ARTICLE
21 August 2024

Biometric Data: Why Is It Problematic?

SR
S.S. Rana & Co. Advocates

Contributor

S.S. Rana & Co. is a Full-Service Law Firm with an emphasis on IPR, having its corporate office in New Delhi and branch offices in Mumbai, Bangalore, Chennai, Chandigarh, and Kolkata. The Firm is dedicated to its vision of proactively assisting its Fortune 500 clients worldwide as well as grassroot innovators, with highest quality legal services.
Use of biometrics in India has ingrained in the day to day life of workplace ecosystem be it private or government.
India Privacy

Introduction

Use of biometrics in India has ingrained in the day to day life of workplace ecosystem be it private or government. This digital transformation had led the biggest projects in India i.e. Aadhaar and DigiYatra1 2. Both based on unique authentication method to identify and verify the individuals.

A study conducted by NITI Aayog as a part of its National Strategy on Artificial Intelligence,3 on Digi Yatra (hereinafter referred to as the "Study") has flagged data privacy concerns regarding the use of facial recognition technology (hereinafter referred to as the "FRT") in India.

How does Digi Yatra collect information?

Digi Yatra uses Facial Recognition Technology to authenticate a passenger's travel credentials, which allows other checkpoints in an airport to be operated in an automated form with a minimal human involvement. The process involves collection of the following information:

  1. Name
  2. Mobile Number
  3. Email Address
  4. Aadhaar Number/ Driving License
  5. Face biometrics (in case the Digi Yatra enrolment is done for the day of travel only)

The aforementioned information then is verified and authenticated through Aadhaar and Digi Yatra ID. The Digi Yatra ID app extracts the reference face from e-KYC data which is then matched at the airport with the live face of passengers.

NITI Aayog's recommendations

The Study highlighted the risks and vulnerabilities under the Digi Yatra ecosystem and suggested measures to mitigate such risks. Some of the key recommendations are as follows:4

  1. Specify rules relating to deletion of other information collected from the passengers; ,
  2. Conduct frequent cybersecurity audits and vulnerability testing of DigiYatra platform to ensure reliability, usability, information security in the ecosystem
  3. Identify internal Standard Operating Procedures (SOP) for handling personal and sensitive personal data.
  4. Develop standards to avoid bias in the FRT and identify a body to create and maintain such standards.

The biometric data

According to Merriam-Webster, biometrics refers to "the measurement and analysis of unique physical or behavioral characteristics (such as fingerprint or voice patterns), especially as a means of verifying personal identity.

Biometric data is personal information that is unique to every individual and includes:5

  1. Fingerprints
  2. Eye retinas and irises
  3. Voice patterns
  4. Facial patterns
  5. Hand measurements
  6. DNA

Due to its sensitive nature and ability to uniquely identify an individual and rise in its collection by organisations across the globe, the concerns regarding its collection and processing have also arisen.

Why is biometric data valuable?

Some of the characteristics that make use of biometric data a business sense include:

  1. It is robust i.e. within any given individual, the trait is invariant over time
  2. It is distinctive i.e. the characteristic shows great variability within the target population
  3. Characteristics are innate and immutable, including physiological characteristics such as anatomical features or genome sequences. There characteristics are more permanent and difficult to modify. These characteristics also include both physiological and behavioral components. For examples, consider a wearable authentication device that analyses one's heartbeat and the way the heartbeat changes depending on what activities an individual indulge in.6

Use of biometric data has changed the parameters of business operations. Be it for convenience, meeting consumer expectations for hassle-free quick access to services, or to an effective verification and authentication practices, business round the world prefer use biometric technologies to steadfast their operations.

Use of biometric technology – The Statistics

More and more organisations today are seeking to harness biometric systems to drive value and efficiency. The global biometric market had reached US$39 Billion in 2023 which is further expected to reach US$144 Billion by 2032, exhibiting a growth rate (CAGR) of 15.2% during 2024-2032.7 Evidently, growing technological advancements and innovation constitute the major sources of influence on the biometric markets globally.

From social media platforms to government programs and initiatives, biometrics have been collected across industries and sectors for the purpose of enabling manual authentication identities of individuals. CCTV cameras are installed in almost all public places and private and government institutions and organisations. The technology used in CCTV cameras enables the camera to scan images and videos from devices and pick out faces.

The blurring line between ethical and invasive use of biometrics

Several businesses justify collecting biometric data but most often the justification comes across as less convincing. Biometric being a special category of personal data needs to be handled with care and responsibility. Digital data is difficult to protect and the responsibility to protect biometric data increases multifold.8

Challenges to privacy

  1. Biometric cloning – As per the statement dated July 31, 2024 issued by the Ministry of Home Affairs, there has been a significant increase in the number of cases of biometric cloning for financial frauds. Around 29,000 incidents under Aadhaar Enabled Payment System (AePS) frauds have been reported on National Cyber Crime Reporting Portal by citizens.9
  2. Undisclosed purpose – A significant risk in using the biometric technology is the potential for biometric data for unintended purposes which leads to privacy breaches.
  3. Covert collection - Covert collection arise from collection of biometric data in public spaces through cameras of FRT without the knowledge of the individuals whose data is collected.
  4. Inaccuracy due to technical factors – Vulnerable or erroneous systems can lead to inaccuracy or precision of the data collected.
  5. Bias – Biometric systems rely on categorization based on skin tone. In the Indian perspective, the issue of racial bias already persists. With the deployment of biometric systems, more particularly Facial Recognition System can be challenging.
  6. Security risks – The companies that develop or deploy such systems are often the target of hackers. Weak institutional data security practices can expose massive amount of personal data to data breach or leak affecting the privacy of individuals.
  7. Opacity of biometric systems – Often these systems use personal data for purpose other than the purpose specified for collection
  8. Violation of privacy – Individuals may not know about the secondary use of biometric data consented by them, undermining their consent and control over such data.

How are biometric systems operated in India

  1. Authentication Mechanism – Biometric data is used to authenticate individuals for accessing services and facilities such as authenticating and verifying attendance at workplace.
  2. Surveillance Technologies – Use of biometric data enhances security through surveillance systems, such as facial recognition technology in public spaces or at airports to identify potential threats.

Recently, a breach of the Tamil Nadu Police recognition Portal exposed 800,000 lines of data, including information of over 50,000 persons. This breach by Valerie, a group that claimed the responsibility led to five types of data being stolen, including names of police officers, phone phones, information on police stations and details of first information report (FIR).10

Addressing the challenges – India's Legal Framework

Presently, biometric data is protected under the Information Technology Act, 2000 read with the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (SPDI Rules). The recently enacted Digital Personal Data Protection Act, 2023 will replace the SPDI Rules once enforced by the Government. The DPDP Act lays down the obligations on organisations collecting and processing personal data of individuals with additional compliance requirements for organisations collecting personal data based on sensitivity and volume, risks to data principals (whose data is collected), threat to national security, etc.

The data privacy regime in India forms its basis on the informed consent, legitimate use for a specified purpose and reasonable security practices which is on the lines of European Union's General Data Protection Regulations (GDPR).

How are Countries across the globe regulating biometric data?

  1. European Union – To meet the challenges related to Artificial Intelligence, the European Union has enacted The General Data Protection Regulations, the Data Protection Directive and the recently enforced Artificial Intelligence Act which categories FRT as "high risk" with the highest level of compliance requirements. [To read more about EU's AI Act, https://ssrana.in/articles/generative-ai-an-eu-indian-perspective/ ]
    The General Data Protection Regulations, 2018 classify biometric data as sensitive personal data under "special categories of personal data" and allows processing of biometric data only in certain exemptions.11
    A well-known e-commerce platform (hereinafter referred to as the Platform) was fined by the National Data Protection Authority of France, the CNIL, €32m for being "grossly negligent" about the European data protection law. In this case, the warehouse workers were equipped with scanners which documenting real time how employees carry out tasks such as packing. The data from scanners was used to calculate an individual's quality of work, productivity and periods of inactivity.
  2. United Kingdom – The Data Protection Framework in UK in covered through the Charter of Fundamental Rights of the European Union, 2000, the Data Protection Act, 2018 and the UK-GDPR. In a recent enforcement notice, the UK Information Commissioner's Office (ICO) ordered a major organisation and its associated entities to stop using facial recognition technology and fingerprint scanning to monitor attendance of staff. The ICO held that the organisation had been unlawfully processing the biometric data of more than 2000 employees across its 38 centres.12
    ICO Guidelines on use of biometric data
    The ICO has issued a set of clear guidelines on monitoring workers/employees at workplaces while also balancing the business rights with that of workers' rights and freedoms under the data protection law.13
  3. United States – Presently, there is no federal law in US to govern the use of biometric technology, however, the Federal Trade Commission has played an active role in regulating the biometric systems in the US. At state level, several states, such as California, Massachusetts have banned the use of FRT in cities, Alameda, Berkley, Boston, Brookline, etc.

Balancing Innovation and ethical use of biometric data
There is an impending requirement to balance the ethical use of biometric data with that of innovation in a manner that does not infringe or violate the privacy of those whose data is collected. The growing use of deepfake technology has mandated nations to urgently regulate the use of such technologies.

Footnotes

1. https://www.civilaviation.gov.in/sites/default/files/2023-07/Digi%20Yatra%20Policy%20%28DIGI%20YATRA%29.pdf

2. https://www.niti.gov.in/sites/default/files/2024-06/document.pdf

3. Responsible for AI, Adopting the Framework, A Use case study approach on Facial Recognition Technology

4. https://www.niti.gov.in/sites/default/files/2024-06/document.pdf

5. 5. Rule 2 (b) of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

6. https://www.robinskaplan.com/-/media/pdfs/the-future-is-now-biometric-information-and-data-privacy.pdf

7. https://www.imarcgroup.com/biometrics-market

8. https://www.biometricupdate.com/202405/indian-police-adopt-facial-recognition-despite-risk-of-massive-data-breaches

9. https://pib.gov.in/PressReleasePage.aspx?PRID=2039647#:~:text=The%20latest%20published%20report%20is,Crime%20Reporting%20Portal%20by%20citizens.

10. https://www.biometricupdate.com/202405/indian-police-adopt-facial-recognition-despite-risk-of-massive-data-breaches

11. https://gdpr-info.eu/art-9-gdpr/

12. https://www.shoosmiths.com/insights/articles/ico-issues-updated-guidance-on-using-biometric-data-in-monitoring-workers

13. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/employment/monitoring-workers/data-protection-and-monitoring-workers/#dp5

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More