The Biometric Economy: How India’s Biometric Payment System Challenges the Right to Privacy

Akshansh Pandey | December 5, 2025

On the 7th of October 2025, India embarked on a new digital milestone when the National Payments Corporation of India (NPCI) introduced biometric authentication for UPI transactions. UPI is India’s real-time digital payment system that enables instant bank-to-bank money transfers via mobile devices. The public perceived this move as a triumph of fin-tech innovation, as it would allow everyday users to make instant payments using biometric means linked directly to biometric data verified by Aadhaar (India’s national biometric identification system), instead of numeric PINs. However, upon closer examination, a significant legal concern arises. The move seeks to transform sensitive and private biometric data into an instrument of everyday commerce, blurring the fragile line between identification and surveillance.

The Biometric Economy and Social Exclusion

This issue has constitutional importance. The Supreme Court of India upheld Aadhaar’s validity in 2021 in K.S. Puttaswamy v. Union of India. However, the Court did so only within the narrow confines of welfare delivery, and consciously warned against “function-creep,” which translates to the re-use of biometric data beyond the purpose that it was intended for. The biometric UPI rollout resurrects precisely this concern. Biometric data, which was previously used as a welfare-delivery identifier, is now being re-purposed as a tool for private payments. A shift is occurring as infrastructure originally intended for public welfare is being repurposed in ways which have the potential to serve as a means of surveillance after being injected into the bloodstream of everyday commercial life. This shift is occurring without any new legislation, privacy audits, or meaningful consent.

[Image: The Supreme Court of India. Credit: Subhashish Panigrahi, CC BY-SA 4.0]

In a digital economy such as India’s, commercial entities like merchants, fin-tech giants, and banks will rapidly evolve to make biometric modes of login the default. The digital economy creates an environment wherein voluntariness becomes illusory as structural compulsion replaces consent. Recently, the Supreme Court held that digital access constitutes a fundamental right, which further amplifies the same concern. If any mandate requires digital participation on such a large scale, it risks exclusion of vulnerable groups such as acid-attack survivors, the elderly, or manual labourers with worn fingerprints who may be unable to use biometric authorization. Therefore, any systemic authentication must be tested against Articles 14 and 21 of the Constitution, enshrining rights to equality and liberty.

Studies document recurring failures in the Aadhaar-enabled Payment Systems (AePS), and research indicates that rejection rates were disproportionately higher among rural and marginalised users. Furthermore, the Indian School of Business’s field research connects the dots between authentication mismatches and service denials which have led to economic loss. Therefore, the potential exclusionary consequences are not merely speculative but backed by empirical evidence. A mandate to extend the same infrastructure to commercial payments would explicitly risk the creation of a system where systematic exclusion is a feature that would go hand-in-hand with use.

The Biometric Economy and the Right to Privacy

The governing law when it comes to data protection in India is the Digital Personal Data Protection Act (2023). Yet, it does little to inspire confidence. To draw a parallel, the EU GDPR (General Data Protection Regulation) explicitly places biometric data in a “special category” that demands higher protection standards and prior data protection impact assessments under Article 35. However, the Indian statute makes no distinction between categories of personal data, sets no higher standard of scrutiny for biometric identifiers, and does not mandate independent oversight. The companies that serve as private intermediaries involved in biometric authentication, such as PhonePe, Google Pay, and Paytm, therefore rise to a position where they could be called “custodians” of sensitive biometric data. But these “custodians” are not subject to any statutory limits on storage, cross-use, or third-party transfer. Therefore, a legal vacuum exists in the absence of legislation by either the Reserve Bank of India or UIDAI (the government agency responsible for issuing and regulating Aadhaar).

The introduction of biometric identification raises questions of grave concern, especially considering the standards established by international treaties ratified by India. For example, Article 17 of the International Covenant on Civil and Political Rights (ICCPR) guarantees protection from “arbitrary or unlawful interference” with a person’s privacy. The Human Rights Committee’s General Comment No. 16, the authoritative text on Article 17, clarifies that member States must not only refrain from violating privacy but actively prevent intrusions by private actors. India’s biometric economy model clearly contradicts this obligation by seeking to diffuse state-collected and authorised data across private entities without statutory oversight. Moreover, OHCHR’s digital rights guidance and the UN Human Rights Council 2025 resolution on emerging technologies recommend moratoriums on high-risk biometric systems until their impact on human rights is evaluated.

The state’s argument revolves around curbing fraud and streamlining access. The fundamental fallacy of the argument is that it mistakes efficiency for legitimacy. Convenience cannot, and should not, be the metric of constitutionality. The correct question is whether the proportionality doctrine allows the state to compel its citizens to use their body as a tool for authentication when less intrusive means exist. However, the third prong of the proportionality doctrine, the least-restrictive-means test, is not met when the government promotes biometric means without transparent necessity assessments. Thus, the government fails to meet its constitutional burden of justification.

The philosophical issue at hand is that the use of the human body as a biometric identifier collapses the line between body and data. As the human body transitions to a password, it becomes its own instrument of surveillance, an early sign of a dystopia. Recent scholarship concludes that “the rights to privacy and data protection under conditions such as a collection of nationwide or regionwide biometrics must be supplemented by a broader and more dynamic account of privacy.” This requires us to treat biometric identifiers as something deeply tied to individual dignity and autonomy instead of as mere data points, and to protect these identifiers through privacy rights that are robust, inalienable, and protected by strict legal regimes. A rights-by-design framework must recognise this ontological distinction and re-engineer authentication systems accordingly.

Recommendations

The path forward is clear. National lawmakers must introduce legislation that prohibits any mandated biometric requirements, especially for essential services. A further step would introduce public data-protection impact assessments, accompanied by independent oversight, for every intermediary offering biometric authentication. Statutory retention periods, after which the data must be deleted, must also be set in law for every intermediary. Anything less risks transforming something presented as a step towards financial inclusion into a step of biometric exclusion.

This reform would operate on three fronts, following the aforementioned international treaties, to operationalize this design. Legislatively, by amending the Digital Personal Data Protection Act to classify biometric identifiers as high-sensitivity data. Regulatorily, by mandating fallback authentication and DPIAs for all payment operators through the Reserve Bank of India and NPCI. And judicially, via constitutional challenges under Articles 14, 19 and 21 to any policy that renders biometric authentication compulsory, since it would be exclusionary.

Today, the people of India are at a standstill which is eerily reminiscent of the status quo before the Aadhaar litigation. Warnings were made on similar lines, arguing that when technological convenience outpaces constitutional vigilance, state infrastructure intended for public welfare can mutate into an infrastructure for surveillance. The same country which once constitutionalised privacy is at risk of commodifying it. Therefore, framing the dilemma as a choice between progress and inertia would be an over-simplification that takes the wrong perspective. It is actually a choice between a fin-tech future that is built on consent and autonomy or a biometric economy laid on the grounds of compulsion and asymmetry. The future for the country if we choose the latter is grave. In doing so, the state will have re-engineered its constitutional machinery into a body of its own making—efficient, perhaps, but fundamentally unfree.