Ten Years of UPI: Implications of India’s Digital Public Infrastructure for Data Protection
Ten years after its launch, India’s Unified Payments Interface (UPI) has evolved from a convenience tool into a defining example of how digital public infrastructure (DPI) can reshape the relationship between data and economic activity. Designed to enable instant fund transfers at a national scale, UPI now processes billions of transactions every month, with 16.6 billion transactions in February 2026 alone. This system quietly transforms day-to-day transactions into a continuously expanding behavioral dataset, tempered by a data protection regime with significant gaps. As UPI marks its ten-year anniversary, it highlights a core risk of DPI: systems that are built to rapidly expand economic participation can also enable the large-scale extraction of behavioral data, without commensurate safeguards.
UPI and the push toward DPI have been transformative for India. As a government-led faster payment system (FPS) able to interface with private systems, UPI has been able to make overall financial transaction networks in India more efficient while still retaining consumer choice. The key has been the broader DPI infrastructure IndiaStack, which positions UPI in a system between Aadhaar, India’s identity verification system of over 1.4 billion cards, and DigiLocker, a secure platform for storing and sharing personal data. UPI itself has remained an open payment system without added transaction costs, ensuring its usability at all levels. Meanwhile, regulations ensure sensitive data is stored on domestic servers and not on commercial clouds, affording a sense of ‘data sovereignty,’ an alternative to ‘data colonialism’ allowing India to domestically safeguard and assert national protections over the data of its people.
UPI has also set a global benchmark for payments infrastructure. The use of UPI has expanded to eight countries, with Delhi aiming for twenty by 2029. The full list of partnerships now includes Singapore, UAE, France, Mauritius, Nepal, Sri Lanka, Bhutan, Qatar, Malaysia, and most recently Israel. As India has become the global leader in developing DPI, UPI has become a key driver of India’s ‘digital diplomacy,’ a push to leverage digital platforms to project and advance a rising India’s global image and strategic objectives. This was especially true for UPI around India’s G20 presidency in 2023.
On the individual level, UPI generates substantial economic and social benefits. Transaction histories offered by the application can expand access to credit for individuals without traditional banking records, enabling alternative approaches to credit scoring that support financial inclusion. Payments can improve fraud detection, strengthen anti-money laundering compliance, and enable more efficient delivery of subsidies and public benefits. These benefits are especially significant for populations who have historically faced barriers to accessing formal financial services due to geographic location, limited banking infrastructure, or lack of credit history.
However, despite overall successes, the UPI story also comes with ten years of concerns, not least of which are persistent social and economic inequality among adopters, opportunistic scams, regulatory hurdles, and infrastructure gaps. For example, wealthier users have still been more able to realize the benefits of UPI than poorer users, even as the average UPI transaction has fallen to Rs. 1,314 (about $15) and the average merchant transaction to Rs. 592 (about $7). Especially in areas of lower cell phone usage, where families may have only one phone, a cashless economy may mean more men and fewer women participate. UPI users also navigate widespread fraud; a May 2024 survey found that as many as 57% of Indians believed their friends or family had fallen victim to a payments-related scam online. Moreover, capacity and interoperability issues have kept expansion abroad slow at best.
The Data Sensitivity of Payment Infrastructure
As UPI adoption continues to grow domestically and internationally, the growing repository of payment data raises important questions about the longer-term strategic implications of DPI. Traditional financial records have long revealed aspects of user behavior, but the high-frequency, low-value digital transactions that UPI provides make that information more continuous and granular. Over time, these records form detailed behavioral profiles that can approximate sensitive identity characteristics even when explicit demographic information is not collected.
In practice, payment data can function as a proxy for categories often considered highly sensitive, including religion, health information, political affiliation, and social network ties. Recurring donations to religious organizations, purchases from medical providers, political contributions, and peer-to-peer transfers collectively produce a detailed picture of individual preferences, associations, and routines. Thus, the sensitivity of this data lies not just in each individual transaction, but in the broader picture it paints cumulatively.
UPI exacerbates these concerns by embedding payment functionality within a broader public infrastructure ecosystem that includes identity verification through Aadhaar and data-sharing frameworks such as the Data Empowerment and Protection Architecture (DEPA). While these systems do not automatically feed into a single database, their interoperability increases the potential of linking financial data with other forms of information about users’ identities.
UPI data collection also creates risks related to profiling, bias, and surveillance expansion. Researchers have demonstrated that behavioral data can produce discriminatory decision-making outcomes when used in algorithmic decision-making systems, particularly when proxies for protected characteristics are embedded in seemingly neutral datasets. Payment transaction histories may therefore introduce risks of exclusion in lending, insurance, or service provision contexts, even as they offer advantages in credit establishment for underserved users.
Security vulnerabilities further complicate the governance of payment data infrastructure. Users face immediate security threats from social engineering, such as “reverse-phishing” scams, where hackers exploit user misconceptions to drain accounts. This risk is further complicated by “advice gaps,” where users bypass security protocols in favor of informal guidance and trust in bank-integrated platforms. Consequently, the security of the UPI ecosystem requires addressing threats of automated financial decision-making.
To address these threats, India has shifted towards a risk-based authentication system as of April 2026. The new mandate allows platforms to determine their security checks based on individual transactions’ risk profiles, rather than applying a uniform process. While this reduces friction for individual transactions, it creates a system of algorithmic governance, where background risk assessments become the arbiter of financial access. Another significant change is the shift in responsibility: the new rules move the burden from individual consumers to the payment service providers and banks, effectively institutionalizing security as a financial imperative and forcing providers to treat UPI similarly to national critical infrastructure.
As payment data grows more sensitive and interconnected, UPI increasingly functions not only as a financial infrastructure but also as strategic infrastructure.
Payment Infrastructure as a Strategic Technology
Especially as UPI now spans individuals’ sensitive data and broad national and international applications, payment infrastructure increasingly functions as a strategic technology. While UPI helps India move towards its goals of reducing transaction costs, standardizing information, and improving transparency and traceability within economic activity, it also holds broader strategic implications.
First, IndiaStack’s emphasis on interoperability allows India to offer a tangible tool for countries’ own digital transformations, not just set an example. Interoperability, whether at home or abroad, significantly increases adoption. Using its Modular Open-Source Identity Platform (MOSIP), India has helped accelerate digitalization in lower-income countries, raising its profile as a leader of the Global South.
Second, by allowing countries to decrease their reliance on foreign networks, UPI allows India to carve a niche for itself through its ability to shape global infrastructure while balancing inclusivity with sovereignty.
Third, UPI serves as an important vehicle of India’s soft power projection, including and especially as a means of helping New Delhi lead a return to greater regional cooperation.
Shared use of India’s DPI infrastructure carries both strategic benefit for India and a magnified responsibility to ensure the system is safe and effective and that its surrounding data protection framework is robust and scalable. Yet the strategic value of payments infrastructure ultimately depends on whether legal and institutional safeguards can keep up with expanding technical capabilities.
Regulatory Risk as UPI Expands Further
However, despite recent developments, the legal framework governing UPI still contains gaps and potential risks for users’ data privacy. Although the data UPI collects can be highly sensitive, legal and institutional protections have yet to evolve to ensure it is secured and used as advertised.
The basic framework for UPI is built on the Information Technology Act of 2000 (IT Act), which provides legitimacy for all digital payments in India and ensures digital fraud is punishable by law. It also ensures contractual enforcement, helps determine liability in disputed or failed transactions, legally obligates providers to adopt robust cybersecurity frameworks, establishes a duty of care for those handling sensitive data, and polices data intermediaries. However, over the last few decades, implementation has seen mixed results. Among other capacity issues, IT Act language struggles to keep pace with emerging technologies and leaves users with a sorely fragmented dispute resolution mechanism.
After seven years of UPI, the Digital Personal Data Protection Act of 2023 (DPDP Act) became India’s first truly comprehensive data protection regime. The DPDP Act requires personal data to be erased after its specified purpose is fulfilled or after consent is withdrawn, limits secondary use of personal data, and allows individuals the rights to notice, access, and erasure. The Act also establishes the Data Protection Board of India to investigate complaints and issue fines when necessary. However, the DPDP Act also provides significant exemptions to the central government and government bodies and has been criticized for allowing them to both directly access data through data intermediaries without consent and unilaterally suspend the public’s access to certain data. While the examples often given are for law enforcement and official statistics, broader exemptions for government activity carry broader implications for Indian users. The DPDP Act also does not provide any exemptions for journalists, raising questions about who constitutes a protected party.
Meanwhile, institutional gaps are being incrementally filled to ensure compliance with the law’s provisions. For example, the Reserve Bank of India (RBI), tasked with regulating all payment systems, only recently released an advisory about establishing a standardized process of data erasure. Without one, the theoretical right to erasure can be inconsistent in practice.
Additionally, tension between the RBI’s push for data localization and the DPDP Act’s more permissive stance on cross-border exchange may limit the ability for regulation to keep pace with expanding UPI usage abroad. RBI mandates that data from transactions originating in India be stored only on Indian servers, including when trying to secure partnerships to assess the security risk of new and advanced AI programs like Anthropic’s Mythos. As a result, there are fewer opportunities available to effectively scale fraud prevention efforts. Since partner countries can have similar data localization rules, even a hybrid approach abroad—partnering with in-country institutions to ensure regulatory compliance, while managing authorization and settlement of transactions securely in India—would keep the expansion of UPI riskier and less efficient.
Conclusion
Ten years in, UPI represents a major success in digital public infrastructure, expanding financial inclusion while positioning India as a global leader in DPI development. At the same time, the system illustrates how financial infrastructure doubles as data infrastructure, requiring regulatory frameworks capable of governing sensitive behavioral data at scale.
While DPDP was an important step toward strengthening data protections, institutional fragmentation and government exemptions raise questions about whether current safeguards adequately reflect the deep sensitivity inherent in payments data. The regulatory model underpinning the system will become even more consequential for both users and partner countries as UPI expands internationally.
Ultimately, sustaining trust in DPI will require India to synergize the regulatory environment around UPI when expanding abroad, especially for the balance between data sovereignty and interoperability. To do so, India will likely have to strengthen and clarify its own framework before building a scalable approach to the frameworks of other countries. As UPI enters its second decade, these and other developments can help ensure that India’s DPI infrastructure stays true to its value proposition and continues to lead the world.