India is finally joining the digital identity race with its nationwide rollout of chip-enabled e-passports. Over 20,000 have already been issued in Tamil Nadu, and 13 cities are set to go live. The government promises faster immigration, better data security, and a smoother travel experience. But behind the glossy pitch of digital convenience lies a bigger concern: privacy without protection and innovation without oversight. The e-passport may be India’s flashiest tech reform since Aadhaar, but it risks repeating the same mistakes unless consumer rights are built into its core. Once stored, biometric data is hard to contain. A chip that holds your fingerprints, iris scan, and facial recognition data might get you through immigration faster.
However, it could also open the door to government surveillance, misuse, and even exclusion. Let’s not forget what happened with the government programme Aadhaar. Introduced in 2009 as a voluntary biometric ID system to improve welfare delivery and eliminate duplicate beneficiaries, it quickly morphed into a de facto requirement for everything from bank accounts to rations. While the intention was inclusion, the reality was far messier. In 2018, a major investigation revealed that Aadhaar details of over 1 billion citizens were allegedly being sold online for as little as Rs 500.
Worse, biometric mismatches, especially among the poor, elderly, and disabled — led to millions being denied critical services like pensions and food subsidies. What began as a digital bridge became a barrier for many. With e-passports, we risk going down a similar path unless strong legal safeguards are introduced from the start. What is missing is clarity on how this biometric data will be stored, who will have access to it, and under what circumstances. Will there be independent oversight? Can consumers see when and why their data is accessed?
What happens if the chip malfunctions or, worse, gets cloned? Germany’s Chaos Computer Club hacking conference demonstrated how RFID chips in biometric passports could be copied and spoofed, a serious warning sign for any country looking to scale up without caution. India’s track record on data protection doesn’t inspire confidence. The newly enacted Digital Personal Data Protection Act falls short where it matters most, independent oversight, transparency, and consumer control. It centralizes too much power with the government, lacks a strong enforcement body, and fails to guarantee that citizens can track or contest how their data is accessed. It is a framework that asks for trust, but does not offer accountability in return.
This is especially concerning as India aims to lead the digital economy. Digital trust is not built through legislation alone, it is earned through systems that put users in control. Estonia offers a powerful example: its digital ID ecosystem is built on decentralized data storage, real-time access logs, and user-managed consent. When people can see who accessed their data and revoke that access if needed, confidence follows. That’s the standard India should strive for – not just convenience, but real control in the hands of consumers. India must follow that lead. That should include encrypted biometric data, decentralized or offline storage options to reduce cyber-security risks, real-time audit logs, consumer opt outs, and swift redress mechanisms in case of errors. Anything less risks turning a promising reform into a privacy liability.
There is also a competition angle. If India wants to attract world-class tech talent and investment, it must ensure its digital infrastructure respects individual rights. Otherwise, innovators will think twice before plugging into a system that offers surveillance as much as it does service. The EU’s digital single market and the U.S. cloud ecosystem thrive not just on scale but on user trust. A chip in a passport may seem like a small thing, but the precedent it sets will shape India’s approach to digital identity for decades to come. Modernization should empower, not monitor. A truly digital India must place consumers at the centre with privacy not as a trade-off, but as a starting point. Because convenience without consent is not progress. It is paternalism, packaged in a chip.
Originally published here
