Under the Digital Personal Data Protection Act, 2023 (“DPDPA”), the lawful grounds for processing of personal data are (a) consent, and (b) certain legitimate uses (a broad concept that includes other grounds for processing personal data).

This article provides an overview of the grounds of processing and practical recommendations to help businesses identify the appropriate legal basis.

1. ESSENTIAL ELEMENTS OF CONSENT

Consent must be:

(a) Free: Based on global consent standards, consent ought to be “freely given”. Consent must not be caused by undue influence, coercion, fraud, or misrepresentation. Data principals should have a real and actual choice unencumbered by any external influence or pressure.

(b) Specific: Consent for different purposes cannot be bundled together. Data fiduciaries are required to offer granular choices and obtain separate consent for each purpose of processing.

(c) Informed: Every consent request must (i) be clear and plain, (ii) be made available in English and 22 other Indian languages, and (iii) contain the details of the data protection officer or representative (as applicable) of the data fiduciary.

(d) Limited: Data fiduciaries must only collect personal data that is necessary for accomplishing the specified purposes of processing. Businesses must refrain from bundling multiple purposes together within a single consent request as it would no longer be compatible with the DPDPA.