I. Introduction
Under the Digital Personal Data Protection Act, 2023 (“DPDPA”), the lawful grounds for processing of personal data are (a) consent, and (b) certain legitimate uses (a broad concept that includes other grounds for processing personal data).
This article provides an overview of the grounds of processing and offers practical recommendations to help businesses identify the appropriate legal basis in compliance with the Indian data protection law.
II. Essential Elements of Consent
As per the DPDP Act 2023, consent must be:
III. Notice Requirement as per DPDPA
The data protection law in India requires every consent request to be accompanied or preceded by a notice. The notice must (a) be made available in English and all other languages specified in the Eighth Schedule to the Indian Constitution, (b) describe the categories of personal data sought to be processed and the purposes of processing, (c) state the manner in which data principals may exercise the right to withdraw consent and the right of grievance redressal, and (d) specify the manner in which data principals may file complaints with the Data Protection Board of India.
If a data principal has provided consent to the processing of their personal data before the date of commencement of the law, a notice must be provided by the data fiduciary as soon as reasonably practicable.
Lastly, where the data fiduciary is relying on the data principal’s voluntary provision of personal data (which falls within the ambit of the legitimate use ground provided below), the data fiduciary may be required to provide the “specified purposes” for which the data will be processed. Under the DPDPA, the specified purposes may be indicated in a notice provided to the data principal.
IV. Legitimate Uses
Apart from consent, businesses may rely on certain legitimate uses to process personal data. Legitimate uses should not be confused with ‘legitimate interests’ as a basis of processing under the General Data Protection Regulation (“GDPR”), which allows processing for a data fiduciary’s own legitimate business interests.
Under the privacy laws in India, data fiduciaries are not required to obtain consent from data principals if they process data for the following ‘legitimate uses’:
V. Exemptions
The DPDPA provides for certain processing activities that are exempted from most obligations, including the requirement of relying on a legal basis for processing. Such exempted processing activities include:
Additionally, the DPDPA entirely exempts processing (a) of personal data made publicly available by the data principal or by someone under a legal obligation, and (b) that is necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a data principal.
VI. The Way Forward
Businesses will have to overhaul their processes to ensure that they comply with the consent requirements prescribed under the DPDPA. Practically, businesses should (a) modify consent collection journeys across products and services to ensure compliance with requirements under the DPDPA, (b) undertake a data mapping exercise to evaluate processing activities that require consent, (c) explore and implement consent management tools that enable users to manage consent preferences, (d) maintain records and consent logs (for example: name of the individual who consented, timestamp of consent, how the consent was collected, version of the app journey that the user would have interacted with, and device ID) to demonstrate compliance, and (e) engage translators to ensure that notices and consent requests are provided to data principals in all the languages specified in the Eighth Schedule to the Indian Constitution.