By Anuradha Gandhi and Rachita Thakur
Introduction
In a significant move, the Ministry of Electronics and Information Technology notified the Aadhaar Authentication for Good Governance (Social Welfare, Innovation, Knowledge) Rules, 2025 (hereinafter referred to as the ‘Amendment’) on January 31, 2025, which seek to enhance the scope and utility of Aadhaar authentication with improved transparency and inclusivity. The Amendment enables both government and non-government entities to avail of the Aadhaar authentication service for providing services in the public interest and for related purposes such as enabling innovation, spreading knowledge, promoting ease of living of residents and enabling better access to services for them.
As a result, the Amendment now extends Aadhaar authentication to entities in the private sector, on a voluntary basis, for the following purposes:[1]
- Usage of digital platforms to ensure good governance;
- Promoting ease of living of residents and enabling better access to services for them;
- Prevention of dissipation of social welfare benefits; and
- Enablement of innovation and the spread of knowledge.
Key Legal Issue pertaining to User Privacy discussed by the Court
“Aadhaar Authentication” is a process by which the Aadhaar number, along with demographic information (such as name, date of birth, gender, etc.) or biometric information (fingerprint or iris) of an individual, is submitted to the Unique Identification Authority of India’s (UIDAI) Central Identities Data Repository (CIDR) for verification, and the UIDAI verifies the correctness of the details submitted, or the lack thereof, on the basis of the information available with it.[2]
Why was the Amendment done?
The move significantly came after the Government blocked several websites that exposed sensitive personal information, such as Aadhaar and PAN card details of Indian citizens.
The UIDAI had lodged a complaint with the police authorities concerned for violation of the prohibition under Section 29(4)[3] of the Aadhaar Act on public display of Aadhaar information. On that basis, action was taken by the Indian Computer Emergency Response Team (CERT-In) and the Ministry of Electronics and Information Technology (MeitY) after finding security flaws in those websites.[4]
Who can benefit from the Amendment?
With this Amendment, for the first time, private sector enterprises offering services in the public interest can apply to use Aadhaar Authentication through a regulated framework. A broad spectrum of entities across industries and domains can now apply for the licence to authenticate Aadhaar, such as:
- E-commerce platforms, for onboarding merchants and buyers;
- Healthcare institutes, for authenticating patients for telemedicine, online appointments, maintaining records, etc.;
- Educational institutions, for examination registration, verifying student and parent identities for admissions, and online learning;
- Hospitality and travel businesses, for verifying guest identities and seamless check-ins;
- Credit rating companies and Non-Banking Financial Companies, which can enhance fraud detection and credit profiling based on Aadhaar-based authentication;
- Aggregator platforms such as ride-hailing, delivery and home services platforms, which can benefit from verifying gig workers, ensuring safety and building customer trust.
Benefits of the Amendment: a definite game-changer in the Aadhaar outreach ecosystem
- Ease of onboarding users on digital platforms
- Seamless verification of identities, thereby reducing delays in the verification process
- Reduction in identity frauds in
- Authenticating user genuineness through biometric and OTP authentication
- Easy integration of API systems for efficient workflows
Gap Assessment: how is the industry operating currently?
Several aggregator platforms, including ride-hailing companies, food delivery services and digital service startups, are now evaluating applying to the union government for explicit approval for Aadhaar authentication, given their struggle to verify the gig workers engaged with such platforms.
Presently, verification of the identities of gig workers by these platforms depends on intermediary channels based on unauthorized means, which makes the entire process complicated and unregulated. Further, the government's blocking of startups like Zoop, Surepass and Digitap, to arrest unauthorized access to government databases, has greatly impacted the verification process.[5] In the absence of formal authorization from the UIDAI, most of the companies resorted to manual KYC onboarding procedures with minimal to no conformity with the applicable data protection requirements.
Data Privacy implications for Entities that await government nod to use Aadhaar KYC
Compliance in alignment with the Digital Personal Data Protection Act, 2023
Entities now seeking approval from the government for Aadhaar authentication will have to demonstrate and comply with the obligations under the Digital Personal Data Protection Act, 2023, along with the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.
The MeitY has also launched the Aadhaar Good Governance portal to streamline the approval process for Aadhaar authentication requests, an effort in sync with the Amendment.[6] Clearly this is in alignment with the Digital Personal Data Protection Act, 2023, to uphold the data and informational privacy of individuals. The UIDAI specifies the following security practices to be undertaken and ensured at the end of the entities requesting authentication. Therefore, the private entities that now receive approval for authentication will have to ensure compliance with the same (as specified hereunder) if they wish to receive government approval to serve as an authentication entity under the Aadhaar ecosystem.[7]
Data Privacy Compliances for Private entities for Aadhaar Authentication under the Aadhaar Act read with the Aadhaar (Data Security) Regulations, 2016 (Aadhaar Data Security Regulations):
- Consent Management – Section 8 of the Aadhaar Act mandates that the request for authentication should be based on the consent of the individual before collecting their identity information for the purpose of authentication. Further, such an individual must be informed about the nature of information that may be shared upon authentication along with the uses of the said information.
- Purpose Limitation – A Requesting Entity has to ensure that the information is used only for submission to the Central Identities Data Repository for authentication. Section 40 of the Aadhaar Act prescribes a penalty of imprisonment of up to 3 years or a fine of up to INR 10,000 for using the collected information for any other purpose.
- Transparency – A Requesting Entity that fails to inform individuals about the use of their information shall be liable for a penalty of up to INR 1,00,000, which in the case of a company may extend to INR 10,00,000.
- Security Measures – Requesting entities shall only be given authorization if the UIDAI is satisfied that such entity is compliant with security standards of the UIDAI [Section 4(4) (a)].
- Furthermore, the Data Security Regulations require requesting entities to comply with the UIDAI’s information security policy and to periodically report such compliance to the UIDAI.
- Report to the UIDAI any security incident affecting the confidentiality, integrity or availability of the information.
- Not using Aadhaar number as a domain specific identifier.
- In the case of operator-assisted devices, operators should be authenticated using mechanisms such as passwords, Aadhaar authentication, etc.
- The Personal Identity Data (PID) block captured for Aadhaar authentication should be encrypted at the point of capture and should never be sent in the clear over a network.
- The encrypted PID block should not be stored unless it is for buffered authentication for a short period, currently configured as 24 hours.
- Biometric and OTP data captured for the purposes of Aadhaar authentication should not be stored on any permanent storage or database.
- The metadata and the responses should be logged for audit purposes.
- Confidentiality of the information – Ensure that confidentiality obligations are maintained during the term of, and on termination of, the agreement.
- Accountability – All service providers and agencies to have their systems audited by an information systems auditor certified by a recognized body under the IT Act.
For more information, kindly refer to our articles:
- https://ssrana.in/articles/madras-hc-allows-aadhaar-checks-for-online-real-money-games/
- https://ssrana.in/articles/trai-launches-pilot-project-for-digital-consent-management-in-partnership-with-rbi-and-banks/
- https://ssrana.in/articles/rbi-introduces-regulations-on-prevention-of-financial-frauds-perpetrated-using-voice-calls-and-sms/
Akshara Gupta, Intern at S.S.Rana & Co. has assisted in the research of this article.
[1] Rule 3 of the Aadhaar Authentication for Good Governance (Social, Welfare, Innovation, Knowledge) Rules, 2025
[2] https://uidai.gov.in/en/contact-support/have-any-question/303-faqs/authentication.html
[3] Section 29(4) of the Information Technology Act – Prohibition on public display of sensitive information
[4] https://www.pib.gov.in/PressReleasePage.aspx?PRID=2059179
[6] https://www.pib.gov.in/PressReleasePage.aspx?PRID=2106755
[7] https://uidai.gov.in/en/ecosystem/authentication-ecosystem/authentication-requesting-agency.html