decision was made while deciding the larger issue of constitutionality of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Aadhaar Act).
One of the authentication mechanisms involves sharing of authenticated personal details of an individual as stored in the Aadhaar repository, by any authenticating agency. This mechanism, popularly known as e-KYC authentication, was permitted to be undertaken by government bodies as well as private non-government players.
The permission for private players to use this authentication mechanism resulted in use by a plethora of private players across sectors, such as by digital platforms, for issuance of e-wallets, etc. Over time with the advent of innovative technologies, use cases where such authentication mechanism is used based on biometric data collected, has only increased and that too exponentially. The Supreme Court noted that such use results in commercial exploitation of biometric data by private bodies.
In its ruling, the Supreme Court characterized biometric data as data which is intrinsically linked to humane characteristics. Given that authentication involves collection, analysis and storage of such innate data, in its decision, the Supreme Court required government agencies and private bodies to demonstrate a compelling legitimate interest in using biometric data.
Frowning upon such use by private players for commercial convenience purposes, Supreme Court read down the provisions of the Aadhaar Act that enabled a private player to collect an individual’s biometric data for authentication purposes.
Use of Biometric Data, post Aadhaar Judgement
Pursuant to the Supreme Court’s directions, the Government amended various legislations, such as the Prevention of Money Laundering (Maintenance of Records) Rules, 2005. This was amended to ensure conformity with the Supreme Court’s directives, through passing of the Aadhaar and Other Laws (Amendment) Act, 2019. The intent is to define scenarios in which, as well as extent up to which, a private body uses biometric data to carry out Aadhaar based authentication.
Recently, Reserve Bank of India (RBI) amended the Master Direction – Know Your Customer Direction, 2016 (KYC Directions), to include specific scenarios for use of Aadhaar authentication mechanisms. The KYC Directions prescribe customer identification procedures for RBI regulated bodies (such as banks, non-banking financial companies, payment system operators, etc.) to establish account-based relationships and monitoring of transactions.
In terms of the amended KYC Directions, only banks are permitted to use biometric data driven Aadhaar authentication facility for opening accounts of customers. This can however be done only if the customer voluntarily uses Aadhaar number for authentication. On the other hand, non-bank players are only permitted to use verification mechanisms that do not involve collection of biometric data.
Conclusion
To summarize, the current Indian law regime recognizes biometric data as Sensitive Data under the Privacy Rules and the Aadhaar Act, prescribes a specific use-case for biometric data which is for authentication purposes.
Post the Supreme Court judgment, it will be interesting to see authentication mechanisms that the government introduces which can be used without the use of biometric data as well as safeguards prescribed for such use by private bodies which are otherwise not regulated by regulators such as RBI.
For further information, please contact:
Arjun Uppal, AZB & Partners
arjun.uppal@azbpartners.com