COMPLIANCE ROUTE FROM GDPR TO DPDPA: MANAGING THE SHIFT IN REGULATORY EXPECTATIONS
- Aman Shankar & Biyanka Bhatia
- Jun 1
- 7 min read
PART II

Continuing from the previous part, this segment examines the lawful bases for processing personal data under the Digital Personal Data Protection Act, 2023 (“DPDPA”), with particular emphasis on the framework of consent, the scope of “certain legitimate uses” under the Indian regime, and its departure from the concept of “legitimate interests” recognised under the General Data Protection Regulation, 2016 (“GDPR”). It further analyses the treatment of voluntarily provided personal data and the resulting compliance implications for data fiduciaries.
Through practical illustrations and comparative analysis, this discussion demonstrates why several assumptions traditionally associated with GDPR compliance cannot be seamlessly imported into the Indian data protection framework, thereby underscoring the distinct legislative philosophy underpinning the DPDPA.
I. GROUNDS FOR PROCESSING PERSONAL DATA

The DPDPA provides that a data fiduciary may process the personal data of a data principal only for a lawful purpose, and only where the data principal has given her consent or where the processing falls within certain legitimate uses. This is a materially narrower framework than the GDPR, which permits processing on multiple legal bases, including contractual necessity and legitimate interests.
A. Consent
The standards for valid consent under the DPDPA and the GDPR are aligned, requiring the consent to be free, specific, informed, unambiguous, and capable of being withdrawn [1]. The divergence lies not in the quality of consent, but in the mechanics through which consent must be obtained.
The DPDPA and the DPDP Rules require that a consent notice be presented to the data principal each time consent is sought [2]. This notice must set out the categories of personal data being collected, the specific purpose of processing, and the communication link through which the data principal may withdraw consent, exercise her rights, and lodge a complaint with the Data Protection Board of India. The GDPR likewise mandates disclosures where personal data are collected from the data subject, and its list of required information is considerably more detailed than that under the DPDPA [3]. However, the GDPR does not require that such disclosures be shown every time personal data is collected or consent is obtained.
The DPDPA therefore distinguishes between a consent notice and a privacy policy. While the statute refers only to a consent notice, this does not eliminate the need for a comprehensive privacy policy to fulfil the broader transparency obligation. For organisations migrating from a GDPR-based framework, this requires a recalibration of consent architecture: existing privacy policies cannot simply be repurposed as consent notices.
B. Certain legitimate uses v. Legitimate Interests
It is essential not to conflate “certain legitimate uses” under the DPDPA with legitimate interests as a lawful basis for processing under the GDPR. Under the GDPR, legitimate interests permit processing where it is necessary for the purposes pursued by the controller, provided those interests are not overridden by the fundamental rights and freedoms of the data subject. This flexible, interest-balancing framework allows organisations to justify a wide range of processing activities without consent.
The DPDPA sets out an exhaustive list of “certain legitimate uses” for which personal data may be processed without consent. These uses are narrowly defined and do not include any category that would permit processing on the basis of legitimate business interests. If a processing activity does not fall squarely within one of the enumerated legitimate uses, consent is mandatory.
For instance, under the GDPR consent may not be required for collecting contact details in order to email or call a person for sales purposes (direct marketing); under the DPDPA, specific consent for that purpose will be required. Organisations operating in India must therefore re-examine processing activities that, in a European context, are justified on the basis of legitimate interests.
This will also affect artificial intelligence companies, which often rely on legitimate interests under the GDPR to justify certain processing activities and may now face challenges under the DPDPA given the limited legal grounds available for processing in India [4].
C. Lack of “performance of contract” as a ground
In addition to the absence of legitimate interests as a ground, the DPDPA also departs from the GDPR by not recognising “performance of a contract” as a lawful basis for processing personal data. Under the GDPR, contractual necessity is frequently relied upon to justify processing that is integral to the delivery of products or services. Under the DPDPA, organisations must instead determine whether such processing can be anchored in a recognised legitimate use or, failing that, support it with valid consent.
One practical issue faced by organisations in India relates to the collection and further processing of personal data through cookies. The DPDPA does not distinguish between necessary and non-necessary processing, and organisations commonly deploy bundled cookie consent mechanisms covering analytics, marketing, and third-party cookies as soon as a user accesses a website. Under the DPDPA, such bundling is not permissible, and separate consent would be required for each category of cookies. The DPDPA does not clarify whether services may be denied where consent is refused, nor does it recognise a ground such as contractual necessity that would permit processing without consent. Consequently, unless a cookie is so essential that the service cannot be provided without it, consent would be required for the remaining categories of cookies. This will be a matter of debate and will require clarification from the Data Protection Board of India.
D. Voluntary provision of personal data
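The following is an added example, not code from the original post, showing how a browser-side consent layer can implement the per-category pattern described above rather than a single bundled “accept all”: each non-essential category carries its own purpose statement and an explicit yes/no, scripts are loaded only for categories that are currently consented to, and withdrawal is recorded with a timestamp. The category names, purposes, link targets, sample script tags and timestamps are all assumptions made for the illustration.

```javascript
// Added example (not from the original post): per-category consent ledger for a
// cookie banner. Categories, purposes, links and sample scripts are assumptions.

const CATEGORIES = Object.freeze({
  essential:   { required: true,  purpose: "Maintain your session and keep the site secure" },
  analytics:   { required: false, purpose: "Measure how the site is used" },
  marketing:   { required: false, purpose: "Send you offers and personalised advertising" },
  third_party: { required: false, purpose: "Load embedded content from partner sites" },
});

// Links every consent notice must carry: withdrawal, rights, complaint (hypothetical URLs).
const NOTICE_LINKS = Object.freeze({
  withdraw: "/privacy/consent",
  rights: "/privacy/rights",
  complaint: "https://example.invalid/dpbi-complaint",
});

class ConsentLedger {
  constructor(clock = () => new Date().toISOString()) {
    this.clock = clock;
    this.records = new Map(); // category -> { granted, at, withdrawnAt }
  }

  // The per-purpose notice shown before consent for that category is requested.
  notice(category) {
    const c = CATEGORIES[category];
    if (!c) throw new Error(`unknown category: ${category}`);
    return { category, purpose: c.purpose, required: c.required, ...NOTICE_LINKS };
  }

  // Record one banner submission. Every non-essential category must carry an explicit
  // true/false; a missing key (pre-ticked box, implied consent) is rejected outright
  // instead of being treated as a bundled "accept all".
  recordChoices(choices) {
    const optional = Object.keys(CATEGORIES).filter((k) => !CATEGORIES[k].required);
    const missing = optional.filter((k) => typeof choices[k] !== "boolean");
    if (missing.length) throw new Error(`no explicit choice for: ${missing.join(", ")}`);
    const at = this.clock();
    for (const k of optional) this.records.set(k, { granted: choices[k], at, withdrawnAt: null });
    return optional.map((k) => ({ category: k, granted: choices[k], at }));
  }

  // Withdrawal is as simple as granting: one call, timestamped, returns false if nothing to withdraw.
  withdraw(category) {
    const r = this.records.get(category);
    if (!r || !r.granted || r.withdrawnAt) return false;
    r.withdrawnAt = this.clock();
    return true;
  }

  // Essential categories are always allowed; anything else needs a live, unwithdrawn grant.
  isAllowed(category) {
    const c = CATEGORIES[category];
    if (!c) return false;
    if (c.required) return true;
    const r = this.records.get(category);
    return Boolean(r && r.granted && !r.withdrawnAt);
  }

  // Given script tags labelled by category, return only the sources the ledger permits.
  permittedScripts(scripts) {
    return scripts.filter((s) => this.isAllowed(s.category)).map((s) => s.src);
  }
}

// Constructed sample: the tags a page would gate behind consent.
const SAMPLE_SCRIPTS = [
  { src: "/static/session.js", category: "essential" },
  { src: "https://analytics.example.invalid/tag.js", category: "analytics" },
  { src: "https://ads.example.invalid/pixel.js", category: "marketing" },
  { src: "https://embed.example.invalid/widget.js", category: "third_party" },
  { src: "https://unknown.example.invalid/x.js", category: "tracking" }, // unknown category: never loaded
];

function demo() {
  const ledger = new ConsentLedger(() => "2025-01-01T00:00:00Z"); // fixed clock for reproducibility
  const notices = Object.keys(CATEGORIES).map((k) => ledger.notice(k));
  ledger.recordChoices({ analytics: true, marketing: false, third_party: true });
  const before = ledger.permittedScripts(SAMPLE_SCRIPTS);
  ledger.withdraw("analytics");
  const after = ledger.permittedScripts(SAMPLE_SCRIPTS);
  return { notices, before, after };
}

console.log(JSON.stringify(demo(), null, 2));
```

The gating decision is made at script-load time from the ledger rather than from the mere presence of a cookie banner, so a withdrawal takes effect on the next page load without any further processing of the withdrawn category; the returned records (category, decision, timestamp) are what a fiduciary would retain as evidence of consent.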
The DPDPA does, however, permit processing without consent where the data principal voluntarily provides personal data for a specified purpose and does not object to its use [5]. This provision is narrowly worded. The scope of processing must remain closely tied to the stated specified purpose, and the underlying principle of data minimisation continues to apply. Over-collection of data, secondary uses, or retention beyond what is reasonably necessary may therefore fall outside this legitimate use and trigger a requirement to obtain consent.
For instance, where a data principal provides their name and email address to create a login and access a platform’s services, the email address may be used as a username for that purpose. However, this does not extend to using the same email address for unrelated purposes, such as sending marketing communications, which would require separate consent.
Consider a further illustration: A orders furniture from a retailer through an e-commerce platform and provides her personal data (e.g. credit card details, contact number and residential address) for the purchase and delivery of the goods. She also selects the option to have her furniture delivered to her home by a delivery company.
A has voluntarily provided the personal data for the limited purpose of purchase and delivery. The retailer can rely on this voluntary provision to disclose A’s personal data to the delivery company, as the disclosure is necessary to fulfil the transaction between A and the retailer. The delivery company and all other parties involved in A’s transaction with the retailer would also be able to rely on voluntary provision to collect, use or further disclose the personal data where necessary to fulfil that transaction. These parties include, for instance, the e-commerce company, the online payment gateway through which payment for the transaction is processed, the relevant banks and logistics service partners (e.g. sub-contractors in the delivery chain, including last-mile delivery to A’s home). Beyond the fulfilment of this transaction, however, A’s personal data cannot be used.
E. Processing for the purposes of employment
The GDPR does not provide a standalone legal basis for employment-related data processing (except for the limited processing of special categories of personal data in the exercise of obligations and rights in the field of employment [6]). The DPDPA, by contrast, permits processing without consent where personal data is required for the purposes of employment or for safeguarding the employer from loss or liability, including the prevention of corporate espionage, protection of trade secrets and intellectual property, maintenance of confidentiality, or the provision of services or benefits sought by an employee [7].
Organisations in India benefit from the inclusion of this employment-related legitimate use; however, reliance on it must remain purpose-bound. Processing that extends beyond these defined purposes will require a separate lawful basis, most often consent, reinforcing the need for purpose mapping and maintenance of records as mitigation measures.
While the statute expressly refers to safeguarding the employer from loss or liability and gives certain illustrative examples, the scope of the phrase “for the purposes of employment” remains undefined and has not yet been clarified through subordinate legislation or regulatory guidance. It is unclear whether processing employees’ personal data for granular behavioural evaluation, audio/video recording, monitoring, training, development and similar activities will fall within this legitimate use.
Accordingly, until the Data Protection Board of India provides interpretive guidance or enforcement precedents that clarify the scope of “purposes of employment” under the DPDPA, the safer and defensible position is to treat consent as the sole clearly permissible lawful basis for such processing.
This position differs from that under the GDPR, where data protection authorities have taken the stance that an employee’s consent in the context of the employment relationship cannot be regarded as freely given because of the clear imbalance between the parties [8]. Consequently, organisations operating under the GDPR are encouraged to rely instead on lawful bases such as performance of the employment contract or legitimate interests. It appears unlikely, however, that this GDPR approach will be transplanted into the Indian legal framework: even under the earlier Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, Rule 5 required body corporates to obtain consent from providers of sensitive personal data, including employees.
While obtaining consent in an employment context may be operationally complex and carries the risk of withdrawal, in the absence of clearer statutory or regulatory guidance, consent presently remains the most defensible lawful basis for the proposed processing. It must also be acknowledged that certain employees may choose not to provide consent. In such cases the organization will have to demonstrate that participation in such processing is so essential that employment cannot continue in its absence.
It should be noted that reliance on a certain legitimate use as a lawful basis only waives the requirement to obtain consent; other obligations such as data retention limits and reasonable security safeguards, as well as certain rights of the data principal, continue to apply and must be fulfilled by the data fiduciary.
These divergences make clear that while GDPR compliance offers a useful starting point, it does not address the operational realities of the DPDPA. The shift from flexible legal bases to a consent-dominant regime fundamentally alters how products, interfaces, and data flows must be designed, issues that the next part examines through the lens of implementation, enforcement risk, and organisational readiness.

Footnotes :
[1] Section 6(1), DPDPA, 2023.
[2] Section 5(1), DPDPA, 2023.
[3] Article 13, GDPR, 2016.
[4] Refer: https://www.edpb.europa.eu/our-work-tools/our-documents/other/report-work-undertaken-chatgpt-taskforce_en.
[5] Section 7(a), DPDPA, 2023.
[6] Article 9(2)(b), GDPR, 2016.
[7] Section 7(i), DPDPA, 2023.
[8] Summary of the Hellenic DPA’s Decision No. 26/2019.
