Over the past decade, India has built one of the world’s most ambitious digital infrastructures. Aadhaar authenticates millions of transactions daily. UPI has transformed payments. DigiLocker, ONDC and Digi Yatra are extending digital systems into new domains of economic and public life.
Yet an uncomfortable question sits beneath this success. The institutions responsible for governing digital systems are evolving far more slowly than the systems themselves.
This gap is important because digital infrastructures are unlike most public projects. Once they become embedded across markets, public services and administrative systems, reform becomes progressively more difficult. The challenge therefore extends beyond building digital infrastructure to establishing governance frameworks before digital systems become deeply embedded in economic and administrative life.
From Transactions to Decisions
The implications of this gap become clearer as digital systems move beyond facilitating transactions and begin shaping decisions. Biometric authentication influences access, algorithmic systems affect hiring and credit outcomes, and digital platforms now mediate interactions between citizens and institutions.
As these systems expand, the consequences of design choices become more significant. Biometric identifiers cannot be replaced in the way passwords can. Algorithmic decisions can be replicated across thousands or millions of interactions. Administrative processes, commercial ecosystems and user behaviour gradually adapt around the infrastructure itself.
The result is that institutions are no longer overseeing discrete technologies. They are required to govern systems that shape the operating logic of markets, public services and government administration.
The Window Between Adoption and Oversight
India’s digital governance challenge is not emerging in an institutional vacuum. The Digital Personal Data Protection (DPDP) Act, enacted in 2023, represents the country’s principal legislative framework for governing personal data within an expanding digital ecosystem. Yet by the time the legislation was enacted, Aadhaar had become one of the world’s largest digital identity systems, UPI had transformed digital payments, and a wider ecosystem of digital public infrastructure was already embedded across economic and administrative life.
The Data Protection Board, established under the DPDP Act to investigate breaches and enforce compliance obligations, has yet to become a fully established part of the regulatory landscape. Implementation rules continue to develop, while questions surrounding algorithmic accountability, biometric surveillance and independent oversight remain unsettled.
As a result, regulators are often managing the consequences of systems that have already acquired users, institutional dependencies and political constituencies, rather than shaping their foundational design choices.
Designing Governance for Scale
The experience highlights the importance of scrutiny before deployment, particularly for systems built around biometric identifiers, large public databases or algorithmic decision-making. Mechanisms for independent review, proportionality assessment and public justification are often most effective at the point of adoption rather than after large-scale dependencies have formed.
As digital systems begin influencing employment, credit, welfare and public services, governance must extend beyond questions of compliance. Citizens need meaningful ways to understand, challenge and seek redress for consequential automated decisions.
This, in turn, requires institutions with technical as well as legal capacity. The Data Protection Board, when fully operationalised, will need to function as more than a complaints forum. Effective oversight of complex digital systems demands investigative capabilities, technical expertise and the ability to evaluate how technologies operate in practice.
Governance must also recognise that digital infrastructure should not be treated as a permanent policy settlement. Biometric databases, surveillance architectures and large-scale decision systems can outlive the circumstances that justified their creation. Periodic review, reauthorisation mechanisms, and independent scrutiny from academia, civil society and technical experts can help ensure that such systems remain necessary, proportionate and aligned with evolving public expectations.
A Shift in Policy Priorities
For much of the past decade, the central policy question was how digital infrastructure could be built and scaled. Today, the question is how such infrastructure should be governed once it becomes integral to everyday economic and civic life. The answer will shape not only the effectiveness of digital systems, but also the public trust on which their long-term legitimacy depends.