The DPI-DPDP Paradox: How the Act Under-Protects Public Infrastructure
- Vighnesh Kumar
- 5 days ago
[Vighnesh is a student at National Law University Odisha.]
Digital public infrastructure (DPI), a relatively new term that has gained prominence with the rise of digital awareness among individuals, describes a comprehensive network of digital building blocks needed to deliver public services across sectors. Like roads and highways, DPI creates a digital highway that ensures a free and smooth flow of services across sectors. By 2030, the value derived from DPI is expected to increase threefold, driven by an evolution of existing entities. India’s DPI rests on three core pillars: identity, payments, and data. Identity, which manages the flow of people, is provided by Aadhaar; payments, which manage the flow of money, by the Unified Payments Interface (UPI); and data, which manages the flow of information, by the account aggregator framework.
DPI is no longer limited to identity but includes foundational building blocks that form the digital backbone, which enables faster and more efficient service. Against this backdrop of expansion, the governance of DPI becomes central. In this context, the recently implemented Digital Personal Data Protection Act 2023 (DPDP Act) emerges as India’s only data governance legislation. The effectiveness of any infrastructure requires a strong, robust governance framework, and this is precisely where the DPDP Act struggles. While DPI promises efficient governance, the DPDP Act systematically under-protects such a crucial infrastructure by normalizing processing and weakening purpose limitation.
DPI as a High-Risk Infrastructure
The operability of DPI is enabled by an open standard design supported by both public and private entities, which are allowed to create value services on the platform. This design makes the infrastructure accessible to all. These utilities are managed by an appropriately structured entity and governed by the regulator through rules and regulations. These qualities make the asset a high-risk utility, and DPI differs from private data processing on several counts. Unlike private data, the interconnectivity of utilities and services makes DPI mandatory and unavoidable. For instance, Aadhaar-based biometric authentication is used for public distribution system rations, withdrawals, direct benefit transfer schemes, and e-Know Your Customer schemes, where no functional, practical alternative exists despite theoretical voluntariness.
For such an essential public utility function, security cannot be an afterthought; it must be embedded in the core of the DPI. One breach can affect the essential information of millions, as happened in the CoWIN breach. DPI can be on the verge of collapse due to its structural vulnerabilities. Such an interconnected system magnifies vulnerability. Technological shortcomings can be detrimental to the whole structure, and a weak institution diminishes the value of safeguards.
While DPI was focused on certain specific sectors in the initial period, with the development of technology, nations have moved towards tapping this crucial resource while ensuring protection. One example is the EU Digital Identity Wallet (EUDI), which is based on the principle of data minimization, i.e., it focuses on sharing only what is essential. It will protect privacy and ensure that individuals get to decide what is to be shared. For the governance of the EUDI, a separate regulation has been passed. Similarly, DPI must be governed separately from data processing, but the DPDP Act does not acknowledge this.
Purpose Limitation under Strain
The data minimization and proportionality doctrines are foundational principles of any data privacy law; they ensure that there is minimal expansion and that the data collected is used only for the specific purposes mentioned. Global standards such as the General Data Protection Regulation (GDPR) require that data be collected for specific, explicit, and legitimate purposes only. However, DPI is a multi-purpose and ever-expanding ecosystem. Aadhaar, which has been recognized only for welfare delivery, is ever-expanding into sectors such as telecom, verification, and digital payments.
The law's legitimate use and government function category provides a broad base to repurpose personal data whenever it aligns with a public-utility objective, without requiring a fresh purpose statement or explicit consent under the DPDP Act. The DPDP Act also does not distinguish between sensitive, personal, and public data; it defines only personal data, so the security is further diluted.
The legitimate purpose clause pushes DPI further towards collapse: Section 7(b) allows the state to use data from previous records where the person had earlier consented. The Act imposes no duty on the state to limit purpose, and the retention clause does not provide any specific timelines, which in turn increases the chances of re-use in large depositories. This directly breaches the requirements of legality, necessity, aim, and narrow proportionality, and DPI becomes a blanket purpose.
Accountability Deficits in Governance
Section 17 of the DPDP Act provides for exemptions. These range from legal right, investigation, public interest, national security, etc., but their interpretation is left expansive. DPI is mostly government-mandated; thus, the exemptions remove most of DPI from the DPDP Act. The very architecture of DPI, which requires a strict framework, is opposed by Section 17 of the DPDP Act, which provides sweeping powers to instrumentalities and creates a parallel and opposing framework, where rights, notice, limitation, and retention can be changed at will.
Under the DPDP Act, the authorities are purely adjudicatory, with no or minimal investigative, corrective, or advisory power, unlike under the GDPR. Their functioning is also backed by the government, which controls the appointment, removal, and rule-making power. The rules do not provide for any proactive approach such as audits or continuous supervision, and the bodies exist only as an executive arm rather than as an actual regulator of the sector. Along with giving minimal powers to the bodies, the Act does not provide a special focus on sensitive or crucial data like DPI. The regulators under the Act have been given no special power to monitor DPI operators.
The procedural safeguard principle, which ensures that the right to privacy of an individual is not compromised by an arbitrary state action, is being infringed by a lack of accountability, no risk assessment, and no DPI-specific audits.
Structural Vulnerabilities: Lack of Safeguards
Every layer of DPI collects metadata such as location, devices, and more. Even Aadhaar trails collect logs, timestamps, and requesting entities. The law's model is mismatched to this environment. Consent presumes choice and voluntariness, yet most DPI is mandatory. Further, the chain linking of DPI, with Aadhaar linked to DigiLocker, UPI, DigiYatra, and FASTag, creates a unified, multi-sector identity without structural limitation.
The Act further attempts to manage such entities by designating them as significant data fiduciaries, based on factors like data volume, sensitivity, etc. But DPI exceeds every one of these factors by several orders of magnitude, thus requiring a separate threshold. It is not merely a processor of data; it is the foundational framework of privacy and identity. Treating DPI as a corporation that can be managed through the safeguards of the Act will lead to a total collapse of the privacy of individuals. The DPDP Act provides tools to regulate entities and not infrastructures. Comparative jurisdictions recognize this: be it the EUDI or Singpass, these frameworks create dedicated, architecture-specific rules.
Normative Model of Governance
Every administration desires efficiency, but it cannot serve as a license for unchecked data consolidation. DPI does improve efficiency and makes the environment a more inclusive space, but this administrative efficiency cannot be a reason to dilute constitutional safeguards, as held in the Justice KS Puttaswamy v. Union of India judgment. When the core identity of health payments is routed through a national infrastructure, the resulting breach will be catastrophic. A single breach can result in a large theft of data crucial to individuals, which is why safeguards are required. While some exemptions provided under the Act can be legitimate, the problem lies in opacity and a lack of safeguards.
The need of the hour is a normative framework that requires a DPI-specific data protection assessment, along with a dedicated regulator separate from the DPDP Board. The core DPI modules, such as Aadhaar, UPI, DigiYatra, etc., should require a mandatory assessment, which shall include risk modelling. The separate enforcement body should be functionally independent and have powers of investigation and enforcement. Transparency should be the guiding principle of DPI regulators. Users must have stronger rights to object to automated and algorithmic decisions. Mandatory firewall protection between identity domains and purpose-specific identifiers should be introduced.
Conclusion
India is focused on building one of the largest and most ambitious digital public infrastructures, but the legal guardrails remain weak, which exposes the system to a number of risks. India’s dedicated privacy law is focused mainly on private sector processing and fails to account for the complexities and risks of DPI. The state, as the largest data fiduciary, is exempt from safeguards, and without DPI-specific mandates, India is at risk of creating a structure without accountability. The path forward would be to recognize DPI as a separate category with independent oversight and ensure controls and limits on state power.
