
Opinion: Time for India to blaze the trail further on UPI: Build guardrails for data privacy

While data collection in UPI is not as Orwellian as the behavioural data collection and monetization by social-media firms, there are parallels. And perhaps, lessons to be learned.


Payal Malik

Harishankar Thayyil Jagadeesh

February 7, 2025 03:05 PM IST First published on: Feb 7, 2025 at 06:58 AM IST

A payments architecture that is ubiquitous, costless to the user, reliable and used by millions, UPI is one of India’s defining contributions to the 21st century. It has allowed India to bypass the dominance of card networks and moved digital payments ahead by decades.

Here, we argue that the policy discourse on problems created by the duopoly-like structure among third-party app providers (TPAPs), such as GooglePay and PhonePe, and the attempts to reduce market share below 30 per cent, is misplaced. The imposition of an arbitrary market-share cap to mimic a competitive outcome is counterproductive. These markets tend to become concentrated due to positive network externalities. There are other issues around UPI that need to be addressed — the biggest is personal data protection.


UPI shares significantly more data on the digital spending habits of consumers than traditional forms of transactions such as credit cards. Also, UPI does not have any data storage standards, unlike traditional payment systems, which have strict standards such as the Payment Card Industry Data Security Standard. Finally, the data-sharing policies of TPAPs are not publicly available, limiting awareness of the data implications of the UPI ecosystem. This situation of maximal data collection and minimal standards is exacerbated by the number of parties involved in a UPI transaction, increasing the possibility of data leaks.

Privacy experts argue that the UPI ecosystem is able to sustain without fees simply by virtue of being premised on data collection and data sharing. This means that if you are not paying, you are the product. While data collection in UPI is not as Orwellian as the behavioural data collection and monetisation by social-media firms, there are parallels. And perhaps, lessons to be learned. The true cost of the UPI duopoly is that the extracted data is entrenching the market position of data-rich TPAPs. Data leveraging by TPAPs into adjacent markets may limit contestability in the broader financial products market, including insurance and micro loans. While business models based on data extraction are clearly a cause for concern, artificial market-share caps would not address this problem.

This discussion becomes crucial in the context of the recent Digital Personal Data Protection (DPDP) Rules, 2025. TPAPs could fall within the ambit of significant data fiduciaries defined in the draft. The draft regulations emphasise the principle of data minimisation, which specifies that only the data necessary for fulfilling the purpose for which consent has been obtained must be collected. When applied to the UPI ecosystem, this would entail determining the least amount of information with which UPI services can be rendered efficiently, safely and reliably. While the minimal data required can be freely shared among ecosystem participants, any further collection of user information should be based on informed, unambiguous and specific consent. These pro-competitive principles of data minimisation and purpose limitation can mitigate the harms of data accumulation by large firms.


It is important to note that Rule 5(1) of the Draft DPDP Rules 2025 permits the state and its instrumentalities to process personal data of a data principal for the provision or issuance of subsidies, benefits, services, etc. UPI would likely fall within the scope of the exemption to state instrumentalities. However, such exemption should be limited to the core infrastructure operated by NPCI. TPAPs, who are private operators riding on the rails of the DPI, need not be given such exemptions. If the Draft DPDP Rules 2025 are enacted and applied in a considered manner to the UPI ecosystem, they have the potential to create a high degree of transparency and protection of personal data, which can maintain and grow public trust in UPI and address the competition issue.

The joint communiqué by the G20 Troika (India, Brazil and South Africa) on DPI, AI and data for governance also calls for reducing asymmetries in the digital economy and emphasises the establishment of equitable principles for data governance to ensure privacy and security. Perhaps it is time for India to blaze the trail further in financial DPI and consolidate its position at the vanguard of innovation in financial inclusion by implementing these data governance principles.

Malik is visiting professor, ICRIER Prosus Centre and Jagadeesh is fellow (consultant), ICRIER
