The Aadhaar judgment of 2018, Justice D.Y. Chandrachud's dissent in particular, identified several structural features of the biometric identification system that were constitutionally problematic: the absence of a data protection law at the time of enrolment, the near-mandatory character of a nominally voluntary system, the breadth of UIDAI's data sharing arrangements, and the absence of a consent architecture that was meaningful rather than formal. Six years on, with the DPDP Act in force and the DPDP Rules 2025 notified, the question is whether those structural deficiencies have been cured or merely papered over.
Aadhaar enrolment is, on its face, voluntary for most purposes. The Supreme Court's majority in the 2018 judgment held that mandatory Aadhaar linkage for income tax returns and for government benefits was constitutionally permissible, but struck down mandatory linkage for bank accounts and mobile phones as disproportionate. In practice, the distinction between voluntary and mandatory is narrower than the legal framework suggests. Aadhaar is operationally required for so many government services, PAN linkage, EPFO access, direct benefit transfer, passport applications, that non-enrolment involves a significant sacrifice of government-provided entitlements. A legal framework that calls this voluntary while making the cost of non-enrolment prohibitive is not describing the experience of most Indian residents accurately.
The DPDP Act, 2023 defines consent as free, specific, informed, unconditional, and unambiguous. The Act creates a framework of data principal rights: the right to access information about processing, the right to correction, the right to erasure, and the right to grievance redress. Applied to Aadhaar's existing consent architecture, these requirements create significant friction. Aadhaar enrolment was conducted across a decade under consent terms that predate the Act. The data already collected, biometric and demographic, was collected under a different legal regime. Whether the DPDP Act's requirements apply to historical collections is unresolved.
The DPDP Rules 2025 fill in significant implementation detail. They specify the form and content of consent notices, the procedure for exercising data principal rights, the obligations of consent managers, and the security standards for processing sensitive personal data. An overview of the regulatory context appears in this original Aadhaar litigation analysis, while the Rules' implications for data principal rights are examined in detail in the EY analysis of the DPDP Rules.
The most significant gap in the DPDP Rules, from an Aadhaar perspective, is the treatment of state actors. The Act's exemptions for government processing, particularly for purposes of sovereignty, security, and law enforcement, are broad and not subject to the general consent requirements. UIDAI's processing of Aadhaar data for authentication purposes may fall within these exemptions, depending on how the exemptions are construed. If the exemptions are interpreted generously, the DPDP framework provides limited additional protection to Aadhaar subjects beyond what the Aadhaar Act and its regulations already provide. The outcome of this interpretive question will determine whether the DPDP Act represents a genuine constitutional upgrade for Aadhaar or a parallel framework that operates around it.
The design question the DPDP Rules do not resolve is whether a centralised biometric database of the scale and sensitivity of Aadhaar can be operated consistently with the Puttaswamy proportionality test regardless of what consent architecture surrounds it. The concern is not only about misuse of the database; it is about the structural risk created by its existence. A database containing the biometrics of over a billion people, linked to their financial, health, and government service history, is a high-value target for state and non-state actors alike. Privacy by design, building privacy protections into the system's architecture rather than layering consent processes over a centralised design, is the approach endorsed by the Puttaswamy framework but not consistently reflected in Aadhaar's architecture.
The practical advice for individuals and institutions navigating this landscape is necessarily cautious. Organisations that use Aadhaar for authentication, banks, telecom operators, insurance companies, must now align their consent notices and data handling practices with the DPDP Rules. The Rules specify the format and content of consent requests with more precision than the Act alone, and non-compliance creates liability. For UIDAI as the data fiduciary for Aadhaar data, the DPDP Rules' requirement for a published privacy notice, a functional grievance officer, and a mechanism for data principal rights requests represents a floor of accountability that the current framework does not fully meet.
The Aadhaar system is not going to be dismantled. It is operationally embedded in the delivery of government services to an extent that makes unwinding practically impossible. The realistic question is whether it can be operated in a manner that is genuinely compliant with the Puttaswamy framework and the DPDP architecture. That requires resolving the exemption question in a rights-respecting direction, designing consent mechanisms that are meaningful rather than formal, building independent oversight of UIDAI's data sharing practices, and addressing the architectural risks of centralised biometric storage. None of these is a small task. Together, they constitute the Aadhaar reform agenda that the DPDP Rules have made both more urgent and more tractable.