Alerts & Updates 15th Dec 2025

Legitimate Use and its Probable Boundaries

Authors

Parthsarathi Jha, Partner | New Delhi | Noida
Ravisekhar Nair, Partner | Bengaluru
Akash Gulati, Advocate | Delhi NCR
Priyanjali Singh, Advocate | Delhi NCR


  • The Digital Personal Data Protection Act 2023 (DPDP Act) allows processing of digital personal data for a lawful purpose upon consent of data principals or for certain legitimate uses. The “legitimate use” ground for processing, while an exception to the consent-obligation, could be tricky and may expose data fiduciaries to legal risks if the purpose of processing does not qualify as a legitimate use under the DPDP Act.

    This primer identifies the statutorily prescribed legitimate uses and explores the probable boundaries of the “legitimate use” exception to the consent-obligation.

  • WHAT ARE LEGITIMATE USES?

    Consent-based processing is at the core of the DPDP Act. For the most part, a data fiduciary cannot process personal data without free, specific, informed, unconditional and unambiguous consent of data principals. The legislature, however, has been cognizant that for certain purposes, consent might not be feasible or appropriate. Hence, it has prescribed certain legitimate uses where a data fiduciary need not obtain consent:

    • Voluntary provision of personal data: The specified purpose for which the data principal has voluntarily provided their personal data, and in respect of which they have not indicated that they do not consent for processing.
    • State functions (services/benefits): Processing by the State (or its instrumentalities) to provide or issue a subsidy, benefit, service, certificate, licence, or permit, where the data principal has either previously consented or their personal data is available in a notified government database.
    • State Sovereignty & Security: Processing by the State (or its instrumentalities) for purposes in the interest of sovereignty and integrity, or security of the State.
    • Legal function of the State: Processing for the performance of a function by the State or its instrumentalities, as required under any existing law.
    • Fulfilling obligation under law: Processing for fulfilling a person’s obligation under any existing Indian law to disclose any information to the State (or its instrumentalities).
    • Medical emergency (Life threat): Processing for responding to a medical emergency that involves a threat to life or immediate threat to the health of the data principal or any other individual.
    • Public health/disaster: Processing for taking measures to provide medical treatment or health services during an epidemic, disease outbreak, or public health crisis; or for safety, assistance, or services during any disaster or breakdown of public order.
    • Employment purposes: Processing for the purposes of employment or to safeguard the employer from loss or liability (e.g., corporate espionage, protection of trade secrets).
    • Compliance with judgement/order: Processing for complying with any judgment, decree, or order issued under any existing Indian law, or any judgment or order relating to claims of a contractual or civil nature under any law in force outside India.
  • WHY IS PROCESSING WITHOUT CONSENT ALLOWED?
    • The Supreme Court in Puttaswamy [1] recognizes that the right to privacy is not absolute, and it can be regulated through a law, for a legitimate aim and so long as the restriction is proportionate to the objective sought to be achieved.
    • A consent-based processing in all cases may frustrate the purpose sought to be achieved. For example, where a data principal or any other individual is facing a life threat, it would be absurd to respond (which may require personal data processing) to the medical emergency only after obtaining consent from such a data principal.[2] Similarly, the State may have a legitimate interest in protecting its sovereignty or integrity, and seeking consent of data principals for those objectives may not be feasible.[3]
    • Furthermore, consent is rendered artificial in specific relationships (e.g., core welfare functions of the State; many employment use‑cases).[4]

    [1] – Justice KS Puttaswamy (retd.) & Anr. v. Union of India, 2017 SCC OnLine SC 996, at para 325.

    [2] – Justice BN Srikrishna Committee Report 2017, at page 114.

    [3] – Justice BN Srikrishna Committee Report 2017, at page 122.

    [4] – Justice BN Srikrishna Committee Report 2017, at page 115.

    The draft 2018 Bill and the 2019 Bill provided for non-consent-based processing of data in scenarios such as employment, prompt action for medical emergencies, and reasonable purposes, with an element of necessity built into the statutory language of the corresponding provisions. Similarly, the 2022 Bill, which provided for processing under the “deemed consent” category for certain purposes, also had a similar requirement of necessity.

  • PROBABLE BOUNDARIES OF THE LEGITIMATE USE EXCEPTION.

    Although the DPDP Act identifies a set of purposes as legitimate uses where personal data may be processed without consent, these statutory grounds are, in some cases, drafted in broad and open-ended terms. Their breadth, however, does not imply that regulators or courts will interpret them without restraint. While earlier iterations of India’s personal data protection framework (the 2018, 2019, 2021, and 2022 Bills) expressly incorporated a “necessity” requirement within the “reasonable purpose” or “deemed consent” exceptions, the omission of an explicit “necessity” element in the DPDP Act’s “legitimate use” framework should not be read as a licence for expansive or unfettered processing.

    This is because the architecture of the DPDP Act is fundamentally oriented towards the protection of personal data and the rights of data principals. As a result, legitimate-use provisions are likely to be interpreted in a manner that remains tethered to the underlying objective of the specified grounds themselves. In that sense, judicial interpretation of the legitimate-use exception is likely to be informed by the proportionality framework articulated in Puttaswamy[1].

    • Existence of law (i.e., whether processing is covered under one or more of the legitimate uses);
    • Necessity (i.e., processing of personal data is necessary for the purpose/legitimate use so claimed);
    • Proportionality (i.e., processing is proportional to the objective underlying the legitimate uses and is not excessive).

    [1] – Justice KS Puttaswamy (retd.) & Anr. v. Union of India, 2017 SCC OnLine SC 996, at para 325.

  • WHAT DOES IT IMPLY FOR BUSINESSES?

    A clear understanding and careful application of legitimate uses are central to compliance under the DPDP Act and for effective legal-risk mitigation. Incorrectly classifying a processing activity as a legitimate use may expose businesses to significant penalties of up to INR 250 crore (~USD 27.8 million). In practice, a data fiduciary cannot simply characterise any operational or commercial objective as a “legitimate use.” The statutory framework is purpose-bound and confined to specific, enumerated scenarios.

    Accordingly, data fiduciaries must exercise particular caution when seeking to rely on the legitimate-use exception, especially in situations where:

    • The use-case falls outside the listed categories: Activities such as commercial analytics, targeted advertising, customer profiling, loyalty programmes, and similar business-driven processing generally do not fall within the codified legitimate uses and will typically require valid consent.
    • The processing is not necessary or proportionate: Even where a processing activity appears to fall within a recognised legitimate use, it must still be necessary for achieving that purpose and limited to what is proportionate.
  • ACTION POINTS

    The imperative to correctly identify legitimate uses translates into the following compliance requirements:

    • Accurate data inventory and mapping:
      • Businesses must maintain a comprehensive data inventory, with clear mapping of each processing activity to its lawful basis under the DPDP Act.
      • For every processing activity, it must be determined with precision whether the activity relies on consent or on one of the recognized legitimate uses.
      • Where reliance is placed on legitimate uses, the processing must demonstrably and clearly fall within one or more of the statutorily specified categories.
    • Internal documentation and accountability: For every data set being processed under legitimate uses, businesses must maintain records and internal documents detailing:
      • The specific data being processed under it.
      • The reasons explaining why the processing fits into one or more of the specified legitimate uses.

    We trust you will find this an interesting read. For any queries or clarifications please write to us at insights@elp-in.com or write to our authors:

    Ravisekhar Nair, Partner – Email- ravisekharnair@elp-in.com

    Parthsarathi Jha, Advocate – Email- parthjha@elp-in.com

    Akash Gulati, Advocate – Email- mridulabhat@elp-in.com

    Priyanjali Singh, Advocate – Email- priyanjalisingh@elp-in.com

Disclaimer: The information provided in this update is intended for informational purposes only and does not constitute legal opinion or advice.
