The question I hear most frequently from Indian CTOs and compliance leads is not about consent. They understand consent. They have read the sections, attended the webinars, and started building their consent flows. The question that trips them up is the opposite one: when do I not need consent?
Section 7 of the DPDP Act 2023 answers that question. It defines nine specific circumstances, called "certain legitimate uses," where a Data Fiduciary may process personal data without obtaining the Data Principal's consent. These are not loopholes. They are not catch-all provisions you can stretch to cover whatever processing your business finds convenient. They are a closed, enumerated list, and misreading any one of them exposes you to penalties of up to ₹50 crore under Item 5 of the Schedule to the Act.
I reviewed over thirty privacy policies from Indian companies last quarter that referenced "legitimate use" or "deemed consent" in their data processing disclosures. Fewer than five had correctly mapped their processing activities to the actual grounds in Section 7. The rest were either citing the 2022 draft Bill's broader "deemed consent" language (which no longer exists) or importing GDPR's "legitimate interest" concept (which the DPDP Act explicitly does not include).
This guide walks through each of the nine grounds, explains what they cover and what they do not, and identifies the mistakes I see businesses making with each one.
Key Takeaways
- Section 7 of the DPDP Act 2023 establishes nine specific grounds for processing personal data without the Data Principal's consent. These are a closed list; no additional grounds can be created through interpretation.
- The DPDP Act does not include a "legitimate interest" basis comparable to GDPR Article 6(1)(f). Indian law takes a prescriptive, enumerated approach rather than a balancing-test approach.
- "Voluntary provision" under Section 7(a) is the ground most frequently misapplied by private businesses. It requires that the Data Principal has not indicated non-consent, and it limits processing to the specified purpose only.
- Employment processing under Section 7(i) covers payroll, loss prevention, and employee-requested benefits, but does not extend to wellness programmes, social events, or employee surveillance beyond the stated purposes.
- As of February 2026, no balancing test exists under Indian data protection law. You either have consent under Section 6, you fall within one of the nine grounds in Section 7, or your processing is unlawful.
What Are "Legitimate Uses" Under the DPDP Act?
Section 7 of the DPDP Act 2023, titled "Certain Legitimate Uses," establishes the circumstances under which a Data Fiduciary may process personal data without obtaining the Data Principal's consent under Section 6. The term replaced the broader concept of "deemed consent" that appeared in the 2022 draft of the Digital Personal Data Protection Bill. The shift in language was deliberate: the legislature narrowed the scope from implied consent (which could be construed through inaction) to a specific list of permissible processing activities.
The nine grounds can be grouped into three functional categories:
Private sector grounds: Voluntary provision (Section 7(a)) and employment (Section 7(i))
State and governance grounds: State benefits and services (Section 7(b)), performance of State functions (Section 7(c)), and compliance with law or court orders (Section 7(d) and Section 7(e))
Emergency and public interest grounds: Medical emergencies (Section 7(f)), public health threats (Section 7(g)), and disaster or public order breakdown (Section 7(h))
Each ground operates independently. A Data Fiduciary relying on any of them must still comply with all other obligations under the Act: security safeguards under Section 8(4), breach notification under Section 8(6), data retention limits under Section 8(7), and the full range of Data Principal rights. Legitimate use is an alternative to consent, not an exemption from the Act.
The Nine Grounds: What Each One Covers
Ground 1: Voluntary Provision for a Specified Purpose (Section 7(a))
This is the ground that matters most for private businesses. Section 7(a) permits processing when a Data Principal has "voluntarily provided her personal data to the Data Fiduciary" for a "specified purpose" and "has not indicated to the Data Fiduciary that she does not consent to the use of her personal data."
The Act includes two illustrations that define the boundaries.
Illustration I (The Pharmacy Receipt): An individual purchases medicines at a pharmacy and voluntarily provides her mobile number, requesting a receipt via SMS. The pharmacy may process her mobile number to send the receipt. That is the specified purpose. The pharmacy may not add the number to a marketing database, share it with a pharmaceutical company, or use it for anything beyond sending the requested receipt.
Illustration II (The Real Estate Broker): An individual contacts a real estate broker, shares personal details, and asks for help finding rented accommodation. The broker may process the data to identify and share available listings. But when the individual later informs the broker that help is no longer needed, the broker must stop processing the personal data.
Three elements must be present for Section 7(a) to apply:
- The Data Principal must have voluntarily provided the data (not been required to provide it as a precondition)
- The provision must be for a specified purpose (not open-ended or vague)
- The Data Principal must not have indicated non-consent (silence is acceptable; active objection is not)
Where businesses get this wrong: treating Section 7(a) as blanket permission to process any data a customer provides through a website form. A customer who fills out a checkout form and provides their email address for order confirmation has voluntarily provided data for that specified purpose. Using that same email address for a weekly newsletter, partner promotions, or behavioural analytics exceeds the specified purpose and requires separate consent under Section 6.
Ground 2: State Benefits and Services (Section 7(b))
The State and its instrumentalities may process personal data for providing subsidies, benefits, services, certificates, licences, or permits, where either of two conditions is met:
- The Data Principal has previously consented to processing by the State for any subsidy, benefit, service, certificate, licence, or permit; or
- The personal data is available in a government database, register, or document that has been notified by the Central Government
The Act includes an illustration that reveals the scope of this provision: a pregnant woman who enrols for maternity benefits through one government programme has her data processed for eligibility determination across other prescribed benefits without fresh consent. The legislature explicitly prioritised administrative efficiency over purpose limitation in this context.
Section 7(b) applies only to the State and its instrumentalities. A private company operating a government scheme under contract does not automatically inherit this ground. Its applicability depends on whether the private entity qualifies as an "instrumentality of the State" for the purpose of the Act.
Ground 3: State Functions and Sovereignty (Section 7(c))
Processing is permitted for the performance of any function by the State under any law in force in India, or in the interest of sovereignty and integrity of India, or security of the State.
This is the broadest of the nine grounds and the one that overlaps most significantly with the exemptions under Section 17. The distinction matters: Section 7(c) is a legitimate use ground that allows processing without consent but still requires compliance with other DPDP obligations. Section 17 is an exemption that can remove some or all obligations entirely. A law enforcement agency processing personal data for investigation under Section 7(c) must still maintain security safeguards. An agency granted a Section 17 exemption by the Central Government may not need to.
Ground 4: Compliance with Indian Law (Section 7(d))
A Data Fiduciary may process personal data as necessary for compliance with any law in force in India. This covers regulatory reporting obligations, tax filings, statutory record-keeping requirements, and any other processing mandated by Indian statute.
Note that Section 7(d) applies to compliance with Indian law specifically. A requirement under a foreign law does not create a legitimate use under the DPDP Act.
Ground 5: Legal Proceedings and Court Orders (Section 7(e))
Processing is permitted for compliance with any judgment, decree, or order issued under Indian law, or any judgment or order relating to claims of a contractual or civil nature under any law in force outside India.
This ground extends beyond Indian courts. A Data Fiduciary complying with a foreign court order relating to a contractual dispute can rely on Section 7(e), even though Section 7(d) is limited to Indian law. The drafters recognised that Indian companies engaged in cross-border commerce face judicial obligations in multiple jurisdictions.
Ground 6: Medical Emergencies (Section 7(f))
Personal data may be processed to respond to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual.
Two qualifications are critical. First, the emergency must involve a threat to life or an immediate threat to health. A chronic condition requiring ongoing treatment does not qualify. A patient arriving at an emergency department in cardiac arrest does.
Second, Section 7(f) covers the Data Principal or any other individual. This means a hospital can process a bystander's personal data when needed to respond to someone else's medical emergency, such as contact information of the person who brought the patient in.
For a detailed analysis of how this ground applies to hospitals, telemedicine platforms, and HealthTech companies, see our healthcare compliance guide.
Ground 7: Public Health Emergencies (Section 7(g))
Processing is permitted for providing medical treatment or health services during an epidemic, outbreak of disease, or any other threat to public health.
Section 7(g) is structurally different from Section 7(f). The medical emergency ground requires an immediate threat to a specific individual. The public health ground applies to population-level health threats: epidemics, disease outbreaks, and systemic public health emergencies. Contact tracing during a communicable disease outbreak, emergency vaccination drives, and epidemiological surveillance fall under this ground.
The practical relevance became vivid during COVID-19. India's contact tracing and exposure notification systems processed enormous volumes of personal data. Under the framework that the DPDP Act now provides, such processing would be covered by Section 7(g) without requiring individual consent from every person whose data is processed for outbreak management.
Ground 8: Disasters and Public Order Breakdown (Section 7(h))
Personal data may be processed for measures to ensure the safety of, or provide assistance or services to, any individual during any disaster or breakdown of public order.
Consider a cyclone hitting a coastal state. Government agencies and authorised disaster response teams may access population registry data to coordinate evacuations, locate missing persons, and deliver relief supplies. Section 7(h) provides the legal basis for processing that data without obtaining consent from each affected individual during the crisis.
The ground is temporally bounded by the disaster or breakdown. Once the emergency has passed, continued processing of data collected under this ground requires a separate legal basis.
Ground 9: Employment Purposes (Section 7(i))
This ground permits a Data Fiduciary to process personal data of a Data Principal who is its employee, for three categories of purposes:
- Purposes of employment (payroll, human resource management, performance evaluation, background verification)
- Safeguarding the employer from loss or liability, including prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, and classified information
- Provision of any service or benefit sought by the Data Principal who is an employee
The phrase "purposes of employment" is not further defined in the Act, which gives employers flexibility but also creates compliance risk. Processing employee biometric data for attendance tracking is clearly within the scope. Processing employee social media activity for brand reputation monitoring is almost certainly outside it.
The third category, "services or benefits sought by the Data Principal," is tightly scoped. The employee must have sought the service or benefit. An employer cannot process employee health data for a corporate wellness programme and claim Section 7(i) unless each employee has individually requested participation in that programme.
| Employment Processing Activity | Section 7(i) Basis | Likely Covered? |
|---|---|---|
| Payroll and salary disbursement | Purposes of employment | Yes |
| Background verification at hiring | Purposes of employment | Yes |
| Preventing corporate espionage | Safeguarding from loss/liability | Yes |
| Protecting trade secrets and IP | Safeguarding from loss/liability | Yes |
| Employee-requested insurance enrolment | Service sought by employee | Yes |
| Corporate wellness programme (opt-in) | Service sought by employee | Yes, if employee individually opted in |
| Employee monitoring beyond stated purposes | None | No; requires separate consent |
| Sharing employee data with marketing partners | None | No; requires separate consent |
| Office social event organisation using personal data | None | No; requires separate consent |
How Do Legitimate Uses Compare to GDPR's Legal Bases?
This is the comparison that causes the most confusion for Indian companies with European operations, or for those building compliance infrastructure based on GDPR templates.
Under GDPR Article 6(1), there are six lawful bases for processing personal data: consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interests. The sixth basis, "legitimate interests," allows a data controller to process personal data based on its own interests or those of a third party, provided those interests are not overridden by the fundamental rights of the data subject. The controller must conduct a balancing test (Legitimate Interest Assessment) to determine whether this basis applies.
The DPDP Act 2023 does not include an equivalent. There is no balancing test. There is no mechanism by which a Data Fiduciary can justify processing by arguing that its business interests outweigh the Data Principal's privacy rights. You have consent (Section 6), you have the nine enumerated grounds (Section 7), or you do not have a lawful basis.
| Feature | DPDP Act 2023 (Section 7) | GDPR (Article 6(1)) |
|---|---|---|
| Structure | Closed list of 9 specific grounds | 6 legal bases, including open-ended "legitimate interests" |
| Balancing test required? | No. If processing falls within a ground, no further analysis needed | Yes, for legitimate interests (LIA required) |
| "Legitimate interest" as catch-all? | Does not exist | Yes, Article 6(1)(f) |
| Contractual necessity? | Not a separate ground; partial coverage under Section 7(a) | Explicit basis under Article 6(1)(b) |
| Data Principal's right to object? | No right to object to Section 7 processing | Right to object exists for legitimate interests (Article 21) |
| Voluntary provision | Specific ground with illustrations (Section 7(a)) | Subsumed under consent or contractual necessity |
| Employment processing | Specific ground (Section 7(i)) | No specific employment basis; typically consent or legitimate interest |
| State function processing | Two separate grounds (Section 7(b), 7(c)) | "Public task" basis (Article 6(1)(e)) |
The operational implication is significant. If your company currently processes customer data under GDPR's legitimate interest basis for activities like fraud detection, network security monitoring, or direct marketing to existing customers, those processing activities have no direct equivalent under the DPDP Act. You will need to either obtain consent under Section 6 or identify a specific Section 7 ground that covers each activity.
Fraud detection, for instance, might fall under Section 7(d) if there is a specific Indian law mandating it for your industry (RBI guidelines for banks, IRDAI requirements for insurers). But if you are a SaaS company running fraud detection on your own initiative, Section 7 does not provide a ready-made ground. You need consent.
The "Deemed Consent" Confusion
The earlier draft of the DPDP Bill, circulated in 2022, used the term "deemed consent" rather than "legitimate uses." Under that framework, consent was implied through the Data Principal's silence or inaction in certain circumstances, conceptually similar to an opt-out model.
The final Act, passed in August 2023, deliberately moved away from this language. "Deemed consent" suggests that the individual has consented but through inference rather than action. "Certain legitimate uses" signals something different: the legislature has determined that these categories of processing serve purposes important enough that consent is not required at all. The legal basis is statutory, not consensual.
This distinction matters for compliance documentation. When you process personal data under Section 7, your records should reflect the specific legitimate use ground you are relying on, not a claim that the Data Principal is "deemed to have consented." The Data Principal has not consented. The law has authorised the processing on a different basis entirely.
As of February 2026, I still encounter privacy policies that reference "deemed consent under the DPDP Act." This language is incorrect and should be updated. The Act does not use the term.
Common Mistakes Businesses Make With Section 7
Having reviewed compliance frameworks across dozens of Indian companies, I see five mistakes recur with troubling consistency.
Mistake 1: Treating Section 7(a) as a general permission for all voluntarily provided data. A customer who types their name into your registration form has voluntarily provided data. That does not mean you can process it for any purpose. Section 7(a) is limited to the specified purpose for which the data was provided. Purpose creep turns a legitimate use into unlawful processing.
Mistake 2: Importing GDPR's "legitimate interest" reasoning. I have seen Indian companies conduct Legitimate Interest Assessments (LIAs) and document balancing tests as if the DPDP Act contained an Article 6(1)(f) equivalent. It does not. The assessment methodology is irrelevant under Indian law. Either your processing falls within one of the nine grounds, or it does not.
Mistake 3: Confusing Section 7 (legitimate uses) with Section 17 (exemptions). Section 7 authorises processing without consent but within the Act's full compliance framework. Section 17 exemptions can remove some or all of the Act's obligations entirely. A government agency relying on Section 7(c) must still comply with security and breach notification requirements. An agency exempted under Section 17 may not need to. Using the wrong section in your compliance documentation creates a false sense of regulatory shelter.
Mistake 4: Overextending the employment ground. Section 7(i) is generous by global standards, but it is not a blank cheque for all employee data processing. The three sub-categories (purposes of employment, loss prevention, and employee-sought benefits) have boundaries. Processing employee data for purposes unrelated to employment, loss prevention, or individually requested benefits requires consent under Section 6.
Mistake 5: Failing to document the ground relied upon. The Act does not explicitly require Data Fiduciaries to maintain records of which legitimate use ground they rely on for each processing activity. But when the Data Protection Board investigates a complaint and asks why you processed someone's data without consent, "we believe it falls under Section 7" without documentation of which specific ground, what the specified purpose was, and why the processing was necessary for that purpose is not a defensible position.
What Should You Do Next?
If your organisation processes personal data of individuals in India, audit every processing activity that currently operates without explicit consent. For each one, answer three questions:
- Does this processing fall within one of the nine grounds in Section 7? If yes, which specific ground?
- Is the processing necessary for the purpose covered by that ground, or is it merely convenient?
- Can you document the basis clearly enough to explain it to a regulator?
Any processing activity that does not produce clear answers to all three questions needs to be migrated to a consent-based model under Section 6 before the May 2027 enforcement date. For a broader view of your compliance obligations, see our complete guide to the DPDP Act 2023.
The legitimate uses framework is one of the most practically important provisions in Indian data protection law. It is also one of the most commonly misunderstood. The companies that get this right will save themselves significant operational friction; the ones that get it wrong will discover their error when a Data Principal complaint reaches the Data Protection Board.
Frequently Asked Questions
Does the DPDP Act include a "legitimate interest" basis like GDPR?
No. The DPDP Act 2023 does not include a "legitimate interest" legal basis comparable to GDPR Article 6(1)(f). Under GDPR, a data controller can process personal data based on its own interests if those interests are not overridden by the data subject's rights, using a balancing test. The DPDP Act takes a prescriptive approach instead: Section 7 provides nine specific, enumerated grounds for processing without consent. If your processing does not fall within one of these grounds, you must obtain consent under Section 6. There is no mechanism to argue that your business interests justify processing without consent.
Can I use Section 7(a) to process customer data for marketing?
Only if the customer voluntarily provided their data specifically for the purpose of receiving marketing communications and has not indicated non-consent. Section 7(a) is limited to the "specified purpose" for which data was voluntarily provided. A customer who provides an email address during checkout for order confirmation has provided data for that purpose. Using the same email for promotional newsletters or partner offers exceeds the specified purpose and requires separate consent under Section 6 of the DPDP Act 2023.
What employee data can I process without consent under Section 7(i)?
Section 7(i) of the DPDP Act 2023 permits processing employee personal data for three categories: purposes of employment (payroll, HR management, background verification), safeguarding the employer from loss or liability (preventing corporate espionage, protecting trade secrets and intellectual property), and providing services or benefits that the employee has individually sought. Processing employee data for purposes outside these three categories, such as employee surveillance unrelated to loss prevention, sharing employee data with marketing partners, or using employee data for social event planning, requires separate consent.
How is Section 7 different from Section 17 of the DPDP Act?
Section 7 establishes grounds for processing personal data without consent while remaining subject to all other DPDP obligations (security safeguards, breach notification, data retention limits, Data Principal rights). Section 17 empowers the Central Government to exempt specific government instrumentalities from some or all provisions of the Act entirely. Section 7 is a legal basis for processing; Section 17 is an exemption from the law's compliance requirements. A Data Fiduciary relying on Section 7 must still implement security measures, notify breaches, and honour Data Principal requests. An entity exempted under Section 17 may be relieved of some or all of these obligations.
As of February 2026, has the Central Government issued any guidance on interpreting Section 7?
As of February 2026, the Central Government has not issued separate interpretive guidance or rules specifically clarifying the scope of Section 7's legitimate use grounds. The DPDP Rules 2025 operationalise other aspects of the Act (breach notification timelines, consent manager registration, security safeguard requirements) but do not expand on the Section 7 framework beyond what the Act itself provides. The two illustrations included in Section 7(a) of the Act remain the most authoritative guidance on how "voluntary provision for a specified purpose" should be interpreted.
Simplify Your DPDP Compliance
This article is for informational purposes and reflects the DPDP Act 2023 and DPDP Rules 2025 as understood at the time of writing. For guidance specific to your business, we recommend consulting a qualified data protection professional.
Mapping your processing activities to the correct legal basis, whether consent under Section 6 or a legitimate use under Section 7, is one of the most consequential compliance decisions you will make before May 2027. ComplyZero provides a self-serve compliance platform with automated consent management, processing activity mapping, and audit-ready documentation, designed for Indian businesses building their DPDP compliance infrastructure without needing external consultants.
ComplyZero handles the complexity for you: consent management, privacy notices in 22 languages, DSR workflows, and audit-ready compliance records. Get your business DPDP-ready in minutes, not months.