BIOMETRICS VS. PERSONAL DATA
Author: Disha Mazumdar, I year of LL.M. from Hidayatullah National Law University, Raipur
We have all watched thriller movies where the detectives catch the murderer with the help of various clues and evidence. The best kind of evidence can be biometrics, which is very useful for solving the identity question in any crime. The fingerprint, iris, retina, signature, odor, anything can be useful to separate the culprit from the other accused. These physical and behavioural patterns can be useful for comparing and detecting a variety of patterns. There can be multiple models to analyze the pattern. In the cyber world, where every activity occurs in virtual space, passwords and PINs cannot guarantee our virtual security. Remembering them is also a tough task, and because of their convenience biometric patterns are widely used. Although the use of biometrics helps solve cyber crimes, it makes us conscious about our data.
Key Features of Biometrics
The selection process depends on the circumstances involved in each case. But there are certain key features which are essential to take into consideration. The biometric should be universal; it should be valid universally and should not be open to question on other grounds of validity. Uniqueness, which makes biometrics different from one another and easy to compare, is another important feature. The permanence of biometrics is also essential as it can be easily measured and digitized.
The fingerprint, iris and retina are all unique for identification, and it becomes impossible to replicate or copy them. Stealing such unique identity features is also very difficult, and hence it helps to give end-to-end encryption to protect our data. Identity theft, data breaches, etc. can be easily traced through this mechanism, and people do not have to memorize or write down their passwords or PINs to gain access to their devices or perform any monetary transactions.
Governments across the world use such a mechanism to curb the crime rate. Citizens' data is taken by enrolling them in the biometric system; only a representation of such data is stored, and no other data is taken by the system. The data entered into the system is then stored as a template for future reference. It forms a one-way street, as the algorithm has copied the original fingerprint or retina data into the template and no alteration can be done. These systems are less fragile and have more capacity to withstand fraud and hacking by any outside source. This mechanism can be used especially by banks, where the number of monetary frauds is high. The inclusion of online transactions has made the cases even worse, as tracing the entity becomes very difficult.
Biometric and the question of Privacy
The features of biometrics are such that it can be very beneficial to recognize the biometric data at any time. If biometrics are made a compulsory mechanism for verification, it would be next to impossible for any individual to deny the same. Biometric data can be specifically used for medical examination, employment purposes and many more. Retina scans can be used for detecting health problems which may arise in the future. Biometric identification and authentication are two different processes; while authentication can be only for legitimate causes, it can sometimes be difficult to differentiate between the two terms.
For individuals who use the biometric system for authentication purposes, such data is stored in the computer network. The computer networks keep a log of all the activities through biometric access and computer networks. This computer system is going to keep a record of the biometric data even if no specific record has been fed into it. The same can also happen where the user has a password to log in or access a file on the system, but the biometric system firstly limits access to such files and systems and is also the more authentic way of protecting the file. Even in cases where the network has been used by multiple people, the authentication is difficult to tamper with, and rather than relying on multiple passwords and long PINs the system becomes more secure. Companies that deal with financial data, or organizations which work in high security, have to keep their employee data safe and secure. Biometrics are more reliable and correct evidence in cases of cyber fraud and data theft, but can sometimes be questioned on the basis of privacy.
India and the question of Biometrics
India does not have specific legislation for the collection, storage and transmission of biometrics. The issue of privacy has been raised time and again before the courts due to the collection of such data.
The law which governs the domain of biometrics is the Information Technology Act, 2000. Biometrics form an intrinsic part of every human being and hence they are classified as the most important asset: sensitive personal data. The debates on the Aadhar Act have raised many questions on the usage of such biometrics to monitor the individual, and hence the landmark Aadhar judgment was delivered by the constitutional bench of the Supreme Court.
How is Biometric data regulated?
India governs the dealing of personal data, with certain restrictions imposed on sensitive personal data or information during the processing of such data. Such compliances also have to be followed during the collection of the data. The collection of biometric data falls under the domain of sensitive personal data and hence needs a higher degree of care. The rules which have been notified by the government define personal information as information that can be used alone or in combination with other information to identify the person. Sensitive personal data is the more intrinsic category: information which can cause loss to the individual, whether reputational or monetary. The collection of biometrics can be done only for a lawful purpose, and the consent of the individual is a must. No data can be processed without consent, and the consent should be given for the same purpose for which the data is being collected by the entity. Retention of data by the entity is another aspect, and data can be retained only for a lawful purpose where the entity has been specially authorized by the government or under any law to do so.
Disclosure of the data which has been collected by the entity also requires a proper mechanism, and no such disclosure to a third party is possible unless there has been consent for the same. A contract is executed between the data provider, the data fiduciary and the third party. All the details of the contract have to be disclosed and agreed upon by all the parties before the information is obtained. Transfer of the data which has been collected from the individual also has to be regulated, and the data can be transferred outside India if the law permits.
For crimes which are extraterritorial in nature, transfer of data to another country becomes a mandate under law, but apart from the procedure established under the law, biometric data can be transferred only when it has been consented to. Maintaining reasonable standards to protect the biometric data is also the duty of all the entities, and in case there is a wrongful loss of data or breach of the contract between the individual and the entity, the entity can be liable for legal action and penalty. Under the IT Act, the position of the individual is stronger as there is no heavy burden of proof of data breach; rather, the individual has to prove that he has suffered a wrongful loss due to the negligence of the other party. The laws are implemented in a strict sense for such commercial utilization of biometric data.
Data Protection Bill and the concept of Biometrics
The Personal Data Protection Bill, 2018, which was introduced in the Parliament, faced huge criticism and backlash as it did not include many of the points stated in the draft introduced by the B.N. Srikrishna Committee. The bill gave enormous power to the government and governmental agencies to collect data and also excluded them from the domain of consent. Biometric data has also been a major concern due to its nature and sensitive information. Even for the utilization and processing of such data, consent is required. The data protection bill has a strong nexus with data localization, where India has regulated a strong centralized scheme for data localization after the collection and processing of such data. The cross-border transfer of data is also based on consent from the Data Protection Authority, without whose consent the data cannot be transferred. The transfer of data is majorly governed by the contractual terms between the individual and the entity that collected the data. Huge penalties can be incurred in case of violation of such rules and procedures where the intention of the data fiduciary/entity to collect and exploit the data is established.
The judgment which changed the definition of data privacy by recognizing the right to privacy as a fundamental right under Article 21 of the Constitution was K.S. Puttaswamy v. Union of India. The Aadhar Act was collectively questioned, and then, to answer the dilemma between two landmark judgments, the court formed a constitutional bench to decide the question of privacy. This scheme is based on the collection of biometrics taken at the time of registration for Aadhar. The constitutional validity of the Aadhar Act, 2016 was the main matter of the dispute, where people were not comfortable with the mandatory linking of their Aadhar accounts with those of the banks.
Data which includes the personal sensitive data of any individual can be stored in the Aadhar repository by authenticated sources and agencies. The government came out with the KYC authentication process, popularly known as Know Your Customer, which had to be undertaken mandatorily by the government and private players in the market. This was used by digital platforms in transactions through e-wallets. The development of technology has connected us to the world, and each activity is possible with ease through the internet. Whether it is the payment of bills or the booking of tickets, online platforms can perform each task without any problem. Due to this development, it was evident enough that the biometrics collected by the government and even by private players can in many cases lead to exploitation and misuse. Hence biometrics are intrinsically important and directly linked with our right to life and personal characteristics. The collection, storage and usage of such data can be done only for legitimate purposes and not for surveillance. The Supreme Court of India decided that the Aadhar Act cannot be made mandatory but can be used by banks and private organizations. Individual data cannot be collected just for authentication unless there is legal backing for the same.
The Supreme Court judgment upheld Aadhar but directed the amendment of certain sections which forced the collection of data. Even the Money Laundering Rules, 2005 were amended to adjust the use of biometrics under the act and also to make it closely balanced with the Aadhar Act, 2006 and the other laws. The main intention was to analyze the scenarios where the private bodies which collected individual data would exploit the same. The Reserve Bank of India also had to amend its Know Your Customer Directions, 2016 to bring them into compliance with the new Aadhar mechanism. This mechanism helps the bank to regulate all transactions in a better way through the identification procedure. It helps to regulate the accounts of consumers and also to track suspicious activities and transactions.
Biometrics is the new set of evidence under the law and can be very beneficial for tracking cybercrimes. Computer networks are intrinsically linked to each other, and tracing crimes in the virtual world has many inherent issues such as the change of jurisdiction, the application of different laws, and the investigation and collection of evidence. Biometrics in cybercrimes can solve a lot of disputes in the extraterritorial domain by maintaining the right balance between the privacy of the individuals and the culprit.