Date: 2025-11-28

The relationship between Aadhaar, the government-backed digital identity, and constitutional rights has long been mired in debates on privacy, purpose, and consent. While Aadhaar has become indispensable for welfare delivery, financial inclusion, and social access, its expanding use continues to generate concerns, even after the Supreme Court upheld its validity. With the enactment of the Digital Personal Data Protection (DPDP) Act, 2023, and its implementation rules, it may be timely to re-examine Aadhaar’s compliance with India’s new privacy regime, which emphasises data minimisation, purpose limitation, and informed consent. Equally important is assessing whether the Aadhaar Act meets these standards not only in principle but also in practice.

To evaluate Aadhaar under the DPDP framework, one must first understand what kind of identity Aadhaar represents. The World Bank’s ID4D framework distinguishes between two broad types of digital identities. Functional identities, such as driving licences, voter cards, and ration cards, serve specific sectoral purposes. Foundational identities, in contrast, provide a universal proof of identity that can be used across services and sectors.

Aadhaar was conceived as a foundational identity: A unique, biometric, universally accepted proof enabling residents to authenticate themselves anywhere. Prior identity documents lacked universality and conclusive verification. Aadhaar’s purpose was to bridge this gap by establishing both identity and uniqueness, enabling the government to match beneficiaries accurately and deliver services efficiently.

Data minimisation

Data minimisation is central to the DPDP Act, which mandates that entities collect and process only what is strictly necessary for the specified purpose. Section 6 explicitly restricts data fiduciaries, including government agencies and the Unique Identification Authority of India (UIDAI), from gathering excessive or irrelevant personal data. This echoes global norms such as the European Union’s General Data Protection Regulation (GDPR), which requires data to be “adequate, relevant, and limited to what is necessary”.

Tracing Aadhaar’s design history reveals conscious adherence to this principle. Early proposals suggested collecting multiple identity numbers (PAN, EPIC, ration card, BPL card) at enrolment to link them upfront. However, this was rejected because the UIDAI’s mandate was limited to verifying identity, not managing functional databases.

A government committee concluded that four demographic attributes — name, date of birth, gender, and address — were sufficient to establish identity. But since these could overlap between individuals, biometric data was added solely to ensure uniqueness. Thus, Aadhaar’s data architecture was deliberately minimalistic, designed to collect only what was necessary to issue a unique identifier.

Purpose limitation

Purpose limitation under the DPDP Act requires personal data to be collected for clear, specific, lawful purposes and prohibits further processing inconsistent with those purposes without fresh consent. The Aadhaar Act, 2016 contains similar restrictions. It states that identity information may be used only for generating Aadhaar numbers and for authentication under the Act. Section 29 further bars requesting entities from using or sharing Aadhaar data for purposes beyond what was explicitly disclosed and consented to at the time of authentication.

Aadhaar is often accused of ‘functional creep’, the perception that Aadhaar, initially meant for welfare delivery, has expanded into countless domains. This misunderstanding stems from reading the Act’s title as limiting Aadhaar to subsidies alone. In reality, Aadhaar’s foundational purpose is to provide a unique digital identity. Therefore, any transaction requiring establishment of identity, whether it be opening bank accounts, obtaining SIM cards, or accessing government schemes, logically falls within its legitimate use. The issue, therefore, is less about purpose expansion and more about ensuring that each use is accompanied by proper notice, consent, and compliance by requesting entities.

Consent framework

The DPDP Act places informed consent at the centre of lawful data processing. Consent must be free, specific, unambiguous, informed, and given through affirmative action. Users must receive clear notices on what data is collected, why, how it will be used and how they may withdraw consent. Withdrawal must be as easy as giving consent, and data must be erased or anonymised unless retention is legally required.

The Aadhaar Act similarly mandates notice and consent for authentication. Regulation 6 of the Aadhaar Authentication Regulations requires clear disclosure of purpose and prior consent, written or electronic, before processing. Aadhaar holders must also be informed of their right to withdraw consent. Unlike broader data protection laws, however, Aadhaar withdrawal does not automatically require deletion of data except in specific cases. The most explicit deletion right is under Section 3A, which allows individuals enrolled as children to cancel their Aadhaar within six months of turning 18.

Implementation challenges

While the Aadhaar Act remains congruent and compliant with the provisions of the DPDP Act, real-world gaps in implementation exist and should be acknowledged. Aadhaar’s architecture aligns with data minimalism; its legal framework adheres to purpose limitation; and its authentication ecosystem incorporates notice and consent. However, challenges arise not from the Act itself but from inconsistent implementation, particularly by third-party agencies.

Weak enforcement, inadequate training, and occasional misuse undermine the safeguards built into Aadhaar’s legal framework. The DPDP Act introduces a stronger, more enforceable privacy regime that may help correct these gaps. With clearer obligations, penalties, and oversight mechanisms, it promises to strengthen accountability among all entities using Aadhaar.

ddgrochd@uidai.net.in

The writer is deputy director general of the Unique Identification Authority of India. Views expressed are personal.