Government Plans Amendment to Aadhaar Act for Enhanced Privacy and Consent Controls

May 28, 2025
By Anuradha Gandhi and Rachita Thakur

Introduction

The Union Minister for Electronics and Information Technology, Shri Ashwini Vaishnaw, speaking at the Aadhaar Samvaad, emphasized the need for a new Aadhaar framework aligned with the Digital Personal Data Protection Act, 2023. He also unveiled the revamped Aadhaar mobile application, designed to simplify digital identity verification while bolstering privacy.

“Individuals no longer will be needed to share physical copies of Aadhaar ID as the new app will allow them to scan QR code and their face to verify digital identity, while maintaining privacy.”[1] The app is secure and shareable only with the user’s consent, and is currently in the beta testing phase. This can be seen as a step towards aligning Aadhaar with data protection laws.[2]

Aadhaar, the unique 12-digit identification number for every Indian resident, has changed identity verification. By capturing nominal data related to demographic and biometric details, it provides a secure, verifiable identity.[3] This extensive program has become the world’s largest digital identity initiative, as 138.04 crore Aadhaar numbers have been generated as per the 2024 data[4].

Risk associated with digital identity

Aadhaar is the basis and the core of India’s digital public infrastructure.[5] It is now more than just a tool for identity; it promotes distributive justice, builds public confidence in government operations, and empowers millions by making basic services easier to access.

When linked with a bank account, Aadhaar becomes the ‘financial address’ of an individual, which helps to accomplish the country’s goal of financial inclusion. At the same time, the use of digital identity systems carries significant risks, particularly identity theft.

Once compromised, an individual’s digital identity can be misused for financial fraud, unauthorized access to services or even criminal impersonation. Centralized storage of biometric and demographic data makes such systems attractive targets for cyberattacks and data breaches, potentially exposing sensitive personal information.

Therefore, since Aadhaar has become such an important document for citizens and holds citizens’ data, it needs to be aligned with data protection laws.[6]

Gaps and need for amendment

Consent implementation: Section 8A of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (hereinafter referred to as the Aadhaar Act) establishes a requirement for informed consent, directing that requesting entities inform Aadhaar number holders about:

  • The nature of information being shared
  • The uses of the information collected
  • Alternatives to submission of identity information

However, implementation challenges persist in practical scenarios. For example, in the travel industry, hotels and service providers often request Aadhaar copies without fully adhering to these standards. While the law requires alternatives to be provided, in practice there is often a disconnect between legal standards and practical realities when Aadhaar is positioned as the default verification method without providing users with sufficient presentation or explanation of these choices.

Authentication History and Transparency Limitations: Aadhaar authentication is the process by which the Aadhaar number, along with demographic information (such as name, date of birth, gender, etc.) or biometric information (fingerprint or iris), is submitted to UIDAI’s Central Identities Data Repository (CIDR) for verification. UIDAI verifies the correctness of the details submitted, or the lack thereof, on the basis of the information available with it.[7]

The UIDAI website’s authentication history feature offers comprehensive logs of all authentication transactions for Aadhaar authentications completed by the concerned party during the last six months, and a maximum of 50 records can be seen at a time.

Section 32 of the Aadhaar Act addresses the maintenance of authentication records. While the UIDAI maintains authentication records with purpose codes, the level of detail provided to individuals about specific purposes is often insufficient for true transparency. This limited visibility into authentication history creates a gap with the DPDP Act’s stronger emphasis on data subject rights and comprehensive transparency requirements.

Purpose Limitation Enforcement: The requirements for authentication, such as consent and purpose specification, are covered in Section 8 of the Aadhaar Act. Still, there are insufficient procedures in place to ensure that these stated goals are strictly followed, especially when Aadhaar data moves between several organizations or systems. When it comes to handling Aadhaar data, agencies that are not registered as Authentication User Agencies (AUAs) are subject to less regulation. The DPDP Act’s stringent standards for purpose limitation and data minimization, which mandate that every use of personal data be closely tied to clearly defined goals, are significantly violated by this.

Aadhaar and Data Protection Laws

The Aadhaar Act and the Regulations thereunder align at some points with data privacy principles.

  • Specific purpose of collection: A requesting entity (an agency or a person that submits the Aadhaar number and demographic information or biometric information of an individual to the Central Identities Data Repository (CIDR) for authentication[8]) under the Aadhaar Act and the Regulations thereunder must inform the Aadhaar number holder:
    • The nature of information shared
    • The purpose for which the information is used
    • Identity information collected can only be used for the purpose specified at the time of authentication.[9]
  • Informed consent: The regulations make it the responsibility of an individual, agency or entity collecting the Aadhaar number, or any document containing the Aadhaar number, to collect, store and use it for a lawful purpose, to inform the Aadhaar number holder of the purpose of collecting Aadhaar and whether it is mandatory or voluntary, and to obtain consent for collection, storage and use for the specified purpose.[10]
  • Prohibition on storage: Core biometric information collected or captured by a requesting entity from the Aadhaar number holder at the time of authentication shall not be stored except for buffered authentication as specified and shall not be shared with anyone for any reason whatsoever.[11]
  • Masking of Aadhaar number: The full Aadhaar number of the customer is not visible; the first 8 digits are replaced with “xxxx-xxxx” while only the last 4 digits of the Aadhaar number are visible.
  • Security measures- UIDAI is actively collaborating with all user agencies to enhance data security protocols for safeguarding sensitive user data like Aadhaar. It uses innovative security technologies to keep data safe and upgrade them to meet emerging security threats and challenges.[12]

Conclusion

Aadhaar represents a significant advance in India’s digital governance, offering streamlined identity verification and improved access to public services. However, its alignment with data privacy principles remains a critical concern. While data privacy law focuses on stringent data protection measures, Aadhaar, being a digital identity, needs to be compliant with the same, as it holds personal and sensitive information of millions of citizens.

Abhishekta Sharma, Junior Associate Advocate at S.S.Rana & Co. has assisted in the research of this article.

[1] https://uidai.gov.in/images/Aadhaar_Samvaad_Delhi_Media_coverage_April_2025.pdf

[2] https://uidai.gov.in/images/Integrating_AI_with_Digital_Public_Infrastructure.pdf

[3] https://opengovasia.com/2024/10/26/aadhaar-a-global-benchmark-in-digital-identity-and-governance/

[4] https://pib.gov.in/PressReleaseIframePage.aspx?PRID=2037598

[5] https://pib.gov.in/PressReleasePage.aspx?PRID=2067940

[6] https://www.medianama.com/2025/04/223-ashwini-vaishnaw-aadhaar-law-dpdp-act/

[7] https://uidai.gov.in/en/contact-support/have-any-question/303-faqs/authentication.html

[8] https://uidai.gov.in/en/ecosystem/authentication-ecosystem/authentication-requesting-agency.html

[9] Regulation 5 of The Aadhaar (Authentication and Offline Verification) Regulations, 2021

[10] https://uidai.gov.in//images/8_The_Aadhaar_Sharing_of_Information_Regulations_2016.pdf

[11] Ibid.

[12] https://uidai.gov.in/en/my-aadhaar/about-your-aadhaar/security-in-uidai-system.html