Opinion: The views expressed in this article are those of the author and do not necessarily represent the editorial position of Nyay Vidhan.
India's Digital Personal Data Protection Act, 2023 is a landmark statute and a missed opportunity simultaneously. It is a landmark because India finally has comprehensive data protection legislation after nearly a decade of deliberation. It is a missed opportunity because the law, in its zeal to be simple, has created a framework that will be difficult to comply with in practice and may not deliver the privacy protections it promises.
My specific concern is the consent architecture.
**The Consent Obsession**
The DPDP Act makes consent the primary — and in practice near-exclusive — ground for personal data processing. Section 6 requires consent to be free, specific, informed, unconditional and unambiguous. Section 7 provides a limited list of "legitimate uses" that do not require consent, but these are narrow carve-outs, not a genuine alternative framework.
Contrast this with GDPR, which provides six lawful bases for processing: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Of these, legitimate interests — Article 6(1)(f) — is the most commercially significant. It allows processing where a controller has a genuine business need, provided that need is balanced against data subject rights through a Legitimate Interests Assessment.
**Why Consent Doesn't Work as a Universal Principle**
Consent-as-the-default sounds protective but is actually counterproductive for three reasons.
First, consent is often meaningless in practice. Research consistently shows that users click through consent banners without reading them. A statute built on the fiction of informed consent does not protect users — it creates a compliance ritual that both parties understand to be empty.
Second, many legitimate processing activities cannot practically be reduced to consent. Fraud prevention, credit scoring, workplace safety monitoring, academic research on public data — these require processing that does not fit neatly into a consent framework. The DPDP's "legitimate uses" list does not adequately address these cases.
Third, India's regulatory approach will create asymmetric burdens. Multinational corporations will transpose their GDPR compliance frameworks with minor modifications and move on. Indian startups, building compliance from scratch, will bear disproportionate costs trying to obtain consent for every processing activity their business model requires.
**The Adequacy Problem**
India's trade aspirations require personal data flows with the European Union. The EU's adequacy determination process requires that the third country provide essentially equivalent protection to GDPR. Without a workable legitimate interests framework — and with significant gaps in the DPDP's independent oversight mechanism — obtaining adequacy will be a protracted negotiation.
**What Should Be Done**
The Data Protection Board, when constituted, should use its rule-making powers to publish detailed guidance expanding the legitimate uses categories. This is legally possible within the framework and would address the most pressing gaps without requiring legislative amendment.
The Board should also prioritise processing activity categories that are commercially significant and not adequately addressed by the consent framework — financial data processing, HR analytics, research data, and platform moderation are obvious starting points.
Legislation as complex as data protection must be supplemented by robust subordinate regulation and guidance. The DPDP Act's success will ultimately depend not on its text but on how the Board chooses to interpret and implement it. Early, detailed guidance will determine whether India's first data protection statute works in practice or merely on paper.