The Indian government has changed Aadhaar authentication rules, now allowing private businesses to use Aadhaar verification for customer identification. The Ministry of Electronics and IT (MeitY) announced the change this month, stating that it will make life easier for people and improve access to services.
However, experts are concerned about data privacy and security risks since there are no clear safeguards against the misuse of biometric data.
This amendment follows earlier government efforts to permit private players, particularly in the financial sector, to conduct Aadhaar biometric authentication after demonstrating compliance with security standards.
What has changed?
Previously, only the government and a few approved organisations could use Aadhaar authentication for three purposes: promoting good governance, stopping misuse of public funds, and making services more accessible.
Now, the new Aadhaar Authentication for Good Governance (Social Welfare, Innovation, Knowledge) Amendment Rules, 2025, have widened the scope. Private companies in sectors like e-commerce, travel, hospitality, and healthcare can now use Aadhaar verification to improve service delivery. A notable new addition is the "promotion of ease of living".
This change updates a 2020 law that had limited private access to Aadhaar data after a Supreme Court ruling. It follows nearly two years of government discussions, but the feedback from public consultations has not been made public.
What Are the Privacy Concerns?
The new changes may conflict with the Supreme Court's 2018 ruling, which struck down Section 57 of the Aadhaar Act, preventing private companies from using Aadhaar for KYC.
However, tech lawyer Salman Waris argued that these changes don’t necessarily defy the Act. He explained that according to Section 2(u), the Act defines a "requesting entity" as anyone submitting Aadhaar details for authentication, which can include corporations.
While the previous provision was vague, leading to its removal, the new rules provide clear procedures. He further said, “As long as requesting entities follow data security and privacy measures, these rules may not violate the Act. However, the rules should ensure that these entities comply with the Act’s security provisions.”
Waris also noted that the government has implemented these "vaguely defined rules" before the DPDP Act came into force, showing a "callous approach" toward data privacy.
Expounding on India’s yet-to-be-implemented data protection law, Meemansa Agarwal, Senior Research Associate at The Dialogue, said, “The DPDP Act requires organisations to implement security measures to protect personal data. While the Draft Rules mention measures like encryption, data masking, and access control, they do not define these measures.”
She emphasised that protecting biometric data held by private entities depends on "the organisation's commitment to privacy safeguards, prioritisation of data security, and how effectively authorities enforce compliance."
Clear parameters for assessment are necessary to mitigate misuse, an issue the Supreme Court had flagged earlier, she added.
Approval Process and Vague Criteria
Any company wanting to use Aadhaar authentication must submit a proposal outlining the justification for its use, based on one of the four specified purposes in the rules.
Proposals for Aadhaar authentication must be submitted to the relevant government department or ministry responsible for overseeing the intended purpose of authentication. These proposals will then be reviewed by the Unique Identification Authority of India (UIDAI) and the Ministry of Electronics and Information Technology (MeitY), which hold the authority to approve them.
Additionally, companies must ensure that their request to use Aadhaar authentication aligns with the "interest of the state".
However, experts argue that the phrase "in the interest of the state" is vague and leaves room for arbitrary approvals. According to Waris, such undefined terms could allow discretionary decision-making.
He said, “This clause may be misused to justify any type of content as the Indian government’s stance on data processing has been very lenient. Even though there may be some prima facie safeguards, the amendment still raises privacy concerns with respect to the biometric data of individuals.”
Agarwal stressed that “establishing clear approval criteria is crucial to ensuring transparency and preventing inconsistent decision-making.” She added, “Legal precision fosters certainty, allowing individuals to better navigate and plan their interactions with such systems.”
Aadhaar Licensing: Then and Now
It is not that private companies were not allowed to use Aadhaar authentication before. A licensing regime already existed, requiring government approval to ensure authentication was used only for specific, legitimate purposes while maintaining privacy and security.
In 2019, the government allowed private entities like banks and telecom firms to use Aadhaar for KYC under this system.
In 2023, it proposed the same amendment that has now been formalised. Even before this, 22 private financial firms, including Amazon Pay (India) and Hero FinCorp, were permitted to use Aadhaar authentication.
LinkedIn also introduced Aadhaar-based verification for Indian users last year. While the new rules officially expand access, the shift has been in progress for years.
However, with the new regulations, gaps in the approval process for Aadhaar authentication could emerge due to unclear rules, Agarwal said. "There are no clear, uniform criteria, which means different entities can interpret the rules differently. This could lead to inconsistent implementation and potential misuse," she explained.
She stressed the need for a well-defined approval framework. “A unified system would bring clarity, reduce uncertainty, and make compliance easier,” Agarwal added.
Building on this, Waris explained that biometric data is classified as sensitive personal data or information (SPDI) under Section 30 of the Aadhaar Act, which mandates stricter privacy rules.
“While the DPDP Act treats all data equally, the government can classify entities handling Aadhaar data as ‘Significant Data Fiduciaries’ under Section 10, thereby enforcing stricter obligations and imposing higher fines for non-compliance,” he said.