
The Digital Personal Data Protection Act, 2023 (“DPDP Act”) introduces ‘legitimate uses’ as a lawful basis for processing personal data without consent. At a conceptual level, this reflects a pragmatic recognition that modern organisations cannot operate if every instance of data processing is contingent on obtaining explicit consent.
However, the framing of ‘legitimate uses’ under Indian law differs in important ways from its closest conceptual counterpart under Regulation (EU) 2016/679, the General Data Protection Regulation (“GDPR”), namely, the ground of ‘legitimate interests’. Article 6(1)(f) of the GDPR permits processing where it is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the rights and freedoms of the data subject. Over time, this provision has evolved into a structured and well-tested framework, requiring organisations to undertake and document a balancing exercise, assessing necessity, proportionality, and impact.
By contrast, the DPDP Act adopts a different legislative technique. Rather than articulating a general balancing test, it identifies specific contexts in which processing without consent is permissible, such as compliance with law, employment-related purposes, medical emergencies, and certain public interest functions. The emphasis is on enabling processing in defined scenarios, rather than requiring a case-by-case evaluation of competing interests.
This distinction is not merely academic. It has significant implications for how organisations interpret and apply the law in practice.
From Structured Balancing to Contextual Permission
The GDPR’s ‘legitimate interests’ framework operates as a conditional permission, one that is contingent on the outcome of a documented balancing exercise. Regulatory guidance and enforcement actions across the European Union have reinforced the expectation that organisations must be able to demonstrate, at any point, why a particular use of data was necessary and proportionate.
The DPDP Act, in contrast, is less prescriptive. ‘Legitimate uses’ is framed as a set of circumstances in which consent is not required, without an explicit obligation to conduct or record a proportionality assessment. This creates a degree of operational flexibility. At the same time, it shifts the burden of interpretation, and ultimately of risk, onto organisations themselves.
In the absence of detailed regulatory guidance or established enforcement trends, much of the meaning of ‘legitimate uses’ will be shaped by how it is applied in day-to-day business contexts.
Operational Realities
In practice, a substantial proportion of data processing within organisations already sits outside formal consent frameworks.
In sectors such as oil and energy, for instance, operational efficiency and safety depend on continuous data flows. Organisations routinely process information relating to employee location, system access, and on-ground activity to ensure compliance with safety protocols, prevent operational disruptions, and safeguard critical infrastructure. These uses are both necessary and, in most cases, justifiable within the scope of employment-related processing.
However, the challenge lies not in the initial justification, but in how such processing evolves. Data collected for safety monitoring may, over time, be used to assess productivity or behavioural patterns. System logs maintained for cybersecurity purposes may begin to inform performance metrics or internal decision-making. Each of these developments may appear incremental, but together they represent a gradual expansion of purpose, often without a corresponding reassessment of the legal basis.
A similar trajectory can be observed in financial services. Fraud detection mechanisms rely on analysing transactional and behavioural data, including device identifiers and usage patterns. While this clearly falls within the realm of necessity, such systems frequently develop into broader risk assessment tools, influencing customer profiling and business strategy. The distinction between preventing fraud and evaluating customers becomes increasingly blurred, even as the underlying justification remains unchanged.
Function Creep and the Absence of Recalibration
One of the key lessons from the European experience with ‘legitimate interests’ is that the validity of a legal basis is not static. As purposes evolve, so too must the justification for processing. Under the GDPR, this has translated into an expectation that organisations periodically reassess whether continued reliance on ‘legitimate interests’ remains appropriate, particularly where data is repurposed or used in new contexts.
The DPDP framework does not explicitly mandate such recalibration. Nevertheless, the underlying risk remains.
Across industries, data is increasingly shared across functions: customer support, analytics, product development, and compliance. AI-enabled tools further accelerate this trend, enabling large volumes of personal data to be processed, analysed, and, in some cases, retained for iterative improvement.
In customer-facing operations, for example, support interactions handled through automated systems may be reused to refine algorithms or generate behavioural insights. While the initial collection may be justified as necessary for service delivery, subsequent uses may not be as clearly bounded.
In the absence of defined internal limits, ‘legitimate uses’ can effectively become a default justification for a wide range of processing activities, many of which extend beyond their original purpose.
The Emerging Risk Landscape
The principal risk arising from this approach is not necessarily immediate non-compliance, but rather the gradual erosion of discipline in decision-making.
Where reliance on ‘legitimate uses’ becomes routine, the threshold for necessity may be lowered, distinctions between purposes may become blurred, and the rationale for processing may remain undocumented. This creates vulnerability in the event of regulatory scrutiny. Without a clear record of why a particular use of data was considered necessary and proportionate, organisations may find it difficult to justify their practices retrospectively.
Experience under the GDPR suggests that enforcement in this area often focuses less on the existence of a legal basis in theory, and more on the robustness of the reasoning that supports it.
Towards a More Disciplined Approach
In the absence of a mandated framework, organisations would benefit from adopting internal practices that introduce a degree of discipline into the use of ‘legitimate uses’ as a legal basis. This does not require a wholesale import of GDPR compliance structures. However, certain principles are instructive:
- clearly defining the purpose for which data is processed;
- assessing whether the processing is genuinely necessary for that purpose;
- considering the impact on individuals; and
- maintaining a record of the rationale.
Such an approach not only mitigates regulatory risk but also supports more sustainable data governance practices. Importantly, it enables organisations to distinguish between what is operationally convenient and what is legally justifiable: two considerations that do not always align.
Conclusion
‘Legitimate uses’ under the DPDP Act represents a conscious legislative choice to prioritise flexibility and enable practical business operations. In doing so, it departs from the more structured and heavily scrutinised framework of ‘legitimate interests’ under the GDPR.
This flexibility, however, comes with corresponding responsibility.
As Indian data protection enforcement begins to take shape, the interpretation of ‘legitimate uses’ will likely be tested in increasingly complex factual scenarios. Organisations that rely on this ground without clearly defining its scope or documenting its application may find themselves exposed to avoidable risk.
Ultimately, the question is not whether ‘legitimate uses’ permits a particular form of processing in principle. It is whether that processing can be explained, justified, and defended in practice. That distinction, between permission and justification, will define how this concept evolves in the Indian data protection landscape.