I. Introduction
Over the last ten years, digital identity verification has transitioned from a specialized technical issue to one of the areas of law and policy that have the deepest impact on people’s lives. Determining your identity online, the means of confirming that identity, and the question of who is allowed to keep the data related to that identity are at the heart of discussions on privacy, state power, access to finance, and personal freedom.
India offers a very interesting perspective for this study. It has the largest biometric identity system in the world, Aadhaar. It is also, with the Digital Personal Data Protection Act, 2023, grappling with the rollout of its first comprehensive data protection law. The constitutional challenges around Aadhaar led to the nine-judge bench decision in Justice K.S. Puttaswamy (Retd.) v. Union of India recognising privacy as a fundamental right, before the Aadhaar Act itself was examined by a five-judge bench in 2018. Regulators such as the Reserve Bank of India and the Securities and Exchange Board of India (SEBI) also continue to widen the range of digital identity requirements in the financial sector. This paper charts the development of digital identity verification, the regulatory frameworks that have been set up in response, and the points where the major issues still persist.
II. Digital Identity Verification
Identity verification involves confirming that a person is who they say they are when they act online or carry out financial transactions. The individual's information is checked against reliable outside sources, such as government identification documents, databases, and biometric data. Common methods include document checks, face recognition, one-time passwords, and, more recently, video-based identity verification.
The expansion of this industry was driven by several different factors coming together. Digital banking and e-commerce grew a lot, so millions of transactions took place without any direct, in-person contact. At the same time, cybercrime and identity fraud increased significantly. Regulators, especially those in financial services, responded by making Know Your Customer and Anti-Money Laundering rules stricter. In India, the convergence of the Digital India program, the widespread use of UPI, and significant activity in the fintech sector has created a huge need for scalable, dependable identity verification systems that also meet regulatory requirements.
Artificial intelligence has played a major part in the move towards using digital identities for e-commerce and e-government services. AI-driven systems have made biometrics, such as facial recognition, fingerprint matching, voice recognition, and even behavior analysis, much more effective. In fact, these often now work better than the older methods of manual authentication. However, with these advancements come increased opportunities for surveillance.
III. Aadhaar and the Constitutional Framework in India
No conversation about digital identity in India can start anywhere but with Aadhaar. The system started in 2009 and was later placed on a statutory footing by the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act of 2016. It collects biometric and demographic details for over a billion residents, giving each a unique twelve-digit ID number. Initially, the goal was to stop corruption in welfare delivery, but the scope quickly grew and now includes banking, access to mobile connections, income tax filing, and many other avenues.
The constitutional challenge came in two waves. The first led to what is arguably the most important privacy judgment in Indian legal history. In Justice K.S. Puttaswamy (Retd.) v. Union of India, a nine-judge bench of the Supreme Court unanimously held in 2017 that the right to privacy is a fundamental right protected under Articles 14, 19 and 21 of the Constitution. Overruling the earlier decisions in M.P. Sharma and Kharak Singh, the court held that the right to privacy is inherent in the liberties guaranteed by Part III of the Constitution and is intrinsic to the concept of human dignity.
The second wave challenged the Aadhaar Act itself. In the 2018 Aadhaar judgment, the five-judge bench upheld the constitutionality of the Act by a 4:1 majority but struck down the portion of Section 57 enabling private entities and body corporates to seek Aadhaar authentication on a purely contractual basis. Justice Chandrachud, in dissent, described the entire project as an architecture of surveillance that violated the informational privacy and autonomy of citizens. The majority’s acceptance of the data minimisation principle was, however, important: the court reaffirmed that the state cannot collect data that goes beyond the scope of a legitimate purpose. That constraint has now made its way into Indian regulatory thinking on digital identity.
IV. The Digital Personal Data Protection Act, 2023
For years after the Puttaswamy privacy judgment, there was no comprehensive data protection statute in India. Under the IT Act and its rules of 2011, only a restricted class of sensitive personal data was protected. This changed with the Digital Personal Data Protection Act, 2023 (DPDPA), passed by Parliament in August 2023 and largely brought into force through the Digital Personal Data Protection Rules, 2025.[1]
The DPDPA establishes a consent-based approach to processing digital personal data. Personal data means any data about an individual who is identifiable from or in relation to such data. Before collecting personal data, a data fiduciary shall provide to the individual a clear notice describing the data to be collected and the purpose for which it shall be collected. The individual has the right to withdraw consent at any time. The Act also establishes the Data Protection Board of India as the adjudicatory authority, with the authority to determine non-compliance and impose financial penalties.
The Act has direct implications for digital identity verification. Banks and fintechs using video KYC or Aadhaar-based e-KYC are data fiduciaries under the Act, so its notice and consent requirements apply to all onboarding. What the Act lacks is stronger protection for sensitive types of data, such as biometric data. Unlike the GDPR, the DPDPA does not differentiate between types of personal data. This becomes a problem when the personal data is something that cannot be changed if misused, such as fingerprints or iris scans.
V. The Global Regulatory Picture
To properly understand India’s approach, one must look at what is happening internationally. For instance, the European Union passed eIDAS 2.0, officially Regulation (EU) 2024/1183, which entered into force on May 20, 2024. By the end of 2026, every EU member state must offer at least one European Digital Identity Wallet to its citizens and businesses. These wallets allow people to keep their verified credentials in one place and use them across all member states, so a person verifies once and can reuse that verification many times. This drastically reduces the need for repeated identity checks.
In the UK, the Data (Use and Access) Act 2025 created a trust framework for Digital Verification Services and established the Office for Digital Identities and Attributes as the statutory body to oversee a trusted and secure digital identity market. This is part of a global trend, with regulators moving beyond merely responding to the technology of identity verification and instead constructing legal frameworks that will dictate how it can be offered commercially.
VI. Conclusion
Digital ID verification is now a well-established industry, and a substantial body of regulation is starting to build around it. In India, the DPDPA and the outcome of the Aadhaar constitutional cases together create the basic legal structure. But this structure needs more substance: clearer rules on the sensitivity of biometric data, and direct supervision of the commercial companies acting as KYC intermediaries. There should also be stronger ways for people to complain and obtain redress if they are excluded because of problems with authentication.
[1] Digital Personal Data Protection Act 2023 (Act No. 22 of 2023); Digital Personal Data Protection Rules 2025 (notified 13 November 2025, MeitY Gazette Notification). The Act came partially into force on 13 November 2025 with remaining provisions on a phased schedule through 2027.

Hritvik Gupta is a legal writer and researcher associated with LEGALLANDS LLP, where he contributes analytical and research-driven articles on corporate governance, international trade laws, and policy reforms. His writing reflects a deep understanding of evolving legal frameworks and their impact on cross-border commerce and regulatory compliance.
Hritvik’s work bridges practical legal insight with emerging global regulatory trends, offering readers a balanced perspective that combines academic depth with real-world application. He takes a keen interest in the intersection of law, technology, and international policy, contributing to the discourse on how businesses and governments can adapt to dynamic legal environments.
Through his contributions to Legallands.com, Hritvik aims to make complex legal developments more accessible, insightful, and relevant to businesses, professionals, and policymakers operating in an increasingly interconnected world.


