The Digital Personal Data Protection Act, 2023 (DPDP Act) represents India's first standalone data protection statute. While it borrows substantially from GDPR principles, a critical divergence lies in its treatment of consent as a near-exclusive ground for data processing.
**I. THE DPDP ACT'S CONSENT ARCHITECTURE**
Section 6 of the DPDP Act mandates that a Data Fiduciary must obtain free, specific, informed, unconditional and unambiguous consent from the Data Principal before processing personal data. The Act recognises "legitimate uses" under Section 7 — which include processing for the purposes of employment, medical emergencies and legal proceedings — but these are narrowly drawn and do not approximate the breadth of GDPR's Article 6(1)(f) legitimate interests ground.
**II. GDPR'S LEGITIMATE INTEREST DOCTRINE**
Under GDPR Article 6(1)(f), processing is lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights of the data subject. This is operationalised through a three-part Legitimate Interests Assessment (LIA):
1. Purpose test: Is the interest legitimate?
2. Necessity test: Is processing necessary for that purpose?
3. Balancing test: Do the data subject's rights override the controller's interest?
**III. THE VACUUM IN DPDP**
The absence of a flexible legitimate interests ground creates significant operational challenges for Indian businesses. Consider the following scenarios:
- Fraud prevention: A fintech company processing transaction patterns to detect fraud cannot easily fit this within the DPDP's consent or legitimate uses framework.
- Employee monitoring: Limited coverage under the employment purpose exception creates grey areas around workplace analytics.
- Academic research: The research exemption in Section 17 is poorly defined and likely to generate litigation.
**IV. RECOMMENDATIONS**
The Data Protection Board, when constituted, should issue guidance expanding the "legitimate uses" categories through subordinate legislation to fill the gaps identified. India's trade relationships — particularly with the EU, which has extended adequacy discussions — will also require eventual convergence with GDPR standards.