Font size:
Print
UPI and Data Privacy
Context:
Unified Payments Interface (UPI) has emerged as one of India’s most groundbreaking innovations of the 21st century, offering a seamless, cost-free, and reliable payments architecture used by millions.
More on News
- By enabling India to bypass traditional card networks, UPI has propelled digital payments forward by decades.
- However, while much of the policy discourse has focused on concerns surrounding the duopoly of third-party app providers (TPAPs) like Google Pay and PhonePe, efforts to impose artificial market-share caps may be misguided.
- Instead, the most pressing challenge within the UPI ecosystem lies in ensuring robust personal data protection.
Issue of Data Privacy in UPI
- Spending Data: Unlike conventional payment methods such as credit cards, UPI transactions generate and share a vast amount of consumer spending data.
- Storage of Data: However, unlike traditional payment networks that adhere to stringent data storage standards like the Payment Card Industry Data Security Standard (PCI DSS), UPI lacks comprehensive data storage regulations.
- Limited Awareness: Additionally, TPAPs do not publicly disclose their data-sharing policies, leaving users with limited awareness of how their information is collected, stored, and shared.
- Multiple Entities: The issue is further exacerbated by the number of entities involved in a single UPI transaction, increasing the risk of data leaks.
Market Concentration and the Role of Data
- The real concern surrounding the dominance of leading TPAPs is not their market share itself but the role that extensive data collection plays in reinforcing their market position.
- Data accumulation allows these platforms to expand into adjacent financial services, including microloans and insurance, potentially limiting competition in these sectors.
- However, imposing an arbitrary cap on market share would not resolve these concerns.
- Instead, the solution lies in better regulation of data practices.
Digital Personal Data Protection (DPDP) Rules, 2025
- Data Fiduciaries: Under the draft rules, TPAPs could be classified as “significant data fiduciaries,” requiring them to adhere to strict data minimisation principles.
- Exemption: One important provision within the draft DPDP Rules is Rule 5(1), which allows state entities to process personal data for providing subsidies, benefits, and public services.
- Since UPI functions as part of India’s digital public infrastructure, its core framework, managed by the National Payments Corporation of India (NPCI), may fall within this exemption.
- However, private TPAPs operating on UPI rails should not be granted the same exemptions.
India’s Leadership in Global Data Governance
- The recent G20 Troika joint communiqué (led by India, Brazil, and South Africa) highlights the need for reducing asymmetries in the digital economy and establishing equitable principles for data governance, privacy, and security.
- By applying these principles to its financial digital public infrastructure, India has an opportunity to further consolidate its position as a global leader in fintech and financial inclusion.
By enforcing the principles of data minimisation, transparency, and consent-based data sharing, India can address concerns surrounding privacy, competition, and market dominance while ensuring that UPI continues to thrive as an inclusive, secure, and innovative digital payments system.
