Skip to content
🚨 DPDP Rules 2025: Compliance Deadline 44 weeks awayRead handbook →

DigiLocker Just Stored the Identity Data of 37 Crore Indians — and the DPDP Act Barely Touches It

India expanded DigiLocker to cover 37 crore citizens' Family IDs in June 2026. The DPDP Act's government exemptions leave this massive data infrastructure largely unaccountable.

D
DPDPBot Research Team
🕐 11 min read

#DigiLocker Just Stored the Identity Data of 37 Crore Indians — and the DPDP Act Barely Touches It

India's most consequential privacy story of June 2026 is not a data breach. It is an expansion. On June 17, 2026, the Ministry of Electronics and Information Technology announced that DigiLocker — India's government-run digital document wallet — had onboarded Family ID credentials from four states: Rajasthan, Maharashtra, Madhya Pradesh, and Uttar Pradesh. In a single announcement, over 370 million citizens gained the ability to store, manage, and share their state-issued household identity documents through a centralized digital platform. By June 26, Uttar Pradesh alone had pushed this to over 60 million residents, with the Yogi government calling it a milestone in "paperless welfare delivery."

It is a milestone. It is also the clearest illustration of a structural gap in India's Digital Personal Data Protection Act — one that nobody in the corporate compliance conversation is talking about.


#What the DigiLocker Expansion Actually Means

DigiLocker is not a new concept. Launched in 2015 under the Digital India program, it allows citizens to store, access, and share government-issued documents — driving licenses, academic certificates, Aadhaar, PAN — digitally. As of 2026, the platform hosts more than 6 billion documents for over 300 million registered users.

The June 2026 integration goes further. State Family IDs are not simple identity documents. They are household-level welfare rosters — comprehensive records linking families to every government scheme they are eligible for. A Rajasthan Jan Aadhaar entry, for example, may encode a family's composition, income classification, health scheme enrollment, food security status, disability records, and beneficiary history across dozens of programs. Maharashtra's Mahasarathi and MP's Samagra carry equivalent depth. These are not isolated identity tokens. They are profiles.

Putting those profiles into DigiLocker — and enabling the platform to act as a "requestor" that connects to state Family ID systems for document fetching — creates, for the first time, a single national digital access point for household-level welfare data covering roughly 30% of India's population. Citizens consent to sharing within the DigiLocker interface. But the consent framework operates on the assumption that users understand what they are authorizing when they click "fetch."

Separately, Andhra Pradesh announced in April 2026 that it is evaluating DigiLocker-based "age tokens" — cryptographic credentials that social media platforms could use to verify whether a user is above 13, or between 13 and 16, without the platform seeing raw Aadhaar or identity data. This is an intelligent use of token-based privacy architecture. It is also, if it scales, a mechanism by which state governments directly intermediate the relationship between children and private platforms using a government-controlled credential system — with all the surveillance implications that implies.

Both developments are happening fast, with enormous reach, and with almost no public debate about accountability.


#The DPDP Act's Government Exemption: What It Says

India's Digital Personal Data Protection Act, 2023, applies to the "processing of digital personal data" in India. On paper, that should cover the government. In practice, the Act carves out substantial space for state actors.

Section 17 of the Act exempts the Central Government from the Act's application where processing is necessary for state functions, national security, public order, research, journalism, or the "prevention, detection, investigation, or prosecution of any offence." These are standard exclusions found in most global data protection frameworks — but India's formulation is notably broad. The phrase "prevention, detection, investigation, or prosecution of any offence" can stretch far, and the Act provides no proportionality test constraining how much personal data the government may collect or retain under this rationale.

Section 36 and Rule 23 go further. They authorize the Central Government to require any Data Fiduciary — meaning any private company processing personal data — to provide data to the government on grounds that include "public order," "national security," and "friendly relations with foreign states." There is no requirement for a court order, a narrow purpose specification, or an independent oversight mechanism before such a demand is made.

State governments and authorized entities receive additional latitude. The DPDP Rules define state-authorized bodies — including DigiLocker's operator — as entities that can "issue or verify identity and age details." This is the explicit hook enabling the DigiLocker age-token architecture. But it also means DigiLocker, operated by MeitY and linked to state welfare databases, processes personal data as a government-authorized entity — at a scale and with a scope of data linkage that no private company in India is permitted to operate without stringent consent, security, and notification obligations.

When Tata Electronics suffered a 630 GB ransomware breach in June 2026, the question immediately arose whether it had notified the Data Protection Board under Rule 7's 72-hour requirement. When a DigiLocker-integrated state welfare database suffers a breach, the notification obligation runs to CERT-In under the IT Act — but the DPDP Act's own breach notification framework applies in a far more attenuated way, because the processing entity is a government-authorized body operating under Section 17 exemptions.

The structural question is stark: India is creating one of the world's largest household-data repositories under a framework that is far more demanding of a fintech startup than it is of the government itself.


#The Privacy Paradox at the Heart of India Stack

This tension is not accidental. It reflects a deliberate policy choice that India has made — and that the original architects of the DPDP Act debated extensively.

India's Digital Public Infrastructure model — what policymakers call "India Stack" — is premised on the idea that state-built digital rails (Aadhaar for identity, UPI for payments, DigiLocker for documents, DEPA for data sharing) can enable financial inclusion, reduce leakage from welfare programs, and bring hundreds of millions of previously unserved citizens into the formal economy. The empirical record on those benefits is strong. UPI processed over 20 billion transactions monthly by 2025. Aadhaar-linked DBT (Direct Benefit Transfer) has cut subsidy leakage substantially.

But India Stack's architecture is also an architecture of data concentration. When Aadhaar authentication is required to access a ration card, apply for a pension, or enroll a child in school, consent becomes structurally compromised — a citizen who cannot access essential welfare services without biometric authentication has not freely consented to biometric data processing. When DigiLocker links Family IDs from four states and potentially becomes the platform for age tokens on social media, it transforms from a document wallet into an identity gateway through which government intermediates citizens' entire digital lives.

A 2026 analysis by the Centre for Strategic and International Studies on UPI's data implications noted that payment platforms embedded within Aadhaar and DEPA ecosystems "increase the potential of linking financial data with other forms of information about users' identities" in ways that create "large-scale extraction of behavioral data without commensurate safeguards." Family ID integration into DigiLocker compounds this effect at the household level.

The DPDP Act was designed, in part, to provide those commensurate safeguards. The government exemptions it contains mean that the safeguards apply most rigorously to the least powerful actors in this ecosystem — the apps and platforms that process data after it flows through the public infrastructure — and most leniently to the infrastructure itself.


#What the Supreme Court Has Flagged

India's Supreme Court is not unaware of this asymmetry. One of the four core constitutional challenges being adjudicated before a larger bench (referred on February 16, 2026) specifically targets Section 36 read with Rule 23 — the government's power to demand personal data from any Data Fiduciary on broad national-interest grounds.

The petitioners in The Reporters Collective Trust v. Union of India and related cases argue that this provision lacks proportionality: the government can compel data disclosures from any data processor without demonstrating necessity, without judicial oversight, and without an individual's knowledge. Combined with a DPDP Act that simultaneously exempts state processing from its own consent and security obligations, the framework gives government both a tool to extract data and an exemption from the rules designed to protect the data it holds.

The Court has not stayed the Act. But its referral to a larger bench — and the specific inclusion of Section 36/Rule 23 in the constitutional questions — signals that the judiciary recognizes the structural imbalance. How the Constitution Bench resolves this will shape not just the DPDP Act, but the entire regulatory posture of India Stack.


#The Children's Data Dimension

The Andhra Pradesh age-token proposal deserves particular attention because it sits at the intersection of two of the DPDP Act's most sensitive provisions.

The Act sets 18 as the age below which parental or guardian consent is required before personal data can be processed. It flatly prohibits behavioral tracking of children and the targeting of minors by platforms. These are strong provisions — stricter than GDPR's under-16 standard.

But the age-token architecture AP is exploring routes child age-verification through DigiLocker — a government-authorized entity. In this model, a social media platform would receive a token confirming that a user is above or below a threshold, without receiving the underlying Aadhaar or identity data. Privacy-by-design practitioners will recognize this as a Zero-Knowledge Proof pattern, and it is technically sound in isolation.

The problem is governance, not cryptography. The age-token system requires DigiLocker to:

  1. Know which DigiLocker account maps to which social media account request (even if it does not share this with the platform)
  2. Maintain logs of age-verification requests for auditing
  3. Become, in effect, an intermediary that state governments use to extend regulatory control over private platforms

If DigiLocker issues age tokens for social media, there is no architectural reason it cannot issue behavior tokens, residence tokens, or welfare-eligibility tokens for other purposes. The infrastructure, once built, expands to fill the use cases policymakers invent for it. And because DigiLocker operates under government authorization, none of this triggers the DPDP Act's private-sector consent and security obligations in the same way.

Parents who need to verify their child's age to enable social media access must go through a government-controlled system. Their child's identity data — even in token form — passes through a government intermediary. The DPDP Act's protections for children's data, written to constrain platforms, do not apply with equal force to the government mechanism being used to enforce them.


#What This Means for Businesses Processing Family ID Data

For companies in the welfare-adjacent ecosystem — insurers, hospitals, telecoms, ed-tech platforms, and financial services providers — the Family ID DigiLocker integration has direct compliance implications.

When a citizen shares their DigiLocker-stored Family ID with a private service provider to establish welfare eligibility for a subsidized loan or health insurance plan, that service provider becomes a Data Fiduciary under the DPDP Act. The personal data in the Family ID — household composition, income classification, beneficiary status — is personal data the fiduciary has received from the citizen. The full DPDP Act framework applies: consent records, purpose limitation, breach notification, data principal rights.

Companies integrating DigiLocker as a document-fetch mechanism in their onboarding flows need to ensure their consent architecture captures the purpose for which Family ID data is being processed — and that purpose must match what citizens are told. Using welfare eligibility data for marketing segmentation, credit scoring, or behavioral profiling would breach the DPDP Act's purpose-limitation principles and potentially constitute processing without valid consent.

The DPDP Act's /consent-manager framework — launching November 13, 2026 — is designed precisely for this kind of multi-source personal data flow. Businesses that are building DigiLocker integration into their platforms now should architect those integrations to be Consent Manager-compatible from the start, rather than retrofitting them at the November deadline. Our DPDP compliance resources include DigiLocker integration guidance for data fiduciaries.


#The Gap That Needs Filling

India's Digital Public Infrastructure works. It delivers welfare benefits, enables financial access, and reduces friction in everyday transactions at a scale no private sector alternative could achieve. The June 2026 DigiLocker expansion is, in those terms, a genuine governance success.

But success at scale creates privacy obligations at scale. The DPDP Act applies a demanding accountability framework to the private sector — consent records, security obligations, breach notification, data principal rights — while applying a much lighter touch to the government systems that collect household identity data for 370 million people, link it to welfare databases, and now serve as the technical infrastructure for children's age verification on social media platforms.

The Supreme Court's constitutional scrutiny of Section 36 and Rule 23 is the right instinct. The question the larger bench will need to answer — and that policymakers need to consider as DigiLocker continues to scale — is whether a data protection framework can be considered adequate when its most rigorous obligations apply to a fintech app and its lightest obligations apply to the platform that stores a family's welfare history, medical enrollment, and identity documents.

India's DPDP framework is currently being stress-tested by corporate breaches. The next stress test will come from within.


Sources: MeitY DigiLocker Family ID Integration · Organiser: UP Family ID on DigiLocker · Deccan Herald: AP DigiLocker Age Tokens · CSIS: UPI and Digital Public Infrastructure Privacy Implications · Internet Freedom Foundation: Supreme Court DPDP Challenge · Lightbeam: DPDP vs GDPR comparison · India Briefing: DPDP Compliance Timeline 2026-27

Automate your DPDP compliance

Capture consent, honour data principal rights, and stay audit-ready — all in one platform.

Start free trial