The Digital Personal
Data Protection Act, 2023, (DPDP) is India’s first comprehensive data
protection legislation. Under the DPDP, data fiduciaries can process data
principal’s personal data under either ground of consent or legitimate use. The
ground of legitimate use on voluntarily providing data is previously unknown
and has been less explored in the Indian context where the implementation of
the DPDP is awaited. Legitimate use allows data processing when the data
principal voluntarily provides data for a specified purpose and does not
indicate non-consent. The paper proposes how to legally interpret legitimate
use for strong data protection in India. The paper finds that ‘specified
purpose’ should be interpreted as a ‘specific’ purpose, and not all purposes
envisaged in the privacy policy. A data principal’s voluntariness to data
processing must be assumed to the extent that a reasonable person would expect
their data to be processed when explicitly requesting a service. When relying
on legitimate use, the data fiduciaries must always provide the data principal
with an option to opt-out.