As the name implies, biometric technology is technology that is based on a person's particular bodily traits. It allows a person to distinguish himself from other people and/or create a unique ID. Facial, fingerprint, and iris biometric identifiers are the most widely used kinds.

India is one of the top countries in the world for biometric services, and the Aadhaar system, the government of India's biometric identity system, is the biggest biometric platform globally.

Implications of the DPDP Act on the Use of Biometric Technology:

Since biometric data collection, processing, sharing, storage, and eventual removal is necessary for identity authentication, the Supreme Court has advised governmental and private organisations to establish a "compelling legitimate purpose" before utilising biometric data because it significantly affects citizens' "right to privacy."

Therefore, two fundamental principles enshrined in the Act are "consent" and "purpose limitation," which state that biometric data shall not be used for anything other than compelling lawful applications.
For example, the Reserve Bank of India (RBI) permits banks and lending institutions to use video-based systems for managing the Know-Your-Customer (KYC) requirements related to client onboarding and identity confirmation.

Some Of The Key Considerations In The Collection And Use Of Biometric Data As Encompassed Under The Act Are As Follow:

1. Application: Unlike previous data protection bill iterations, the Act does not take into account the sensitivity of personal data, including biometric data. It might, however, have an impact on how the legal organisations gather data (the "Data Fiduciary"[6]), classify it, and apply penalties.
2. Consent and Notice: Only lawful uses that are essential to the Data Fiduciary's job may collect biometric data. Before obtaining biometric data from a person (the "Data Principal[7]"), such a legal body must have her verifiable consent.
3. Disclosures: Prior to providing any biometric data to suppliers or other third parties, the Data Fiduciary must obtain the Data Principal's consent. To meet with legal purposes, such as the identification, prevention, investigation, prosecution, and punishment of illegal conduct, disclosure is not necessary to get consent.
4. Data Retention: There are restrictions on the uses for which biometric data can be collected. The biometric data must be removed from the Data Fiduciary's systems and from any vendor (referred to as the "Data Processor[8]") that may have accessed it with permission from the Data Principal after this type of processing goal has been fulfilled.
5. Data Transfer: Only with the consent of the concerned Data Principal or insofar as necessary to fulfil a legally binding agreement between the Data Fiduciary and the Data Principal may biometric data be shared with third parties, both inside and outside of India. The government would also have the authority to whitelist and ban such cross-border data exchanges.
6. Reasonable Security Measures: A Data Fiduciary must use "reasonable security safeguards" in order to prevent data breaches. If these protocols are not implemented, the Data Fiduciary may be subject to fines of up to 250 crores. This includes any security failures made on behalf of a third party that received the transmission of such biometric data. Because of this, a data fiduciary's responsibility is to ensure that a vendor has a sufficient cybersecurity framework[9] and that the vendor is bound by the terms of the agreement in the case of a breach.

What is meant by data protection and data privacy:

Here, data protection and privacy are the two factors at play. Data privacy refers to the circumstances under which, in what manner, and to what degree a customer's personal information may be disclosed to third parties. Names, addresses, phone numbers, marital status, and ethnicity are examples of personal information. The necessity for data privacy laws is crucial given the rise in internet usage over time. On the other side, data protection refers to the legal measures taken to protect data against corruption, loss, or harm. Data protection from unapproved sources is a major concern since data is currently being collected at a rate never seen before.

Need for data protection and data privacy laws in India:

1. The fact that we now live in a digital age when everything is displayed on screens cannot be denied. Every aspect of our lives�from data to money, from music and films to retail�has gone digital.
2. Information is vital in a world that is so digitally advanced. With everything being transferred to our digital gadgets in this era of digitalization, both our private and public data has been transferred. Consequently, the risks to our privacy regarding data have multiplied.
3. India's economy is expanding on its own, and along with it, the value of our private information has been acknowledged. Strong data privacy regulations have lately become more important in India following the Puttaswamy ruling, which held that the right to privacy is indeed a fundamental right.

The Need For Data Protection And Privacy Laws Can Be Summarised As Follows:

Offers protection for people's non-personal and personal information: The goal of data privacy legislation is to guarantee that citizens' non-personal and personal information is properly protected and secured. These rules govern the gathering and use of information, the basis for individuals' consent, the consequences for businesses that fail to secure data as required by law, and other matters.

• Maintains right to private: As we've already discussed, the Indian Constitution recognises each person's right to privacy as a basic freedom. This suggests that each and every person is entitled to their own data. They can choose when to withdraw their consent or object to the processing of their data, as well as how they want their data to be used.
   
• Lack of awareness: Another reason to propose such a regulation is the glaring ignorance of data privacy in our country. Individuals frequently utilise the internet, yet they are generally unaware of the legal implications. At the moment, they are unable to understand the ramifications of their acts. People will be more aware of the value of privacy on digital platforms and it will be simpler to inform them of their rights and responsibilities while using these platforms once such a legislation is in place.
   
• Stops identity theft, data breaches: The number of persons participating in the digitalization process is growing, which increases the likelihood of crimes like fraud, identity theft, data breaches, etc. In order to put such measures in place that would aid in the prevention of these acts, data privacy regulations are essential.
   
• Enhances Economic Growth and Innovation: A nation with well-regulated data protection laws can encourage the development of a legislative framework that strikes a balance between the growing digital economy and the individual's right to privacy. As more startups establish themselves, data privacy will likewise become increasingly important. If their data protection system is robust, then more countries and businesses will think about making investments in our firms.
   
• Individual rights: The data protection rules provide people multiple forms of empowerment. They are entitled to information about how personal data is collected, stored, and transferred, as well as a right of recourse in the event that this is violated. They receive just compensation for any compromised data. It informs people of their rights about their data and establishes an efficient grievance redressal system.

As more individuals start using the internet, data protection rules are becoming more and more important in many parts of the world. Legislation that enables people to have faith and confidence in digital media is necessary. They must understand how and what information on them is gathered, as well as how it will be utilised, transmitted, stored, disposed of, etc. They will be able to comprehend the privacy practices of the businesses they deal with or buy goods from thanks to these legislation.

Overview of the Digital Personal Data Protection Act, 2023

1. A recent piece of legislation regarding the processing of personal data in India is the DPDP Act. Almost six years after the Supreme Court upheld the basic right to privacy in Article 21, it was ultimately adopted.
2. The DPDP Act addresses privacy and protection requirements pertaining to personal data and is presented against the backdrop of global privacy legislation, such as the GDPR of the European Union.
3. It is believed that the DPDP Act has broad applicability that extends beyond the region and directly incorporates several principles from the GDPR.
4. Governmental organisations are exempt from several of the Act's provisions, despite the fact that the Act on the one hand sets strict penalties for handling personal data improperly.
5. The DPDP Act established a comprehensive framework for the processing of personal data and has replaced the limited provisions of the IT Act.

Applicability of data protection and data privacy laws in India
The following organisations are eligible to apply for the DPDP Act:

1. The organisation handles digital personal data that can be used to identify the data principle who is the rightful owner of the acquired information.
2. The organisation is gathering the data it is processing in digital format.
3. The organisation processes personal data on Indian soil, or if personal data is processed outside of India but in relation to an activity that provides products or services to people in India.

Innovative facts about the DPDP Act

The DPDP Act is regarded as a groundbreaking piece of legislation, given that safeguarding privacy rights and protecting data are essential to our very survival. The following unique and fascinating details concerning the DPDP Act highlight how much more important it is in the modern world:

1. The DPDP Act adheres to the SARAL principle, which calls for:
• the use of straightforward language,
• the use of pictures to aid in understanding,
• the absence of provisos, and
• the least amount of cross-referencing between sections.
2. The DPDP Act is a sign of the trend towards giving people more power and ability to manage, oversee, and safeguard their personal information.
3. Additionally, it guarantees careful data processing with authority responsibility and inspires trust in the security of data with Data Fiduciaries.
4. The DPDP Act gives the Data Principal's opinion great authority because it emphasizes permission as a crucial basis for the permissible processing of personal data.
5. Additionally, it enables the data principal to update any inaccurate or missing information and to withdraw consent at any time.
6. The DPDP Act is groundbreaking because it refers to "she" rather than "he."
7. While the prior legislation was silent on the subject, it holds all Data Fiduciaries responsible for actions taken in cases where the data principal withdraws their consent.

Penalties And Fines For Violating Data Protection Laws

The DPDP Act's Chapter 8 addresses fines and adjudication. According to Section 33, the Board will impose a monetary penalty following the completion of an investigation into the Act's violations and following the availability of a fair opportunity for the person in question to be heard. To determine the monetary punishment amount, the Board will take into account the following factors:

1. Nature, gravity, and duration of the breach.
2. Type and nature of the personal data affected by the breach.
3. Whether the person, due to consequences of such breach, has gained or avoided any loss.
4. Whether the person concerned took any action in order to mitigate the effect and consequences of the breach, and timeliness and effectiveness of such action.
5. Whether the monetary penalty to be imposed is proportionate and effective considering the need to ensure observance of provisions and to have a deterrent effect.

Conclusion:
The DPDP Act in India aims to protect personal data, empower Data Principals, and establish accountability for data protection authorities. It emphasizes principles like data minimisation, accuracy, and purpose limitation. However, it faces criticism for missing provisions on sensitive personal data and creating exemptions for the government. The Act is expected to balance its achievements and criticism