Legitimate Uses of Data Without Consent under the DPDP Act, 2023

Executive Summary
While the Digital Personal Data Protection Act, 2023 (DPDP Act) establishes consent as the principal basis for processing personal data, the legislation also recognizes a set of “legitimate uses” where personal data may be processed without explicit consent. These exceptions balance individual autonomy with practical necessities of governance, business operations, and societal interests.
This article examines the scope of legitimate uses, contrasts them with GDPR’s concept of “legitimate interests,” and analyses the risks, benefits, and compliance implications for businesses in India. It also provides sectoral illustrations from healthcare emergencies to employment contracts and financial compliance to demonstrate how organizations may lawfully rely on these exceptions.
Introduction: Consent and Its Limits
Consent under the DPDP Act is designed to empower individuals, but it is neither practical nor desirable to require consent in every situation. There are circumstances where data must be processed swiftly, mandatorily, or in the public interest, and obtaining consent would be burdensome or impossible.
To address this, the DPDP Act lays down specific legitimate uses of personal data without consent. These carve-outs are carefully drafted to prevent abuse, yet broad enough to allow essential functions of both the State and private sector.
The Framework of Legitimate Uses under the DPDP Act
The DPDP Act identifies several circumstances where personal data may be processed without consent:
- Where processing is required by law or court order.
- For the performance of functions of the State, such as providing subsidies, licenses, or public services.
- In medical emergencies, public health threats, or disasters.
- For employment-related purposes, such as hiring, salary processing, or disciplinary action.
- To comply with judgments, investigations, or enforcement actions.
- For purposes related to the reasonable expectations of the data principal in the context of the relationship.
These carve-outs, collectively described as legitimate uses, establish a legal basis parallel to consent. Unlike GDPR’s open-ended “legitimate interests” ground, India’s Act uses a closed-list approach to limit discretion.
Legal Compliance and Court Orders
One of the clearest grounds for legitimate use arises where processing is mandated by law or by a judicial or regulatory order. For example, banks and fintech lenders are required under RBI’s KYC guidelines to collect Aadhaar, PAN, or other identification documents. Similarly, tax authorities may mandate disclosure of financial records. In such cases, seeking “consent” would be redundant, since individuals cannot refuse.
This ground ensures that fiduciaries are not exposed to liability when complying with statutory duties. However, the scope is limited to legal necessity; it cannot be used as a blanket justification for unrelated data collection. For instance, a payment wallet cannot rely on “legal compliance” to justify collecting social media handles, as no law requires such processing.
State Functions and Public Interest
A significant carve-out allows the State and its instrumentalities to process personal data without consent for the performance of governmental functions. This includes delivery of subsidies, social benefits, licenses, permits, and certificates. The rationale is administrative efficiency: requiring consent for every interaction with government schemes would create friction.
Examples include processing data for Aadhaar-enabled direct benefit transfers, issuance of driving licenses, or property registration. The State is also exempted when processing data for reasons of sovereignty, integrity, security, or public order.
While necessary, this ground raises concerns of overbreadth. Without strong safeguards, government agencies may collect or share data beyond proportional need. Businesses dealing with government data, such as contractors or service providers, must therefore ensure that their processing aligns strictly with the scope of the State’s mandate.
Emergencies and Public Health
The DPDP Act permits processing of personal data without consent in cases of medical emergencies, disasters, or public health crises. For instance, hospitals may process a patient’s data without prior consent in life-threatening situations. Similarly, data may be shared during epidemics for contact tracing or vaccination drives.
This ground is critical for healthcare providers, insurers, and emergency response entities. The Act’s language, however, requires that processing be limited to the emergency context. A hospital cannot later use the same data for marketing health packages without explicit consent. Businesses must therefore maintain clear boundaries between emergency-based processing and secondary use.
Employment Purposes
One of the most commercially significant exceptions is employment-related processing. Employers may process personal data of employees for recruitment, payroll, attendance, workplace safety, performance evaluation, and disciplinary measures, even without explicit consent.
This reflects global recognition that employment relationships are inherently imbalanced, so employees cannot freely refuse consent. By providing a statutory ground, the DPDP Act resolves this issue.
Yet employers must use this ground responsibly. For example, processing employee attendance records or salary details falls within legitimate use. But constant surveillance through intrusive monitoring software may exceed what employees reasonably expect, risking regulatory scrutiny. Balancing efficiency with privacy remains essential.
Reasonable Expectations of Data Principals
The DPDP Act allows processing without consent when it falls within the reasonable expectations of the data principal in the context of their relationship with the fiduciary. This is perhaps the most flexible, yet subjective, ground.
For example, a bank customer can reasonably expect that their transaction data will be processed to detect fraud. A frequent flyer can expect that their airline processes travel data to issue boarding passes. But using that same data to profile spending habits for third-party advertising would likely exceed such expectations.
This ground requires fiduciaries to conduct careful assessments of what is reasonably anticipated by users, factoring in transparency, industry norms, and trust.
Comparison with GDPR’s Legitimate Interests
Under GDPR, “legitimate interests” is a broad ground allowing controllers to process data without consent if their interest is not overridden by the rights of individuals. It requires a balancing test and is widely used in Europe for marketing, fraud detection, and operational analytics.
The DPDP Act diverges significantly by rejecting this open-ended approach. Instead, it lists specific legitimate uses. This reduces flexibility for businesses but provides greater legal certainty. For instance, while European firms can justify personalized marketing under “legitimate interests,” Indian firms must rely on explicit consent unless the activity fits a listed exception.
Sectoral Implications
1. Banking and Fintech: Financial institutions may process KYC and transaction data under legal compliance grounds. Fraud detection and AML checks may also be covered under reasonable expectations. However, personalized product recommendations or marketing require consent.
2. Healthcare and Insurance: Hospitals and insurers may process data during medical emergencies or for regulatory compliance. Public health authorities may share anonymized data during pandemics. But secondary commercial uses require consent.
3. Employment and HR: Payroll processing, background verification, and workplace safety monitoring qualify as legitimate uses. But employers must avoid overreach; for instance, intrusive surveillance or unnecessary collection of personal communications.
4. Government Services: Issuance of licenses, subsidies, or certificates falls under State functions. Contractors handling government projects must strictly adhere to scope, ensuring they do not repurpose data for unrelated objectives.
Illustrations of Valid vs. Invalid Reliance
- Valid (Banking): Bank collects PAN details to comply with RBI KYC norms.
- Invalid (Banking): Bank uses KYC data for targeted third-party product ads without consent.
- Valid (Healthcare): Hospital processes patient data during an emergency surgery.
- Invalid (Healthcare): Same hospital later uses emergency data for promotional calls.
- Valid (Employment): Employer processes attendance records to calculate salary.
- Invalid (Employment): Employer continuously monitors keystrokes and webcam feeds without proportional justification.
- Valid (Government): Municipality processes citizen data to issue property tax bills.
- Invalid (Government): Municipality shares same data with private marketers.
Compliance Strategies for Businesses
- Purpose Limitation: Use data strictly for the stated legitimate use.
- Transparency: Even when consent is not required, provide notices explaining reliance on legitimate use.
- Proportionality: Ensure data collection is limited to what is necessary.
- Internal Documentation: Maintain records of reliance on legitimate use to demonstrate accountability.
- Segregation: Distinguish data processed under legitimate use from data collected under consent.
Risks of Overreliance and Abuse
While legitimate uses provide operational flexibility, overuse or misinterpretation may backfire:
- Regulatory Penalties: Misuse may attract fines up to ₹250 crore.
- Litigation Risk: Data principals may challenge processing as exceeding reasonable expectations.
- Reputational Harm: Perception of exploiting exceptions may erode consumer trust.
Businesses should treat legitimate use as a narrow exception, not a broad fallback.
Global Comparisons
1. LGPD (Brazil): Provides multiple legal bases including compliance with law, health, and employment, closely resembling India’s model.
2. PDPA (Singapore): Allows consent exceptions for business improvement and research, broader than India’s list.
3. CCPA (California): Focuses on opt-out rights rather than specific legitimate use categories, making it structurally different.
India’s approach is stricter than most, reflecting a consent-first philosophy with narrowly tailored exceptions.
Conclusion & Key Takeaways
The DPDP Act’s legitimate use provisions strike a balance between individual rights and operational realities. While narrower than GDPR’s “legitimate interests,” they provide businesses with certainty in contexts such as legal compliance, employment, healthcare, and state functions.
Key takeaways for organizations:
- Legitimate uses are limited and specific, not open-ended.
- They must be applied with purpose limitation, proportionality, and transparency.
- Overreliance without proper documentation risks regulatory penalties.
- For most commercial activities, particularly marketing and profiling, explicit consent remains the only safe basis.
For businesses, the message is clear: use legitimate use exceptions judiciously, document them rigorously, and treat them as narrow carve-outs within a consent-driven regime.
Contributed By – Aurelia Menezes