UIDAI Head Confirms Full Adherence to Data Protection Legislation for Aadhaar

Not considered as proof of citizenship and not generally required for various services

UIDAI Chief affirms complete adherence of Aadhaar to data protection legislation

The Digital Personal Data Protection (DPDP) Act, recently enacted in India, is set to impact the usage and protection of Aadhaar data. The Act applies broader data privacy principles, such as informed consent, purpose limitation, and data minimization, to the processing of personal data, including Aadhaar information, particularly when processed by private entities.

The Aadhaar Act already allows private sector usage of Aadhaar authentication for various services, like e-commerce, healthcare, education, and financial services, but under strict regulatory controls and penalties for misuse. The DPDP Act further mandates clear, informed consent for collecting and processing personal data, usage only for explicit purposes, and data minimization to prevent excess data collection.

This means that organizations using Aadhaar data must ensure compliance with DPDP Act norms while conducting authentication or any related processing, enhancing privacy protections beyond those under the Aadhaar Act alone.

However, concerns about expanded state surveillance and the integration of biometric systems like Aadhaar with various government initiatives persist, highlighting tensions between privacy rights and security interests under evolving laws, including the DPDP Act.

Bhuvnesh Kumar, CEO of the Unique Identification Authority of India (UIDAI), has assured that Aadhaar will be fully within the boundaries of the DPDP Act. The UIDAI is also taking steps to enhance the system's security, investing in AI and machine learning tools to improve fraud detection and working with agencies like the Registrar General of India to identify and deactivate Aadhaar numbers of deceased individuals to reduce fraud.

It is important to note that Aadhaar is not mandatory for most services and cannot be stored or retained without explicit permission. Sharing Aadhaar data requires consent with purpose limitations. Transaction logs in the Aadhaar system are stored for six months and then deleted.

The UIDAI has extended the free Aadhaar update deadline to December 14, 2024, and is working on updating Aadhaar card procedures. To update Aadhaar online, follow the steps provided. The government has permitted private entities to use Aadhaar authentication under strict conditions tied to the DPDP framework.

Aadhaar imposes tighter controls on how data is stored and shared compared to many other systems. The automation of Aadhaar's processes acts as a core safeguard, ensuring everything flows through secure channels. Aadhaar is designed to prevent data from being re-used for profiling or surveillance.

In summary, the DPDP Act strengthens the governance of Aadhaar data by enforcing data protection principles that require informed consent, restrict purpose usage, and limit data collected, particularly impacting private entities’ use of Aadhaar authentication, while complementing the Aadhaar Act's existing protections and penalties against misuse.

  1. The DPDP Act, in conjunction with the Aadhaar Act, imposes stricter data protection principles on private entities using Aadhaar authentication, such as required informed consent, purpose limitation, and data minimization.
  2. The UIDAI is investing in technology and AI tools to bolster the security of Aadhaar, particularly for fraud detection, while ensuring compliance with both the Aadhaar Act and the DPDP Act.
  3. The DPDP Act's mandate for clear, informed consent and usage for explicit purposes, as well as data minimization, aims to prevent excess data collection in the personal-finance, business, market, and data-and-cloud-computing sectors relying on Aadhaar authentication.
  4. Aadhaar's design emphasizes preventing data re-use for profiling or surveillance; its automated processes ensure that data flows through secure channels, in line with evolving privacy rights under laws such as the DPDP Act.
