Data governance: The clash of models for governing the digital economy has never been sharper. Europe’s prescriptive regulatory style, epitomised by the General Data Protection Regulation (GDPR), has raised compliance costs and invited accusations of stifling innovation. The United States continues to rely largely on laissez-faire traditions, leaving rules to be written by private platforms and markets. In between these extremes lies an emerging Indian experiment: embedding regulatory principles into the very architecture of digital systems. This “regulation by design” is neither a call for the absence of rules nor an embrace of overregulation. It represents a “third way” that seeks to align innovation, sovereignty, and accountability.
India’s digital public infrastructure—constructed over the past decade—offers a vantage point to examine what it means to regulate through infrastructure rather than through lengthy codes enforced after the fact. The stakes are high. At issue is how nations can secure data sovereignty, protect privacy, and foster economic opportunity without throttling innovation.
READ | AI revolutionising fight against cancer and diabetes
Infrastructure as regulator
In Europe, regulators rely on detailed, ex-post enforcement. Companies must comply with legal provisions under GDPR, and violations attract heavy penalties. Enforcement, however, is slow and contested, creating legal uncertainty. In the United States, the absence of a comprehensive federal data law has meant that platforms determine standards. This has allowed innovation to flourish, but often at the expense of user rights and sovereign oversight.
India, by contrast, has experimented with building rules into the plumbing of digital infrastructure itself. The Aadhaar system, the Unified Payments Interface (UPI), and the broader India Stack illustrate this model. Authentication, consent layers, and data-sharing protocols are not merely aspirations; they are coded into the system. Every participant is bound by design. Compliance does not depend on after-the-fact penalties but on access protocols that make non-compliance nearly impossible.
This model is regulatory architecture in action. It ensures that principles of privacy, inclusion, and transparency are not optional add-ons but inherent features of digital transactions. Yet it must be acknowledged that not all domains are covered, and private actors still face prescriptive regulatory obligations in areas not served by digital infrastructure.
Sovereignty through system design
The debate over digital sovereignty has moved to the centre of geopolitics. Europe worries about being outpaced by American and Chinese platforms. India, wary of digital colonialism, has sought to build indigenous capacity. Embedding sovereignty into infrastructure has been central to this effort.
Take the example of the Data Empowerment and Protection Architecture (DEPA). The framework empowers individuals to share their data securely and selectively across banks, insurers, and fintech firms through consent managers. This shifts the balance of power towards the citizen while ensuring that domestic players operate on a level playing field. By embedding compliance in protocols, India makes it harder for foreign platforms to exploit regulatory gaps or forum shop.
Sovereignty, in this conception, is not simply about declaring jurisdiction over data stored within borders. It is about ensuring that the architecture of data flows respects national policy goals and empowers citizens.
The innovation trade-off
The central critique of Europe’s model is that it burdens start-ups with compliance costs that only large incumbents can bear. The GDPR has created an uneven playing field where smaller firms often struggle with complexity. The American model, while fostering innovation, has left citizens vulnerable to misuse of personal data and algorithmic harms.
India’s regulatory-by-design model claims to offer a middle path. By embedding compliance within infrastructure, it reduces the burden on innovators to individually build privacy or consent protocols. Start-ups can focus on product design rather than reinventing regulatory wheels. Citizens, in turn, are assured that basic protections are enforced automatically.
The trade-off lies in rigidity. Once protocols are hard-coded, they are difficult to modify as technology evolves. What begins as an innovation enabler could become an innovation constraint if governance mechanisms are not sufficiently flexible. Infrastructure presupposes reliable internet, digital literacy, and robust underlying civil registries—conditions that remain uneven across India.
Privacy and public trust
Public trust is the currency of the digital economy. Europe has sought to build it through rights-based frameworks. The United States has relied on market forces, with mixed results. India’s approach raises a fundamental question: does regulation by design adequately protect privacy?
Critics argue that embedding regulation into architecture risks creating centralised systems that may themselves become instruments of surveillance. Aadhaar, for instance, has faced scrutiny for potential misuse, biometric mismatches, and wrongful deactivations. Fraudulent tampering of identity data has also been reported. These episodes reveal that architecture alone cannot guarantee privacy or fairness. Independent oversight, transparency, and liability mechanisms remain essential safeguards.
At the same time, India’s model has shown that large-scale systems can incorporate consent as a default rather than an afterthought. The DEPA’s consent managers demonstrate how individual choice can be operationalised at scale, offering a measure of empowerment rarely seen in other jurisdictions.
Lessons for global standards
The global contest over standards is intensifying. Europe is exporting GDPR-style rules through trade agreements. The United States seeks to preserve the dominance of its platforms by resisting intrusive regulation. China promotes its own authoritarian model of state-controlled data ecosystems.
India’s experiment presents a credible alternative, especially for emerging economies. By embedding rules into infrastructure, it demonstrates how digital sovereignty and citizen protection can be achieved without paralysing innovation. The approach has already sparked conversations around a potential “Euro Stack” in Brussels, reflecting the influence of India’s model.
Yet India must guard against complacency. Regulatory-by-design cannot substitute vigilant law-making. Nor can it excuse opacity in how protocols are shaped. For India to be a rule-shaper rather than a rule-taker, its systems must remain transparent, interoperable, and globally credible.
Data governance: A forward-looking prescription
The future of digital governance will not be determined by legislative texts alone. It will be shaped by the architecture of systems through which billions transact, communicate, and innovate. For India, the path forward requires balancing innovation, sovereignty, and citizen protection with foresight.
Flexibility must be retained in the design of digital infrastructure so that governance can adapt to technological change rather than be trapped by outdated protocols. Independent oversight institutions need strengthening to prevent regulatory-by-design from degenerating into regulatory capture or state surveillance. Interoperability with global frameworks must remain a priority, allowing India to preserve economic opportunity while asserting sovereign rights. And policymakers must build technological literacy. They need not be coders, but they must understand how architecture can embody democratic principles and advance national interest.
India’s “third way” is still an experiment, but one watched closely by both Europe and the United States. By embedding principles into infrastructure, India has created a model that promises both sovereignty and innovation. Whether it can sustain this balance will determine not only the trajectory of India’s digital economy but also the contours of global standards in the decades ahead.