India’s Digital Personal Data Protection Act is being read as a privacy law. Interpreted through the prism of privacy, it turns into red tape. However, if it is interpreted as a law about who controls personal data and who is answerable for it, it evolves into the missing layer of India’s InfoTech Stack.
Think of a retired soldier who has banked at the same branch for thirty years. The bank already holds his pension papers, his Aadhaar number, and his PAN Card. One day it freezes his account on grounds of re-KYC, and tells him to come in and prove, in person, that he really is himself.
This is not misguided or careless staff. It is how the system was built. Every customer needs to repeatedly keep proving his identity, which the bank already holds.
Now picture a whole nation like this. India has issued more than 1.4 billion Aadhaar numbers and runs the largest real-time payments network in the world. No other country has built anything like it. And yet it uses all of this to make people prove, over and over, facts it already knows.
The problem is not that India checks identity badly. It is that it checks the same identity endlessly. That is a design choice, and design choices can be changed.
This is the gap the Digital Personal Data Protection Act, 2023 (DPDP), was written to close. Read as a privacy law, DPDP means more of the same: more consent forms, more locked databases, more frozen accounts.
But the heart of the DPDP law is simpler. It puts the citizen in charge of what is done in his name.Instead of one more copy of your identity that every office must guard, you hold a single proof yourself. It is called a verifiable credential: proved once, carried everywhere.
India has spent a decade building the pieces. DPDP is the reason to finish the job.
Agency Is the Priority. Privacy Is the Side Effect
India’s DPDP does something unusual. It does not copy the best-known law of this kind, the European Union’s General Data Protection Regulation (GDPR). GDPR was the first big privacy law and it changed the world’s thinking.
But GDPR puts the company in charge of protecting you. DPDP puts you in charge, and that one change matters significantly.
Under the European model, a company follows rules for your benefit, but you do not set them. The company decides; you are protected.
DPDP flips this. It nominates you as the data principal, the person in charge. DPDP makes your consent the necessary condition for a company to use your data. And DPDP permits the data fiduciary, the company or office holding your data, to act only within the limits you set, and to be answerable for wherever that data travels.
So you are not just protected. You are giving permission, and privacy is what happens when the permission you give is respected.
This does not mean DPDP hands the citizen unlimited power. It gives the Statewide exemptions under Section 17, and leaves out a clear right to move your data from one provider to another.
The agency reading is about the private sector, where most personal data is handled. When a citizen deals with a bank, a broker, or an app, the law clearly shifts control toward the individual. That is where a credential layer earns its place.
So why is a GDPR-style approach the wrong fit for India? Three reasons.
First, GDPR guards an individual’s data when the law should really be asking who controls it. A controls mindset builds a stronger vault, when the real question should be who holds the key to the vault.
Second, GDPR was written before Artificial Intelligence AI agents existed. GDPR assumes that a human being reads a notice and clicks a button. But by May 2027, when DPDP takes effect, software agents will be doing much of the checking, form-filling, and consent-clicking. And a framework with no way to pass authority from person to agent to company buckles under that load.
Third, GDPR assumes no shared identity system underneath. Europe leaned on controls because it had nothing at all like Aadhaar.
India does have a billion Aadhaar cards issued. A credential tied to an Aadhaar-verified identity and held in your own wallet, an app on your phone, works, because the foundation of trust is already in the ground.
Reading India’s DPDP as a copy of Europe’s GDPR is a 2016 mindset.
Reading DPDP as a law about agency for the age of Artificial Intelligence AI addresses the realities of the international situation in 2026.
India deliberately drafted the DPDP Act on purpose, not by habit. It could have copied GDPR and swapped the names. It could have bolted a patchwork onto the rules of the Reserve Bank of India (RBI), the Securities and Exchange Board of India (SEBI), and the Insurance Regulatory and Development Authority of India (IRDAI). It did neither.
Section 9 reflects an Indian reality, that families often decide as a unit.
Section 8(1) of the DPDP Act makes a company answerable for the outside firms it hands data to, no matter what the contract may say,. So it can no longer sign the risk away. The Rules under the DPDP Act were published in November 2025. Most duties begin in May 2027.
Governance Drives Process. Process Drives Technology
Governance should shape the process, and the process should shape the technology, in that order.
In real life it runs backward: the organisation first purchases a software package, the business processes are adjusted to fit the software package, and corporate governance just approves what the software has already decided. That is how a compliance program ends up serving its software instead of its purpose.
India’s DPDP forces the right order. India’s law sets the governance: the citizen gives permission, consent comes first, and the company answers for every copy of the information it holds. That governance sets the process: collect only the data and information which is required, verify once, and be able to limit or cancel access. Only then do you choose the technology. And what governance asks for, as the next section shows, is a credential, not a vault

The Architecture DPDP Implies: Credentials, Not Vaults
Interpret DPDP as a privacy law and the first instinct is a privacy fix: encrypt the database, hide the identifiers, build a data vault. Each protects the data the company holds. None gives the citizen a way to grant, withhold, or cancel permission.
An agency-first design asks a different question. Not how to hold the data more safely, but how the citizen controls what is done with it.

The answer is a verifiable credential. It is a signed proof, issued by a trusted authority, held by you, and shown only when you choose. The signature makes it hard to fake and easy for a computer to check.
Identity tells the world who you are. A credential tells the world what you are allowed to do. Most everyday dealings need only the second.

This also answers a fair worry about any national ID: does it let the government track everyone? Done right, the opposite is true.
The proof is shown straight to the checker and verified on the spot. No central system records where you signed in, and no map of your movements is built. But this only holds true if it is specifically designed for: the validity check must not phone home to the issuer, and the credential must live in your own wallet, not a government app.
Built that way, the system collects less information about your life, not more. The tools for this, valid-status lists a checker can read without the issuer learning where the credential was used, are being standardised by bodies including the US National Institute of Standards and Technology.
The likely objection is that most companies will just buy a vault, hire a data protection officer, tick the box, and move on.
But ticking the box does not lower the risk the law creates. Section 8(1) liability does not shrink because someone was hired. Controls manage the data you keep. Agency lets you stop keeping it.
Picture it as arrows on a page. In the storage model of Europe’s GDPR, every arrow of data leaving the company is a new place it can be exposed under Section 8(1).
In the agency model of India’s DPDP, the company issues one credential, and the arrows that follow are proofs being shown, not data being copied.
Data a company never holds is data no breach can leak, no audit can find missing, and no notice need cover.
The checker verifies the signature offline, and only the valid-or-cancelled status needs a quick look at a published list.
Aadhaar Is Not a Birthdate. A Passport Is Not Citizenship.
Two recent official reminders make the point. The Unique Identification Authority of India (UIDAI) said again that Aadhaar proves who you are, not your date of birth. Soon after, the Ministry of External Affairs said an Indian passport is a travel document, not final proof of citizenship. Neither was a new law. Together they revealed an old problem.
We ask Aadhaar to prove an age it was never meant to. We ask the passport to prove a citizenship it does not settle. We ask the voter roll to prove where you live, when it only recorded where you registered.
When one document must prove everything, it proves each thing weakly. And to settle one small fact, you hand over your whole identity.
A verifiable credential works the other way around. It proves one specific fact, signed by the authority that can vouch for it, and you show that one fact and nothing else. This is called selective disclosure.
Proving you are over eighteen need not reveal your birth date. Proving you may draw a benefit, sit for an exam, or open an account need not expose the rest of your life.
The office that knows the fact issues the proof. You carry it. The checker sees only what the moment calls for.

This friction reaches everyone. A software engineer in Bengaluru re-submits the same papers at every new mutual fund and broker, because her earlier KYC (know your customer) check was only recorded, not reused.
A delivery rider in Mumbai proves himself again at each app he works for. Checking the same person at every counter is the wrong design for a country that could check once and let the proof travel.
The waste is not abstract: the RBI requires periodic re-KYC every two, eight, or ten years by risk category, so the same customers are pulled back through the same checks on a clock. Multiplied across a billion accounts, verifying the same people again and again is a national expense, not a formality.
The friction falls hardest on those least able to absorb it. A migrant worker who follows the harvest across states opens a new account, draws his wages, and proves who he is all over again in every town he passes through. He is owed a provident fund and an accident insurance he has heard of but has never once managed to claim, because each claim begins by proving his identity from scratch. For him, the proof he cannot carry is money he never sees.
India has already shown it can make identity portable and citizen-held. DigiLocker has put verified documents into hundreds of millions of hands.
The Account Aggregator framework lets a person share verified financial data with a lender without handing over raw bank statements. The open question is whether KYC finally joins them.
The agency-first answer is a KYC credential. The bank that first checked you issues it, tied to your Aadhaar-verified identity and signed. Any other bank that needs the same assurance reads the signature, trusts the check already done, and keeps only what it needs.
Under today’s rules, though, this counts as relying on someone else’s work, not being excused from your own. The second bank still owes its own customer-due-diligence and record-keeping duty.
So to make verify-once fully legal, the RBI would need to amend its Master Direction on KYC (2016) to let a credential’s proven history satisfy that duty.
India is meanwhile going the other way, rebuilding the Central KYC Records Registry (CKYCR) as CKYCRR 2.0, a real-time central store with duplicates removed, announced in the 2025 Budget.
The agency-first choice: let identity rest on credentials the citizen holds, not on ever-larger central copies, while the Account Aggregator framework carries the transaction data.

| Glossary: identity and credentials Agency The power to decide what is done in your name, and to grant, limit, or withdraw that power. It is the organising idea of this article: DPDP puts the citizen, not the institution, in that role. Data principal and data fiduciary DPDP’s terms for the two sides. The data principal is the individual the data is about; the data fiduciary is the organisation that holds it and answers for how it is used. Verifiable credential A digitally signed proof of a single fact, your age, your degree, your KYC status, that you keep on your own device and present when needed, without handing over the underlying documents. Selective disclosure Proving one fact while hiding the rest, such as showing you are over eighteen without revealing your date of birth. Self-sovereign identity An identity you hold and control yourself, rather than one that lives on, and is looked up from, a central government or company system. Device-bound key A secret stored inside your phone that never leaves it, used to prove a credential. Unlike an OTP, there is no code to read out and nothing a caller can extract. One-time password (OTP) The short code sent by text message to confirm a transaction. It is a shared secret, which is why it can be coaxed out of you or intercepted. SIM swap A fraud in which a criminal moves your mobile number onto their own SIM card, so the codes meant for you arrive on their phone. KYC (know your customer) The identity check a bank must run before serving you. Today every institution repeats it; a credential lets it be done once and reused. Principal-agent problem A classic idea in economics: once you let someone act for you, their interests can diverge from yours, so you need ways to set limits, check their work, and revoke their authority. |
The OTP Is the Attack Surface. A Held Credential Removes It
Safety is the second reason to let people hold their own credentials. India proves identity mostly with a shared secret, the one-time password, or OTP. That has become a national weakness.
Reported cyber-fraud losses reached about Rupees 22,845 crore in 2024, up about 200 percent on the year before, according to the Indian Cyber Crime Coordination Centre.
A shared secret is easy to steal. It can be talked out of you on a call, or grabbed after your mobile number is copied onto a new SIM.
It is often the migrant worker, far from home and trusting a polite caller who already knows his name, who pays first, a day’s wages gone before he understands what the code on his phone was protecting.
A verifiable credential works differently. It is proved by a key locked inside your phone. There is no code to read aloud and nothing for a caller to pull out of you. If the SIM is swapped or the phone changed, the credential breaks and must be set up again.
The RBI has now moved this way. Its Authentication Directions of September 2025, in force from April 2026, require a changing authentication factor and recognise device-locked keys and biometrics. So the door is not merely open. It is required.

This is the agency model’s second payoff. The same design that shrinks the compliance burden also shuts down shared-secret attacks, the SIM swaps and OTP phishing that a phone-locked key ends outright.
It does not stop every scam. Where a victim is talked into approving a payment herself, you need other defences: checking the payee’s name, watching transactions, a short cooling-off period, not a stronger login.
But proving who you are by holding a credential, instead of repeating a secret a stranger can coax out of you, is cheaper to run and safer for the citizen.
Are the Fifth Verifiable Credentials Layer of the India Stack
Here the argument reaches familiar ground for anyone who has worked on the India Stack. Verifiable credentials are the next layer, and the four below already exist.
This is not only an Indian idea. The Bank for International Settlements, in its 2024 ‘Finternet’ paper co-written by Nandan Nilekani, the architect of Aadhaar and the India Stack, puts user-held identity at the centre of the financial system’s next design.

Here the argument reaches familiar ground for anyone who has worked on the India Stack. Verifiable credentials are the next layer, and the four below already exist.
This is not only an Indian idea. The Bank for International Settlements, in its 2024 ‘Finternet’ paper co-written by Nandan Nilekani, the architect of Aadhaar and the India Stack, puts user-held identity at the centre of the financial system’s next design.
Look at the layers already built.
Identity, through Aadhaar and e-KYC, made paperless service possible.
Payments, through UPI, made cashless life possible.
Data exchange, through DigiLocker and schemes like the National Academic Depository (NAD), the Academic Bank of Credits (ABC), and the Ayushman Bharat Digital Mission (ABDM), made document-free checks possible.
Consent, through the Account Aggregator framework, made approved sharing possible.
Each layer made the next reachable. Verifiable credentials are the natural fifth, folding issuing, permission, and checking into one design where the individual holds and shows signed proofs.
The Government is already heading this way: ABDM has issued credential-like records, ABC is moving toward portable academic credit, and DigiLocker toward verifiable credentials.
One distinction is easy to miss. DigiLocker today is a government-run store of documents that apps can fetch with your permission. It is remarkable public infrastructure, but not yet self-sovereign identity in the strict sense.
The root of trust sits on government servers, and you can share a whole document, not just a single fact inside it. The recent pilots have started to close that gap.
The fair objection is that this has been promised before. India has heard that the wallet is coming for years, and a reasonable official will ask why a credential layer arrives now when it did not before.
The answer is that the missing pieces are now in place. The standard is finished: W3C Verifiable Credentials 2.0 became a formal recommendation in 2025.
The regulator has moved: the RBI now requires stronger, changing authentication and recognises device-bound keys. And the base layers already run at national scale.
What was aspiration a decade ago is now assembly. Finishing the job is what DPDP, read and interpreted as a law about agency, calls for.
The layer should be built on the World Wide Web Consortium (W3C) Verifiable Credentials 2.0 standard, which became an official recommendation in 2025. It works across systems, it can prove a single attribute at a time, and it places the credential in the wallet the citizen chooses, not a government app. Working systems built to this standard, including options such as Manatoko VC, show the approach is practical.
India would not be moving alone. The European Union’s eIDAS 2.0 rules require every member state to offer citizens a holder-held digital identity wallet by the end of 2026. Brazil is already issuing W3C verifiable credentials to farmers, starting with land records for up to seven million of them.
MOSIP, the open-source platform behind national ID systems in several countries, is extending into citizen-held credentials through its Inji wallet on the same W3C standard.
None has a foundation like India’s.
The policy question: does the Government grow DigiLocker into this, recognise parallel W3C efforts, or run both? Probably both. It still needs a decision.
| Glossary: the India Stack and systems abroad Aadhaar and e-KYC Aadhaar is India’s biometric identity number; e-KYC is the electronic identity check built on it. India Stack The layered set of digital public systems India has built: identity (Aadhaar), payments (UPI), data exchange (DigiLocker), and consent (the Account Aggregator framework). DigiLocker A government platform that stores citizens’ verified documents and lets approved apps fetch them with the citizen’s permission. Account Aggregator (DEPA) A consent system that lets a person share verified financial data with a lender without handing over raw bank statements. DEPA is the design principle behind it. CKYCR and CKYCRR 2.0 India’s Central KYC Records Registry, a central store of KYC records; version 2.0 rebuilds it as a real-time, duplicate-free central database. W3C Verifiable Credentials 2.0 The international standard, from the body that sets web standards, that makes credentials interoperable and able to prove one attribute at a time. SD-JWT-VC and BBS+ are formats used with it. eIDAS 2.0 The European Union rule requiring every member state to offer its citizens a digital identity wallet by the end of 2026. MOSIP and Inji MOSIP is an open-source platform used to run national ID systems in several countries; Inji is its citizen-held credential wallet. GOV.br Brazil’s national digital identity system. The country is now issuing W3C verifiable credentials, beginning with land records for farmers. Finternet A 2024 Bank for International Settlements paper, co-authored by Aadhaar’s architect Nandan Nilekani, proposing a financial system built around user-held identity. Indian regulators (RBI, SEBI, IRDAI) The Reserve Bank of India for banking, the Securities and Exchange Board of India for markets, and the Insurance Regulatory and Development Authority of India for insurance. UIDAI, NPCI, TRAI, DPIIT In order: the authority that runs Aadhaar, the body behind UPI payments, the telecom regulator, and the department that promotes industry and internal trade. NAD, ABC, ABDM Digital public schemes for academic records (National Academic Depository), transferable academic credit (Academic Bank of Credits), and health records (Ayushman Bharat Digital Mission). GDPR, W3C, FDIC, FinCEN The European Union’s data-protection law; the World Wide Web Consortium that sets web standards; and two US regulators, the Federal Deposit Insurance Corporation and the Financial Crimes Enforcement Network. |
Agency in the Age of AI: Does Authority Travel With the Agent?
The hardest test of this whole idea is the AI agent. By 2026 the artificial intelligence agent is a real part of the economy, and people are handing it real decisions.
So here is the question. When you let an artificial intelligence agent act for you, does your authority travel with it, or does handing off the task become handing over control?
Your authority cannot vanish the moment you delegate. An agent that acts for you without carrying your authority is not really your agent. It becomes one more party with its own interests, and the very imbalance the law was meant to fix creeps back in.
Economists call this the principal-agent problem. Stephen Ross described it in 1973, and Jensen and Meckling gave it its lasting form in 1976.
The moment you hand off a task, your interests and the agent’s can drift apart. So you must be able to set what the agent may do, check what it did, and cancel its authority. DPDP writes that structure into law.

The agency-first reading of the DPDP Act delivers this. An AI agent acting in your name carries your permission in a form the other side can check. It shows your credential, not its own say-so about you. And the trail of authority can be audited end to end. The agent becomes a carrier of your authority, not its owner. That is the difference between delegating a task and surrendering control.
This is already taking shape in payments. India’s UPI Circle lets one person give another limited, cancellable permission to spend.
Stripe’s Agentic Commerce Protocol brings the same idea to software: it gives an AI agent a one-time token good for a single merchant and amount, and it expires within minutes.
The natural next step is that the agent needs an identity of its own, one that can be issued, limited, and cancelled.
In other words, KYC has to cover not just the people a bank signs up, but the software agents acting in their name.
Quick answers: DPDP, KYC, and the credential layer
Is DPDP a privacy law or an agency law? The agency-first reading of the DPDP Act delivers this. An AI agent acting in your name carries your permission in a form the other side can check. It shows your credential, not its own say-so about you. And the trail of authority can be audited end to end. The agent becomes a carrier of your authority, not its owner. That is the difference between delegating a task and surrendering control.
This is already taking shape in payments. India’s UPI Circle lets one person give another limited, cancellable permission to spend.
It is a data-protection law whose core design choice is agency. It calls the individual a data principal, makes consent the main legal basis, and holds the data fiduciary responsible for its processors. Agency is the method; privacy is the result.
What are verifiable credentials, and why the fifth layer of the India Stack?
They are signed proofs a person holds and shows, built on the W3C Verifiable Credentials 2.0 standard. They sit above Aadhaar for identity, UPI for payments, DigiLocker for data exchange, and the Account Aggregator framework for consent, as the agency layer both the BIS Finternet paper and DPDP point toward.
What does verify-once look like for one citizen? The retired soldier from the opening proves who he is one time, into a wallet on his phone. After that he simply shows it, to the bank, the broker, the pension office, in seconds, with no renewal and no freeze.
After May 2027, What Might Go Wrong?

Here is the alternative, and it is not pretty. When DPDP takes effect, every bank must respond, and the safe instinct is to check more, not less.
A bank is now responsible for its outside processors under Section 8(1), and faces penalties of up to Rupees 250 crore for weak security. So it collects more: more frequent re-KYC, more documents on file, an account frozen at the first hint of doubt.
The retired soldier from the opening paragraph is the one who feels it first, handed another notice and another morning at the bank branch to prove he is the man the bank has paid for thirty years.
The bank fears the money-laundering penalty for checking too little more than the data-minimisation penalty for collecting too much, even though DPDP now carries both sets of penalties.
So a law written to give the citizen control over personal data, if it is built as just another set of controls, would hand that citizen more forms, more freezes, and more demands to prove himself, while the bank quietly collects more, not less.

There is one clean way out. A verifiable credential breaks the link between compliance and hassle.
The customer proves once and carries the proof. The bank meets its KYC and anti-money-laundering duty by checking a signature it can trust. Compliance goes up. Repeated verification comes down.
DPDP sets up a relationship: the Indian individual holding authority over what institutions do in his name. The Indian Government read that brief correctly.
Verifiable credentials are the layer that turns it into working infrastructure. Reading the law is the easy part. Building the layer is the work, and it belongs to the architects of Indian policy.
| The questions on the policy architect’s desk Who standardises the credential layer? It needs an authority like the one the National Payments Corporation of India (NPCI) became for payments. That could sit inside an existing body, a new one, or a public-private group. Who certifies wallets, and who may issue credentials? Every wallet must meet a basic bar for security and reliability, and trusted issuers must be named. UIDAI, the RBI, central and state boards, and ABDM-registered providers are obvious first issuers. Background-check firms, payroll providers, and platforms need clear rules too. How does it sit with the regulators already in the room? The RBI, SEBI, IRDAI, the Telecom Regulatory Authority of India (TRAI), and the Department for Promotion of Industry and Internal Trade (DPIIT) all have a stake. India can also help shape the still-evolving W3C standards, especially where its scale goes beyond anything those standards have been tested against. |
Assess Your DPDP Risk
It helps to see this in both theory and practice. First the theory. The chart below shows a sample organisation’s DPDP penalty risk across five areas: how much sensitive data it holds, how it is classified under the law, how mature its consent process is, how exposed children’s data is, and how ready it is for a breach.

The further a point sits from the centre, the higher the risk in that area. Few organisations are exposed evenly. The value is in seeing where the risk really piles up, so the work starts in the right place.
That is the theory. The practice is one click away. The Manatoko DPDP Exposure Index scores your own organisation in about two minutes at dpdpex.manatoko.ai. Fifteen questions return a single score, a risk band, an estimated penalty exposure, and the chart above drawn for your own numbers. There is no sign-up, and nothing you enter is stored, logged, or shared.
May 2027 is the deadline, not the decision. The decision is simpler, and it is already on the table: keep proving the same people over and over, or let them prove once and carry it.
Every layer but this one is already built. The retired soldier from the opening paragraph should not have had to walk into a branch to prove he is himself, and whether any citizen ever does again is no longer a question of law, or money, or effort. It is a question of will.
Sources
Digital Personal Data Protection Act 2023 and the DPDP Rules 2025, notified 13 November 2025, with main obligations from 13 May 2027 and penalties up to Rupees 250 crore, Ministry of Electronics and Information Technology.
Reserve Bank of India (Authentication mechanisms for digital payment transactions) Directions, 2025, issued 25 September 2025 and in force from 1 April 2026, Reserve Bank of India.
Cyber fraud losses of about Rupees 22,845 crore in 2024, reported by the Indian Cyber Crime Coordination Centre to the Lok Sabha, Ministry of Home Affairs.
Verifiable Credentials 2.0, a W3C Recommendation since 15 May 2025, World Wide Web Consortium.
Finternet: the financial system for the future, BIS Working Paper 1178, by Carstens and Nilekani, 2024, Bank for International Settlements.
The Central KYC Records Registry 2.0, announced in the Union Budget 2025, industry overview.
Shirish Netke
Shirish Netkehas driven the adoption of new technologies across finance, telecommunications, and manufacturing in 35 countries, and has held leadership roles at Sun Microsystems, Wipro, Aztecsoft, and Absolute Quality; at Sun, he was a key leader on the evangelist team that launched the Java programming language in developing countries. As CEO of Amberoon, he leads the application of AI and automation to compliance, performance, and risk management in banks, through products such as Statum, Manatoko, and Lucre that bring modern technology to regulatory compliance, KYC ("know your customer"), and identity proofing. He has worked with federal and state regulators in the United States, including the Federal Deposit Insurance Corporation (FDIC) and the Financial Crimes Enforcement Network (FinCEN), on applying technology to regulation, and has testified as a technical expert before the US Congress and the California State Legislature. He writes on Agile Compliance, the principle that governance should drive process and process should drive technology, in Amberoon's blog. He has been featured as a business thought leader in the New York Times, Investor's Business Daily, Chief Executive Magazine, and Asia Times, and was a contributing author to The RegTech Book (Wiley, 2019), with the chapter 'RegTech and the Science of Regulation.'
