General awareness
Consent is not the default under the DPDP Act
A common assumption is that the DPDP Act requires consent for every act of processing. It does not.
Think of the Act as a road network. Consent is the main road. Section 7 provides a small number of clearly marked exits, the "certain legitimate uses" where a Data Fiduciary may process personal data without consent. What the Act does not provide is a lane marked "because it makes commercial sense."
The legitimate uses that matter to most organisations
- Where the Data Principal has voluntarily provided her personal data for a specified purpose and has not indicated that she does not consent to its use for that purpose (Section 7(a)).
- Employment purposes, including safeguarding the employer from loss or liability, protecting trade secrets or confidential information, or providing any service or benefit sought by the employee (Section 7(i)).
- Responding to a medical emergency, an epidemic or other threat to public health, a disaster, or a breakdown of public order (Section 7(f) to (h)).
- Complying with a legal obligation, a judgment or decree, or enabling specified functions of the State (Section 7(b) to (e)).
So far this reads like relief. Here is where care is needed.
Section 7 is not a GDPR-style legitimate interests clause. There is no general balancing test in which a Data Fiduciary weighs its commercial interest against the interests of the individual and decides the matter for itself. The list is closed. If a processing activity does not fall within one of the enumerated legitimate uses, the Data Fiduciary cannot rely on Section 7 and is back on the main road: consent.
Two practical consequences follow.
- Activities such as marketing, profiling, or monetising personal data should not be assumed to fall within Section 7 merely because they are commercially beneficial.
- Even where a legitimate use applies, the rest of the Act does not switch off. Section 7 removes the need for consent for that processing activity and nothing more. The general obligations of a Data Fiduciary under Section 8, such as maintaining reasonable security safeguards and notifying personal data breaches, continue to apply unless the Act specifically excludes them. Section 7 is not a general exemption from the Act.
Before asking for consent, ask a different question.
Do I actually need consent for this processing activity, or am I relying on one of the specific legitimate uses recognised by Section 7?
Starting with that question often avoids both unnecessary consent notices and misplaced reliance on Section 7.
Where do you see the line being drawn in practice? Are organisations more likely to over-rely on consent out of caution, or to over-rely on "legitimate uses" by treating Section 7 as if it were a GDPR-style balancing test?