“The right to privacy is inextricably bound up with all exercises of human liberty – both as it is specifically enumerated across Part III, and as it is guaranteed in the residue under Article 21. It is distributed across various articles in Part III and, mutatis mutandis, takes the form of whichever of their enjoyment its violation curtails.”
Bobde J. in Justice K.S. Puttaswamy v. Union of India
In the contemporary era, the convergence of surveillance and governance has become more profound than ever. The rapid development in information technology, coupled with the collection of biometric data, positions surveillance as a vital tool of national security and business administration. Collection of biometric data sparks concerns over maintaining the balance between technological advancements and an individual’s right to privacy.
The legal complexities arising from technological developments were exemplified by the Aadhaar initiative in India. Privacy and surveillance concerns, the collection of sensitive personal data and the requirement of identity authentication for essential services prompted legal challenges, leading to the landmark verdict of the Supreme Court in the case of Justice K.S. Puttaswamy (Retd.) v. Union of India. The decision of the Supreme Court underscored the delicate balance between the benefits of Aadhaar for efficient service delivery and the protection of an individual’s right to privacy, along with the restrictions imposed on the use of biometric data and technology. With the enactment of the Digital Personal Data Protection Act, 2023, which introduced a comprehensive framework on the protection of personal data, the requirement of balancing the ethical use of biometric data with innovation in a way that does not infringe an individual’s right to privacy seems like a distant dream.
Also prevalent with the collection of biometric data is the threat posed by the creation of AI-enabled deepfakes. Cybercriminals are leveraging deepfakes to bypass identity verification services to engage in malicious activities. The integration of VR with artificial intelligence intensifies privacy concerns, requiring legal scrutiny to prevent potential infringements. Operating VR metaverse environments in other countries may violate national privacy regulations, leading to legal challenges in cross-border data flows, jurisdiction, and surveillance. Furthermore, the intensified use of 5G in healthcare and wearables amplifies challenges in safeguarding sensitive biometric information.
Although biometric data falls within the ambit of personal data and will be protected under the Digital Personal Data Protection Act, there is a need to specify and quantify the protection afforded to both primary and secondary biometric data.
The following are certain safeguards for the protection of biometric data collection in India:
1. It is crucial to explicitly define and categorise biometric data to enhance protection. National regulatory bodies should explicitly incorporate biometric data in legal frameworks, highlighting the necessity of consent for collection. Additionally, stringent compliance measures and accountability checks are essential at governmental and national levels. This emphasis on protection should extend especially to second-generation biometrics, given the increasing prevalence of Facial Recognition Technology.
2. The standardization of Privacy-Preserving Biometric Systems (PPBS) should be mandated both nationally and globally. These approaches encompass various methods, including biometric encryption, cancellable biometric databases employing biohashing, and cancellable biometric databases with non-invertible transformed outputs. The International Organization for Standardization (ISO), through ISO/IEC JTC 1/SC 37, has defined standards addressing biometric storage, protection against false authentication attacks, and the need for verification. However, effective implementation requires governmental regulations standardizing sensors to detect attacks and ensuring the adoption of PPBSs at both organizational and governmental levels.
3. Diverse categories of data, encompassing primary biometric data, secondary biometric data, and the derived informatics, necessitate precise definitions with distinct levels of protection for dissemination and utilisation. Governing documents should precisely outline these categories, indicating clearance levels and implementing checkpoints to prevent misuse. Checkpoints may involve human supervision until automated systems achieve reduced error rates.
4. While regulations play a crucial role, legal assurances become imperative in instances of exploitation. For instance, individuals should have the right to retract their data if its use surpasses the initially granted consent. Additionally, in the absence of these regulations, organizations must be held responsible for adhering to submitted information. This entails the establishment of a regulatory body dedicated to overseeing the compliance and regulation of biometric data protection.
5. The level of protection afforded to data varies based on the governing body utilizing it and the intended purpose of its collection. This distinction enables greater individual autonomy and imposes purpose limitations in private-sector data gathering.
This article is authored by Gauri Gupta, who was among the Top 40 performers in the Cyber & Technology Laws Quiz Competition organized by Lets Learn Law.