India drops proposal to mandate national ID app Aadhaar on smartphones after pushback

What Happened

India's Ministry of Electronics and Information Technology (MeitY) and the Unique Identification Authority of India (UIDAI) have decided not to mandate the pre-installation of the Aadhaar application on smartphones sold in India.
UIDAI had proposed the pre-installation requirement to MeitY in January 2026, following the launch of a revamped Aadhaar app on January 28, 2026, featuring selective sharing, consent controls, face authentication, biometric lock/unlock, QR-based sharing, and support for up to five Aadhaar profiles per device.
The proposal was withdrawn following strong pushback from major smartphone manufacturers, particularly Apple and Samsung, who raised concerns about security vulnerabilities and increased production costs.
This was the sixth time in two years the government sought pre-installation of state-owned apps on mobile phones; all previous attempts faced similar industry resistance.
UIDAI issued a statement confirming the reversal, citing the IT ministry's position that it "is not in favour of mandating the pre-installation of the Aadhaar App on smartphones."

Static Topic Bridges

Aadhaar — Legal Framework and UIDAI's Mandate

The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 is the primary statutory basis for India's biometric identity infrastructure. UIDAI is a statutory authority established under this Act.

Act enacted: September 12, 2016 (passed as a Money Bill in Lok Sabha — itself controversial); amended by Aadhaar and Other Laws (Amendment) Act, 2019.
UIDAI established: July 12, 2016; under MeitY.
Aadhaar: 12-digit unique number linked to biometric data (10 fingerprints, 2 iris scans, photograph) stored in the Central Identities Data Repository (CIDR).
Section 23(2): UIDAI has power to specify demographic and biometric information to be collected for registration.
Section 8(4): UIDAI may share identity information but NOT biometric information; requesting entities must obtain individual consent before authentication.
Penalties: Clause 34 — false information/impersonation: up to 3 years imprisonment and/or ₹10,000 fine; Clause 38 — unauthorised CIDR access: up to 3 years imprisonment and minimum ₹1 lakh fine.
Aadhaar coverage: over 1.4 billion Aadhaar numbers issued (as of 2025).

Connection to this news: The Aadhaar Act grants UIDAI authority over enrolment and authentication, but does not give it power to mandate app installation on private devices. The proposal would have required either a new statutory mandate or leveraging existing IT regulations — both of which faced legal and policy obstacles.

Puttaswamy Judgments — Right to Privacy and Aadhaar's Constitutional Limits

Two Supreme Court nine-bench judgments in the Justice K.S. Puttaswamy v. Union of India cases established the constitutional parameters for Aadhaar and digital identity systems in India.

Puttaswamy I (2017): Nine-judge bench unanimously declared the Right to Privacy a Fundamental Right under Article 21 (Right to Life and Personal Liberty) and Part III. Overruled earlier judgments (M.P. Sharma, 1954; Kharak Singh, 1963) that had denied privacy as a fundamental right.
Puttaswamy II (2018): Five-judge bench upheld the constitutional validity of the Aadhaar Act, but with significant restrictions:
Aadhaar mandatory for government subsidies/benefits (Section 7) — upheld.
Aadhaar mandatory for private entities (banks, mobile SIMs, school admissions) — struck down.
Authentication by private entities without an enabling law — prohibited.
Aadhaar for children's school admissions — struck down.
The 2018 judgment established that mandatory Aadhaar use requires proportionality — the infringement of privacy must be proportionate to the government's legitimate aim.

Connection to this news: The proposal to mandate Aadhaar app pre-installation on all smartphones would face the proportionality test from Puttaswamy II — requiring the government to demonstrate that universal pre-installation is the least invasive means of achieving its digital identity goals. The withdrawal suggests an implicit recognition that this test could not be met.

The Digital Personal Data Protection (DPDP) Act, 2023 establishes the data governance framework that now applies to Aadhaar-related data processing, supplementing the Aadhaar Act.

Enacted: August 2023; creates a new data protection regime with Data Fiduciaries (entities processing data) and Data Principals (individuals).
Key principles: notice before collection, consent for voluntary processing, purpose limitation, data minimisation, accuracy, storage limitation.
Data Principals' rights: right to access information, right to correction, right to erasure, right to grievance redress, right to nominate.
Significant Fiduciary status: Social media platforms and certain entities with large datasets can be designated "Significant Data Fiduciaries" with additional obligations.
Carve-out for State processing: the Act exempts certain government processing for subsidies and benefits — directly relevant to Aadhaar's welfare delivery function.
Data Protection Board of India: adjudicatory body; penalties up to ₹250 crore per violation.

Connection to this news: Mandatory pre-installation of the Aadhaar app would place smartphone manufacturers in the position of Data Fiduciaries processing users' Aadhaar-linked data without explicit consent — potentially creating DPDP Act compliance issues that contributed to industry resistance.

India's App Pre-Installation Policy — Repeated Reversals

The Aadhaar pre-installation proposal fits a pattern of Indian government attempts to mandate pre-installation of state-owned apps, all of which have faced industry resistance.

The proposal was the sixth such attempt in two years; previous efforts also targeted DigiLocker, the government's digital document wallet, and other MeitY-backed applications.
Industry concerns consistently centre on: (a) security risks from mandatory pre-loaded apps that cannot be removed, (b) cost implications for device manufacturers, (c) interference with app store policies of major platforms (Google, Apple).
Apple's App Store guidelines and Google's Android policies restrict mandatory pre-installation of apps not certified by the platform — adding a technical compliance dimension.
The IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 do not currently mandate pre-installation of apps; any such requirement would require new regulatory action.
India's smartphone market: over 600 million smartphone users; 3rd-largest globally; pre-installation mandates in this market would have significant global OEM implications.

Connection to this news: The repeated pattern of proposals and withdrawals reflects a tension between the government's ambition to deepen digital public infrastructure penetration and the practical, legal, and commercial constraints on compelling private technology companies to carry state applications.

Key Facts & Data

UIDAI established: July 12, 2016; under MeitY; statutory under Aadhaar Act, 2016
Aadhaar numbers issued: 1.4 billion+ (as of 2025)
New Aadhaar app launched: January 28, 2026; features: selective sharing, consent controls, face auth, QR sharing, 5 profiles/device
Proposal to mandate pre-installation: submitted by UIDAI to MeitY, January 2026
Proposal withdrawn: April 2026 (sixth such failed attempt in two years)
Puttaswamy I (2017): Privacy = Fundamental Right under Article 21 (9-judge bench)
Puttaswamy II (2018): Aadhaar upheld for welfare benefits; struck down for private use
DPDP Act, 2023: Data Protection Board; penalties up to ₹250 crore per violation
India smartphone users: 600 million+ (3rd-largest market globally)
Aadhaar Act, 2016 (amended 2019): Section 7 (subsidies), Section 8(4) (no biometric sharing), Section 57 struck down (private use prohibited)