The Digital Personal Data Protection Act 2023 (DPDPA 2023) lays down the legal bases for processing digital personal data. Consent is the bedrock for processing, and the legislation also provides a limited set of exemptions from consent that permit certain legitimate uses of data. These exemptions are largely confined to vital interests such as medical emergencies, compliance with legal obligations and the performance of public tasks, leaving little room for a general legitimate-interest basis grounded in fair and reasonable purposes.
Legitimate Interest under Data Protection Legislation
Legitimate interest is understood as an interest of the data fiduciary or of a third party, and it may be commercial, societal or individual in nature. Since consent cannot be operationalised in every scenario, legitimate interest is an essential legal tool for processing personal data without operational disruption, provided the processing does not override the rights and interests of data principals.
Legitimate interest is one of the legal bases provided for in data protection legislation globally, including the European Union's General Data Protection Regulation (EU GDPR) and the Brazilian General Data Protection Law (LGPD). It is the most flexible legal basis available even within a strict regime such as the EU GDPR. It gives data fiduciaries an additional means of processing data with less disruption in precisely those situations where consent cannot be operationalised.
Previous versions of the Indian data protection bill laid out the conditions under which data fiduciaries could rely on legitimate interest as a legal basis for processing data for reasonable and fair purposes. However, the DPDPA 2023, as enacted from the DPDPB 2023, does not provide legitimate interest as a legal basis for processing data.
Importance of Legitimate Interest as a Lawful Basis
Legitimate interest as a lawful basis supports business continuity without compromising the interests of data principals. Entities can rely on it only where data principals would reasonably expect such processing, or where there is a strong justification for it. Moreover, under the EU GDPR, processing on the grounds of legitimate interest is not permitted where that interest is overridden by the interests or fundamental rights and freedoms of the individual, in particular where the individual is a child.
Consent as a lawful basis also cannot be extended to every scenario or every link in a data collection chain. A data fiduciary collects information about persons (data principals) in various ways, both direct and indirect: directly, by seeking information from data principals, who provide data in return for a service; and indirectly, through third parties and publicly available personal information. Obtaining consent is feasible when data is collected directly. It is far harder during indirect collection, where the data fiduciary never interacts with the individuals to whom the data belongs. Insisting on consent in these cases could disrupt emerging technological innovation.
For instance, Artificial Intelligence relies heavily on the ability to scrape, collect and process data in many forms, including publicly available personal information, semi-public (or private) personal information, and licensed datasets that may contain strands of personal information. The quality of a model generally improves with the volume and diversity of the data it processes. However, the consent-based approach prescribed under section 6 of the DPDPA 2023 does not account for the complex data processing involved in AI solutions, which rests on reasonable purposes beyond those a data principal consented to. Data fiduciaries source information through different means: consent can be operationalised when they seek information directly from data principals, but not readily in the case of third-party collection, such as scraping, where there is no direct interaction between the individuals and the data fiduciary. Moreover, seeking consent to process data generated as an output of an AI solution is itself challenging, because the distinction between data collection and data processing blurs at that point.
Such processing could therefore fall through the cracks, as determining whether consent is valid is nebulous in AI operations. It would be essential for the government to consider expanding the legal bases for processing data within the DPDPA 2023 to account for the use cases of emerging technologies.
Safeguards Around Legitimate Interest
If the legal bases are expanded to include legitimate interest, it would be essential to draw guardrails around it to balance data utility and data protection. It must be made clear that legitimate interest does not override the interests of data principals, especially in sensitive cases such as the processing of children's personal data. There should also be an appropriate checklist that helps data fiduciaries demonstrate and justify their reliance on legitimate interest as the lawful basis for processing.
Firstly, data fiduciaries should identify whether a legitimate interest exists, either within their own organisation or on the part of the third parties they engage. Secondly, they should map their data processing activities and assess whether each is necessary to achieve that interest. Thirdly, the identified interest should be tested to ensure that it does not override the interests of data principals and that the processing complies with the data protection principles. Finally, the legitimate interest assessment should be recorded so that the processing can be justified and accountability demonstrated.