India's DPDP Act 2023: No Legitimate Interest? The Legal Bases That Replace It

Table of Contents
What Legal Bases Does the DPDP Act 2023 Provide?
Unlike the GDPR, India's Digital Personal Data Protection Act, 2023 (DPDP Act) does not include 'legitimate interest' as a standalone legal basis. Instead, it relies on consent and certain deemed consent situations. This shift simplifies compliance but raises questions about flexibility for businesses.
Consent: The Primary Ground
Under the DPDP Act, consent must be free, specific, informed, unconditional, and unambiguous, with a clear affirmative action. Data fiduciaries must provide a notice at the time of seeking consent, detailing the purpose and the data to be processed. Consent can be withdrawn at any time, and withdrawal does not affect the lawfulness of processing before withdrawal.
Deemed Consent: The Practical Alternative
The Act introduces 'deemed consent' for certain purposes, such as when the data principal voluntarily provides data for a specific purpose, or when processing is necessary for employment, public interest, or legal compliance. This is not a free pass; it requires a reasonable expectation by the data principal that processing will occur.
Comparison with GDPR's Legitimate Interest
GDPR's legitimate interest allows processing without consent if the data controller's interest outweighs the individual's rights. The DPDP Act's approach is more restrictive, potentially reducing grey areas but also limiting innovation. For example, under GDPR, a company might use legitimate interest for direct marketing; under DPDP Act, explicit consent is likely required.
Practical Implications for Businesses
Businesses operating in India must rely heavily on consent mechanisms. This means updating privacy notices, implementing robust consent management platforms, and ensuring transparency. The absence of legitimate interest may increase consent fatigue, but it also provides clearer rules. As one privacy lawyer joked, 'Reading the DPDP Act is like assembling IKEA furniture without the Allen key—possible, but you'll need to read the manual twice.'
Key Takeaways
- No legitimate interest basis under DPDP Act.
- Consent and deemed consent are the only grounds.
- Deemed consent covers specific scenarios like employment and public interest.
- Businesses must prioritize consent management and transparency.
For the official text of the DPDP Act, visit the Ministry of Electronics & Information Technology.
FAQ
Can I use legitimate interest for processing data in India under the DPDP Act?
No, the DPDP Act does not recognize legitimate interest as a legal basis. You must rely on consent or deemed consent.
What is deemed consent under the DPDP Act?
Deemed consent applies when the data principal voluntarily provides data for a specific purpose, or when processing is necessary for employment, public interest, or legal compliance, among other scenarios.
How does the DPDP Act's consent requirement differ from GDPR?
Both require free, specific, informed, and unambiguous consent. However, the DPDP Act does not have a legitimate interest basis, making consent the primary route, while GDPR offers more flexibility.

NakedPact Editorial Committee
Article created by the NakedPact editorial team. Our mission is to analyze, simplify, and expose unfair terms and hidden risks in everyday contracts to protect citizens and consumers.
Sources and Legal References

Do you own a website?
Want to communicate your data processing transparency to your users? Dynamically use our badge and showcase your platform's compliance.
Recommended Readings
🛡️ Protect your rights with one click
Don't risk signing abusive clauses. Install the free NakedPact extension for Chrome or Firefox and instantly analyze any contract on the web.
Don't trust, verify.
Now that you know the risks, don't sign blindly. Upload your contract to NakedPact and let AI find the hidden clauses for you. It's 100% free.
Analyze Your Contract Now
