Policy Circle

Digital public infrastructure: Scale without safeguards

As digital public infrastructure expands into health and credit, gaps in consent, accountability and regulation become harder to ignore.

India’s digital public infrastructure: In April 2026, Indians made 22.35 billion UPI transactions, the highest ever in a month—more than Visa processes globally in a day. Aadhaar has enrolled 1.4 billion people. The G20 has showcased India’s digital public infrastructure as a model. Yet the rules governing failure—data sharing, accountability, liability—remain incomplete, fragmented, and in some cases absent.

India’s digital public infrastructure (DPI) is a public backbone on which private services operate. The state built the base layers: UPI (payments), Aadhaar (identity), DigiLocker (documents), ONDC (commerce), and the Unified Health Interface (health data). Private firms—banks, payment apps, hospitals, startups—build services on top.

The design choices were deliberate. UPI was open: any bank, any app. No user fees. The RBI set rules; the NPCI operated the system. Aadhaar was constrained by the 2018 Supreme Court judgment, which limited private use and affirmed privacy as a fundamental right. These guardrails mattered.

Adoption at scale

Adoption followed at scale. UPI now accounts for 84% of India’s retail digital payments and processed 228.3 billion transactions in 2025. It has brought hundreds of millions into the financial system. That achievement is real. The question is what happens as the same model expands into health records, farm credit, and urban services.

Consent exists in law but not in practice. Consider a user in Patna paying an electricity bill via UPI. Their Aadhaar is linked to welfare databases. They are enrolled in Ayushman Bharat. Their health data sits on the Unified Health Interface. Data moves across these systems. There is no single interface to track it, revoke permissions, or identify responsibility.

The architecture to fix this exists: DEPA (Data Empowerment and Protection Architecture). It enables granular, portable consent. The RBI has implemented it through the Account Aggregator framework for financial data. It has not been extended to health, agriculture, or commerce. Consent remains an abstraction.

Breach without accountability

The Digital Personal Data Protection Act, 2023 mandates breach disclosure to users and the Data Protection Board. The Board was constituted only in November 2025. Full enforcement begins in May 2027. Until then, breaches involving UPI or Aadhaar-linked systems fall back on rules framed in 2011. There is no compensation floor. No cross-stack incident authority. No system-level response mechanism.

UPI’s scale means a single breach could affect tens of millions under outdated rules.

India’s DPI debate also underplays operational risk. UPI runs on central infrastructure operated by the National Payments Corporation of India, with transaction flows concentrated across a handful of banks and apps. Intermittent outages and transaction failures have already surfaced at peak volumes.

There is no publicly articulated cross-stack resilience framework covering uptime guarantees, redundancy standards, or coordinated incident response across payments, identity, and health systems. As digital public infrastructure expands into health records and credit delivery, system failure is no longer a transactional inconvenience. It can delay treatment, block welfare access, or disrupt livelihoods.

Market power on public rails

Two firms, PhonePe and Google Pay, account for over 80% of UPI transactions. One is majority-owned by Walmart, the other by Alphabet. Both operate on publicly built infrastructure.

The NPCI proposed a 30% market-share cap. It has not been enforced.

There is no requirement for algorithmic audits. No neutral mechanism for smaller apps to challenge API access. No periodic review of platform terms imposed on merchants. This is not an abstract concern. It is about control over a system used by 300 million people.

Regulation of digital public infrastructure

Payments are regulated by the RBI and NPCI. Identity by UIDAI. Health data by the National Health Authority. Data protection law applies uniformly across sectors. What does not exist is a regulator for the interfaces between these systems—where data moves, risks accumulate, and accountability breaks.

Other countries built governance alongside infrastructure. Brazil’s Pix launched in 2020 with embedded rules: merchant fee caps, fraud alerts, real-time dispute resolution. It reached 140 million users in two years. Regulation enabled adoption.

Singapore mandates API consent logs and annual audits. The European Union’s open banking rules created enforceable data portability rights and drove usage within three years.

The pattern is consistent: early clarity strengthens trust.

Digital public infrastructure: The next phase

India’s first phase prioritised speed. That logic does not hold for health data or farm credit, where risks are higher and consequences harder to reverse. The gaps are specific.

A unified consent dashboard extending the Account Aggregator model across sectors would allow users to track and revoke data sharing. A breach compensation protocol, aligned with the DPDP Act, would set minimum guarantees—time-bound notification and defined compensation thresholds.

Annual audits tracking exclusion—rural adoption, health data access, algorithmic bias in credit scoring—would make system gaps visible. A small transaction cess on UPI could fund governance infrastructure. These are extensions, not redesigns.

The unfinished layer

India’s digital public infrastructure is an infrastructure success. It is not yet a governance one.

That distinction matters as the system moves into health records, land data, and credit scoring—domains where errors are not inconveniences but structural risks.

The Data Protection Board is newly constituted. Full enforcement is pending. Meanwhile, new DPI layers are onboarding users.

The rulebook is still being written. The road is already in use. The window to align the two remains open, but not for long.

Utkarsh Mishra is an independent journalist who has written extensively on law, labour, gender, and migration.
