The Digital Personal Data Protection Act, 2023 – The Inconspicuous Absence of Legitimate Interest

With the Digital Personal Data Protection Act, 2023 (‘DPDP Act”) being notified, it is now India’s most comprehensive statute in the field of privacy, bringing in a much-needed framework for assuring individuals visibility and control over their online personal data. Businesses, on the other hand, will need to adapt to continue operating in the new environment once implementation begins.

The DPDP Act borrows significantly from the European General Data Protection Regulation (GDPR), with some foundational deviations. One of these deviations is the permissible grounds for processing. The GDPR specifies a defined set of grounds of processing along with ‘legitimate interest’. Legitimate interest, while not specifically defined, is akin to a residual enablement, which allows businesses flexibility to process some personal data provided there is no undue impact on the data principal (individual whose personal data is being processed).

Therefore, businesses may carry out some processing for ancillary activities such as direct marketing without the consent of the data principal. It is not a wide exception to processing based on consent or one of the defined lawful grounds but is ringfenced and permissible where the interests of the controller are not overridden by the interests and rights of the data principal (there are additional safeguards as well). However, the essence of ‘legitimate interest’ is that it enables flexibility by leaving room for interpretation. An individual who is aggrieved by the processing of their personal data can challenge the same through the local regulator (supervisory authority under the GDPR).

The DPDP Act on the other hand, while incorporating many of the grounds of processing under the GDPR, has dropped ‘legitimate interest’ as a legal basis. Under the DPDP Act, processing may either be based on consent of the data principal; or in defined situations termed ‘legitimate uses’. Meaning therefore any processing by a business must fall within one of the expressly permissible mechanisms. The DPDP Act leaves no room for a residual enablement like ‘legitimate interest’ for use-cases it may not have contemplated.

In respect of commercial enterprises, direct marketing is a key instance of ‘legitimate interest’ (there are others as well which can vary based on the nature of the enterprise). The business models of many online enterprises involve providing discounted or even free information and services. The giveaway from a consumer is certain personal data which is monetized by these enterprises by conducting marketing activity through mailers, text messages and other means. There is also advertising activity, which may or may not be targeted, typically enabled through tracking consumer behavior using ‘cookies’.

The DPDP Act does not expressly enable processing for marketing and uses that are not directly linked to provision of the product or service. However, it creates two distinct mechanisms of consent-based processing. The first is based purely on consumer/ individual consent, which must be free, specific, informed, unconditional, unambiguous, combined with limiting the data requirement to that which is necessary for the specific purpose. The other distinct consent mechanism flows from the specified ‘legitimate uses’ which contemplates a situation where (i) the data principal has voluntarily provided some personal data for use for a specific purpose; and (ii) has not refused consent to / not opted out of some processing purposes (which could potentially be ancillary purposes) specified by the controller.

Therefore, if the consent-based approaches under the DPDP Act are to be interpreted liberally, then direct marketing and similar activity may continue with consent (with the risk that consent may be denied). However, when read with other requirements under the DPDP Act such as data minimization, erasure and purpose limitation requirements, many businesses may find it challenging to continue any activity other than what is directly related to the main product or service. This could create roadblocks for businesses predominantly dependent on online marketing and advertising including those operating industry specific marketplaces and discovery platforms.

A mechanism like ‘legitimate interest’ has been tried and tested and there is already a wealth of literature available on balancing measures and safeguards that can be prescribed to ensure that any processing of personal data based on this mechanism remains within the boundaries of law and reason. Therefore, instead of a restrictive approach of permitting only what is expressly specified, the DPDP Act ought to have considered incorporating a residual mechanism like ‘legitimate interest’. This would have allowed enterprises some flexibility to operate while ensuring the legitimacy of their processing activity.

Abhishek Mitra is a Counsel at DSK Legal.