In a much-awaited move, the Indian parliament, after multiple iterations of the Data Protection Bill, has recently passed the Digital Personal Data Protection Act, 2023 (“DPDPA”). It is expected to come into effect in a phased manner over the next few months. Under the DPDPA, the lawful grounds for processing personal data are (a) consent, and (b) certain legitimate uses (a broad concept that includes other grounds for processing personal data).
This article aims to provide an overview of legitimate uses and practical recommendations for businesses that wish to rely on this ground for processing personal data.
Apart from consent, businesses may rely on certain legitimate uses to process personal data. Legitimate uses should not be confused with ‘legitimate interests’ as a basis of processing under the General Data Protection Regulation (“GDPR”), as there are no grounds under the DPDPA that allow processing for a data fiduciary’s own legitimate business interests.
Under the Digital Personal Data Protection Act, data fiduciaries are not required to obtain consent from data principals if they process data for:
When relying on legitimate uses for processing, businesses are not obliged to grant certain rights to data principals.
a). Applicable Rights: Where a data fiduciary relies on the ground of legitimate uses, such data fiduciary is still required to enable the data principals’ right of grievance redressal and right to nominate a representative in the event of their death or incapacity. We recommend that businesses reorganise internal processes and provide a readily available grievance redressal mechanism and portal allowing data principals to nominate their representatives.
b). Inapplicable Rights: The right to access information about personal data and the right to correction and erasure are available to data principals solely where the data principal relies on the ground of consent (including deemed consent through the data principal’s voluntary provision of personal data).
Further, global data protection laws such as the GDPR provide data principals with the right to object to processing not based on consent. However, the DPDPA provides no such comparable right. Businesses ought to perform a global data review of best practices in enabling data principal rights to inform their approach to enabling the rights under the Digital Personal Data Protection Act.
The DPDPA provides consent and certain legitimate uses as grounds for processing personal data. Consent is a core element of any data protection legislation and is central to the DPDPA. However, due to the numerous shortcomings of a consent-heavy data protection architecture, it is pertinent and reasonable to rely on other grounds for processing data.
The most common grounds used by global companies to process personal data are contractual necessity and legitimate interests. However, under the DPDPA, data fiduciaries cannot rely on these two grounds to process personal data. Consent is a tricky ground for processing personal data since it can be withdrawn at any time by the data principal. Accordingly, businesses should rely on “legitimate uses” as a ground for processing personal data wherever practicable.
This website is owned and operated by Spice Route Legal, and is exclusively meant to be a source of information on the firm, its practice areas, and its members.