Legal Basis of Processing and Privacy Notice


In the second instalment of our Prism series on the Digital Personal Data Protection Act, 2023 (“DPDPA”), we delve into the legal basis for processing personal data and the requirements around privacy notice. Building on our first edition, which examined the applicability of the DPDPA and identified the key stakeholders, this episode shifts focus to the legal grounds on the basis of which personal data can be processed under the DPDPA. Subsequently, we summarise the requirements of a privacy notice and when a notice must be provided to the data principals. In the latter part of the Prism, we compare and contrast data protection laws in the European Union, the State of California, USA and Singapore to understand their approach towards legal grounds for processing and privacy notice.

Legal basis for processing

  • Consent can be obtained through an interoperable platform called a ‘consent manager’, more details of which will be provided in the Rules.
  • It is pertinent to identify the right legal basis for processing since the notice requirements and the data principals’ rights will differ based on the legal basis.
  • DPDPA does not categorise sensitive personal data separately. Therefore, there are no specific grounds for processing of sensitive personal data, unlike the GDPR.

What are the ‘Legitimate Uses’?

The DPDPA lists 9 (nine) legitimate uses, where personal data can be processed without the consent of the data principal.

  • Voluntary Basis:

What constitutes ‘voluntary’ provision of personal data is ambiguous.

  • Processing by the State or its instrumentalities:

Any processing by the Government or its departments must also comply with policies issued by the Central Government or any law in force that regulates governance of personal data.

  • Processing for State Functions:

  • Processing for Fulfilling Legal Obligations:

  • Processing for Compliance with Court Orders:

  • Processing during Medical Emergencies:

  • Processing during Epidemic or Outbreak of Disease:

  • Processing during Disaster or Breakdown of Public Order:

‘Disaster’ is defined under the Disaster Management Act of 2005 as “a catastrophe, mishap, calamity or grave occurrence in any area, arising from natural or man-made causes, or by accident or negligence which results in substantial loss of life or human suffering or damage to, and destruction of, property, or damage to, or degradation of, environment, and is of such a nature or magnitude as to be beyond the coping capacity of the community of the affected area”.

  • Processing for the Purpose of Employment:

  • There is a lack of clarity on whether the term ‘for employment purposes’ can be extended to contractors, retainers or professionals.
  • In a similar context, the Personal Data Protection Act (“PDPA”) of Singapore specifically allows processing of personal data (without obtaining consent) to evaluate the individual or to manage or terminate the employment relationship.

Notice under the DPDPA:

  • A notice should be provided to the data principal while requesting their consent or to identify the purpose if the personal data is volunteered.
  • What should be the contents of a notice?

  • The notice must be provided earlier than or along with the request for consent.
  • Where a data principal has given her consent for the processing of her personal data before the date of commencement of the DPDPA, a notice should be provided to the data principal as soon as it is reasonably practicable. The data fiduciary may continue to process the personal data until the data principal withdraws her consent.
  • The data fiduciary will give the data principal the option to access the contents of the notice in English or in any language specified in the Eighth Schedule to the Constitution of India.
  • The Rules will prescribe the manner in which the notice should be given to the data principal.

It is not clear if the notice has to be provided in all the languages that are listed in the Eighth Schedule to the Constitution of India, as it may be an operational overhead. Currently, there are 22 (twenty-two) languages in this Schedule, viz.: Assamese, Bengali, Bodo, Dogri, Gujarati, Hindi, Kannada, Kashmiri, Konkani, Malayalam, Manipuri, Marathi, Maithili, Nepali, Oriya, Punjabi, Sanskrit, Santhali, Sindhi, Tamil, Telugu, and Urdu.

Comparison with select data protection laws around the world:

Legal basis for processing personal data

  • DPDPA: Consent or legitimate uses.
  • The General Data Protection Regulation (“GDPR”): Consent, necessary for fulfilment of contractual obligations, for compliance with legal obligations, for protecting the vital interests of the data subject, necessary for performance of a task carried out in the public interest, or legitimate interests.
  • The California Consumer Privacy Act: There is a general presumption that a business can process personal data without relying on a legal basis. However, businesses are required to provide an option to the consumers to opt out from selling or sharing of their personal information.
  • PDPA, Singapore: Consent, or without consent for circumstances mentioned in the PDPA. It is an exhaustive list; some of the instances are where it is necessary to protect the vital interests of the individual, necessary in the national interest, processing for artistic, literary, archival, research or historical purposes, for the legitimate interest of the organisation, necessary for investigation or proceedings, for employment purposes, for the purposes of a business asset transaction, for business improvement purposes, etc.

Legal basis for processing of sensitive personal data

  • DPDPA: DPDPA does not define sensitive personal data. Hence there are no specific legal bases for processing it.
  • GDPR: GDPR prohibits the processing of special categories of personal data unless the consent of the data subject is obtained or one of the conditions mentioned under Article 9 of GDPR is fulfilled.
  • The California Consumer Privacy Act: Sensitive personal information can be processed without the consumer’s consent, but businesses must offer consumers the option to limit its use or prevent sharing and selling.
  • PDPA, Singapore: The PDPA does not mention a specific legal basis for processing of sensitive personal data.

Notice

  • DPDPA: A notice will have to be provided to the data principal when requesting consent, or to notify the specific purpose when the data principal volunteers their data. Notice will also have to be given for personal data obtained before the commencement of the DPDPA.
  • GDPR: When personal data is collected directly or indirectly from the data subject, notice must be provided regardless of the legal basis for processing. However, notice is not required in certain circumstances, such as when an individual already has the information, if providing notice would involve disproportionate effort, if the law permits obtaining or disclosing the personal data, or if confidentiality is mandated due to professional secrecy law.
  • The California Consumer Privacy Act: A business must provide notice at or before the collection of a consumer’s personal information. If the business does not collect personal information directly from the consumer and does not sell or share it, no notice is required.
  • PDPA, Singapore: Notice must be provided when obtaining an individual’s consent, except when consent is ‘deemed’ or other legal bases are relied upon.


This Prism has been prepared by:

Akshaya Suresh
Partner

Aravindini Magesh
Associate

For more details, please contact [email protected]