Personal data is the lifeblood of modern businesses. From crafting razor-sharp marketing campaigns to delivering personalized customer experiences, data drives innovation and competitive edge. Enter the Digital Personal Data Protection (DPDP) Act 2023 - a revolutionary law setting a new gold standard for how personal data can be handled in India.
As per the DPDP Act you can only process personal data for a Lawful Purpose and under a valid Ground of processing, i.e., clear criteria that must be met for any use of personal data to be considered lawful. In this article, we’ll dive deep into these grounds for processing, breaking down what they are and how they impact your business operations. These aren’t mere guidelines; they are mandatory rules that can make or break your compliance strategy.
Lawful Purpose
First and foremost, the DPDP Act only permits you to process personal data for a Lawful Purpose. This means that you cannot process personal data for a purpose that is prohibited by any law, regulation or rules. For example, sharing sensitive personal information with hackers would be an unlawful purpose, as it is prohibited by the Information Technology Act.
If the purpose is lawful, then there are two grounds on which you can process personal data:
- Consent of the Data Principal; OR
- Certain Legitimate Uses.
Thus, you can process personal data on the basis of user consent even if such processing does not qualify as a legitimate use. Conversely, if you don't have user consent, you can still process personal data if the processing falls under the category of a legitimate use. However, in either scenario, if the processing is for an unlawful purpose, it would violate the DPDP Act and attract severe penalties. Further, all processing of personal data is limited by the purpose for which it is collected: you cannot process personal data beyond what is necessary for that purpose.
Consent as Grounds for Processing
Consent is at the heart of the DPDP Act and of this blog. As our avid readers will know, and as will become clear in the course of this article, in most use cases you will need to rely on user Consent as the ground of processing. Only in exceptional cases where consent is absent or cannot be taken will your business need to rely on certain legitimate uses as the ground of processing.
So consent is the primary ground of processing personal data under the DPDP Act. Now, what do you need to do to meet the DPDP standard of consent? For starters, you need to collect consent in the manner prescribed:
- Freely given: The consent must be given voluntarily, with a clear understanding of the specific purpose for which the data will be processed. This means no hidden clauses or confusing language.
- Unconditional and unambiguous: The consent should not be conditional on unrelated factors and must be clear and precise. Users should fully understand what they are consenting to.
- Specific Purpose: Consent must be linked to clear and specific purposes that are communicated upfront. You cannot take blanket consents anymore. The processing must be limited to this specified purpose and only the personal data necessary for that granular purpose may be collected.
- Given with affirmative action: Consent must be provided through an explicit action, such as checking a box or clicking "I agree." Passive consent, such as pre-ticked boxes or implied consent, is not acceptable.
Once you have validly collected consent, you need to meet the following requirements to process personal data on the basis of consent:
- Notice Requirement: When requesting consent, your business must furnish a valid notice at the time of data collection. You must inform your users about the personal data being collected, the purpose of processing, their rights, and the method for lodging complaints with the Data Protection Board. This notice must appear at all points where you collect personal data - websites, mobile apps, questionnaires, or physical onboarding forms. Further, this notice must be available in the 22 local languages specified in the Indian Constitution.
- One-Time Notice: For consents collected before the enactment of the DPDP Act, a notice with the same details must be sent to your existing database of users. If they withdraw their consent in response to this one-time notice, you must stop processing their data.
- Storage Limitations: Data Fiduciaries cannot store personal data indefinitely. The personal data must be erased in two cases, whichever occurs first:
First, users have the right to withdraw consent at any time, with ease comparable to that with which consent was given. If consent is withdrawn, the data processing must stop and the data must be erased.
Second, personal data must be erased after the specific purpose of its use has been fulfilled.
For example, if an online shopping platform collected your address solely for shipping a purchase, it can't keep that information afterward to pepper you with localized ads. Similarly, the shopping platform must delete the user's account and all associated personal data if the user chooses to withdraw their consent.
- Verifiable Records: There should be auditable records and proof that consent was collected in the manner prescribed in the Act - this includes proof that a valid notice was given, that consent has not been withdrawn, and that the purpose has not yet been fulfilled.
- Vendor Management: You must ensure that all third parties with which you have shared personal data also adhere to the same standards of consent-based data processing and deletion. In case of non-compliance at any level, the burden will fall onto the business that decides the manner and purpose of processing the personal data.
Role of Consent Managers
The DPDP Act introduces the concept of Consent Managers, who act as intermediaries to facilitate the giving, managing, reviewing, and withdrawing of consent. Consent Managers can provide a unified platform where users can manage their consents across multiple services, making life easier for both users and businesses. You can easily integrate Leegality Consent Manager into your existing systems to achieve compliant consent as the basis of your data collection and processing.
Certain Legitimate Uses
In certain cases, the DPDP Act allows the processing of personal data without explicit user consent. These uses are limited to specific scenarios where consent may not be necessary or practically collectable. These are termed certain legitimate uses:
- Voluntary Sharing of Personal Data
If personal data is provided voluntarily by the data principal for a specific purpose, then consent is not required. You can process such data for the specified purpose until the customer withdraws their consent.
Example: A prospective tenant contacts a real estate agency via email to seek assistance in finding a rental property and shares personal details such as name and preferred location. The real estate agency can use this data to send information about available rentals. However, if the tenant later informs the agency that they no longer require help, the agency must stop using their data and delete it.
- Performance of State Functions
The DPDP Act allows the State and its instrumentalities to process personal data without explicit consent under specific circumstances, including the issuing of subsidies, benefits, services, etc. This is contingent upon either:
Previous Consent: If the user has previously consented to the processing of their personal data by the State for any subsidy or benefit; or
Existing Data: If the personal data is available from any database or document maintained by the State and notified by the Central Government.
Further, this processing must comply with the standards and policies issued by the Central Government or any law governing personal data.
Example: The government might use personal data to determine eligibility for a new social welfare program and ensure that benefits reach the intended recipients.
- Responding to Health and Other Emergencies
Data can be processed to address immediate threats to life or health, ensuring timely intervention in critical situations. These include both individual emergencies that threaten life or health, and wider public health crises like epidemics or disease outbreaks. Data processing should be limited to what is strictly necessary for the emergency at hand.
Example: During a viral outbreak, healthcare providers might share patient data with government agencies to track the spread of the virus and allocate resources effectively.
- Fulfilling Legal Obligations
The Digital Personal Data Protection Act 2023 allows businesses to process personal data without user consent when such processing is required under a law or based on the order of a court or government body.
Example: Banks are required to share transaction data with regulatory bodies to prevent money laundering. Similarly, a business may need to report specific financial details to tax authorities as part of regulatory compliance.
- Compliance with Judicial Orders and Other Legal Obligations
The DPDP Act allows businesses to process personal data without consent when it is required to comply with legal orders. This includes following court decisions or legal directives, both from India and from international courts in civil or contractual matters.
Example: If an Indian court orders a tech company to provide the contact details and email exchanges of an employee involved in a harassment lawsuit, the company must comply and share the necessary data, even if the employee hasn’t given consent.
- Employment-Related Processing
The DPDP Act permits employers to process personal data without consent when it relates to employment purposes or safeguards the employer from loss or liability. This includes preventing corporate espionage, maintaining the confidentiality of trade secrets and intellectual property, and managing employee-related services or benefits.
Example: A pharmaceutical company could process employee data to restrict access to a new drug formula and monitor interactions with this highly confidential information to prevent industrial espionage.
- Disasters and Breakdown of Public Order
Processing personal data without consent is also permissible when it's necessary to ensure the safety and assistance of individuals during disasters or situations causing a breakdown of public order.
Example: Following a major cyclone, rescue teams use government databases to identify residents in the affected areas. They process this information to coordinate evacuation plans, deliver aid, and assist in locating missing persons. This timely and efficient data processing is key to managing the crisis and is exempt from DPDP obligations.
Exemptions
Please note that under the DPDP Act there are broad exemptions that can absolve you from most of the Act's obligations, including the need for a valid ground for processing. If your data processing falls within these specific exemptions, you are not required to obtain consent or prove a legitimate use for processing personal data. These exemptions provide a level of flexibility for businesses in certain situations, such as business process outsourcing, corporate restructuring and mergers, financial assessment on loan default, and other scenarios specified in the Act. Read our post on DPDP Exemptions to learn more about this.
Comparing Consent and Legitimate Uses
Grounds for processing in practice
Understanding the practical applications of, and the consequences of missteps around, the grounds for processing personal data under the Digital Personal Data Protection (DPDP) Act can help businesses navigate compliance more effectively. Here, we provide examples of lawful processing as well as instances of violations and the potential penalties involved:
Examples of Lawful Processing
- A bank processing customer data for account management would need explicit consent, but it may process data without consent to comply with anti-money laundering regulations as that falls under the legitimate use of processing to fulfill a legal obligation.
- An employer processes personal data to conduct background checks on potential employees to ensure they meet the job requirements. This processing is lawful as it relates to employment purposes and safeguarding the employer from potential risks.
- A customer emails an e-commerce website for support and shares their address in the email. The e-commerce business can use this data to respond to the customer’s support request, as it is considered voluntarily shared for a specific purpose.
Examples of Violations and Penalties
- A telecom company shares customer data with unauthorized third parties for marketing purposes without obtaining explicit consent. This violation could result in penalties up to ₹50 Crore per instance of violation. Read more about DPDP Penalties here.
- An online retailer uses a generic consent form that does not clearly specify the purpose of data collection. This inadequate consent can invalidate the processing and lead to hefty fines under the DPDP Act.
- An e-commerce platform continues to send marketing emails to a customer even after they have withdrawn their consent. This violation of the DPDP Act’s provisions on consent withdrawal can result in penalties and mandatory corrective actions.
Final thoughts
Understanding the grounds for processing under the DPDP Act is essential for businesses to ensure compliance with the latest data protection laws. By adhering to lawful purposes, obtaining valid consent, and appropriately applying legitimate uses, organizations can build trust with their customers and avoid significant penalties. As the regulatory landscape continues to evolve, staying informed and proactive in compliance efforts will be crucial for business success.