The right to privacy has been included under the ambit of A.21 thus making it a
fundamental right after the judgement of the Hon'ble S Supreme Court in the
case of Justice K.S. Puttaswamy (Retd.) v Union of India
. Facial recognition
technology has been more or less unregulated before the Personal Data Protection
Information Technology Act, 2000
The Information Technology Act, 2000 classifies biometric data as sensitive
personal data, and contains rules for collection, disclosure and sharing of such
information. In the event of violation, recourse can be taken to section 43A of
the IT Act, which reads as follows:
Body corporate' possessing, dealing or handling any sensitive personal
data or information
Ě in a computer resource which it owns, controls or
operates is negligent in implementing and maintaining reasonable security practices and
Ě, and thereby causes wrongful loss or wrongful gain to any
person, this body corporate will become liable to pay damages as compensation to
the affected person.
However, the fundamental flaw with this is that it only applies to body
corporates and leaves scope of misuse by the government and its agencies.
The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and
Services) Act, 2016
The Aadhaar Act was the first legislation in India specifically dealing with the
collection, storage and processing of biometric data. Three categories of
information are prescribed by the Aadhar Act:
- Section 2 (n) 'identity information'Ě in respect of an individual,
includes his Aadhaar number, his biometric information and his demographic
- Section 2 (g) 'biometric information'Ě means photograph, finger print,
Iris scan, or such other biological attributes of an individual as may be
specified by regulations;
- Section 2 (j) 'core biometric information'Ě means finger print, Iris
scan, or such other biological attribute of an individual as may be specified by
It goes on to classify biometric information as 'ėsensitive personal data or
information' as defined under the Information Technology Act, 2000.
The Aadhaar scheme permits a requesting entity (whether an individual or
agency), to seek authentication of the UID of an individual in relation to
his/her biometric information. The Act incorporates some principles reflected
in the GDPR such as seeking consent of principal, keeping individuals
informed about the purpose of data collection and provision for one's own
The violations of the Aadhaar Act may result in imprisonment that may extend to
3 years in some cases and a penalty with a maximum cap ranging from ten thousand
rupees to one-lakh rupees or both.
Personal Data Protection Bill, 2019
The PDP Bill has classified the use of facial recognition technology as
'sensitive personal data'. Relevant provisions of the bill:
- Clause 3 (7): 'biometric data' defined which includes 'facial images' as
a part of it.
- Clause 3 (36): categorizes 'biometric data' as 'sensitive personal
data', as compared to critical or general data.
- Clause 33: It states that 'sensitive personal data' may be transferred
outside India, but must be stored in India. Nevertheless, transfer of
'sensitive personal data' shall be subject to conditions laid out in.
- Clause 34: Lays down the conditions for transfer of sensitive personal
data outside India.
- After explicit consent is given by the data principal, transfer may be
- It is for an intra-group scheme approved by the Authority if rights are
protected and the data fiduciary assumes liability for non-compliance.
- The Central Government allows such transfer if it finds that such data
has had an adequate level of protection and the transfer does not affect the
enforcement of laws
- Such transfer has been allowed by the Authority for any specific
- Sensitive personal data may be transferred outside India on specified
grounds such as:
- A medical emergency as per S. 12.
- Transfer to a country or international organization where the Central
Government has concluded that it does not harm the security or strategic
interest of India.
- KS Puttaswamy v. Union of India, (2017) 10 SCC 641
- AA 2016, s. 2(u).
- AA 2016, s. 8(1).
- AA 2016, s. 8(2)(a).
- AA 2016, s. 8(3).
- AA 2016, s. 28(5).