PART I: CONSENT AND LEGITIMATE USE
Under Section 4 of the DPDPA, two legitimate grounds form the basis for any data processing: (a) purposes for which the data principal has given consent (outlined under Section 6), and (b) certain legitimate uses as outlined under Section 7.
On Consent (Sections 6-7)
Academics suggest that the legislature has intended that data collection and processing be seen as a contractual arrangement between the fiduciary and the principal (and the processor where applicable). In this light, the DPDP Act provides for a consent notice to be issued by the data fiduciary to the data principal outlining the nature and purposes for which data is being collected. This ensures that the consent collected (as mandated under Section 4) meets similar standards, specifically:
- Free and informed: The principal should know what the implications of their consent are, how much data is being collected and what the data is being used for. Further, the principal should have an actual choice – i.e., declining to share data should not have any significant detrimental impact beyond the data not being processed.
- Competent: In case of a minor or a person with disability, consent is to be collected from the parent/lawful guardian or the owner of the data.
- Specific, unconditional and unambiguous: The principal should consent, in no uncertain terms, to the data collection for the specific purpose of processing that is to be performed by the fiduciary. The fiduciary cannot attach additional preconditions to such processing.
- The principal cannot consent to anything that violates existing laws. For instance, if the principal consents to data being collected for ordinary processing, and also consents to waiving their right to seek redressal under the Act, the consent to waiver would not be recognized as valid.
- If consent is the basis for processing of data, the principal shall have the right to withdraw their consent at any point of time. Withdrawal of consent should be as easy as granting consent – this is known as the principle of revocable consent.
The above may simply be understood to refer to the "quality" of the consent provided. In addition to this, fiduciaries are also expected to adhere to certain set standards as to how the data is collected, specifically that data is to be collected only after the data principal consents through clear, affirmative action. There is no set definition of what constitutes "clear, affirmative action," but the recognition of implied consent under Section 8 of the Indian Contract Act can set some boundaries on which actions, apart from explicit consent, can be deemed to be "clear, affirmative action," until judicial interpretation of Section 6(1) of the DPDPA develops.
On Legitimate Use (Section 7)
While consent is the default basis for processing under the DPDPA, Section 7 recognises that there are certain situations where requiring consent may be impractical or unnecessary. These are termed "legitimate uses" and allow processing without prior consent, provided the conditions set out in the Act are met. Broadly, these cover:
- Voluntary provision – Where the data principal on their own initiative provides personal data for a specific purpose and does not indicate refusal. This provision appears to apply only where data is given without prompting from the fiduciary, allowing the principal to determine the processing purpose without formal notice or consent requirements.
- State functions – Where the State or its instrumentalities process data to provide or issue subsidies, benefits, services, certificates, licences, or permits, subject to prescribed standards. This applies ONLY if:
a. The principal has previously consented to such processing, or
b. The data is already available in government records and is digitised or notified for digitisation.
- Performance of legal or sovereign functions – For carrying out any function of the State under law, or in the interest of sovereignty, integrity, or security of India.
- Compliance with legal obligations – Where a law requires disclosure of personal data to the State or its instrumentalities, in line with that law's disclosure provisions.
- Execution of judicial or quasi-judicial orders – For compliance with judgments, decrees, or orders of Indian courts, or foreign orders relating to contractual or civil claims.
- Medical emergencies – To respond to an immediate threat to the life or health of the principal or another person.
- Public health measures – To provide medical treatment or services during epidemics, outbreaks, or other public health threats.
- Disaster response – To ensure safety or provide assistance during disasters or breakdowns of public order (as defined under the Disaster Management Act, 2005).
- Employment-related purposes – For purposes linked to employment, including preventing corporate espionage, protecting confidentiality and IP, safeguarding classified information, or providing any employment-related service or benefit requested by the principal.
It appears that the consent model, while central, cannot operate in a vacuum. In situations where urgency, public interest, or existing legal obligations make consent impractical, Section 7 offers a structured set of exceptions, but each is still bounded by the overarching requirement of lawful, proportionate, and purpose-specific processing.
Further, the concept of "legitimate use" is present in the GDPR as well, albeit referred to as "legitimate interest" under Article 6(1)(f). Legitimate interest is envisioned as a flexible ground of processing, applicable where the other grounds of processing do not strictly apply. The "test" for the applicability of legitimate interest is in three parts:
- Purpose test: Is there a legitimate interest behind the processing? The principle of "legitimate interest" under Recital 47 applies here, essentially stating that where the nature of the processing is not something the data subject can reasonably expect, the subject's rights would override the legitimate interest.
- Necessity test: Is the processing necessary for fulfilment of the legitimate interest? Generally, this test involves comparison with alternative methods of achieving the same purpose, and evaluating whether the processing is the least intrusive effective method of achieving that purpose.
- Balancing test: Does the legitimate interest outweigh the data subject's (principal's) own rights or interests? Recital 75 provides some relevant guidance here. It makes clear that a risk to individuals' rights and freedoms is about the potential for any type of impact. This includes physical, financial or any other impact, such as:
a. inability to exercise rights (including data protection rights);
b. loss of control over the use of personal data; or
c. any social or economic disadvantage.
This test is derived from the provision itself, and was supported by the CJEU in the Rigas case (C-13/16, 4 May 2017) with respect to the predecessor of the current GDPR. The following have been recognized as appropriate bases for processing on the basis of legitimate interest:
- The processing is not required by law but is of a clear benefit to processor/controller or others;
- There is a limited privacy impact on the individual;
- The individual should reasonably expect you to use their data in that way; and
- Processor/controller cannot, or does not want to, give the subject full upfront control (i.e., consent) or bother them with disruptive consent requests when they are unlikely to object to the processing.
Interestingly, the CJEU in the Koninklijke Nederlandse Lawn Tennisbond case (C-621/22) also confirmed that purely commercial interests can be covered under "legitimate interest," departing from earlier precedents that expected a legitimate interest under the GDPR to be one enshrined in law.
While the DPDPA does not explicitly set out a multi-part "legitimate interest" test like the GDPR, a similar framework could guide the interpretation and application of Section 7. Borrowing from GDPR principles and aligning them with the Indian statutory context, fiduciaries could apply the aforementioned standards, keeping in mind Indian society's specific requirements, to determine what constitutes a valid legitimate use. Issues such as data illiteracy, poverty, etc., in India make personal data the average person's last concern. The presence of a "legitimate use" clause in this context should be interpreted in a stricter and more limited manner than it is in the EU.