Is Your Privacy at Risk? Aadhaar Authentication Expansion Amid Controversy

India has relaxed its restrictions on the Aadhaar authentication service, a digital identity verification system linked to the biometrics of over 1.4 billion citizens.

This change allows businesses in sectors like e-commerce, travel, hospitality, and healthcare to use this system for customer verification. However, concerns about privacy have emerged as New Delhi has not yet defined measures to prevent misuse of biometric IDs.

Amendment to Aadhaar Rules

The Indian IT ministry introduced the Aadhaar Authentication for Good Governance (Social Welfare, Innovation, Knowledge) Amendment Rules, 2025. This amendment modifies legislation from 2020 that followed a Supreme Court ruling limiting private entities' access to Aadhaar data. The amendment comes nearly two years after public consultations began, though responses remain undisclosed.

The updated rules aim to "enhance scope and utility of Aadhaar authentication" by allowing its use for improving service delivery. Both government and non-government entities can now use Aadhaar authentication services for various public interest services, according to the IT ministry's statement.

Expansion of Authentication Services

Previously, banking and telecom operators were the primary users of Aadhaar authentication for onboarding new customers and verifying existing ones. The amended rules now exclude a sub-rule that allowed Aadhaar authentication to prevent "leaking of public funds." This change broadens the scope of ID-based verification provided by the Unique Identification Authority of India (UIDAI), expanding its use across public and private sectors.

In January, Aadhaar authentication transactions reached 129.93 billion, up from 109.13 billion in February last year, according to UIDAI's website. Major entities using Aadhaar-based authentication include National Informatics Center, National Health Agency, State Bank of India, Bank of Baroda, and Punjab National Bank.

Under the new rules, entities wishing to enable Aadhaar authentication must apply with their intended requirements to the relevant ministry or department of the Central or State government. These applications will be reviewed by UIDAI and MeitY (the IT ministry) based on UIDAI's recommendations.

Concerns Over Privacy and Exclusion

"What criteria the MeitY and UIDAI would be taking into consideration for evaluating such applications have to be made clearer and more transparent to weed out misuse," said Kamesh Shekar from The Dialogue think-tank. This concern was highlighted by the Supreme Court while discussing Section 57 of the Aadhaar Act.

Section 57 of the Aadhaar Act 2016 allowed private entities to use Aadhaar numbers for identity verification but was struck down by the Supreme Court in 2018. The Indian government amended the Act in 2019 for voluntary authentication based on Aadhaar; however, this amendment is currently under challenge in the Supreme Court.

Challenging the Aadhaar Act

Prasanna S., an advocate involved in challenging the Aadhaar Act on privacy grounds, stated that this amendment attempts to "re-legislate" Section 57 which had been struck down earlier. He noted that although a licensing regime existed under previous rules, expanding access reinforces concerns about such a regime.

Sidharth Deb from The Quantum Hub consultancy firm expressed concerns about potential exclusion risks with expanded Aadhaar authentication. "Once you start linking ID documentation or ID instruments to accessing digital services," he said, "there is always risk of exclusion." He emphasised defining 'voluntary' clearly so citizens can access digital services smoothly.