
The Privacy Impact of India Stack and Digital Public Infrastructure

India Stack is brilliant engineering. It's also the most extensive personal data infrastructure any democracy has ever built. Holding both of those thoughts at once is where the interesting conversation starts.

Rajesh Kumar
14 min read

I disagree with the people who say India Stack is a surveillance project. I also disagree with the people who say it's purely a force for good and that any privacy concern is just fear-mongering. The truth, as it usually does, sits in an uncomfortable middle ground where you have to hold two contradictory ideas at once: India Stack is genuinely one of the most impressive pieces of public digital infrastructure ever built, and it creates privacy risks at a scale that no democracy has dealt with before. Dismissing either half of that sentence makes the conversation worse.

Let me tell you what I mean, because I've spent a lot of time thinking about this, and I think the way we talk about India Stack in privacy circles — always critical, always alarmist — misses something real about what it's achieved. And the way it gets talked about in government circles — always triumphant, always defensive about criticism — misses something equally real about what it risks.

What India Stack Actually Is

If you're not familiar with the specifics, India Stack is a set of interconnected digital public infrastructure layers built on open APIs. The bottom layer is Aadhaar — biometric identity for 1.4 billion people, linking fingerprints and iris scans to a unique 12-digit number. Above that sits UPI, the real-time payments system that processes over 14 billion transactions a month. Then there's DigiLocker for document storage and verification, Account Aggregator for consent-based financial data sharing, ABHA for digital health records, and ONDC for decentralised e-commerce. Each layer builds on the ones below it. Together, they form the backbone of India's digital economy.

The scale of what India has done here is hard to overstate. UPI alone has transformed how 300+ million Indians transact — from street vendors to multinational corporations, everyone uses it. DigiLocker has reduced the need for physical documents in ways that save real time and hassle for ordinary citizens. The Account Aggregator framework, when it works properly, lets people share their financial data with lenders in a structured way rather than handing over stacks of paper bank statements. This is infrastructure that other countries are actively studying and, in some cases, trying to replicate. That's a genuine achievement, and pretending it isn't doesn't strengthen the privacy argument — it weakens it by making critics seem like they're arguing in bad faith.

But — and this "but" is where my agreement with the enthusiasts ends — every one of these layers generates, stores, and processes massive quantities of personal data. And the layers are interconnected. Your Aadhaar number links to your bank accounts via UPI, to your tax records, to your mobile number, to your health records via ABHA, to your educational documents via DigiLocker. When one identifier connects to this many systems, it creates what privacy researchers call a correlation risk — the ability to build a detailed, full-spectrum profile of any citizen by pulling threads from different databases. That capability exists regardless of whether anyone intends to misuse it. The risk is structural, not intentional, and structural risks are the hardest to fix because they're built into the architecture.

Aadhaar: The Foundation and the Fault Line

Aadhaar is where the privacy tension is sharpest. Collecting biometric data — fingerprints and iris scans — from 1.4 billion people and storing it in a centralised database is, by definition, one of the largest collections of biometric data in human history. The Aadhaar Act includes restrictions on how this data can be accessed and used. UIDAI (the Unique Identification Authority of India) has technical safeguards, including encryption of biometric data and restrictions on who can request authentication.

The problem isn't the existence of safeguards. It's the scope of linkage. Aadhaar was originally designed for welfare delivery — ensuring that government benefits reached the right people. Over the years, it's become mandatory or quasi-mandatory for filing income taxes, opening bank accounts, getting a mobile connection, registering for government schemes, and dozens of other purposes. Each new linkage adds another system that connects to the same identifier. The more systems that link to Aadhaar, the more complete the potential profile becomes, and the more damage a breach or misuse could cause.

The Supreme Court's 2018 judgement in the Aadhaar case upheld the scheme's constitutionality but struck down some linkages (particularly to bank accounts and mobile numbers for private entities) and emphasised that collection must be proportionate to the purpose. In practice, the linkages have continued to expand. The government frames each new linkage as a step toward efficiency and transparency. Privacy advocates see each one as another thread in a web that, once fully woven, becomes very difficult to unweave.

UIDAI introduced the Virtual ID system in 2018, which lets you generate a temporary 16-digit number linked to your Aadhaar that can be used for authentication without revealing your actual Aadhaar number. This is a good idea. Adoption has been modest, partly because many services still ask for the actual Aadhaar number rather than accepting the Virtual ID, and partly because most citizens don't know it exists. If you have an Aadhaar number — and statistically, you almost certainly do — go to uidai.gov.in and generate a Virtual ID. Use it wherever it's accepted. Lock your biometrics when you're not actively authenticating. These are small measures, but they're the ones within your control.
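To make the correlation risk from the earlier section concrete, and to show why a per-service identifier such as the Virtual ID breaks it, here is an added illustration that is not part of the original essay. The three datasets are constructed, the 12-digit number is a made-up sample, and the HMAC-based per-service token is a simplification of the Virtual ID idea, not UIDAI's actual mechanism.

```python
import hmac
import hashlib

# Constructed sample records: three hypothetical services that each key their
# data on the same national identifier. All values are made up.
SAMPLE_ID = "123456789012"
BANK = {SAMPLE_ID: {"upi_monthly_spend_inr": 42000}}
HEALTH = {SAMPLE_ID: {"abha_condition": "type-2 diabetes"}}
TELCO = {SAMPLE_ID: {"mobile": "+91-9XXXXXXXXX"}}


def build_profile(identifier, *datasets):
    """Join every dataset on the shared identifier.

    With one key used everywhere, a single lookup stitches the separate
    records into the full-spectrum profile the essay warns about."""
    profile = {}
    for ds in datasets:
        profile.update(ds.get(identifier, {}))
    return profile


def service_token(identifier, service_key):
    """Derive a per-service pseudonym (simplified stand-in for a Virtual ID).

    A keyed hash per relying party means the token held by the bank cannot be
    matched against the token held by the hospital or the telco."""
    mac = hmac.new(service_key, identifier.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def rekey_per_service(identifier, records, service_keys):
    """Store each service's record under that service's own token."""
    return [{service_token(identifier, key): rec}
            for rec, key in zip(records, service_keys)]


def linkable(datasets):
    """True if any key appears in more than one dataset, i.e. they can be joined."""
    seen = set()
    for ds in datasets:
        for key in ds:
            if key in seen:
                return True
            seen.add(key)
    return False
```

With the shared identifier, `linkable([BANK, HEALTH, TELCO])` is true and `build_profile` returns all three records; after `rekey_per_service`, the same data is no longer joinable.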

UPI: Convenience and the Data Trail

UPI is, by any reasonable measure, a triumph of payment infrastructure. It's fast, it's free (for most transactions), it works across banks, and it's been adopted at a rate that shocked even its creators. The vegetable vendor outside my apartment in Hyderabad has a QR code taped to his pushcart. My 68-year-old mother uses UPI to pay her building's maintenance fee. That's remarkable adoption.

What UPI also creates is a complete record of financial behaviour. Every transaction — who paid whom, how much, when, where, for what — flows through the system. NPCI (National Payments Corporation of India) sits at the centre of this data flow, though individual transactions are processed between banks. The privacy policy governing UPI transaction data is... let's say permissive. NPCI's terms allow data to be shared with "regulators, government agencies, and partner institutions" in fairly broad terms. The specific conditions under which this sharing happens aren't as clearly bounded as privacy advocates would like.

Think about what a complete UPI transaction history reveals about a person. Where they eat, how often they order food, what their monthly grocery bill is, whether they drink alcohol (and how much they spend on it), which doctors they visit, which tutoring service they pay for their children, how much rent they pay, which political party they've donated to, which religious institution they support. That's not a payment history — that's a biography. And it's sitting in databases with access policies that most people have never read and couldn't influence even if they had.

I don't think there's a conspiracy here. I think the data collection is a byproduct of the system's design rather than its purpose. But byproducts don't stay unused forever. Data that exists gets used — by regulators, by law enforcement, by analytics teams looking for insights, by whoever can make a case for access. The question isn't whether UPI data will be used beyond its original purpose. The question is how and by whom, and whether meaningful oversight exists when it happens.

The Account Aggregator (AA) framework is probably the most thoughtfully designed piece of India Stack from a privacy perspective, and even it has problems. The idea is elegant: your financial data (bank statements, insurance records, investment portfolios) sits with various Financial Information Providers (FIPs). When a lender or service needs your data, they request it through an Account Aggregator, and you, the customer, approve or deny the request through a consent artefact that specifies what data is being shared, with whom, for how long, and for what purpose.

In theory, this is informed consent done right. In practice, the consent artefact is a technical document that most users don't read. A fintech app asks you to share your bank statements for a loan application. A screen appears with details about the data being requested. Most people tap "Approve" the way they tap "Accept All" on a cookie banner — quickly, without reading, because they want the loan and this is the thing standing between them and the loan. The consent framework becomes a speed bump rather than a meaningful decision point.

There's also the question of data retention. When you consent to share six months of bank statements with a lender, how long does the lender keep that data? The consent artefact specifies a retention period, but enforcement of retention limits is another matter entirely. Once data leaves the AA system and lands in a lender's database, the practical ability to ensure it's deleted after the specified period depends entirely on the lender's compliance, and compliance in the Indian fintech sector is, to put it mildly, uneven.
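The questions the consent artefact is supposed to answer (what data, with whom, for how long, and how long it is kept) can be checked mechanically before anyone taps Approve. The following is an added example, not code from the essay or from the Account Aggregator ecosystem: the artefact below is constructed, its field names are hypothetical rather than the real AA schema, and the policy limits are illustrative.

```python
import json
from datetime import date, timedelta

# Constructed, simplified consent artefact (hypothetical field names).
CONSENT_JSON = """{
  "requester": "ExampleLendingApp",
  "purpose": "Personal loan underwriting",
  "data_types": ["bank_statement", "deposit"],
  "data_range_months": 6,
  "fetch_mode": "periodic",
  "consent_valid_until": "2026-06-30",
  "retention_days": null
}"""

# Illustrative limits a cautious user (or a wallet app acting for them) might apply.
POLICY = {
    "max_data_range_months": 6,
    "max_retention_days": 90,
    "max_consent_days": 30,
    "allowed_fetch_modes": {"onetime"},
}


def review_consent(artefact_text, policy, today):
    """Return the reasons to deny this consent; an empty list means it passes.

    Each check maps to one of the things the artefact states: the data range,
    how long the requester may keep pulling, and how long it may retain data.
    A null retention period is treated as a request for indefinite retention."""
    art = json.loads(artefact_text)
    reasons = []
    if art.get("retention_days") is None:
        reasons.append("indefinite retention requested")
    elif art["retention_days"] > policy["max_retention_days"]:
        reasons.append("retention of %dd exceeds %dd"
                       % (art["retention_days"], policy["max_retention_days"]))
    if art["data_range_months"] > policy["max_data_range_months"]:
        reasons.append("data range wider than the stated purpose needs")
    valid_until = date.fromisoformat(art["consent_valid_until"])
    if valid_until - today > timedelta(days=policy["max_consent_days"]):
        reasons.append("consent window longer than policy allows")
    if art["fetch_mode"] not in policy["allowed_fetch_modes"]:
        reasons.append("fetch mode %r permits repeated pulls" % art["fetch_mode"])
    if not art.get("purpose"):
        reasons.append("no stated purpose")
    return reasons
```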

ABHA and Health Data

The Ayushman Bharat Health Account (ABHA) is newer and less widely adopted than Aadhaar or UPI, but it's the piece of India Stack I worry about most. Health data is among the most sensitive categories of personal information. Your health records contain information about chronic conditions, mental health treatment, reproductive health, substance use, genetic predispositions, and other deeply private matters that can affect your insurance premiums, your employment prospects, your social relationships, and your sense of self.

ABHA aims to create a unified digital health ID that links your medical records across hospitals, clinics, pharmacies, and labs. The benefits are real — no more carrying files between doctors, no more repeating your medical history at every new clinic, uninterrupted access to your records anywhere in the country. For a healthcare system as fragmented as India's, the coordination benefits are substantial.

The concerns are equally real. Who can access your health records? Under what conditions? Can your employer see them? Can an insurance company use them to deny coverage? What about the small clinic in a tier-3 town that joins the system — does it have the cybersecurity infrastructure to protect the data it now has access to? A large corporate hospital might have a dedicated IT security team. A two-doctor clinic in a small town probably doesn't. Yet both would be part of the same interconnected system.

The DPDPA 2023 applies to health data processing, but the Act includes broad exemptions for government processing in the interest of public health. How broadly those exemptions will be interpreted is an open question. A narrow interpretation protects patients. A broad interpretation could, hypothetically, allow government agencies to access health records for purposes well beyond individual care — population surveillance, insurance risk assessment, or law enforcement investigations.

The DPDPA and Government Exemptions

I want to be fair about the DPDPA. It's India's first full-scope data protection law, and getting it passed was itself an achievement after years of debate and multiple draft versions. It establishes principles like purpose limitation, consent requirements, data minimisation, and the right to erasure. These are sound principles, and their existence in Indian law matters.

The exemption for government agencies is the elephant in the room, though. Section 17 allows the Central Government to exempt any government instrumentality from provisions of the Act on grounds of sovereignty, security of the state, public order, and several other broadly defined categories. This means that the same government that operates India Stack can also exempt its own agencies from the data protection requirements that apply to private companies. The scope of these exemptions will depend on how they're notified and interpreted, and as of early 2026, the full picture isn't clear yet.

The Puttaswamy judgement provides a constitutional floor — privacy is a fundamental right, and any interference must meet the tests of legality, necessity, and proportionality. This is meaningful. It means that overly broad exemptions can be challenged in court. But litigation is slow, expensive, and available mainly to those with resources. The street vendor using UPI and the farmer enrolling in ABHA don't have access to the Supreme Court as a practical remedy.

There's also the question of what "national security" means in practice when applied to data access. The phrase covers a lot of ground — legitimate counterterrorism needs, certainly, but also potentially political surveillance, profiling of dissidents, or monitoring of journalists. History, in India and elsewhere, shows that broad surveillance powers granted for one purpose tend to expand to others over time. The DPDPA's exemption doesn't define "national security" narrowly, and the checks on how the exemption is invoked are procedural rather than substantive. A government agency invoking the exemption doesn't need judicial approval — it just needs to notify the Board, which raises questions about whether the Board will ever have the political independence to push back on an overreaching exemption claim.

What You Can Actually Do

Use your Aadhaar Virtual ID instead of your actual number whenever a service accepts it. Lock your biometrics at uidai.gov.in when you don't need them — this prevents anyone from authenticating as you using your fingerprint or iris scan until you unlock them. Check your Aadhaar authentication history periodically; it shows you every entity that authenticated your identity, which can reveal unauthorised usage.

For Account Aggregator flows, actually read the consent artefact before approving. I know that sounds tedious, and it is, but it takes thirty seconds to check what data is being shared and for how long. If the retention period seems excessive (some request indefinite retention), deny the consent and ask the lender why they need your data forever.

Advocate for stronger enforcement. This one's harder to action, but it matters. Respond to public consultations when the government publishes draft rules (these are posted on meity.gov.in). Support civil society organisations working on digital rights in India — IFF (Internet Freedom Foundation), SFLC.in, and others. Follow the Data Protection Board's decisions once it becomes operational. An informed citizenry is the only real check on institutional overreach in a system this large.

I keep thinking about an analogy that's probably imperfect but feels directionally right. India Stack is like a brilliantly designed highway system. It moves people faster, connects places that were isolated, and creates economic opportunities that didn't exist before. It's also a system where every vehicle is tracked, every journey is logged, and the operator of the highway has, in principle, access to every trip ever taken. Nobody built the highway for surveillance. They built it for transportation. But the surveillance capability is a byproduct of the design, and byproducts have a way of finding uses. Whether those uses remain benign depends on institutions, oversight, and political will — things that are harder to engineer than software and less reliable than cryptography. And I find myself wondering, sometimes, whether we've built the infrastructure faster than we've built the institutions that need to govern it. Which brings me to a whole separate question about the pace of digital transformation versus the pace of democratic accountability, but that's probably a different essay, and I've gone on long enough here.


Written by

Rajesh Kumar

Founder & Chief Editor

Rajesh Kumar is a cybersecurity expert with over 12 years of experience in digital privacy and data protection. He has worked with CERT-In and various Indian enterprises to strengthen their data security practices. He founded PrivacyTechIndia to make privacy awareness accessible to every Indian.
