Legitimate Uses Without Consent Under DPDPA

Section 7 of the DPDPA carves out specific grounds on which personal data may be processed without the Data Principal's consent. These legitimate uses are not open-ended exceptions — they are precisely enumerated categories with defined boundaries. Unlike the European GDPR's flexible legitimate interest ground, the DPDPA's Section 7 operates as a closed list: if the processing does not fall within one of the specified categories, consent under Section 6 is the only lawful basis. This design choice reflects a deliberate legislative preference for consent primacy, with limited, purpose-bound exceptions. Understanding the exact scope of each legitimate use ground — and its operational boundaries — is critical for organisations seeking to process personal data without consent.

Section 7 enumerates specific legitimate uses: (a) the Data Principal has voluntarily provided personal data and has not indicated unwillingness to its processing — applicable where the purpose is reasonable and the processing is expected by the Data Principal; (b) processing by the State or any instrumentality for subsidies, benefits, services, certificates, licences, or permits; (c) processing in compliance with any law or court order; (d) processing for responding to a medical emergency; (e) processing for ensuring safety during disasters; and (f) processing for employment purposes where the employer-employee relationship exists. Each ground operates independently and cannot be combined to create a broader processing justification. The fundamental principle underlying Section 7 is specificity: each ground maps to a defined context, and processing outside that context requires consent. Organisations cannot invoke Section 7(a) — voluntary provision — as a general-purpose alternative to consent under Section 6. The voluntary provision ground requires that the Data Principal's reasonable expectation aligns with the processing purpose.

Section 7(a) is the most frequently invoked — and most frequently misunderstood — legitimate use ground. It applies where a Data Principal voluntarily provides personal data and has not indicated unwillingness to its processing. The critical interpretive question is what constitutes reasonable expectation. Providing an email address for a service registration creates a reasonable expectation that the email will be used for service-related communications — not that it will be shared with third-party marketing partners. The voluntary provision must be genuinely voluntary: pre-populated fields, dark patterns, or bundled consent mechanisms do not satisfy the voluntariness requirement. The data must have been provided by the Data Principal themselves, not collected from third-party sources or inferred through profiling. Section 7(a) does not authorise processing that goes beyond what a reasonable person would expect in the context of the original provision. Organisations relying on this ground should document their reasonable expectation analysis for each processing activity.

Sections 7(b) through 7(e) address specific institutional and emergency contexts. The State function ground under Section 7(b) is deliberately broad for government operations — covering subsidies, benefits, services, and regulatory functions — but remains purpose-bound to the specific function being performed. A government agency processing data for ration card distribution cannot repurpose that data for surveillance without separate lawful authority. The legal compliance ground under Section 7(c) requires an existing legal obligation or court order — it does not authorise processing merely because no law prohibits it. The medical emergency ground under Section 7(d) is temporally bounded: it applies during the emergency and for the immediate health response, not for subsequent research or analysis. The disaster management ground under Section 7(e) similarly applies during the period of threat to life, health, or safety. These temporal and purpose limitations mean that organisations invoking emergency grounds must document the specific emergency, the processing conducted, and the point at which the emergency basis ceased.

Section 7(f) permits processing for employment purposes where an employer-employee relationship exists. This covers payroll processing, statutory compliance (PF, ESI, tax withholding), performance management, and workplace safety. However, the employment ground does not authorise all employer processing of employee data. Processing that extends beyond legitimate employment purposes — biometric surveillance beyond security requirements, social media monitoring, personal device data collection — may exceed the Section 7(f) boundary and require separate consent or contractual basis. The employment ground applies to the employer-employee relationship specifically: it does not extend to contractor, consultant, or gig-worker relationships unless the processing is necessary for legal compliance under Section 7(c). Organisations must map their employment data processing activities against the Section 7(f) scope and identify processing activities that require alternative legal bases. The practical implication is that most organisations will operate under a hybrid model: some employment processing under Section 7(f), with remaining activities requiring consent or other Section 7 grounds.