DIGITAL PERSONAL DATA PROTECTION ACT (DPDPA), 2023: A GUIDE TO CERTAIN LEGITIMATE USES

In a much-awaited move, the Indian parliament, after multiple iterations of the Data Protection Bill, has recently passed the Digital Personal Data Protection Act, 2023 (“DPDPA”). It is expected to come into effect in a phased manner over the next few months. Under the DPDPA, the lawful grounds for processing personal data are (a) consent, and (b) certain legitimate uses (a broad concept that includes other grounds for processing personal data).

This article aims to provide an overview of legitimate uses and practical recommendations for businesses that wish to rely on this ground for processing personal data.

LEGITIMATE USES

Apart from consent, businesses may rely on certain legitimate uses to process personal data. Legitimate uses should not be confused with ‘legitimate interests’ as a basis of processing under the General Data Protection Regulation (“GDPR”), as there are no grounds under the DPDPA that allow processing for a data fiduciary’s own legitimate business interests.

Under the Digital Personal Data Protection Act, data fiduciaries are not required to obtain consent from data principals if they process data for:

  • The “specified purposes” for which a data principal has voluntarily provided their personal data without indicating that they do not consent to processing: To rely on this ground, businesses must inform data principals about the specific purposes of processing in a notice.
  • Employment-related purposes or for safeguarding the employer from loss or liability: These purposes include prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property or classified information, or provision concerning any service or benefit sought by an employee. However, recruitment purposes do not qualify under this ground. If information is not voluntarily provided, recruiters will need to rely on the candidates’ consent for processing their personal data (for instance, in the case of pre-employment background checks).

    Businesses should undertake a data mapping exercise to determine the categories and purposes of processing past, present, and potential employees’ data. Organisations ought to circumscribe the purposes linked to employment and distinguish those that require explicit consent for processing.
  • Fulfilling any legal obligation to disclose information to a government authority.
  • Compliance with any legal order or judgement.
  • Responding to a medical emergency that involves a threat to life or an immediate threat to health.
  • Providing medical treatment or health services during a threat to public health.
  • Ensuring safety or providing assistance during a disorder or breakdown of public order.

APPLICABLE AND INAPPLICABLE DATA PRINCIPAL RIGHTS

When relying on legitimate uses for processing, businesses are not obliged to grant certain rights to data principals.

a). Applicable Rights: Where a data fiduciary relies on the ground of legitimate uses, such data fiduciary is still required to enable the data principals’ right of grievance redressal and right to nominate a representative in the event of their death or incapacity. We recommend that businesses reorganise internal processes and provide a readily available grievance redressal mechanism and portal allowing data principals to nominate their representatives.

b). Inapplicable Rights: The right to access information about personal data and the right to correction and erasure are available to data principals solely where the data fiduciary relies on the ground of consent (including deemed consent through the data principal’s voluntary provision of personal data).

Further, global data protection laws such as the GDPR provide data principals with the right to object to processing not based on consent. However, the DPDPA provides no such comparable right. Businesses ought to perform a global data review of best practices in enabling data principal rights to inform their approach to enabling the rights under the Digital Personal Data Protection Act.

THE WAY FORWARD

The DPDPA provides consent and certain legitimate uses as grounds for processing personal data. Consent is a core element of any data protection legislation and is central to the DPDPA. However, due to the numerous shortcomings of a consent-heavy data protection architecture, it is pertinent and reasonable to rely on other grounds for processing data.

The most common grounds used by global companies to process personal data are contractual necessity and legitimate interests. However, under the DPDPA, data fiduciaries cannot rely on these two grounds to process personal data. Consent is a tricky ground for processing personal data since it can be withdrawn at any time by the data principal. Accordingly, businesses should rely on “legitimate uses” as a ground for processing personal data wherever practicable.