Once the Digital Personal Data Protection (DPDP) Act becomes operational, Aadhaar would be fully within its boundaries in protecting consumer data and its usage, Bhuvnesh Kumar, CEO of the Unique Identification Authority of India (UIDAI), told Fe in an interaction. He said that in some areas, Aadhaar even goes beyond what the DPDP Act requires.
“Aadhaar cannot be stored or retained without explicit permission. If it is shared, that too requires consent, and purpose limitations apply,” Kumar said. “We are more than compliant. Aadhaar would operate within the scope of DPDP,” he added.
Kumar said that Aadhaar imposes tighter controls on how data is stored and shared, compared to many other systems. For instance, the Aadhaar Act allows the use of collected data only for authentication or for purposes that have been specifically notified by the government.
On concerns about the possibility of data being re-used for profiling or surveillance, Kumar said the system prevents this through design. “Transaction logs are stored for just six months and then deleted. Nobody would even know for what purpose the data was used beyond that window”.
He pointed out that the automation of Aadhaar’s processes act as a core safeguard. “Everything flows through secure channels, gets authenticated, and goes back to the channel. It’s completely automated,” Kumar said.
Earlier this year, the government permitted private entities to use Aadhaar authentication under strict conditions tied to the DPDP framework. Kumar said this move is supported by adequate safeguards and governed by specific use cases. He added that UIDAI is working closely with the ministry of electronics and IT, which has asked the agency to examine the final DPDP rules and close any gaps.
On the question of deleting core data, Kumar said that biometric and demographic data such as fingerprints, iris scans, and facial records are retained to avoid duplication. “This is intended to prevent duplication and strengthen the system’s integrity,” he said.
UIDAI is also working with agencies like the Registrar General of India to identify and de-activate Aadhaar numbers of deceased individuals to reduce fraud. Alongside that, the authority is investing in AI and machine learning tools to improve fraud detection across the system.
Kumar reiterated that Aadhaar is not mandatory in most contexts. “No service mandates Aadhaar. It has substitutes. You don’t need it mandatorily to vote or buy a SIM card,” he said. “Aadhaar is not a functional ID. To be a voter, there are other qualifications which must be met apart from identity,” he said.
“Anyone who has spent 182 days in India in the preceding 12 months is eligible for Aadhaar, so that it is not a proof of citizenship,” Kumar said.
