Introduction
India’s Digital Public Infrastructure (DPI) stack, popularly referred to as “India Stack,” represents one of the most ambitious and consequential experiments in state-led digital infrastructure in the world. Comprising Aadhaar for identity, UPI for payments, DigiLocker for document storage, the Account Aggregator framework for consented data sharing, and the Open Network for Digital Commerce (ONDC) for e-commerce, India Stack has transformed the delivery of government services, the architecture of financial inclusion, and the structure of consumer markets at a scale and speed that has drawn both admiration and concern from policymakers and scholars internationally.
Yet the legal architecture underpinning these systems is uneven, sometimes overlapping, and in critical respects inadequately developed. The governance frameworks for each layer of India Stack were designed largely in isolation, with different regulatory anchors, different accountability mechanisms, and different approaches to user rights. The result is a set of interlocking infrastructure systems whose combined social and economic significance vastly exceeds what any individual regulatory instrument contemplated at the time of its creation. This article examines the legal basis for each component of India Stack, the constitutional adjudication of Aadhaar, the governance concerns arising from the concentration of digital identity infrastructure, and the accountability gap that exists when these systems fail.
Legal Framework
The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 provides the statutory basis for India’s unique biometric identity system, administered by the Unique Identification Authority of India (UIDAI). The Act authorises UIDAI to collect demographic and biometric data and to issue a twelve-digit Aadhaar number to every resident of India. It also defines the permissible uses of Aadhaar, the obligations of entities that use Aadhaar for authentication, and the data protection standards applicable to the Aadhaar ecosystem.
Crucially, the Aadhaar Act was passed as a Money Bill under Article 110 of the Constitution, which exempts it from scrutiny by the Rajya Sabha. This classification was challenged in the Puttaswamy litigation as a constitutional impropriety, and a minority of judges on the five-judge bench agreed that the Money Bill classification was incorrect. The majority upheld the classification, but the question remains contested in academic commentary and in pending review proceedings.
UPI (Unified Payments Interface) is governed not by a dedicated statute but through a layered regulatory framework. The Reserve Bank of India exercises oversight over the payments ecosystem under the Payment and Settlement Systems Act, 2007. The National Payments Corporation of India (NPCI), a not-for-profit organisation promoted by public and private sector banks with RBI support, operates UPI as a retail payment system. The legal relationship between NPCI, member banks, payment service providers (PSPs), and end users is governed by NPCI’s operational circulars, interoperability guidelines, and the terms and conditions of individual PSPs. This framework has no single statutory instrument governing UPI specifically, creating a regulatory architecture that relies heavily on NPCI’s quasi-regulatory authority rather than parliamentary legislation.
DigiLocker, the government’s digital document wallet service, operates under the IT Act 2000, which provides the general framework for electronic records and digital signatures. Rule 9A of the IT (Preservation and Retention of Information by Intermediaries Providing Digital Locker Facilities) Rules, 2016 provides specific guidance for digital locker operators. Documents stored in DigiLocker that are issued directly by government agencies are deemed to be original documents for all purposes, a provision that has significant implications for the legal status of e-documents in court proceedings and administrative processes.
The Account Aggregator (AA) framework, established through a series of RBI Master Directions in 2016 and subsequently extended through inter-regulatory collaboration to cover data from SEBI, IRDAI, and PFRDA-regulated entities, is built on the concept of consent-based data sharing. An Account Aggregator is an RBI-licensed NBFC that acts as a pure data relay, enabling individuals to share their financial data from one regulated entity to another without the AA itself being able to read the data. The framework is technically elegant and privacy-preserving by design, but its legal basis, RBI Master Directions rather than a statute, limits its enforceability and creates jurisdictional ambiguity for non-RBI-regulated data sources.
ONDC (Open Network for Digital Commerce) is a DPIIT initiative that seeks to democratise e-commerce by creating an open protocol layer (based on the Beckn Protocol) over which any buyer application and seller application can interoperate. ONDC itself is incorporated as a Section 8 company (non-profit) and operates as a network orchestrator rather than a direct participant. The regulatory basis for ONDC is not a dedicated statute; it operates within the existing legal frameworks for e-commerce, consumer protection, and competition law. The Consumer Protection (E-Commerce) Rules, 2020 apply to sellers on ONDC as they would to any e-commerce entity.
Judicial Developments
The Supreme Court’s nine-judge Constitution Bench judgment in Justice K.S. Puttaswamy v. Union of India (2018), the Aadhaar case, is the foundational judicial pronouncement on India Stack’s constitutional legitimacy. By a 4:1 majority (with Justice D.Y. Chandrachud dissenting in full), the Court upheld the Aadhaar Act as constitutionally valid but imposed important limitations. The Court struck down Section 57, which had permitted private entities to use Aadhaar for authentication, holding that private use created privacy risks that the Aadhaar Act’s framework was not designed to address. It also struck down the requirement that bank accounts be mandatorily linked to Aadhaar and limited the mandatory Aadhaar requirement for welfare benefit delivery to programs funded from the Consolidated Fund of India.
Justice Chandrachud’s dissent, often characterised as the most significant dissent in the Supreme Court’s history on a technology law question, argued that Aadhaar created the infrastructure for a surveillance state and that the majority’s safeguards were insufficient to prevent the system from being repurposed for pervasive tracking of citizens. He also argued that the Money Bill classification was unconstitutional and that the Act suffered from fundamental privacy deficiencies.
The restriction on private entity use of Aadhaar was partially addressed by the Aadhaar and Other Laws (Amendment) Act, 2019, which introduced a voluntary use framework allowing individuals to consent to using Aadhaar for private entity authentication. The constitutionality of this amendment has been challenged and remains pending.
Contemporary Issues and Analysis
The concentration of critical digital identity infrastructure in government-controlled entities raises governance concerns that have not been adequately addressed in the legal framework. UIDAI is both the operator of the Aadhaar database, the standard-setter for Aadhaar authentication, and the primary enforcement authority for Aadhaar data protection. This concentration of functions in a single agency creates conflicts of interest and limits independent oversight.
The accountability gap becomes most acute when DPI systems fail. Authentication failures on the Aadhaar platform have denied beneficiaries access to MGNREGA wages, ration entitlements, and pension payments, as documented in multiple studies and by parliamentary committees. The legal remedy available to an individual denied their entitlement because of an Aadhaar authentication failure is unclear. The DPDP Act’s Data Protection Board focuses on data protection violations rather than service delivery failures. The IT Act’s adjudicatory mechanism under Section 46 applies to compensation for data breaches and not to service denial. The consumer protection framework may apply but faces jurisdictional complexity when the service failure involves a government system.
The national security concentration risk in India Stack also deserves more analytical attention than it has received. A single point of failure in the Aadhaar authentication system could disrupt welfare delivery, financial access, and digital services simultaneously across hundreds of millions of users. The AIIMS ransomware attack demonstrated that even well-resourced government institutions are vulnerable to sophisticated cyberattacks. The resilience architecture of UIDAI’s systems, while subject to internal audit, is not subject to the kind of transparent public security review that the scale of dependence on these systems would warrant.
Comparative and International Perspective
India has actively promoted its DPI model as a global public good, particularly in the context of the G20 under India’s presidency in 2023. The G20 adopted the Digital Public Infrastructure Framework, which drew heavily on Indian experience. Multiple developing countries have expressed interest in adopting UPI-like payment systems or Aadhaar-like identity systems with Indian technical assistance.
The European Union’s approach to digital identity, reflected in the revised eIDAS Regulation (eIDAS2) adopted in 2024, takes a fundamentally different governance approach. The EU Digital Identity Wallet is envisaged as a citizen-controlled credential store in which the citizen decides what identity attributes to share with which service providers, with no central government database of transactions. This stands in contrast to Aadhaar’s centralised authentication architecture, in which every authentication is logged by UIDAI. The EU model prioritises user sovereignty over system efficiency; the Indian model has prioritised scalability and state-managed service delivery over user control.
Estonia’s X-Road data exchange layer provides another comparative model, operating as an interoperability infrastructure for government and private sector data exchange with strong cryptographic guarantees and a distributed architecture that avoids the single-point-of-failure risk of centralised databases.
Practical and Policy Implications
For individuals and businesses interacting with India Stack, the practical implications of the governance gap are significant. Individuals who experience authentication failures affecting their entitlements have no clearly designated grievance redressal authority with the power to provide effective and timely remedy. Businesses integrating with ONDC or the Account Aggregator framework must navigate a complex web of NPCI, RBI, DPIIT, and SEBI guidance that lacks the clarity of a unified statutory framework.
For foreign governments and development finance institutions considering adopting or funding India-Stack-style systems, the governance concerns identified here have direct relevance to the conditionalities and safeguards that should be negotiated. A DPI model exported without its governance weaknesses being rectified would replicate the accountability gaps as well as the functional achievements.
Suggestions and Reforms
India needs a consolidated DPI Governance Act that brings all layers of India Stack under a unified legal framework with clear rules on accountability, user rights, and interoperability standards. Such legislation should establish an independent DPI Oversight Board with representatives from civil society, technical experts, and representatives of state governments, given the primary role of state governments in welfare delivery through DPI systems.
The Act should codify the right of any individual denied a service or entitlement because of a DPI system failure to receive a remedy including alternate authentication options, manual override mechanisms, and compensation for delay or denial. It should impose mandatory transparency reporting on the availability, failure rates, and authentication success rates of each DPI layer. And it should establish regular independent security audits of the critical infrastructure layers, with public summaries of audit findings.
Conclusion
India Stack’s achievements in financial inclusion, identity verification, and digital service delivery are genuine and significant. The legal architecture that underpins it, however, reflects the circumstances of its creation: ad hoc, sector-specific, and developed at a pace that left governance framework-building behind. As India promotes its DPI model globally and as the dependence of Indian citizens on these systems deepens, the urgency of building a robust, rights-centred, and accountable governance architecture grows correspondingly. The question is not whether India Stack is valuable, it clearly is, but whether its governance is worthy of the trust that hundreds of millions of people have been asked to place in it.