I. Introduction

Under the Digital Personal Data Protection Act, 2023 (“DPDPA”), the lawful grounds for processing of personal data are (a) consent, and (b) certain legitimate uses (a broad concept that includes other grounds for processing personal data).

This article provides an overview of the grounds of processing and offers practical recommendations to help businesses identify the appropriate legal basis in compliance with the Indian data protection law.

II. Essential Elements of Consent

As per the DPDP Act 2023, consent must be:

  1. Free: Based on global consent standards, this element can be understood as ‘freely given’. Consent must not be caused by undue influence, coercion, fraud, or misrepresentation. Data principals should have a real and actual choice unencumbered by any external influence or pressure.
  2. Specific: Consent for different purposes cannot be bundled together. Data fiduciaries are required to offer granular choices and obtain separate consent for each purpose of processing.
  3. Informed: Every consent request must (a) be clear and plain, (b) be made available in English and 22 other languages specified in the Eighth Schedule to the Indian Constitution, and (c) contain the details of the data protection officer or representative (as applicable) of the data fiduciary.
  4. Limited: Data fiduciaries must only collect personal data that is necessary for accomplishing the specified purposes of processing. Businesses must refrain from bundling multiple purposes together within a single consent request as it would no longer be compatible with the DPDPA 2023.
  5. Capable of being Withdrawn: Consent should be capable of being withdrawn at any time, and the ease of withdrawal must be comparable to the ease of giving consent.
  6. Unconditional: The provision of services cannot be conditional on consent if the processing of personal data is not necessary for such provision of services.
  7. Unambiguous and provided through a clear affirmative action: Data principals must signify consent through some clear affirmative action, such as by opting in or through an active declaration. Opt-out provisions, pre-ticked checkboxes, continuation of use, and other such passive methods of consent will likely no longer qualify as valid under the DPDPA.

III. Notice Requirement as per DPDPA

The data protection law in India requires every consent request to be accompanied or preceded by a notice. The notice must (a) be made available in English and all other languages specified in the Eighth Schedule to the Indian Constitution, (b) describe the categories of personal data sought to be processed and the purposes of processing, (c) state the manner in which data principals may exercise the right to withdraw consent and the right of grievance redressal, and (d) specify the manner in which data principals may file complaints with the Data Protection Board of India.

If a data principal has provided consent to the processing of their personal data before the date of commencement of the law, a notice must be provided by the data fiduciary as soon as reasonably practicable.

Lastly, where the data fiduciary is relying on the data principal’s voluntary provision of personal data (which falls within the ambit of the legitimate use ground provided below), the data fiduciary may be required to provide the “specified purposes” for which the data will be processed. Under the DPDPA, the specified purposes may be indicated in a notice provided to the data principal.

IV. Legitimate Uses

Apart from consent, businesses may rely on certain legitimate uses to process personal data. Legitimate uses should not be confused with ‘legitimate interests’ as a basis of processing under the General Data Protection Regulation (“GDPR”), which allows processing for a data fiduciary’s own legitimate business interests.

Under the privacy laws in India, data fiduciaries are not required to obtain consent from data principals if they process data for the following ‘legitimate uses’:

  1. The “specified purposes” for which a data principal has voluntarily provided their personal data without indicating that they do not consent to processing. In order to rely on this ground, businesses must inform data principals about the specific purposes of processing in a notice.
  2. Employment-related purposes or for safeguarding the employer from loss or liability (such as for the prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, or classified information) or provision of any service or benefit sought by an employee. However, the DPDPA 2023 does not explicitly include recruitment purposes under this ground. If information is not voluntarily provided, recruiters will need to rely on the candidates’ consent for processing their personal data (for instance: in the case of pre-employment background checks). Businesses should undertake a data mapping exercise to determine the categories and purposes of processing past, present, and potential employees’ data. These datasets must be categorised to identify which purposes are related to employment, and which purposes require consent for processing.
  3. Fulfilling any legal obligation to disclose information to a government authority.
  4. Compliance with any legal order or judgment.
  5. Responding to a medical emergency involving a threat to life or immediate threat to health.
  6. Providing medical treatment or health services during a threat to public health.
  7. Ensuring safety or providing assistance during a disorder or breakdown of public order.

V. Exemptions

The DPDPA provides for certain processing activities that are exempted from most obligations, including the requirement of relying on a legal basis for processing. Such exempted processing activities include:

  1. processing necessary for enforcing any legal right or claim;
  2. processing in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any Indian law;
  3. processing of personal data of data principals outside India, pursuant to any contract entered into with any person outside India, by any person based in India;
  4. processing when necessary for a merger, amalgamation, scheme of compromise or arrangement, reconstruction, transfer of undertaking, or division of companies, approved by a court or other competent authority; and
  5. processing for the purpose of ascertaining the financial information and assets and liabilities of any person who has defaulted in payment due on account of a loan or advance taken from a financial institution, subject to such processing being in accordance with other laws regarding disclosure of information or data.

Additionally, the DPDPA entirely exempts processing (a) of personal data made publicly available by the data principal or by someone under a legal obligation, and (b) that is necessary for research, archiving or statistical purposes if the personal data is not to be used to take any decision specific to a data principal.

VI. The Way Forward

Businesses will have to overhaul their processes to ensure that they comply with the consent requirements prescribed under the DPDPA. Practically, businesses should (a) modify consent collection journeys across products and services to ensure compliance with requirements under the DPDPA, (b) undertake a data mapping exercise to evaluate processing activities that require consent, (c) explore and implement consent management tools that enable users to manage consent preferences, (d) maintain records and consent logs (for example: name of the individual who consented, timestamp of consent, how the consent was collected, version of the app journey that the user would have interacted with, and device ID) to demonstrate compliance, and (e) engage translators to ensure that notices and consent requests are provided to data principals in all the languages specified in the Eighth Schedule to the Indian Constitution.
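The following is an added illustration, not code from the article or from any consent management product, of what the consent log described in (d) above can look like when it is also built to satisfy the elements in section II: one record per purpose (specific), only affirmative collection methods accepted (unambiguous), and withdrawal appended as its own event so the trail is never rewritten (capable of being withdrawn). The class and field names, the method labels, and all sample data are assumptions constructed for this example.

```python
# Added example (not from the article): a minimal append-only consent ledger
# carrying the record fields listed in section VI(d) of the article and
# enforcing the per-purpose, affirmative-action, withdrawable consent of
# section II. All identifiers and sample values are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# Only clear affirmative actions count as valid consent under the article;
# the passive methods are listed so that the rejection message names them.
AFFIRMATIVE_METHODS = {"opt_in_checkbox", "explicit_declaration"}
PASSIVE_METHODS = {"pre_ticked_checkbox", "continued_use", "opt_out_default"}


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable ledger entry: consent given or withdrawn for ONE purpose."""
    principal_id: str     # identifier of the individual who consented
    purpose: str          # a single, specific purpose (never a bundle)
    action: str           # "given" or "withdrawn"
    timestamp: datetime   # timezone-aware time of the choice
    method: str           # how the choice was collected
    journey_version: str  # version of the app journey the user interacted with
    device_id: str        # device on which the choice was made


class ConsentLedger:
    """Append-only log; current state is derived from the latest event per (principal, purpose)."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record_choices(self, principal_id: str, choices: Dict[str, bool], method: str,
                       journey_version: str, device_id: str, at: datetime) -> int:
        """Record a granular consent form: one event per purpose the principal
        affirmatively ticked. Unticked purposes produce no consent at all.
        Returns the number of events written."""
        if method not in AFFIRMATIVE_METHODS:
            raise ValueError(
                f"consent must be a clear affirmative action, got {method!r}; "
                f"passive signals such as {sorted(PASSIVE_METHODS)} are not valid")
        if at.tzinfo is None:
            raise ValueError("timestamp must be timezone-aware")
        written = 0
        for purpose, ticked in choices.items():
            if ticked:
                self._events.append(ConsentEvent(principal_id, purpose, "given", at,
                                                 method, journey_version, device_id))
                written += 1
        return written

    def withdraw(self, principal_id: str, purpose: str, journey_version: str,
                 device_id: str, at: datetime) -> None:
        """Withdrawal is always accepted and appended, never edited in place,
        so the log shows both the original consent and its withdrawal."""
        self._events.append(ConsentEvent(principal_id, purpose, "withdrawn", at,
                                         "withdrawal_request", journey_version, device_id))

    def is_consented(self, principal_id: str, purpose: str) -> bool:
        """The latest event for this (principal, purpose) decides; no event means no consent."""
        latest = None
        for ev in self._events:
            if ev.principal_id == principal_id and ev.purpose == purpose:
                latest = ev
        return latest is not None and latest.action == "given"

    def history(self, principal_id: str) -> List[ConsentEvent]:
        """Full audit trail for one principal, the material used to demonstrate compliance."""
        return [ev for ev in self._events if ev.principal_id == principal_id]


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample data (not real): dp-0001 ticks one of two purposes and
    later withdraws it; dp-0002 consents to one purpose and keeps it."""
    ledger = ConsentLedger()
    utc = timezone.utc
    ledger.record_choices("dp-0001",
                          {"personalised_recommendations": True, "marketing_emails": False},
                          method="opt_in_checkbox", journey_version="signup-v2.3",
                          device_id="dev-a1b2", at=datetime(2024, 1, 5, 10, 0, tzinfo=utc))
    ledger.withdraw("dp-0001", "personalised_recommendations",
                    journey_version="settings-v1.0", device_id="dev-a1b2",
                    at=datetime(2024, 2, 1, 9, 30, tzinfo=utc))
    ledger.record_choices("dp-0002", {"marketing_emails": True},
                          method="explicit_declaration", journey_version="signup-v2.3",
                          device_id="dev-c3d4", at=datetime(2024, 1, 6, 11, 0, tzinfo=utc))
    return ledger
```

The design choice worth noting is that the ledger is append-only: the "withdrawn" event sits beside the earlier "given" event rather than overwriting it, so the history for a data principal can be exported as-is to show when consent was obtained, how, on which journey version and device, and when it was withdrawn. A real deployment would persist these events in tamper-evident storage and record the notice version shown alongside the journey version.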