NEW DELHI, April 10: The Indian government is set to amend the Aadhaar Act, 2016, to harmonise it with the Digital Personal Data Protection (DPDP) Act, 2023. Electronics and Information Technology Minister Ashwini Vaishnaw has directed the Unique Identification Authority of India (UIDAI), which manages the Aadhaar ecosystem, to address existing legal loopholes and bring the law in line with the DPDP Act once its rules are finalised and notified.
“When the Aadhaar Act was framed, there were gaps in the legal structure which have now been filled with the DPDP Act. So, I will request the UIDAI to look into the gaps and harmonise it with the DPDP Act,” Vaishnaw stated.
He emphasised that when the Aadhaar Act was initially created in 2016, India lacked a horizontal legal framework for data privacy. Now that such a framework exists through the DPDP Act, it is essential for the Aadhaar law to be restructured to align with its provisions. The minister further said that the objective of this modernised law should be user-centric, aiming to enhance convenience for citizens and reduce the need for repeated consent and Aadhaar authentication.
“The user should be the focus of the new, modern law which makes life convenient for citizens, so that repeated consent, authentication of Aadhaar is not required. This should be the objective of the new, modern law and I request the UIDAI to bring about the required harmonisation,” he added.
While the minister did not elaborate on specific areas of conflict between the two laws, analysts have frequently highlighted multiple points of tension, particularly around issues such as consent, purpose limitation, and data usage.
For instance, although the Aadhaar Act requires consent for enrolment and authentication, in practice, Aadhaar is often mandatory for accessing services such as opening bank accounts, school admissions, or obtaining SIM cards—even in cases where it is supposed to be optional. In contrast, the DPDP Act mandates that consent must be “free, specific, informed, and unambiguous,” granting individuals greater control over how their data is used. This raises legal concerns if Aadhaar is forcibly used for identification, potentially breaching the DPDP Act’s standards on consent.
Further friction emerges around data usage policies. While the Aadhaar Act permits the use of collected data strictly for authentication or government-notified purposes, the DPDP Act stipulates that personal data can only be used for the precise reason consent was provided. If Aadhaar data is reused—such as for profiling or surveillance—without renewed consent, it may constitute a violation of the DPDP Act.
Another point of divergence involves data minimisation. The DPDP Act encourages the collection of only essential data required for a specific service. However, Aadhaar collects sensitive biometric data by default, which might not always be necessary, potentially conflicting with the data minimisation principle.
A significant disparity also exists in the context of data correction and erasure. The DPDP Act gives individuals the right to correct or erase their personal data, while the Aadhaar Act allows only limited updates—such as changes to address or phone number—and does not support full deletion of core biometric data. This inconsistency clashes with the DPDP Act’s provision of comprehensive data control rights to individuals.
