Digital Public Infrastructure (DPI) in India: Privacy Implications of UPI, DigiLocker, and CoWIN

POSTED ON OCTOBER 13, 2025 BY DATA SECURE

Related Blogs

Deep Fake Technology in India: Legal Framework for Misinformation and Image Rights
EU Data Act in Force: Essential Gudie for Privacy Professionals
Cybersecurity in Indian Banking: RBI Guidelines and the Evolving Threat Landscape
fine

Introduction

India’s ambitious push towards a digital economy has given rise to a robust framework of Digital Public Infrastructure (DPI), designed to streamline governance, promote financial inclusion, and enhance citizen access to essential services. At the heart of this transformative effort are platforms like the Unified Payments Interface (UPI), DigiLocker, and CoWIN, which have revolutionised payments, digital identity, and public health management, respectively. These systems exemplify how technology can bridge gaps in accessibility and efficiency, especially in a diverse and populous country like India. However, as these digital platforms increasingly collect, store, and process sensitive personal data, serious questions emerge regarding user privacy, data security, and individual autonomy.

Understanding Digital Public Infrastructure (DPI) in India:

fine

Digital Public Infrastructure (DPI) refers to the essential digital platforms and systems that enable the efficient delivery of public services such as identification, payments, health services, education, and governance. It can be understood as an intermediary layer within the broader digital ecosystem. Structurally, DPI sits atop a physical layer, including connectivity infrastructure, devices, servers, data centres, and routers, and supports an applications layer that delivers diverse solutions such as e-commerce, cash transfers, remote education, telehealth, and information services. At its core, DPI aims to improve the efficiency, transparency, inclusion, and innovation of public service delivery. By providing foundational building blocks, DPI plays a critical role in addressing global challenges such as poverty reduction, climate resilience, and digital transformation, while empowering citizens through digital inclusion.

Three Pillars of Digital Public Infrastructure:

India’s approach to DPI is pioneering. Through the India Stack Platform, India became the first country in the world to develop the three foundational pillars of DPI:

  • Digital Identity: Implemented through Aadhaar, India’s unique identity system provides citizens with a digital identity that enables seamless authentication for a wide range of services.
  • Real-Time Payment System: Unified Payments Interface (UPI) enables fast, interoperable, and cost-effective digital financial transactions, contributing significantly to financial inclusion.
  • Consent-Based Data Sharing: DigiLocker and similar platforms empower citizens to store and share personal documents securely, giving them control over their data without compromising privacy.

These foundational Digital Public Infrastructures (DPIs) facilitate three crucial flows that are central to their functioning. First, they enable the flow of people through digital identification systems, allowing individuals to establish and verify their identity seamlessly across various services. Second, they manage the flow of money via real-time fast payment systems such as UPI, enabling instant and secure financial transactions. Third, they regulate the flow of personal information through consent-based data-sharing systems, empowering citizens to control how their personal data is collected, stored, and shared across different platforms while maintaining privacy and security.

India’s Digital Economy - Highlights:

fine

India’s digital economy has rapidly expanded, contributing ₹31.64 lakh crore (approximately 11.74% of GDP) in 2022–23, with projections to reach 13.42% by 2024–25. The digital sector employs approximately 14.67 million workers, and the gig economy is expected to grow to 235 million workers by 2029–30. Remarkably, digital sector productivity is reported to be five times higher than traditional sectors.

India also stands out globally as a hub for Global Capability Centres (GCCs), housing over 2,975 GCCs, which account for more than 50% of the world’s GCCs. UPI’s role in digital payments has been transformative, with its market share reaching approximately 90% of all mobile payment transactions and 80–85% of retail digital payments by mid-2025. In August 2025 alone, UPI processed more than 20 billion transactions in a single month, valued around ₹24.85 lakh crore, with annual volumes surpassing previous projections.

India’s model has inspired global initiatives such as the World Bank’s ID4D Initiative, which supports foundational ID systems in at least 132 countries, and the G2Px programs that improve government-to-person digital payments in 35 countries. The Modular Open Source Identity Platform (MOSIP) has been adopted by 11 countries, including Morocco, the Philippines, and Sri Lanka, further extending the vision of DPI globally.

Challenges in Digital Public Infrastructure:

fine

While Digital Public Infrastructure (DPI) holds immense promise in transforming governance, improving service delivery, and enabling financial and digital inclusion, its implementation in India faces multiple challenges. These challenges not only impact the effectiveness of DPI but also raise serious concerns about privacy, equity, and sustainability.

  • Digital Divide and Access Issues: A significant barrier to the success of DPI in India is the digital divide, particularly between urban and rural areas. Despite rapid digitalization, only 39% of rural households have internet access, limiting their ability to benefit from services such as UPI, DigiLocker, and CoWIN. Additionally, 38% of the population is digitally illiterate, lacking even basic digital skills, which severely restricts the use of e-governance services. Marginalized groups such as women, the elderly, and persons with disabilities face even more significant barriers to digital inclusion. This digital exclusion prevents the most vulnerable from fully participating in the benefits of digital public services.
  • Cybersecurity Concerns: As DPI expands, so does its exposure to cybersecurity threats. India witnessed a sharp 175% surge in phishing attacks in 2024, according to the Digital Threat Report. Furthermore, between June 2018 and March 2022, Indian banks recorded 248 successful data breaches due to hackers and criminals exploiting system vulnerabilities. Such attacks put sensitive personal data and financial transactions at risk, undermining public trust in digital systems.
  • Data Privacy and Protection: Data Privacy and Protection: India now has a comprehensive data protection framework in the form of the Digital Personal Data Protection Act, 2023 (DPDP Act), which was enacted in August 2023. The DPDP Act, together with Draft Digital Personal Data Protection Rules published for consultation in 2025, establishes strong consent requirements, individual rights, and data fiduciary obligations. While the Act is in force, most operational rules are pending notification by the Ministry of Electronics and Information Technology. This marks a major step forward in privacy regulation, although challenges remain regarding effective implementation and enforcement. The Aadhaar system itself continues to face periodic concerns about data misuse and consent mechanisms, underlining the need for robust oversight.
  • Infrastructure Challenges: India’s digital infrastructure remains inadequate in many areas. Inconsistent electricity supply, slow broadband rollout, and limited access to affordable devices hinder the ability of DPI systems to function effectively, especially in rural and remote regions. Without reliable infrastructure, large segments of the population are excluded from accessing digital services, worsening existing inequalities.
  • Market Concentration and Privatisation Risks: Another significant challenge is the growing market concentration within the UPI payment ecosystem. While UPI has democratized access to digital payments, in practice, a large share of transactions is dominated by a few major private players, with PhonePe and Google Pay together accounting for over 80% of all UPI transactions, and PhonePe alone processing nearly 9 billion monthly transactions in mid-2025. This concentration limits competition and creates high entry barriers for smaller players and new innovators, raising concerns about monopolistic practices. Such dominance can stifle innovation and lead to an uneven playing field, where a handful of firms control critical infrastructure without sufficient regulatory oversight, potentially exploiting their position to expand into other sectors using the vast troves of user data collected.
  • Data Exploitation and Innovation Concerns: The vast troves of data collected by DPI systems can be exploited by private players to build unfair competitive advantages, undermining the principle of citizen empowerment. Without strong regulatory frameworks, data collected for public service delivery may be repurposed for private commercial gain, eroding trust in the system. Government-supported DPIs might also unintentionally entrench private players, without fostering a competitive or innovation-driven market. The lack of clear regulations further widens the gap between private incentives and public good, allowing firms to dominate without sufficient accountability.

The Way Forward:

To ensure Digital Public Infrastructure (DPI) continues to drive innovation while protecting public interest, clear roles and responsibilities must be defined for public and private players, promoting accountability and transparency. A structured governance framework, similar to those used in infrastructure projects, can provide effective oversight of public-private partnerships. A balanced approach combining statutory regulation for sensitive areas with soft law guidelines for industry best practices will help protect data privacy without stifling innovation. Strengthening cybersecurity measures is essential to prevent data breaches, while improving digital literacy will empower citizens to access and use digital services effectively. These steps are crucial to making DPI inclusive, secure, and sustainable.

Conclusion:

Digital Public Infrastructure (DPI) has revolutionized service delivery in India by providing scalable, efficient, and inclusive solutions through platforms such as Aadhaar, UPI, DigiLocker, and CoWIN. These systems have significantly improved access to identification, financial services, and health management, empowering millions of citizens and driving the country’s digital transformation. However, the rapid expansion of DPI also brings serious challenges. Issues such as the digital divide, cybersecurity threats, data privacy concerns, market concentration, and inadequate regulatory frameworks highlight the risks of unregulated growth. Digital colonization, exploitation of personal data, and the privatisation of public services remain pressing concerns that require urgent attention. A balanced approach that clearly defines the roles of government and private players, coupled with flexible yet robust regulation, is essential. Such an approach can help ensure that DPIs continue to foster innovation, enhance service delivery, and promote financial and digital inclusion, while safeguarding citizen privacy and public interest in the long run.

We at Data Secure (Data Privacy Automation Solution) DATA SECURE - Data Privacy Automation Solution  can help you to understand EU GDPR and its ramificationsand design a solution to meet compliance and the regulatoryframework of EU GDPR and avoid potentially costly fines.

We can design and implement RoPA, DPIA and PIA assessments for meeting compliance and mitigating risks as per the requirement of legal and regulatory frameworks on privacy regulations across the globe especially conforming to GDPR, UK DPA 2018, CCPA, India Digital Personal Data Protection Act 2023. For more details, kindly visit DPO India – Your outsourced DPO Partner in 2025 (dpo-india.com).

For any demo/presentation of solutions on Data Privacy and Privacy Management as per EU GDPR, CCPA, CPRA or India DPDP Act 2023 and Secure Email transmission, kindly write to us at info@datasecure.ind.in or dpo@dpo-india.com.

For downloading the various Global Privacy Laws kindly visit the Resources page of DPO India - Your Outsourced DPO Partner in 2025

We serve as a comprehensive resource on the Digital Personal Data Protection Act, 2023 (Digital Personal Data Protection Act 2023 & Draft DPDP Rules 2025), India's landmark legislation on digital personal data protection. It provides access to the full text of the Act, the Draft DPDP Rules 2025, and detailed breakdowns of each chapter, covering topics such as data fiduciary obligations, rights of data principals, and the establishment of the Data Protection Board of India. For more details, kindly visit DPDP Act 2023 – Digital Personal Data Protection Act 2023 & Draft DPDP Rules 2025

We provide in-depth solutions and content on AI Risk Assessment and compliance, privacy regulations, and emerging industry trends. Our goal is to establish a credible platform that keeps businesses and professionals informed while also paving the way for future services in AI and privacy assessments. To Know More, Kindly Visit – AI Nexus Your Trusted Partner in AI Risk Assessment and Privacy Compliance|AI-Nexus