
While explicit consent forms the primary cornerstone for lawful data processing under India’s Digital Personal Data Protection Act, 2023 (DPDPA), it is not the sole pathway. The Act outlines specific, narrowly defined situations, termed “Certain Legitimate Uses,” where Data Fiduciaries can process personal data without obtaining explicit consent from the Data Principal.
However, it is crucial for businesses to understand that this list is exhaustive and significantly narrower than grounds like ‘Legitimate Interests’ found in frameworks such as the GDPR. Relying on a ‘Legitimate Use’ under DPDPA necessitates careful justification and precise alignment with the defined scenarios.
What are the Key ‘Legitimate Uses’ under DPDPA?
The DPDPA provides a closed list of circumstances qualifying as Legitimate Uses. For most businesses, the most relevant ones include:
Voluntary Provision by User
- What it means: You can process personal data if an individual voluntarily provides it to you for a specific purpose AND they have not indicated they object to its use for that particular purpose.
- Example: A customer provides their phone number at a pharmacy counter specifically to receive their digital receipt. The pharmacy can process the number for that purpose without separate, explicit consent for this transaction. Similarly, if someone emails their details to a real estate broker asking for help finding accommodation, the broker can process those details for that specific request.
- Key Limitation: This is a very specific ground. Processing must cease if the user later objects or withdraws their implicit permission. Crucially, you cannot repurpose this data for unrelated activities, such as marketing, without obtaining separate consent.
For Employment Purposes
- What it means: Processing personal data necessary for employment or purposes related to safeguarding the employer (such as preventing corporate espionage, protecting intellectual property/trade secrets, or maintaining confidentiality) or for providing benefits sought by an employee.
- Example: Collecting bank details for salary processing, using biometric data for employee attendance (if necessary and proportionate to the need), or investigating potential misconduct using company system logs.
- Significance: This is a vital ground for internal HR, administrative, and security functions. It removes the need for constant, explicit employee consent for routine, necessary employment-related data processing.
Compliance with Law / Judgments
- What it means: Processing personal data when it is required to comply with any Indian law, or any judgment or order issued under Indian law. This also extends to judgments or orders from outside India related to contractual or civil claims.
- Example: Providing employee salary data to tax authorities as mandated by law, or disclosing user data based on a valid court order.
Responding to Emergencies / Public Health / Disasters
- What it means: Processing personal data necessary for medical emergencies (threat to life/health of the Data Principal or another individual), for providing medical treatment or health services during epidemics or public health threats, or for ensuring safety and providing assistance during disasters or public order breakdowns.
- Example: A hospital sharing patient data with public health authorities during a declared epidemic to manage the outbreak.
Performance of State Functions / Benefits
- What it means: Processing by the State or its instrumentalities for performing functions under any law, providing benefits/subsidies/licenses, or in the interest of sovereignty, security, etc. This is primarily relevant for government entities.
What’s Missing Compared to GDPR? A Critical Distinction
It’s vital for businesses familiar with GDPR to note what is absent from DPDPA’s ‘Legitimate Uses’:
- No Broad ‘Legitimate Interests’ Ground: Unlike GDPR’s corresponding provision, the DPDPA does not have a general-purpose ground allowing processing based on balancing the Fiduciary’s legitimate interests against the individual’s rights and freedoms. This is a fundamental divergence, meaning many processing activities that might rely on ‘legitimate interests’ under GDPR will likely require explicit consent under DPDPA.
- No Standalone ‘Performance of Contract’ Ground (for general contracts): While processing for employment (a contractual relationship) is covered, general processing necessary to perform other types of contracts (e.g., fulfilling a customer order beyond what is covered by ‘voluntary provision’) is not explicitly listed as a Legitimate Use. Such processing will likely require consent, unless it squarely fits under ‘Voluntary Provision by User’ for the specific data provided for that transaction.
Key Considerations for Businesses Relying on ‘Legitimate Uses’
If your organisation intends to process personal data based on a ‘Legitimate Use’ without explicit consent, consider the following:
- Document Your Basis: Clearly document which specific sub-clause under the Act applies to your processing activity and meticulously justify why the processing is necessary for that purpose. This documentation is crucial for demonstrating compliance.
- Interpret Narrowly: These grounds are exceptions and must be interpreted narrowly. ‘Voluntary Provision’ especially should not be stretched to cover processing that goes beyond the Data Principal’s direct, voluntary, and specific provision of the data.
- Other DPDPA Obligations Still Apply: Relying on a Legitimate Use does not negate other duties under the DPDPA. For instance, you must still:
  - Implement “Reasonable Security Safeguards”.
  - Ensure data accuracy when it’s used for decisions affecting the Data Principal.
  - Erase data when the purpose for which it was processed under a Legitimate Use ends, unless retention is required by law.
- Impact on Data Principal Rights: Be aware that some Data Principal rights, such as the Right to Access Information and the Right to Correction and Erasure, are explicitly linked to processing based on consent or the ‘Voluntary Provision by User’. The applicability and scope of these rights may be limited when data is processed under other Legitimate Uses.
Conclusion: Consent Remains the Default
DPDPA’s ‘Legitimate Uses’ provide important, but specific and limited, exceptions to the general rule of consent-based processing. Businesses cannot assume that processing is permissible simply because it seems reasonable, contractually necessary for a broad contract, or aligns with general business interests. Each instance of processing personal data without explicit consent must clearly and defensibly map to one of the defined categories in the Act.
Given the narrow scope of these ‘Legitimate Uses’ and the absence of a broad ‘legitimate interests’ provision, relying on explicit, informed consent remains the default and often the safest, most compliant path for most data processing activities under the DPDPA. Careful assessment and robust documentation are essential when deviating from this default.
Disclaimer: The information provided in this article is for general informational purposes only and does not constitute legal advice. The content is based on the Digital Personal Data Protection Act, 2023, and the Draft DPDP Rules, which are subject to change. For advice on specific legal issues, please consult a qualified legal professional.