From Consent to Verification: Decoding the Impact of India’s new Aadhaar authentication rules
India’s updated Aadhaar rules formally recognise face authentication and strengthen user consent, improving digital identity security and enabling safer online verification across government and private services under the new privacy-focused framework.
India(BHARAT)’s digital identity platform Aadhaar will see a fundamental policy shift, as the government has amended the Aadhaar (Targeted Determination Service and Benefits Management 2.0) regulations to legalise face authentication as a mode of verification, while simultaneously putting in place enhanced user consent and privacy protections to better align its operation with contemporary expectations of biometric-enabled digital identity systems.
The new rules, which were notified by the Unique Identification Authority of India(BHARAT) (UIDAI) last week, aim to open up offline or “real world” use cases for Aadhaar, and make for a more mature digital identity verification process beyond the more traditional use cases around government transactions, a move that has also been driven in part by India(BHARAT)’s recently passed Digital Personal Data Protection (DPDP) Act which among other things, highlights the need for purpose limitation and explicit user consent for processing personal data, for all organisations.
Face Authentication now Gets Legal Recognition
Aadhaar-based face authentication, which verifies an individual’s identity through a “live face scan” to validate an enrolment photograph associated with their Aadhaar number, has thus far been informally adopted without regulatory clarity, having been experimented with by some organisations on and off for some time. Face authentication is now receiving legal recognition in the updated regulations, along with other existing Aadhaar authentication methods such as OTP, fingerprint, and iris matching.
“This move is important because it gives a legal basis to use face authentication where other means of Aadhaar authentication are not feasible, such as the use of face authentication in case of unreadable fingerprints. While we have had limited use of the API, this move will be a driver to support its more widespread use. As the UIDAI only issues Aadhaar, having a legal basis for organizations and entities to adopt Aadhaar face authentication gives them confidence that they are not in a legal grey area by providing an Aadhaar-based service to users,” the government added in a statement.
Privacy and Consent now take centre stage
In addition to formalising Aadhaar face authentication, the updated Aadhaar framework now places a particular emphasis on user consent and data privacy. The UIDAI will now only verify the identity of a person where such a request is made with prior consent and for a specific purpose, in compliance with the country’s data privacy legislation. Moreover, it mandates that entities verify an individual’s identity will explicitly seek consent, and also gives users an option to allow sharing of limited attributes (age, photograph) instead of their full Aadhaar details.
“The updated framework requires authentication requests to be for a specific purpose with consent provided by the Aadhaar number holder. This is similar to the requirement in DPDP which requires organizations to provide a notice at the time of collection and processing of personal data. The principle of purpose limitation and explicit consent for processing will now be reflected in Aadhaar,” it added.
Allaying privacy concerns for users
The new framework places special importance on informed user consent for Aadhaar authentication. In addition to other changes such as the explicit consent requirement, it is designed to ensure users can’t be compelled to authenticate using Aadhaar. Authentication requests will also be allowed only for government schemes, digital welfare services, financial services or subsidies. Entities not covered under these must use Aadhaar to collect alternate information which is “prescribed by or not inconsistent with law”.
UIDAI chief Vijay Sharma has also clarified that the legal recognition of face authentication in the new Aadhaar rules are specifically to enable government agencies to use the biometric identification tool “in controlled, offline and limited environments”, seeking to allay privacy concerns over the new verification mode. The Aadhaar app has been redesigned to enable these offline use cases, with features such as local storage of credentials on the user’s device, QR-based authentication, and offline face authentication among others.
What's Your Reaction?
